Data Subject versus Bavarian public broadcasting authority – Court Ruling (Germany, 2025)

The data subject owed broadcasting fees to the Bavarian public broadcasting authority for services since 2013. In 2021, the public broadcasting authority engaged P. GmbH, a debt-collection agency, to recover outstanding payments. In response to an information request by the data subject under § 11(8) RBStV, the broadcaster confirmed that such agencies could receive personal data as processors within the meaning of Article 28 GDPR. After learning this, the data subject requested access to the controller–processor agreement concluded between the broadcasting authority and P. GmbH, arguing that he was entitled to verify whether it met the formal and substantive requirements of Article 28(3) GDPR. This request was rejected by the broadcasting authority. The data subject then brought an action before the Administrative Court of Munich (VG München), which dismissed the claim, holding that neither § 11(8) RBStV nor the GDPR provided any legal basis for such an inspection right. The data subject subsequently filed an application for leave to appeal with the Higher Administrative Court (VGH München). The Court dismissed the data subject's application for leave to appeal and upheld the decision of the lower court. The Court held that neither the GDPR nor the national broadcasting law (§ 11(8) RBStV) conferred any right for individuals to inspect a controller–processor agreement concluded under Article 28 GDPR. The Court held that the authority to verify compliance with Article 28 GDPR lies exclusively with the competent supervisory authority under Article 51 GDPR, not with private individuals. For data subjects, Article 15 GDPR provides a right of access only to their own personal data, not to contractual documents between a controller and its processor. Accordingly, the Court found that the plaintiff lacked a legitimate legal basis for inspecting the contract, and that the broadcasting authority had lawfully refused the request.