Data protection as an excuse?
Data protection as an excuse?

Data protection law sets the framework for the processing of personal data. It should not be forgotten that data protection is not an end in itself, and data protection law is not a law of prevention. It should not be misused as an excuse to prevent legitimate data processing. Here is an interesting case from Germany (Higher Regional Court Hamm judgment of April 26, 2023 - 8 U 94/22).


The dispute revolves around the release of a list containing the contact details of the members of an association with over 5000 members. The plaintiff, who is also a member, intended to contact other members to organize resistance against the board's actions and to influence opinion formation within the association. When the board refused to release the list, the plaintiff initially filed a lawsuit. After the lawsuit was dismissed in the first instance, the plaintiff appealed.

The court's decision

The court concluded that the plaintiff has a claim arising from the membership relationship to receive a list of members with their first and last names, and for legal entities, their names, addresses, and email addresses of the members.

It considered the scope of the GDPR to be applicable since, at least concerning natural persons, it involves personal data. However, the court regarded the requested disclosure as covered by Art. 6 para. 1 lit b GDPR.

The court justified this, among other things, as follows:

  • "Data protection law is enabling law, not preventive law. As Art. 6 para. 1 GDPR shows, it is accessory to the respective substantive law and does not oppose what substantive law demands but limits it only according to the teleology of the respective substantive legal area to what is required thereafter."
  • "Data protection law is accessory to civil law [...]. [W]hat is necessary for contractual fulfillment under civil law is also enabled by data protection law."
  • It is not relevant here whether national civil law applies because "what matters is not whether there is a contract within the meaning of the German Civil Code. Rather, what is decisive is whether the teleology of the permission provision in data protection law is fulfilled. In other words, it is crucial whether the legal relationship is established by private autonomy and the relevant obligation is therefore legitimized as an expression of self-determination." The requested disclosure is also considered necessary. The "obligation of the association to transmit a list of members with names, addresses, and email addresses to the member is already justified as necessary for the exercise of membership rights by way of balancing interests. The justification is based precisely on the fact that membership rights could not be effectively exercised or even be rendered meaningless without the obligation to provide information."

Therefore, the list had to be handed over to the member. The Higher Regional Court Hamm combines this with the note that, of course, the member is also subject to the GDPR for handling the list and may be personally liable for violations.

Practical Assessment - Data Protection Law is not Preventive Law

The term "contract" in Art. 6 para. 1 lit b GDPR should be interpreted autonomously by the Union. This can lead to a broad interpretation because a contract fundamentally includes everything that natural persons regulate within the scope of private autonomy. This includes - as in this case example - joining an association and being included in the list of members.

Often there is uncertainty about whether there is a legal conflict when the GDPR comes into play. Many see the GDPR as a superior norm that displaces other statutory provisions. However, the GDPR is designed to fit into the legal system. Data protection law follows (with few exceptions) civil law or public law. For example, there is no conflict between retention requirements due to corporate, tax, or regulatory requirements and the GDPR, as is often claimed in practice in many companies.

Link to the decision

The decision can be accessed under the following link:

Higher Regional Court Hamm, Judgment of April 26, 2023 - 8 U 94/22 (German only)

Do you have further questions?

Do you want to receive advice in the field of data protection law? Feel free to contact us at office@geuer.at or by phone at +43-1-4380072.

Scroll to Top