The data secrecy / personal data

according to Art. 15 DSGVO

Law firm for IT law and data protection law in Kerpen, Cologne and Witten

IT law and data protection law | Strong partner for employees and employers

The data secrecy & personal data

Law firm for IT law and data protection law in Kerpen, Cologne and Witten

Lawyer for - Labor Law | Criminal Law | IT Law | Data Protection

General data secrecy is anchored in the Federal Data Protection Act and is jointly applicable with the General Data Protection Regulation. In the context of the use of personal data, the collection and use of such data is only permissible if the Federal Data Protection Act or other legal norms expressly permit or direct this, or if the data subject has given his or her consent to the use of such data. 

Since the use is under the premise of permission, persons are not allowed to collect the data without authorization, process it afterwards or use and disseminate it. In the context of an employment relationship and an activity that involves the use of the data, a prohibition exists even if one no longer works for the employer and no longer performs his activity. An example of this would be an activity within the scope of a personnel position.

A distinction must therefore be made between data protection guidelines, data protection laws and data protection regulations. A data protection directive provides a certain direction here, which at the national level leads to a data protection law such as the BDSG (Federal Data Protection Act). The data protection law thus differs from country to country and can always be somewhat different. However, in the context of data protection regulations, these are equally binding at the international level for all European countries or EU member states and thus obligated to comply with this regulation.

The German Federal Data Protection Act has been in existence in its form since 2018. This was enacted in the context of the General Data Protection Regulation and further substantiates this European regulation. Thus, explicit regulations were formulated and special regulations were made for Germany. For example, the Federal Data Protection Act regulates content that the GDPR (Basic Data Protection Regulation) does not describe or has left extra open. However, there are also explicit data protection laws at the state level, such as the Data Protection Act of North Rhine-Westphalia (DSG NRW).

Unquestionably, the consideration of the GDPR (General Data Protection Regulation) is still exciting in this respect, however, as it gives you the personal right to request information about your personal data from the bodies that process it.

The right to information according to Art. 15 DSGVO

Information according to Art. 15 DSGVO

The Art. 15 of the Basic Data Protection Regulation guarantees every individual a significant right. According to this article, data subjects are entitled to request information from a company or body about what data is stored or processed about them. In most cases, the data subject is also provided with information about the purpose of the processing, the origin of the data or the recipient of the data. 

The right to information applies to public bodies such as authorities and all other bodies such as companies, associations or even clubs. The aim of this information should be to obtain a general overview and a certain degree of control over what precise data is processed and stored.

What does the right to information entail?

Content of the right to information

The Art. 15 GDPR creates a basis for you to specifically assert rights such as the right to rectification, erasure, restriction of processing or the right of revocation to processing at all. Thus, there is the possibility to obtain information from the person responsible for the collection and processing, whether this data is processed and if applicable, which. Covered are the data that relate to the person. More details are explained in Art. 4 (1) No. 1 of the GDPR.

"Personal data" [means] any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;"

The term "data" is thus broadened to include more than just the person's master data, such as name, address or date of birth. Data such as communications that have already ended or notes and documents are also affected. The request for information is basically free of charge for you. The exception to this would be if the request is obviously unfounded or if there is an excessive accumulation of requests. In this case, a fee may be charged for the information.

The right to rectification

Right to rectification

The right to rectification derives from Art. 16 of the GDPR highlight. If you notice that your personal data is incorrect, you have the right to demand that the processing agency immediately corrects your data. This must be done "without delay", i.e. without culpable hesitation.

Right to rectification
"The data subject shall have the right to obtain from the controller the rectification without delay of inaccurate data concerning him or her. Taking into account the purposes of the processing, the data subject has the right to obtain the completion of incomplete personal data, including by means of a supplementary declaration."

The right to erasure and restriction of processing

Deletion and restriction of processing

Data secrecy, personal data, Art. 15 DSGVO, basic data protection regulation, data regulation, lawyer IT law, lawyer IT law, lawyer data protection, lawyer data protection law, lawyer data protection, lawyer data protection law

You also have the right to erasure or restriction of processing against the body. In particular, you have the right to erasure and restriction if the processing of your data is no longer necessary or the collection was not lawful, you have written a revocation against the processing or have filed an objection to the processing. In addition, the right exists if the deletion is required due to legal grounds or even, for example, a young person has registered with a social network. All grounds for erasure can be found in Article 17 of the GDPR.

As an exception to the above right, it must be mentioned that erasure or restriction will not occur if the processing of the data serves a public task or the public interest. Another exception is if the processing of the data is for the purpose of research, science or statistics and is necessary. As an example for statistics and the housing situation in Germany, the "Census 2022" can be mentioned very topically. Participation in this is mandatory and failure to comply with the notification can be penalized by up to € 5,000.00. In the most extreme case, the surrender of the data can even be enforced.

To ensure the security of the data, all employees of the survey offices are subject to professional confidentiality and the online data collection is encrypted. Likewise, the data is not forwarded to third parties.

Should you wish to obtain information from a body in accordance with §15 DSGVO, then you must be informed of the following.

The desired right to information has the following contents

Contents of the right to information

  • Purpose of processing
    • this is the purpose which the body pursues with the data processing. This must be stated clearly and specifically.
  • Intention of the transfer together with recipients and categories of recipients
    • the entity must mandatorily disclose whether it intends to disclose your personal data to a third party entity.
  • Storage period and storage information
  • Notice of your rights
    • the body must inform you of your other rights. These are the designated rights of rectification, erasure or opposition or withdrawal of consent.
  • Reference to automated decision making
    • the automatic decision-making designates, for example, profiling.
  • Your personal data
    • you are also entitled to an (electronic) copy of the personal data.
  • Categories of data processed
  • Source of the dataset

The following contents are not included in the requested information

Missing contents of the right to information

  • Contact details of the data controller as well as its data protection officer
  • Legal basis of processing
    • Here, conceivable legal bases are the GDPR or the BDSG.
  • Pursued interests of the responsible person
    • This refers to the interests for data processing.
  • Intention of the change of purpose
  • The duty to process

Limits of the information

Limits of the information

The right to information according to the Art. 15 GDPR is specifically not granted without limits. The limit of information is primarily the rights and freedoms of other persons. In simpler terms, this is personal data of third parties or trade and business secrets. Thus, the person providing the information may regularly but not always and completely refuse to provide the information. Logically, he always has the option of blacking out the data of third parties or secrets in order to sufficiently protect their identity. Further restrictions may result from the Federal Data Protection Act or from the Social Code X. 

One example of this is the protection of public safety. This in turn means the protection of the written legal order, the state and its institutions, and the individual legal interests of citizens.

Furthermore, there is an obligation to retain personal data if it is used, for example, on the basis of tax or commercial law regulations. As a rule, there is no right to information if this is associated with a disproportionately high effort and the person providing the information can ensure the purpose limitation of the protection of the data through suitable technical or organizational measures. More details on the restriction of the right to information are governed by Section 34 of the BDSG. 

The right to information does not exist if the data subject is not to be informed or if the data may not be deleted due to legal regulations or if it is used exclusively for purposes of data backup or data protection control. Both variants must require a disproportionately high effort in order for the request to be denied.

How do I get my information?

Receiving the information

The request itself, including the right to information, can be made and submitted in an informal application to the appropriate office without the need for justification. If you visit the office in person or ask for information by telephone, this will usually not be granted or possible. In the case of a telephone request, it is usually not possible to ensure that the identification of the authorized person will be successful. This follows from the principle that the body processing the personal data must ensure that the data is not disclosed to unauthorized third parties. 

Thus, the application to the body should always be made in writing or by secure electronic means, such as DE-Mail. If the body has an objectively reasonable doubt about the identity, it may request additional information to confirm the identity. This follows from Art. 12 (6) of the GDPR.

Lawfulness of processing
"Without prejudice to Article 11, if the controller has reasonable doubts about the identity of the natural person making the request pursuant to Articles 15 to 21, the controller may request additional information necessary to confirm the identity of the data subject."

Thus, it is not uncommon for the requested office to request a copy of the identity card in order to make such a confirmation. In this way, the applicant at least ensures that the name, address and date of birth can be matched. You do not have to disclose your picture, nationality or ID number. These data may be blacked out if the ID card is requested. The agency must ensure that the data from the ID document is only used to check identity and is not included in the agency's database. When making an application, it is therefore particularly advisable that you describe exactly what information you wish to receive and about what exactly. This enables faster and, above all, more targeted information.

What if the information is finally denied?

Refusal to provide information

Rarely, but nevertheless conceivable, is the final refusal of information to the natural person. In these cases, you are free to file a complaint with the competent data protection supervisory authority. It is important that you include the correspondence with the authority that you have had up to that point in the complaint. It is therefore important that you retain this. For this reason, too, it is always advisable to refrain from making inquiries to the body by telephone or in person. The responsible supervisory authority, for example for the state of NRW, is the LDI (State Commissioner for Data Protection and Freedom of Information).

Frequent mistakes made by bodies in the context of a request for information under Article 15 GDPR are that the request for information is simply ignored, the response only covers the master data, the request is not forwarded within the body or the information is not provided in a timely manner.

Procedure of the request for information

Procedure of the request for information

Data secrecy, personal data, Art. 15 DSGVO, basic data protection regulation, data regulation, lawyer IT law, lawyer IT law, lawyer data protection, lawyer data protection law, lawyer data protection, lawyer data protection law

If information according to Art. 15 GDPR is requested, then the regular process can be divided into different phases. In phase 1, the request for information is sent to the specific office. Within the office, the request is forwarded to the responsible employee. Phase 2 usually involves performing an identity check on the requestor. Phase 3 is the processing phase, in which all the information of the personal data is collected. Phase 4 is the response, usually within a month. In phase 5, the procedure is completed and a documentation with determination and storage period is the consequence.

Information by legal counsel

The help of the legal counsel

According to Art. 15 of the GDPR, a request for information is always something that only data subjects may make use of. This is a personal claim. However, there is nothing to be said against representation, for example by a trusted lawyer. Since the information is personal data, the respective lawyer must also always obtain a power of attorney and present it to the office. It is therefore a matter of the specific legitimation of the representative vis-à-vis the agency. 

A granted power of attorney to the lawyer must therefore refer specifically to the desired right to information pursuant to Art. 15 GDPR refer to. The result of the information is then also transmitted to the lawyer. Since there are no requirements for the power of attorney itself, it can be issued in writing, electronically or verbally. To ensure that the claim for information is successful, the competent office will always ask for the necessary power of attorney from the person requesting the information. However, this must not mean that the request is made more difficult for the person concerned as soon as he does not want to assert it himself.

Claim for damages and compensation for pain and suffering

Damages and compensation for pain and suffering

The GDPR also stipulates that the information, like the correction and deletion of the data, must be provided without delay. However, this must be done within one month at the latest. If this is not the case, claims for compensation or damages may result. This is regulated comparatively by Article 12 (3) of the GDPR.

Transparent information [...] of the data subject
"The data controller shall provide the data subject with information on the measures taken upon request pursuant to Articles 15 through 22 without delay, and in any case within one month of receipt of the request. This deadline may be extended by two months if necessary, taking into account the complexity and number of requests. The controller shall inform the data subject of any extension of the time limit, together with the reasons for the delay, within one month of receipt of the request. If the data subject makes the request electronically, he or she shall be notified by electronic means, if possible, unless he or she indicates otherwise."

If the competent body violates this obligation, this constitutes a violation of the law, whereby according to the provisions of the GDPR both a fine against the body and a claim for damages or compensation for pain and suffering (non-material damage) against the data subject can be a legal consequence. This follows from Art. 82 of the GDPR.

Liability and right to compensation
"Any person who has suffered material or non-material damage as a result of a breach of this Regulation shall be entitled to compensation from the controller or from the processor."

Decision of the Düsseldorf Labor Court

Decision ArbG Düsseldorf

The labor court in Düsseldorf has already ruled that a claim for damages exists due to a failure to provide information or insufficient information in accordance with Article 15 of the GDPR. Thus, it was determined that due to a delay of two months, an amount of € 500.00 in damages is appropriate. For another three months of delay, the damages for pain and suffering amounted to € 1,000.00 each and for inadequate information, as far as the content was concerned, another € 500.00 each in two cases. The defendant had to pay thus 5.000,00 € to the concerning. To be reread under: ArbG Düsseldorf, ZD 2020,649.


In summary, with regard to the information requested under the General Data Protection Regulation (GDPR), legal counsel is always recommended if the information has not been sent at all, or has been sent too late or inadequately. 

Furthermore, in particularly complex cases, it is advisable to consult a lawyer directly so that he can file the request for information pursuant to Art. 15 GDPR. The possibility exists that, as already mentioned above, claims for damages or compensation for pain and suffering may arise, which can be asserted by a lawyer through legal proceedings. Likewise, this ensures that the responsible body will handle your personal data properly in the future.

We would be happy to be the right contact for you and to take full care of your personal data protection concerns.

You need a lawyer in IT law or data protection law?

Then contact us

+49 (0) 2273 - 40 68 504

Law firm for IT law and data protection law in Kerpen, Cologne and Witten

Lawyer for - Labor Law | Criminal Law | IT Law | Data Protection