
When is business data personal? German Federal Court clarifies scope of GDPR access rights

In recent years, companies have faced a rising tide of data subject access requests (DSARs) under Article 15 of the GDPR, often pushing the boundaries of what constitutes ‘personal data.’ This trend has been driven by strategic attempts to use data protection law as a tool for (pre-)litigation discovery, creating significant legal uncertainty and operational burdens for data-rich sectors like technology, insurance and social media, as well as in litigation before labour courts. 

The ambiguous scope of what constitutes ‘personal data’ has left many businesses struggling to distinguish between legitimate requests and tactical manoeuvres. A recent decision by the German Federal Court of Justice (FCJ) on 18 December 2025 (I ZR 115/25) now draws a much-needed line in the sand. The ruling offers clarity on the definition of personal data, signalling a welcome pushback against the over-extension of the GDPR’s right of access and reinforcing legal certainty for businesses.

The court’s reasoning: a clear framework

The case concerned a dispute between a policyholder and his private health insurer. The policyholder requested copies of all information related to his premium history, including the timing and amount of premium adjustments, tariff changes and contract terminations, framing his demand as a DSAR under Article 15 GDPR. The regional court had sided with the policyholder, adopting a broad interpretation of ‘personal data.’

Upon appeal, the FCJ overturned the regional court’s judgment and remanded the case for further proceedings. In its decision, the FCJ focused on the central legal question: what is the precise threshold for information to be considered ‘personal data?’

The court began by reiterating the established definition in Article 4(1) GDPR, which requires information to relate to an identified or identifiable natural person. The FCJ clarified that it is not enough for information merely to have an ‘impact’ or ‘effect’ on a person. Instead, the information itself – based on its content, purpose, or effect – must be linked to a person in such a way that they can be identified. 

Applying this strict ‘identifiability’ test, the court reasoned that information about premium adjustments or the price of a specific tariff does not, by itself, allow for the identification of a specific policyholder; it is primarily information about a product’s pricing.

The FCJ also drew a sharp distinction regarding communications. While a document originating from a data subject (such as a request to change a tariff) is personal data in its entirety (because the personal information already consists of the fact that the data subject has expressed themselves as stated in the correspondence), the insurer’s subsequent communications about the consequences of that request are not automatically personal. Such documents are only personal data to the extent they contain specific information about the data subject that meets the identifiability threshold.

Based on this chain of reasoning, the FCJ concluded that the lower court had applied the wrong legal standard. By focusing on the mere ‘effect’ on the individual rather than true identifiability, it had incorrectly classified all the requested contractual information as personal data. The FCJ therefore overturned the judgment and remanded the case for the lower court to determine whether the requested information could, in fact, be used to identify the policyholder.

A welcome precedent in a divided legal landscape

Before this ruling, German higher regional courts were deeply divided on this issue. Some adopted an expansive view, considering any data with a direct impact on an individual’s contract to be personal, whereas others took a more restrictive line, arguing that abstract pricing information without identifying details falls outside the GDPR’s scope. The FCJ has now decisively endorsed the latter, more pragmatic and business-oriented interpretation, requiring demonstrable identifiability rather than merely an impact on an individual.

This ruling also reinforces a trend towards a more balanced interpretation of data protection law by Germany's highest civil court. As we noted in a recent briefing on a landmark data retention ruling, this shift follows the I. Senate’s assumption of jurisdiction over data protection cases from the previously more consumer-friendly VI. Senate. The decision to narrowly define ‘personal data’ in this case is another clear indicator that the I. Senate is seeking to balance data subject rights with economic reality and entrepreneurial freedom, continuing the market-oriented logic it established previously.

This approach aligns with the case law of German labour courts, which have held that compliance reports and legal assessments by law firms do not per se and in their entirety constitute personal data under Article 15 and Article 4(1) GDPR – even when the requesting person was the subject of the investigation – thereby establishing that there is no entitlement to full unredacted copies of such documents.

Furthermore, it is consistent with the interpretive framework established by the Court of Justice of the European Union (CJEU), which has consistently required a concrete possibility of identification. The CJEU has previously clarified, for example in the context of IP addresses, that even indirect identifiability is sufficient, but that there must always be a realistic possibility of linking the data to a specific person. The mere theoretical possibility is not enough.

By finding the legal position to be sufficiently clear to not require another referral to the CJEU, the FCJ has signalled its confidence in this restrictive interpretation, thereby promoting legal certainty and reducing over-regulation.

Key takeaways and outlook

For years, companies have been exposed to significant litigation risk from DSARs weaponised for purposes far beyond their original intent. The broad interpretation adopted by some courts created a landscape where businesses could be forced to disclose vast quantities of purely contractual or commercial information, imposing immense costs and administrative burden.

The FCJ’s ruling provides a counter-narrative and a strong legal basis for companies to push back against such overly broad requests. It empowers defendants in data litigation to argue that abstract contractual information is not personal data, particularly where requests are aimed at circumventing standard civil procedure for obtaining evidence. This is a critical development for data litigation mass claims. The decision reflects a judicial effort to strike a more reasonable balance between individual rights and the legitimate operational interests of businesses – a development the European (tech) industry has long awaited.

This domestic development is complemented at the European level by the CJEU's recent judgment in Brillen Rottler (C‑526/24), in which the court confirmed that even a first-ever access request under Article 15 GDPR can be refused as ‘excessive’ under Article 12(5) where the controller demonstrates abusive intent – such as the artificial creation of conditions required to obtain compensation. Importantly, the court also held that where the data subject's own conduct constitutes the ‘determining cause’ of the alleged damage, the causal link required for compensation under Article 82(1) is severed. Together with the FCJ's narrowing of what qualifies as personal data, Brillen Rottler provides businesses with an additional line of defence against the strategic weaponisation of access rights (for our detailed analysis, see our blog post).

For businesses, three key takeaways emerge.

  • First, companies should critically review their data processing activities and DSAR handling protocols. A robust assessment of whether information genuinely allows for the identification of a natural person is now paramount.
  • Second, this decision empowers companies to differentiate more effectively between truly personal data and general contractual or abstract business information. This will help streamline compliance efforts and reduce the burden of responding to overly broad requests.
  • Third, proactive documentation of internal data classification and the rationale behind it will be essential. Companies must be prepared to demonstrate why certain data, particularly regarding contractual specifics, does not meet the threshold for ‘personal data’ under the FCJ’s clarified standard. This will strengthen their position against unjustified access requests and potential litigation.

Overall, the FCJ’s decision marks a significant step towards a more balanced and economically rational interpretation of data protection law, affirming that while the protection of individuals is fundamental, it must be balanced with entrepreneurial freedom and legal certainty.
