As part of a judgement dated 25 February 2021 (docket number: 17 Sa 37/20), the Baden-Wuerttemberg Labour Court of Appeals (the second out of three levels of the German labor court system) has clarified the requirements for an entitlement to immaterial damages in cases of a violation of the General Data Protection Regulation (GDPR). Over recent years, German employees across the country have identified and abused privacy-related GDPR instruments such as data subject access requests to try and gain leverage in settlement negotiations. More recently, claims for damages have also become en vogue in this respect. In this recent ruling, the Baden-Wuerttemberg Labour Court of Appeals has confirmed that, unlike DSARs, such damage claims are not low-hanging fruits for employees. In particular, the reasoning of the ruling will be helpful for companies to argue that the threshold of the burden of proof for damages is quite high. While the decision also provides interesting annotations on the requirements of standard contractual clauses within the meaning of the GDPR, the court did not need to address the scope of a possible entitlement to immaterial damages. As this question is repeatedly raised in courts, it becomes more and more likely that the European Court of Justice will have to rule on this issue in the near future.
The subject of the dispute was the employee’s alleged entitlement to immaterial damages in connection with the transfer of his personal data to the employer’s parent company in the US. The employer prepared to introduce a cloud-based HR information management system (“HR System”). In order to test the HR System, during April and May of 2017 the employer transferred the employee’s personal data to a workshare page of its parent company without the employee’s consent. The employer and the responsible works council agreed a works agreement on the use of the HR System and established categories of data to be used temporarily for this purpose. The personal data of the employees which were transferred were (at least in part) not covered by the works agreement. On 24 May 2018, one day before the effective date of GDPR, the employer and its US-based parent company concluded a comprehensive agreement on the processing of data and its protection. The employee argued that the transfer of his personal data constituted a violation of GDPR since there was no legal basis for the transfer. He further argued that this unlawful state had existed for almost two years and that it was possible that the data had been transferred to authorities within the US. The employee further claimed that he should be awarded immaterial damages for the violation of his privacy rights.
Both the labour court of the first instance and the labour court of appeals dismissed the motion filed by the employee. The Baden Wuerttemberg Labour Court of Appeal noted that processing of personal data for the purpose of testing the HR System was not covered by the works agreement and had no justification in German privacy laws either. The court confirmed that in principle this may lead to an entitlement to immaterial damages under GDPR. The court further noted that GDPR provisions on the transfer of personal data to third countries outside of the EU were not violated in this case. Insofar as personal data had been transferred during April and May of 2017, the provisions of GDPR had not yet come into force and were thus not applicable. Furthermore, the continued processing of data by the parent company after 25 May 2018 was covered by standard contractual clauses which – at the time – were viewed to be lawful.
In the opinion of the court, the burden of proof to demonstrate that a violation of the GDPR had caused a damage fell on the employee. The employer had not violated GDPR provisions in this case. The remaining violation of the Federal Data Protection Act and the works agreement was not enough to establish damages which would have needed to be compensated. The fruit of the poisonous tree doctrine does not apply under German law. Therefore, continued data processing was not “infected” by a violation of legal provisions before the effective date of GDPR. The mere possibility of misuse or transfer of the data by the parent company alone is not enough to show that the employee had incurred damages.