In a judgment of 11 May 2021, the District Labor Court of Hamm (Case No. 6 Sa1260/20) granted an action for non-material damages in accordance with Article 82(1) of the GDPR and awarded a former employee damages for pain and suffering in the amount of € 1,000. The court ruled that the delay in providing information in accordance with Article 15 of the GDPR constituted a personal data breach.
Facts of the case
The ruling was based on an action for protection against dismissal brought by a former employee (the plaintiff) against her employer (the defendant). The plaintiff asserted a claim to damages for pain and suffering in accordance with Article 82 of the GDPR, based on the fact that her request for information in accordance with Article 15 of the GDPR had gone unfulfilled for more than six months. During this time, the defendant had failed to provide information as to whether it was processing the plaintiff’s personal data, or as to the purposes of the processing or the categories of personal data concerned.
Key points of the ruling
The District Labor Court of Hamm ruled that the plaintiff had a claim to non-material damages in accordance with Article 82(1) of the GDPR, under which any person who suffers material or non-material damage due to violation of the GDPR may assert a damage claim against the controller or processor. The District Labor Court of Hamm ruled that the failure to provide the requested information caused the plaintiff non-material damages. But the definition of the term “damage” has yet to be clarified by the Court of Justice of the European Union. The conclusion that a qualified violation of the GDPR is required for a damage claim is not evident either from the GDPR itself or from the Recitals, in the view of the District Labor Court of Hamm, and the court rejected the idea of a materiality threshold for violations of the GDPR. In other words, the court adopted a broad interpretation of the GDPR for damage actions before German labor courts.
The award of damages for pain and suffering was based on the following considerations:
- The court stated that the amount of the fine should be based on the criteria specified in Article 83(2) of the GDPR, which states that due regard is to be given to the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage suffered by them.
- In this particular case, the court took into account “[…] all of the ways in which this specific data breach affected the injured party, as well as all circumstances lying in the identity of the offender, particularly those relating to situational aspects of the offense and the degree of guilt.”
- The court considered the fact that the requested information had not been provided prior to the ruling to be an aggravating factor for the defendant.
- The court also found that the plaintiff failed to diligently pursue her request for information: “This indicates that the degree to which she was personally affected by the inability to control her personal data is limited and makes it appear that there may be legitimate doubts as to the sustainability of her request for information. This circumstance is to be taken into account in determining the amount of the non-material damages, but not for the question as to whether such damages exist.”
- The fact that the defendant was a small business was given no weight by the court in assessing its financial capacity.
Classification of the decision and advice for companies
While other courts have avoided ruling whether a delay in providing information constitutes an infringement in terms of Article 82(1) of the GDPR, and some have even ruled that this is not the case, the District Labor Court of Hamm has taken a clear position on this question. Based on the amount of the damages awarded in this case, such claims may be problematic for companies and present an unwanted cost factor, particularly if they begin to pile up and are asserted by more than just a few employees or customers. There are already some providers on the market which are promising data subjects a low-threshold and low-risk way to assert damage claims via legal tech applications. Accordingly, if rulings like this one by the District Labor Court of Hamm begin to accumulate, companies can expect to be confronted with more damage claims in connection with personal data breaches. We therefore advise companies to prevent this from happening by establishing a permanent and scalable process for responding to requests for information, as well as for all other rights of data subjects, and ensuring that such requests from data subjects are answered before the statutory deadline.
Please let us know if you have any questions about the right of access in data protection law or if you need our help.back