VG Osnabrück – 7 A 6/24

14 February 2026

Avalang: Fixed a link.

{{COURTdecisionBOX

|Case_Number_Name=7 A 6/24
|ECLI=ECLI:DE::2026:0113.7A6.24.00

|Date_Decided=13.01.2026
|Date_Published=12.02.2026
|Year=2026

|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=

|National_Law_Name_1=
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Link_2=

|Initial_Contributor=avalang
|
}}

A court held that a public authority violated [[Article 12 GDPR|Article 12(3)]] and [[Article 15 GDPR#1|Article 15(1) GDPR]] by failing to respond within one month to an access request and by wrongly requiring a reference date.

== English Summary ==

=== Facts ===
On 20 November 2023, the data subject (a business owner) submitted an access request under [[Article 15 GDPR#1|Article 15(1) GDPR]] limited to the controller’s legal department (a municipal authority), requesting a full written response and copies in accordance with [[Article 15 GDPR#3|Article 15(3) GDPR]].

On 12 December 2023, the controller asked the data subject to specify a reference date in order to process the request. On 18 December 2023, the data subject replied that no specific date was required and that the relevant date for the time limit to respond to such requests was the date of receipt.

By letter dated 3 January 2024, the controller informed the data subject that the legal department did not store or process any personal data relating to them.

Following that, the data subject alleged that the controller had not responded within the time limit set out in [[Article 12 GDPR#3|Article 12(3) GDPR]]. They argued that the one-month deadline expired on 22 December 2023 and that the request for a reference date did not suspend or extend the deadline.

The controller argued that the request was excessive and made in bad faith. It submitted that the data subject had repeatedly exercised access rights between 2020 and 2024 in order to pursue unrelated damages claims. It also argued that the one-month period started only after the data subject responded to the request for a reference date.

=== Holding ===
The court first held that a controller must provide information on measures taken under Articles 15 to 22 GDPR without undue delay and in any event within one month of receipt of the request. The period may only be extended by two further months where justified by the complexity or number of requests, and the controller must inform the data subject of the extension and the reasons within the initial one-month period.

The court explained that the triggering event for the time limit was the receipt of the request on 22 November 2023, as the [[Article 12 GDPR]] and [[Article 15 GDPR]] did not require a data subject to specify a reference date for an access request. In the absence of a specified date, an access request shall be interpreted as referring to all processing up to the date of receipt. The court emphasised that the purpose of [[Article 15 GDPR]], read in light of Recital 63, was to enable the data subject to obtain transparency and to verify the lawfulness of processing. Requiring a reference date would undermine that objective.

It also rejected the argument that the request was abusive. The fact that the data subject had previously submitted access requests or pursued damages did not, in itself, constitute misuse of rights.

Finally, the court concluded that the controller’s request for a reference date was not justified and had not provided the information within the set time limit.

== Comment ==
”Share your comments here!”

== Further Resources ==
”Share blogs or news articles here!”

== English Machine Translation of the Decision ==
The decision below is a machine translation of the German original. Please refer to the German original for more details.

<pre>
Facts of the Case: The parties dispute whether the plaintiff was provided with information under data protection law within the prescribed time limit. The plaintiff owns a company that distributes explosive substances based on permits issued under explosives law. He stores these substances in various storage facilities within the state of Lower Saxony. Because the plaintiff fears break-ins at his storage facilities and is also concerned that his knowledge of the security measures in place could make him a victim of kidnapping or extortion, the locations of the storage facilities are not publicly accessible online. Furthermore, for his own protection, the plaintiff obtained blocking orders in various registers, such as the vehicle registration and residents’ registration offices. By letter to the defendant dated November 20, 2023, received by the defendant on November 22, 2023, the plaintiff requested information pursuant to Article 15(1) GDPR regarding his personal data, limited to the legal department of the city administration. The (complete) information should be provided in writing. At the same time, he requested copies in single copies pursuant to Article 15(3) GDPR.

By letter dated December 12, 2023, the defendant asked the plaintiff to specify the date on which he wished to receive the information in order to process his request for information. By letter dated December 18, 2023, which was received by the defendant the following day, the plaintiff responded that the request for the date was unclear. Since no specific date had been mentioned in the request, the date of receipt should be considered. By letter dated January 3, 2024, the defendant then informed the plaintiff that no data relating to him was stored or processed in its legal department. On January 11, 2024, the plaintiff filed a lawsuit. He argues that the defendant was required to respond to his request within one month, i.e., by December 22, 2023, and that the response, dated January 3, 2024, was therefore too late. As a result, he was only able to submit a request for information to the defendant’s main office on January 10, 2024, in order to gain an overview of the processing of his data there. He maintains that inquiring about the deadline was unnecessary and therefore does not justify extending the processing period; in any case, notification pursuant to Article 12(3), third sentence, of the GDPR would have been required. Furthermore, he asserts that the defendant has not yet responded to a single one of his requests for information under Article 15 of the GDPR within the prescribed time limit. Since he continues to reside within the defendant’s jurisdiction, he believes there is a risk of this happening again.

The inquiry regarding the deadline was unnecessary, and therefore does not justify an extension of the processing period; in any event, notification pursuant to Article 12(3), third sentence, of the GDPR would have been necessary. The plaintiff requests a declaratory judgment that the defendant failed to provide the requested information in accordance with Article 12(3) of the GDPR within the prescribed time limit.

The defendant argues that the request for information violates the principle of good faith because the plaintiff is making excessive use of his right to access. The defendant claims that the plaintiff asserted corresponding requests for information against the defendant on a monthly basis between August 2020 and the first months of 2024. The defendant asserts that the plaintiff’s objective is not to obtain the information, but rather to pursue claims for damages. In this regard, the defendant refers to pending proceedings between the parties at the Regional Court of A-Stadt (Case No. H.). In those proceedings, the plaintiff is seeking damages of €250 per month for the aforementioned period. The defendant argues that this logically presupposes the monthly assertion of a right to information, as otherwise, there would be no basis for a claim for damages. Furthermore, there is no violation of Article 12(3) GDPR. The one-month period began to run upon receipt of the letter in which the plaintiff specified the deadline.

The plaintiff contests this and argues that it is untrue that he asserted a right to information in each of 40 consecutive months. Rather, he submits corresponding requests at twelve-month intervals. For further details of the parties’ submissions, reference is made to their written pleadings; for the remaining facts, reference is made to the court files and the administrative records. Grounds for the Decision: A. The action is admissible. I. It is admissible as a declaratory action within the meaning of Section 43(1) of the German Code of Administrative Procedure (VwGO). According to this provision, a declaration of the existence or non-existence of a legal relationship or the invalidity of an administrative act may be sought if the plaintiff has a legitimate interest in a prompt determination.

The relationship between the defendant (as the controller within the meaning of the GDPR) and the plaintiff is a legal relationship within the meaning of this provision. A legal relationship is understood to be the legal relationship between persons or between persons and objects that arises from a set of facts based on a legal norm. While the GDPR does not explicitly state that a person can demand a declaration of a legal violation, the rights under the GDPR are directed at access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18, 21), and data portability (Art. 20). However, it is for the national legal system of each Member State to determine the procedural modalities of legal remedies designed to protect citizens’ rights, provided that these modalities are not less favorable in cases falling under Union law than those governing similar cases under national law (principle of equivalence) and that they do not render the exercise of rights conferred by Union law practically impossible or excessively difficult (principle of effectiveness). Under these conditions, a finding by a controller of an infringement of subjective rights under the GDPR can also establish a legal relationship within the meaning of Section 43(1) of the German Code of Administrative Procedure (VwGO). The general declaratory action provided for in the national procedural code applies to all cases falling within its material scope. Its application also to cases of alleged infringements of rights under the GDPR takes into account the principle of effectiveness. This is because it enables the GDPR to guarantee a high level of protection for the fundamental rights and freedoms of natural persons when processing personal data (see, regarding the foregoing, Federal Social Court [BSG], Judgment of September 24, 2024 – B 7 AS 15/23 R –, juris para. 39-41, with further references).

II. The plaintiff also has a legitimate interest in a prompt declaratory judgment (interest in a declaratory judgment). However, if the relevant legal relationship – as in this case – already lies in the past, special requirements must be placed on the interest in a declaratory judgment. In such cases, there must be a risk of recurrence, an interest in rehabilitation, or a profound infringement of fundamental rights that typically resolves itself quickly. Similarly, a legitimate interest in obtaining a declaratory judgment may lie in the preparation of a claim for official liability, whereby the principle of subsidiarity of declaratory actions enshrined in Section 43 Paragraph 2 Sentence 1 of the German Code of Administrative Procedure (VwGO) must be given particular consideration (see Marsch, in: Schoch/Schneider, 47th Supplement, February 2025, VwGO Section 43, marginal note 35, beck-online; Happ, in: Eyermann, 16th edition 2022, VwGO Section 43, marginal note 34, beck-online).

In the case under consideration here, there is a risk of recurrence. This requires a concrete or sufficiently specific risk that a comparable legal relationship or a comparable (alleged) violation of rights will occur in the future. The mere vague possibility of recurrence is insufficient, as is the desire for clarification of abstract legal questions. Furthermore, the relevant legal and factual circumstances for the assessment must remain essentially unchanged in order for the plaintiff to benefit from the subsequent finding of illegality (see Riese, in: Schoch/Schneider, 47th supplement, February 2025, VwGO § 113 para. 126, beck-online). This is the case here: The plaintiff has stated that he submits a corresponding request for information to the defendant annually. Since he has already asserted several requests for information against the defendant in the past pursuant to Art. 15 paras. 1 and 3 GDPR and continues to reside within the defendant’s jurisdiction, everything indicates that he will continue to submit such requests in the future. The defendant, in turn, maintains, according to its submissions in the proceedings, that the applicant must specify a cut-off date for the request for information, or that the time limit under Art. 12 para. 3 sentence 1 GDPR begins at the earliest upon notification of the cut-off date.

The plaintiff has stated that he submits a corresponding request for information to the defendant annually. B. The action is also well-founded. Pursuant to Article 12(3) GDPR, the controller (here: the defendant) must provide the data subject (here: the plaintiff) with information on the measures taken in response to a request pursuant to Articles 15 to 22 without undue delay and in any event within one month of receipt of the request. This period may be extended by a further two months where necessary, taking into account the complexity and number of requests. The controller must inform the data subject of any extension of this period, together with the reasons for the delay, within one month of receipt of the request. If the data subject makes the request electronically, the information must be provided electronically where possible, unless the data subject indicates otherwise.

The time limit is triggered by the receipt of the request by the controller. Alternatively, the determination of identity pursuant to Article 12(6) GDPR may be used as the determining factor, but this does not require a further decision in the present case. If the data subject is represented by a lawyer and the controller requests a power of attorney, the time limit begins upon presentation of the original power of attorney (see Franck, in: Gola/Heckmann, 3rd ed. 2022, GDPR Art. 12 para. 27, beck-online; Heckmann/Paschke, in: Ehmann/Selmayr, 3rd ed. 2024, GDPR Art. 12 para. 32, beck-online).In contrast, the applicant is not required to specify a cut-off date for the commencement of the time limit. Articles 12 and 15 of the GDPR do not stipulate such a requirement. While the right of access does encompass past data processing (see Ehmann, in: Ehmann/Selmayr, 3rd ed. 2024, GDPR Art. 15 para. 10 and 28, beck-online, and Bienemann, in: Sydow/Marsch GDPR/BDSG, 3rd ed. 2022, GDPR Art. 15 para. 29, beck-online, each citing CJEU, Judgment of 7 May 2009 – C-553/07 -, juris para. 54). However, an unspecified request for information is generally to be interpreted analogously to Sections 133 and 157 of the German Civil Code (BGB) as relating to the time of its receipt, thus encompassing all data processing that took place up to that point. This is supported by the purposes of the right of access, which are to enable the data subject to become aware of the processing of their personal data (transparency) and to verify its lawfulness (facilitating control; see Ehmann, in: Ehmann/Selmayr, 3rd ed. 2024, GDPR Art. 15 para. 1, beck-online; Schmidt-Wudy, in: BeckOK DatenschutzR, 53rd ed. 1.8.2025, GDPR Art. 15 para. 2, beck-online, also with reference to Recital 63 of the GDPR). To effectively fulfill these purposes, the data subject—as is obvious—will generally be interested in obtaining the most complete picture possible of the processing of their data by the controller. Only in exceptional cases might the data subject wish to limit their request to a specific period, and only if their interest relates solely to that period, and this would likely be solely to facilitate the controller’s work. If the data subject is provided with complete information, they can still decide which parts of the information are relevant to them. Neither the plaintiff’s application of November 20, 2023, nor any other circumstances provided any indication that the plaintiff wished to limit their request for information more precisely in terms of time. Therefore, inquiring about a specific date was unnecessary.

The event triggering the time limit was thus the receipt of the application by the defendant on November 22, 2023. The calculation of the time limit is governed by Council Regulation (EEC, Euratom) No 1182/71 of 3 June 1971 laying down the rules on time limits, dates and deadlines (“Time Limits Regulation”, see Franck, in: Gola/Heckmann, 3rd ed. 2022, GDPR Art. 12 para. 27, beck-online). According to Art. 3 para. 2 lit. c of this Regulation, the one-month period stipulated in Art. 12 para. 3 sentence 1 GDPR therefore ended on 22 December 2023. The defendant missed this deadline in the present case. In particular, it also failed to grant an extension of the time limit pursuant to Art. 12 para. 3 sentences 2 and 3 GDPR, regardless of whether the conditions for such an extension were met in this case.

The defendant’s argument that the plaintiff is making its requests for information in an abusive manner does not lead to a different conclusion. Insofar as the defendant refers to the statement of claim in the proceedings before the Regional Court of A-Stadt to substantiate this allegation, it obviously does not contain the information claimed by the defendant. There, the plaintiff asserts a claim for damages for each month in which the defendant failed to provide him with complete data protection information pursuant to Article 15 GDPR in response to his requests of July 1, 2020, and September 1, 2021. The assumption that this constitutes a new monthly request for information is absurd, if only because it would mean that the plaintiff, with his statement of claim dated December 20, 2023, had retrospectively made monthly requests for information over several years. The defendant’s submissions fail to explain what purpose such a procedure would serve for the plaintiff, quite apart from the fact that the wording of the statement of claim does not support such an interpretation. No other (substantiated) indications of an abuse of rights on the part of the plaintiff have been presented, nor are any apparent. In particular, the plaintiff’s conduct is not abusive simply because he has previously (including in court) dealt with the defendant regarding alleged or actual violations of data protection regulations and has also asserted claims for damages in this context.

Regardless, the defendant never argued during the administrative proceedings that the plaintiff’s request was abusive. It is incomprehensible why the defendant, on the one hand, assumes that the plaintiff’s conduct is abusive—which would mean that the defendant is not even obligated to provide information under Article 15(1) GDPR—while, on the other hand, first specifically asking for a cut-off date and then subsequently providing the requested information.

C. The decision on costs is based on Section 154(1) of the Code of Administrative Court Procedure (VwGO).

The decision on provisional enforceability follows from Section 167 of the Code of Administrative Court Procedure (VwGO) in conjunction with Sections 708 No. 11 and 711 of the Code of Civil Procedure (ZPO).
</pre>

Making GDPR compliance easier through new initiatives: a key focus of the EDPB work programme 2026-2027

OGS Zagreb – Pn-877/2023-29