Right to information under the GDPR – requirements for companies

Note: This article has been machine translated and may therefore contain translation errors.

A contribution from

Alexander Brittner, LL.M.

Salary Partner, Attorney at Law

According to Art. 15 GDPR, there is a comprehensive right to information about data processing, including the right to a copy. The processing of such requests for information regularly presents companies with considerable challenges, as details on the type and scope of the obligation to provide information are only gradually being clarified by case law. Companies must give good reasons if they restrict or refuse a right to information. Inadequate processing of requests for information can result in claims for damages and fines, which is why you should set up appropriate processes along with sample responses.

The right to information in accordance with Art. 15 GDPR

Data subjects have the right to receive comprehensive information from companies or authorities about the processing of their personal data. This includes the purpose of the processing, the categories of data concerned, the recipients of the data, the storage period and the existence of other rights such as rectification, erasure or restriction of processing. From the legislator’s point of view, this information is essential to ensure transparency and enable data subjects to control their data.

In addition, Art. 15 (3) GDPR establishes a right to receive copies of the data processing operations. The ECJ (C-487/21) requires verifiable reproductions of the documents relating to the data subject.

According to the BGH (judgment of 05.03.2024 – VI ZR 330/21), the claim for surrender includes types of documents that reflect data processing. Correspondence between the parties involved must generally be submitted as a true copy. In the case of internal memos, telephone and meeting notes, it is sufficient to submit only excerpts, excluding internal information, if the personal processing is clear from the excerpt and submission of the entire document is not exceptionally indispensable. The data subject would have to prove the latter.

The documents must be submitted immediately, but at the latest within one month, unless an exceptional extension to a total of three months is indicated due to the complexity of the process.

Limits and challenges in providing information

The right to information is not unlimited. Art. 15 para. 4 GDPR allows companies to refuse or restrict access if the rights and freedoms of other persons are affected. This is particularly the case if disclosure would reveal personal data of third parties or business-critical information. In such cases, a careful assessment must be carried out to determine whether the sensitive information can be redacted or anonymized.

Proportionality also plays a role. In its decision of 12.01.2025 (BFH IX R 25/22), for example, the Federal Fiscal Court (BFH) clarified that a refusal to provide information must meet high requirements. A high processing effort alone is not sufficient to refuse information in general. Data in paper files must also be searched in order to fulfill the requirement.

Liability risks in the event of incorrect processing

Companies that process requests for information inadequately or late expose themselves to financial risks. Courts have awarded damages if an affected party has been harmed by incomplete or untimely responses – provided they can prove that they have suffered damage (BAG 8 AZR 215/23). The decisions of the courts of first instance are complex. Companies should not rely on individual case decisions, but should respond to requests in a structured and legally compliant manner.

Opportunities for companies: Data minimization and more efficient processes

The strict handling of requests for information can also have positive effects. Companies are encouraged to make their data processing more efficient, automate processes and delete unnecessary data. Structured archiving and progressive digitization not only facilitate the processing of requests for information, but also reduce data protection risks overall.

Practical recommendations for companies

To minimize risks, you should take the following measures:

  • Take requests for information seriously and respond in a timely manner.
  • Use standardized answer patterns to avoid formal errors.
  • Have requests clarified if the scope is unclear.
  • Carefully check third-party data and business-critical information and redact it if necessary.
  • Critically examine claims for damages by those affected.

By proactively preparing for requests for information, you can not only minimize compliance risks, but also benefit from more efficient data management in the long term. Set up appropriate processes with sample letters.
