Bavaria: Munich Regional Court considers right of access fulfilled with provision of URL links to data

The Munich Regional Court issued, on 2 September 2021, its judgment in 23 O 10931/20, in which it held that a company that operated a social network and online platform had fulfilled its obligation to provide the requested personal data to the plaintiff under Article 15 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') by providing permanently available URL links to the plaintiff.

Background to the case

The plaintiff, among others, claimed damages pursuant to Article 82 of the GDPR for an alleged personal data breach by the defendant and claimed that the defendant had not complied with his or her request for information on his or her personal data.

Findings of the Court

In particular, the Court held that the plaintiff was not entitled to compensation for non-material damage pursuant to Article 82 of the GDPR and that by providing the two URL links which can be accessed via the personal customer account in the 'Settings & Data Protection' area, the defendant had also provided the information pursuant to Article 15 of the GDPR. Furthermore, the Court held that the plaintiff's claim that the URL links were dead links which only generated the message 'page not found' was not true since the Court was able to see for itself after the meeting that the URL links could be opened without any problems in the accounts as permanently available links. Moreover, the Court held that the electronic provision of personal data from the account is expressly permitted by the GDPR because Recital 63 of the GDPR states that, where possible, the controller should be able to provide remote access to a secure system that would allow data subjects direct access to their personal data. Lastly, the Court held that damage, which consists of the loss of control over data, is not sufficient to establish measurable, non-material damage.

Outcomes

The defendant had provided the information requested by the plaintiff under Article 15 of the GDPR by providing him or her with permanently available URL links which enabled the customers to access the data stored about them at any time.

You can read the decision, only available in German, here.