Employee's claim for damages due to employer's data protection violation

If employers violate data protection regulations that also exist to protect employees, this may give rise to claims for damages by employees. In this decision, the Federal Labor Court established important principles regarding the requirements for a claim for damages, but also regarding its appropriate amount.

Facts of the case

The defendant processed the personal data of its employees for payroll purposes, among other things, using human resources management software. In 2017, there were plans to introduce Workday as a uniform human resources information management system throughout the group. The defendant transferred the plaintiff's personal data from the software previously used to the group's parent company in order to populate Workday for testing purposes. The preliminary test operation of Workday was regulated in a works agreement. According to this, the defendant was to be permitted to transfer, among other things, the name, date of entry, place of work, company, business telephone number, and email address. The defendant also transferred other data relating to the plaintiff, such as salary information, private residential address, date of birth, marital status, social security number, and tax ID.

The plaintiff argued that, pursuant to Art. 82(1) GDPR, he was entitled to non-material damages in the amount of €3,000.00 for a violation of the General Data Protection Regulation applicable from May 25, 2018. The defendant had exceeded the limits of the works agreement.

The lower courts dismissed the action. In its decision of September 22, 2022 (8 AZR 209/21 (A) – BAGE 179, 120), the Senate suspended the appeal proceedings and requested the Court of Justice of the European Union (CJEU) to answer legal questions concerning the interpretation of EU law. The ECJ answered these questions in its judgment of December 19, 2024 (C-65/23 – [K GmbH]).

The plaintiff's appeal was partially successful before the Eighth Senate of the Federal Labor Court.

Reasons for the decision

The plaintiff is entitled to damages from the defendant pursuant to Art. 82 (1) GDPR in the amount of €200.00.

(The cited provision reads: “Any person who has suffered material or non-material damage as a result of an infringement of this regulation shall have the right to receive compensation from the responsible party or the data processor.”)

Insofar as the defendant transferred personal data other than that permitted under the works agreement to the parent company, this was not necessary within the meaning of Art. 6(1)(f) GDPR and thus violated the General Data Protection Regulation.

(The cited provision reads: “Processing shall be lawful only if at least one of the following conditions is met: ... f) processing is necessary for the purposes of the legitimate interests pursued by the responsible party or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”)

The plaintiff's intangible damage lies in the loss of control caused by the transfer of personal data to the parent company. During the oral hearing before the Senate, the plaintiff clarified that he no longer claims that the transfer of the data covered by the works agreement was also unnecessary. The Senate therefore did not have to examine whether the works agreement was designed in such a way that the requirements of the General Data Protection Regulation were met.

Practical note

Not everything that is technically possible is also permitted! The processing of employee data (collection, recording, organization, sorting, storage, adaptation or modification, retrieval, consultation, use, disclosure, transmission, dissemination, provision, comparison or linking, restriction, erasure, or destruction) requires a substantive legal basis. As the Federal Labor Court indicates in a marginal note in this decision, the mere existence of a works agreement is not sufficient for this purpose; even if such a works agreement exists, it must be examined in the event of a dispute to determine whether it permissibly authorizes the data agreement. If these requirements are not met, this can lead not only to claims for damages, but also to injunctive relief.

Employers should carefully consider this before purchasing and installing the relevant tools. This applies in particular in cases where a technical device is used to collect data partly in fulfillment of legal obligations (e.g., under the German Driving Personnel Act) and partly for purposes for which there is no legal basis under data protection law. If, in this case, it is not possible to make technical adjustments to the tool used, the employer finds itself in a dilemma: until the tool is replaced, it cannot fulfill its obligation to collect data without violating existing data protection regulations.