BGH Limits the Use of Article 15 GDPR in Claims Purchases: No Transfer as an Ancillary Right, No Standing to Sue in One’s Own Name

In its judgment of 24 February 2026 (case no. VI ZR 430/24), the German Federal Court of Justice (Bundesgerichtshof, “BGH”) dismissed the appeal on points of law brought by a Swiss stock corporation which, based on a claims purchase model, had asserted rights of access under Article 15 GDPR against a private health insurer. The Senate made clear that, in the case at hand, the data protection right of access had neither passed to the claimant by virtue of the agreed assignment nor passed, by analogy to section 401 of the German Civil Code (“BGB”), together with the assigned reimbursement and damages claims as a mere ancillary right. In addition, the assertion of the claim in the claimant’s own name failed because of the specific contractual structure of an authorised procedural standing arrangement.

The decision is significant in practice because it separates the data protection right of access under Article 15 GDPR from civil law claims enforcement models. The BGH does not treat the right of access as a generally available instrument for preparing pecuniary claims but ties its assertion closely to the actual ownership of the claim and the respective authority to conduct the proceedings. The judgment thus sets important limits, particularly for legal tech models, debt collection constellations, and mass claims in the insurance sector.

Facts

The claimant is a stock corporation based in Switzerland whose business model consists of having consumers assign to it, by way of claims purchases, claims against their contractual counterparties so that it can assert them in its own name. In the present dispute, it asserted claims belonging to six policyholders who held private health insurance and private long-term care insurance with the defendant insurer. In 2021, the claimant entered into agreements with those policyholders under which reimbursement claims and damages claims arising from allegedly excessive premiums were to be assigned. At the same time, the agreements provided for authorisations to assert rights of access and data portability claims.

By way of a staged action, the claimant sought, for various years in the period from 2010 to 2018, information on premium income, active tariffs, and premium increases in order, on that basis, to obtain findings that certain premium adjustments were ineffective and to quantify repayment claims. The Regional Court dismissed part of the claims as inadmissible and another part as unfounded. The Higher Regional Court of Hamm dismissed the appeal. In the appeal on points of law, the claimant pursued its claims only insofar as they concerned information under Article 15 GDPR.

The Core Issues of the Proceedings

At its core, the BGH had to decide three questions. First, whether the policyholders had effectively assigned their rights under Article 15 GDPR to the claimant at all. Second, whether the data protection right of access had in any event passed to the claimant, by analogy to section 401 BGB, as an ancillary right together with the assigned reimbursement and damages claims. Third, whether the claimant could at least assert the rights of access in its own name by way of an authorised procedural standing arrangement.

Key Findings of the BGH

No transfer based on the agreed assignment

The BGH first denied, already at the level of contractual interpretation, that rights of access under Article 15 GDPR had passed to the claimant. According to the wording of the assignment agreements, only “reimbursement claims and damages claims” were covered. By contrast, “rights of access and data portability claims” were not assigned but were merely mentioned separately for the purpose of their assertion. The Senate therefore made clear that the agreements could not be construed as showing that the policyholders had intended to transfer their rights under Article 15 GDPR to the claimant as well.

Article 15 GDPR is not a mere ancillary right within the meaning of section 401 BGB

Of practical relevance is the Senate’s further finding that the right of access under Article 15 GDPR also does not pass, by analogy to section 401 BGB, together with the assigned principal claims. According to existing case law, ancillary rights such as rights to information or to an account may pass together with a claim where they serve the enforcement of the principal claim. However, that is precisely not how the BGH understands Article 15 GDPR. According to the judgment, the right was not created to prepare or quantify pecuniary claims, but rather to enable the data subject to become aware of the processing of his or her data and to verify the lawfulness of that processing. In this way, the Senate expressly distinguishes the data protection right of access from classic accessory ancillary rights.

No ruling on the general transferability of Article 15 GDPR

It is equally noteworthy what the BGH did not decide. The Senate expressly stated that the question raised by the appellate court, namely whether claims under Article 15 GDPR are generally transferable, did not arise in the present case. The reason is that, under the specific agreement, no assignment had already occurred. The frequently debated fundamental question of the general transferability of the right of access therefore remains open.

Authorised procedural standing fails because of the specific contractual structure

Nor could the claimant assert the right of access in its own name in the alternative. The BGH classified the issue of authorised procedural standing as a procedural requirement and examined the claimant’s authority to conduct the proceedings independently under German procedural law. In the end, however, the claimant failed because the specific agreement did not contain a sufficiently clear authorisation to assert third-party rights of access in its own name. According to the wording and structure of the contractual clauses, the auxiliary authorisation for the “enforcement of the above-mentioned claims in one’s own name” related only to reimbursement and damages claims, but not to rights of access and data portability claims. In addition, in the Senate’s view, it remained unclear when the scenario envisaged as “purely auxiliary” was supposed to arise at all. To that extent, the action was already inadmissible.

Implications for Practice

The decision is important for companies, first, because it places limits on claims purchase and debt collection models in the data protection context. The BGH prevents Article 15 GDPR from readily becoming an annex-like information-gathering instrument for third parties who have purchased pecuniary claims. In future, controllers will be able to argue, with good reason, that the assignment of repayment or damages claims does not automatically entail an independent standing to assert Article 15 GDPR.

The decision is equally important for the doctrinal classification of the right of access. The BGH does not understand Article 15 GDPR merely in functional terms as a preliminary step in the enforcement of other claims but instead maintains the autonomous data protection purpose of this transparency and control right. From a corporate perspective, this is ambivalent. On the one hand, the judgment limits the usability of Article 15 GDPR in claims purchase models. On the other hand, it also reinforces the autonomous character of the right of access as a data subject right. Companies should therefore not misconstrue the decision as meaning that economically motivated access requests are generally excluded. The Senate rules only on ownership of the claim and authority to conduct proceedings in the specific third-party model before it.

The judgment is particularly relevant for the insurance industry and other sectors characterised by standardised mass business. It concerns constellations in which third parties attempt to combine data protection rights of access with civil law repayment or damages models to prepare mass proceedings more efficiently. In this respect, the BGH provides procedural and substantive legal clarity in favour of controllers, at least where the specific contractual structure does not provide a reliable basis for a transfer of the right or for procedural standing.

What Companies Should Do Now

1. Carefully review standing and the legal basis of the claim

Where companies receive access requests from legal tech providers, debt collection service providers, or claims purchasers, they should in future examine more closely on which legal position the request is based. A distinction must be drawn between the sender’s own claim, a mere authorisation to act in the name of the data subject, and an alleged assertion of a third party’s right in the sender’s own name. The judgment shows that these distinctions may be decisive in the proceedings.

2. Assess contractual structure and authority not only formally, but systematically

The BGH based its decision to a significant extent on the wording and systematic structure of the contractual clauses used. Companies should therefore not stop at labels when reviewing assignment agreements and powers of attorney submitted to them but should carefully analyse which claims are actually covered and how the individual clauses relate to one another.

3. Do not overextend the judgment

The decision does not mean that Article 15 GDPR may in future be asserted only personally and never with the assistance of third parties. The BGH expressly left open the general transferability of the right of access. Nor did it decide that procedural standing is generally excluded in data protection law. Companies should therefore apply the judgment specifically to constellations involving comparable contractual arrangements and comparable claims purchase models.

Conclusion

With VI ZR 430/24, the BGH places clear limits on attempts to reinterpret data protection rights of access, via claims purchase models, as economically exploitable ancillary rights. The Senate clearly separates Article 15 GDPR from the assigned reimbursement and damages claims and rejects a transfer by analogy to section 401 BGB. At the same time, the decision shows that even an authorised procedural standing arrangement is not established merely by broadly worded standard clauses but requires a precise and sufficiently robust legal basis for authorisation. For companies, the judgment is therefore an important signal. Article 15 GDPR remains a strong data subject right, but it cannot readily be transformed into a general instrument of commercial claims enforcement.