The question of whether data subjects can access the data processing agreement (DPA) between a Controller and a Processor frequently arises in the context of data protection disputes or data subject access requests (DSAR). In its decision dated 21 February 2025 (file number: 7 ZB 24.651), the Bavarian Administrative Court (VGH) ruled that data subjects do not have such a right. Below, we have briefly summarized the court's factual and legal key considerations:

A. Factual Background

The defendant, a public broadcasting institution, has been collecting broadcasting fees from the plaintiff since 2013. For this purpose, the defendant engaged the debt collection company P.

The plaintiff now seeks access to the DPA between the defendant and the debt collection company P under Article 28 of the General Data Protection Regulation (GDPR). The Administrative Court (VG) had already dismissed the lawsuit. The VGH has now rejected the application for admission to appeal.

B. No Access Right

The VGH decided that data subjects do not have the right to access such contracts. According to the court, the plaintiff does not have a right to inspect the files following from applicable administrative law against the defendant. The right of access to the file under the Bavarian Administrative Procedure Act (BayVwVfG) requires a legitimate interest for access. In the present case, the court reasoned that the plaintiff did not have such a legitimate interest, as the interest to verify whether a valid data protection agreement with the content prescribed by Article 28(3) of the GDPR had been concluded was not considered as sufficient. 

This is because, according to Art. 51 (1) GDPR, the data protection authority is responsible for monitoring the application of the GDPR, not private individuals. Under Art. 15 of the GDPR, the data subject only has the right to information about their own personal data. They do not have the right to independently verify the lawfulness of a DPA. The court concluded that the plaintiff does not have a legitimate interest in examining the conclusion and lawfulness of a DPA. The application for leave to appeal was therefore rejected.

C. Impact on Businesses

Public companies/institutions will therefore be able to use the Court's reasoning to refuse requests for access to existing DPAs. But overall, the ruling provides a useful argument for both public and private companies in their day-to-day DSAR practices to refuse to disclose DPAs and instead refer claimants to their right to information to the extent regulated by GDPR. This can reduce administrative burdens. In addition, the ruling strengthens the position of data controllers, as DPAs often contain sensitive information on security measures or trade secrets.

At Reed Smith's Emerging Technologies Group, we are dedicated to guiding you through the complexities of data and digital-related challenges. Stay informed on the latest developments in privacy and platform litigation by subscribing to our authors and following #TechLitigationNews.