Judgment: data protection in employment relationships; high standards for a damage claim
The District Labor Court of Baden-Württemberg, in a Judgment of 25 February 2021 (Case No. 17 Sa 37/20) (only in German), ruled on the question of claims for non-material damages in case of violations of the General Data Protection Regulation (GDPR) relating to data transfers to a third country (the US). In its ruling, which we will introduce at length below, the court also dealt with a number of other aspects of data protection law which are highly relevant for companies.
The Facts of the Case
The case involved a dispute between a company and an employee seeking compensation for non-material damages in accordance with Article 82(1) of the GDPR. The defendant, the company, was a member of a corporate group based in the US for which the cloud-based HR information management system Workday (hereinafter, "Workday") was introduced in 2017 on a trial basis. Workday was not used as the Group's HR management system; between April 2018 and May 2018, however, the defendant transferred the plaintiff's personal data to the Group's internal Sharepoint site to be fed into Workday on a trial basis. The company had concluded a works agreement with the works council under which the works council agreed to tolerate use of Workday; this agreement was extended through 31 January 2019 and allowed for preliminary operation. This agreement was replaced by a framework agreement and, in January 2019, an additional agreement was entered into concerning the launch and operation of Workday. Beyond the scope of this agreement, other personal data of the plaintiff were also transferred to the US. The plaintiff considered these transfers to be a violation of the GDPR and sought compensation for non-material damages, arguing that his personal data were not adequately protected from access by the US authorities and that the possibility that his data had been transferred to those authorities could not be ruled out.
The Court's Decision
The District Labor Court of Baden-Württemberg (only in German) dismissed the complaint as unfounded and declined to award the employee damages in accordance with Article 82 of the GDPR. The court noted that the data subject generally bears the burden of proof for the circumstances establishing the claim. In the court's view, the data subject has not entirely succeeded in furnishing the necessary evidence that the defendant should be regarded as the controller for the data processing in question, that the data processing violates the provisions of the General Data Protection Regulation or other relevant national legislation or that this violation was responsible for causing damages to the data subject.
The court did consider the data processing in question to be a "violation of this Regulation," given that this term includes not only the provisions of the GDPR but also all violations of regulations which were issued based on an opening clause, such as § 26 of the Federal Data Protection Act. The court found that the defendant lacked the necessary legal basis for (continued) storage of the data subject's data in Sharepoint. It noted that, while § 26(4) of the Federal Data Protection Act allows the processing of employee data based on a collective agreement, the processing in the present case cannot be based on § 26(4) of the Federal Data Protection Act in conjunction with the works agreement or on Article 6(1) of the GDPR since the agreement relates exclusively to Workday and does not provide for use of Sharepoint. In the court's view, § 26(1) of the Federal Data Protection Act does not afford a legal basis for processing during the trial period. Under that statute, personal data may be processed if necessary for the aforementioned purposes, but a platform which was not used for HR management purposes is not considered "necessary." The court found that the processing activities through January 2019 also could not be based on Article 6(1)(f) of the GDPR in the absence of a legitimate interest, since the tests could also have been performed with fictional data.
However, the court did not find that these actions violated the provisions in Chapter V of the GDPR concerning the transfer of personal data to third countries like the US. As grounds for this decision, the court pointed out that the transfer had been completed once the data had been transferred and stored by the recipient. Since the transfer was completed prior to 25 May 2018 in the present case, the court correctly ruled that the GDPR does not apply.
At the appeal hearing, the employee for the first time also asserted a claim for compensation of non-material damages based on the defendant's alleged failure in 2017 to provide adequate and timely information in terms of Article 12 of the GDPR and the subsequent Articles. The amendment to the complaint was ruled inadmissible in the absence of the defendant's consent in accordance with §§ 533 and 263 of the Civil Procedure Code, as it failed to satisfy formal requirements.
This decision is a welcome development for companies because it sets high standards for damage claims based on violations of the GDPR. Specifically, the court clarified that, while the risk of data abuse or loss of control may establish a damage claim in accordance with Article 82(1) of the GDPR, it is necessary to show a causal relationship between the violation and the damages, which has to be explained and proven by the claimant. This makes it much harder for plaintiffs to act in an abusive manner by asserting damage claims based on mere allegations of data processing and GDPR violations. But it should be kept in mind that the court's ruling does not create legal certainty and does not address the question as to when compensation may be sought for non-material damages.
The following are also relevant aspects of the decision:
- The storage of personal data as of 24 May 2018 is to be measured by the standards of the GDPR, but transfers which occur before that date are not subject to the GDPR.
- Violations of § 26(4) of the Federal Data Protection Act in conjunction with a works agreement are not enough by themselves to establish a damage claim. Moreover, violations occurring before the GDPR took effect do not "infect" subsequent lawful processing and trigger a damage claim.
- In the court's view, which can be criticized as overly narrow, neither § 26(1) of the Federal Data Protection Act nor Article 6(1)(f) of the GDPR can serve as the legal basis for software testing, due to lack of necessity. However, processing may be based on § 26(4) of the Federal Data Protection Act provided a collective agreement exists.
- Companies should create processes in order to avoid erroneous or untimely responses to requests for information in accordance with Article 15 of the GDPR. While the decision did not address this question, and although the court ruled that an amendment of the complaint in this direction was inadmissible as part of the appellate proceedings, it also indicated that a damage claim based on the data subject's right of access is not out of the question.