Dis­trict Labor Court of Hamm awards dama­ges for delay in pro­vi­ding data pro­tec­tion information

In a judgment of 11 May 2021, the Dis­trict Labor Court of Hamm (Case No. 6 Sa1260/20) gran­ted an action for non-material dama­ges in accordance with Artic­le 82(1) of the GDPR and award­ed a for­mer employee dama­ges for pain and suf­fe­ring in the amount of € 1,000. The court ruled that the delay in pro­vi­ding infor­ma­ti­on in accordance with Artic­le 15 of the GDPR con­sti­tu­ted a per­so­nal data breach.

Facts of the case

The ruling was based on an action for pro­tec­tion against dis­mis­sal brought by a for­mer employee (the plain­ti­ff) against her employ­er (the defen­dant). The plain­ti­ff asser­ted a cla­im to dama­ges for pain and suf­fe­ring in accordance with Artic­le 82 of the GDPR, based on the fact that her request for infor­ma­ti­on in accordance with Artic­le 15 of the GDPR had gone unful­fil­led for more than six months. During this time, the defen­dant had fai­led to pro­vi­de infor­ma­ti­on as to whe­ther it was pro­ces­sing the plain­ti­f­f’s per­so­nal data, or as to the pur­po­ses of the pro­ces­sing or the cate­go­ries of per­so­nal data concerned.

Key points of the ruling

The Dis­trict Labor Court of Hamm ruled that the plain­ti­ff had a cla­im to non-material dama­ges in accordance with Artic­le 82(1) of the GDPR, under which any per­son who suf­fers mate­ri­al or non-material dama­ge due to vio­la­ti­on of the GDPR may assert a dama­ge cla­im against the con­trol­ler or pro­ces­sor. The Dis­trict Labor Court of Hamm ruled that the fail­ure to pro­vi­de the reques­ted infor­ma­ti­on cau­sed the plain­ti­ff non-material dama­ges. But the defi­ni­ti­on of the term “dama­ge” has yet to be cla­ri­fied by the Court of Jus­ti­ce of the Euro­pean Uni­on. The con­clu­si­on that a qua­li­fied vio­la­ti­on of the GDPR is requi­red for a dama­ge cla­im is not evi­dent eit­her from the GDPR its­elf or from the Reci­tals, in the view of the Dis­trict Labor Court of Hamm, and the court rejec­ted the idea of a mate­ria­li­ty thres­hold for vio­la­ti­ons of the GDPR. In other words, the court adopted a broad inter­pre­ta­ti­on of the GDPR for dama­ge actions befo­re Ger­man labor courts.

The award of dama­ges for pain and suf­fe­ring was based on the fol­lo­wing considerations:

  • The court sta­ted that the amount of the fine should be based on the cri­te­ria spe­ci­fied in Artic­le 83(2) of the GDPR, which sta­tes that due regard is to be given to the natu­re, gra­vi­ty and dura­ti­on of the inf­rin­ge­ment, taking into account the natu­re, scope or pur­po­se of the pro­ces­sing con­cer­ned, as well as the num­ber of data sub­jects affec­ted and the level of dama­ge suf­fe­r­ed by them.
  • In this par­ti­cu­lar case, the court took into account “[…] all of the ways in which this spe­ci­fic data breach affec­ted the inju­red par­ty, as well as all cir­cum­s­tances lying in the iden­ti­ty of the offen­der, par­ti­cu­lar­ly tho­se rela­ting to situa­tio­nal aspects of the offen­se and the degree of guilt.”
  • The court con­side­red the fact that the reques­ted infor­ma­ti­on had not been pro­vi­ded pri­or to the ruling to be an aggravating fac­tor for the defendant.
  • The court also found that the plain­ti­ff fai­led to dili­gent­ly pur­sue her request for infor­ma­ti­on: “This indi­ca­tes that the degree to which she was per­so­nal­ly affec­ted by the ina­bi­li­ty to con­trol her per­so­nal data is limi­t­ed and makes it appear that the­re may be legi­ti­ma­te doubts as to the sus­taina­bi­li­ty of her request for infor­ma­ti­on. This cir­cum­s­tance is to be taken into account in deter­mi­ning the amount of the non-material dama­ges, but not for the ques­ti­on as to whe­ther such dama­ges exist.”
  • The fact that the defen­dant was a small busi­ness was given no weight by the court in asses­sing its finan­cial capacity.

Clas­si­fi­ca­ti­on of the decis­i­on and advice for companies

While other courts have avo­ided ruling whe­ther a delay in pro­vi­ding infor­ma­ti­on con­sti­tu­tes an inf­rin­ge­ment in terms of Artic­le 82(1) of the GDPR, and some have even ruled that this is not the case, the Dis­trict Labor Court of Hamm has taken a clear posi­ti­on on this ques­ti­on. Based on the amount of the dama­ges award­ed in this case, such claims may be pro­ble­ma­tic for com­pa­nies and pre­sent an unwan­ted cost fac­tor, par­ti­cu­lar­ly if they begin to pile up and are asser­ted by more than just a few employees or cus­to­mers. The­re are alre­a­dy some pro­vi­ders on the mar­ket which are pro­mi­sing data sub­jects a low-threshold and low-risk way to assert dama­ge claims via legal tech appli­ca­ti­ons. Accor­din­gly, if rulings like this one by the Dis­trict Labor Court of Hamm begin to accu­mu­la­te, com­pa­nies can expect to be con­fron­ted with more dama­ge claims in con­nec­tion with per­so­nal data brea­ches. We the­r­e­fo­re advi­se com­pa­nies to pre­vent this from hap­pe­ning by estab­li­shing a per­ma­nent and sca­lable pro­cess for respon­ding to requests for infor­ma­ti­on, as well as for all other rights of data sub­jects, and ensu­ring that such requests from data sub­jects are ans­we­red befo­re the sta­tu­to­ry deadline.

Plea­se let us know if you have any ques­ti­ons about the right of access in data pro­tec­tion law or if you need our help.

back

Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.