This ruling by the Administrative Court (VGH) in Munich deals with the question of whether an individual has the right to inspect a data processing agreement concluded between a broadcaster and a debt collection company in accordance with Art. 28 GDPR. The VGH rejected this claim and thus confirmed the decision of the Administrative Court of Munich.
Plaintiff demands access to data processing agreement
The plaintiff has been required to pay the broadcasting fee since 2013. In 2021, the broadcaster commissioned P. GmbH as a debt collection agency to enforce outstanding receivables. Specifically, this concerned outstanding broadcasting fees for the period from April 2014 to June 2015 in the amount of EUR 264.32. In August 2021, the plaintiff applied to the defendant for information pursuant to Section 11 (8) RBStV, which was issued in September 2021. In this information, a debt collection company was also named as a possible recipient of data.
On September 29, 2021, P. GmbH informed the plaintiff in writing that it was acting as a processor within the meaning of Art. 28 GDPR and explained its role in this regard. Thereupon, on October 7, 2021, the plaintiff requested the defendant to inspect the data processing agreement concluded between the broadcaster and P. GmbH pursuant to Art. 28 GDPR. This request was rejected by the defendant. The plaintiff then brought an action before the Administrative Court of Munich with the aim of enforcing access to the contract. The Munich Administrative Court dismissed this action in a ruling dated December 6, 2023. The application for leave to appeal before the VGH Munich was also unsuccessful.
Basis of entitlement for inspection by the data subject
The plaintiff argued that he was entitled to inspect the contract in accordance with Section 11 (8) sentence 1 RBStV. This provision regulates the general right to information about the processing of personal data in connection with the broadcasting fee. The plaintiff interpreted this provision to mean that it also includes disclosure of the specific processing contract. However, the court clarified that this paragraph only grants a general right to information about recipients and categories of personal data. An individual right to inspect the specific contract cannot be derived from this.
In addition, the plaintiff invoked Art. 28 GDPR, which sets out the obligations of controllers and processors. The plaintiff argued that this provision not only regulates contractual obligations, but also implicitly contains a right of access for data subjects. The court rejected this argument and clarified that Art. 28 GDPR does not provide for an individual right of access. Rather, the provision exclusively regulates the obligations that the controller and the processor must fulfill as part of their cooperation.
A further argument of the plaintiff referred to Art. 15 GDPR. According to this provision, data subjects have a right to information about the processing of their personal data. The plaintiff attempted to interpret this right to information in such a way that it also includes the disclosure of internal documents such as the data processing agreement. The court also rejected this argument and clarified that Art. 15 GDPR only grants a right to information about one's own personal data, but does not provide for a general right to inspect internal documents.
Irrelevance of a right to inspect files
The plaintiff attempted to base his right to inspect the order processing contract on an unwritten right to inspect files, which could arise from Art. 29 BayVwVfG. Art. 29 BayVwVfG regulates the right of parties involved in administrative proceedings to inspect files. According to this principle, a party may be granted access to the files relating to the proceedings upon request, provided that a legitimate interest can be demonstrated and there are no overriding public or private interests to the contrary.
In this context, the plaintiff argued that in order to review the legality of the data processing agreement concluded between the broadcaster and P. GmbH, he had to inspect this agreement. He claimed that without this inspection, he would be deprived of the opportunity to check for himself whether the contract complies with the contents prescribed in Art. 28 para. 3 GDPR.
However, the court rejected this argument on the grounds that monitoring compliance with the GDPR - in particular with regard to the content and effectiveness of a data processing agreement - is the task of the competent supervisory authority. An individual right of a data subject to independently review this contract is not provided for by law. Furthermore, the VGH found that the plaintiff did not have a legitimate interest, as would be required to grant the unwritten right to inspect files. In the opinion of the court, the mere desire to verify the legality of such a contract was not sufficient to justify a legitimate interest within the meaning of the applicable regulations.
The court expressly referred to the existing control mechanisms by the competent data protection supervisory authority, which guaranteed the data subjects sufficient legal protection. The plaintiff's attempt to invoke the unwritten right to inspect files was therefore rejected as unfounded
Responsibility of the data protection supervisory authority
Pursuant to Art. 51 Para. 1 GDPR and Art. 21 Para. 1 Sentence 2 BayRG, the Broadcasting Data Protection Officer is responsible for monitoring the data protection compliance of broadcasters. This acts as an independent supervisory authority with the task of monitoring compliance with the General Data Protection Regulation and enforcing its application.
The Broadcasting Data Protection Officer is authorized to take action in the context of a complaint pursuant to Art. 77 GDPR. This option to lodge a complaint gives data subjects the opportunity to initiate a formal review in the event of suspected data protection violations. In this case, the VGH Munich emphasized that data subjects who have doubts about the lawfulness of the processing of their personal data should first and foremost use this option to lodge a complaint.
The court clarified that the supervisory authority is explicitly responsible for checking compliance with Art. 28 GDPR, in particular with regard to the obligations set out in data processing agreements. Private individuals cannot carry out this review independently by directly inspecting the data processing agreement. This clear regulation of responsibilities illustrates the character of the GDPR as a comprehensive and coherent protection instrument that assigns the enforcement and monitoring of data protection requirements to the authorities in particular.
No right to inspect order processing contracts from GDPR
Overall, the court came to the conclusion that neither the Interstate Treaty on Broadcasting Contributions nor the General Data Protection Regulation grant an individual right to inspect order processing contracts. The plaintiff's claim therefore proved to be unfounded.
The court refused to allow the appeal due to a lack of serious doubt as to the correctness of the judgment of the lower court. It also found that the case was not of fundamental importance and that there was no procedural defect.
Reading tip: Federal Fiscal Court - "Disproportionate effort" not a reason for refusing a request for information
Implications for practice
The ruling makes it clear that the General Data Protection Regulation does not provide for a transparency obligation with regard to the disclosure of data processing contracts to individuals. In practice, data subjects who have doubts about the lawfulness of data processing are therefore referred to the competent supervisory authority.
This means for data protection and compliance officers:
- The design of order processing contracts should comply exactly with the requirements of Art. 28 GDPR. However, data subjects have no right to inspect these contracts.
- Data subjects must be informed of their rights to information in accordance with Art. 15 GDPR.
- It is advisable to clearly communicate the contact to the responsible data protection supervisory authority in order to ensure transparency and legal certainty.
The ruling confirms the established case law on the role of the data protection supervisory authority and at the same time clarifies the limits of individual rights when reviewing data processing agreements.
Source: Decision of the Bavarian Administrative Court of 21.02.2025 - 7 ZB 24.651
Do you still have questions about dealing with requests for information? Our experts will support you with individual solutions. Get in touch with us:
☎️ +49 (228) 926165-100
📧 info@2b-advice.com
English 
German 
Italian 
French