If you are filing a data access request and it is clear that the intention is something other than finding out whether the processing of the data was lawful, the controller can refuse your request, according to the Higher Court of Nuremberg in Germany.

The court ruled that the data subject was obviously not interested in verifying the lawfulness of the processing, but rather to check whether the adjustments made by the controller — a health insurance company — to the premiums were formally compliant with German insurance law. As a consequence, the court concluded that the request was abusive.

This is both an interesting ruling on its own, and quite relevant in light of CPRA, CDPA, CPA, UCPA and CTCPA. Beware!