Labor Court of Düsseldorf: EUR 5,000 in damages for defective information under the GDPR
After the Local Court of Wertheim imposed a fine in the amount of EUR 15,000 for failure to provide information, the Labor Court of Düsseldorf ruled on a case in which it found that provision of incomplete or inaccurate information, or failure to provide information in a timely manner, justifies a claim to non-material damages in the amount of EUR 5,000 (only in German).
The plaintiff in this case had worked for the defendant prior to requesting the information. Because this information was not provided in the required manner, in the plaintiff's view, the plaintiff sought damages for pain and suffering from the defendant in the amount of EUR 143,482.81, corresponding to the plaintiff's gross monthly salary for 12 months under the former employment relationship. In making its ruling, the court decided some interesting questions in data protection law as follows:
- If the data subject transmits his or her request for information to anyone in the company, e.g. the doorman (even if the latter is provided by an external service provider), this sets in motion the period for the provision of information in accordance with Article 12(3) Sentence 1 of the GDPR. In other words, companies need to heed requests which come in via all relevant channels, and not just those coming in via a "special data protection channel."
- The court found that the scope of the information which is to be provided is determined by the status at the time of the request for information. If additional personal data relating to the data subject is processed after this time, this information must be included as well if information is not provided in a timely manner (generally within one month). However, there is no need to provide information about data relating to the data subject which had previously been stored by the company but had since been deleted.
- If the defendant transmitted data to another controller in terms of data protection law (e.g. to another company in the same corporate group), the court found that it is not required to provide information about data processing which was performed by this third party on its own responsibility. Instead, the company is only required to identify the persons to whom the data had been disclosed. The company may be required to provide information about any processors it used, in the court's view, but the judgment apparently states that this information has to be expressly requested by the person making the request.
- With regard to the purposes of data processing, the court ruled that the company cannot simply cite the employment relationship as the purpose of processing, "namely its wind-up and termination, for the fulfillment of existing legal obligations and the protection of legitimate interests in accordance with § 26 of the Federal Data Protection Act and Article 6(1)(b), (c) and (f) of the GDPR," as this would fail to provide the necessary transparency. Accordingly, it should be kept in mind when providing information that a specific purpose must be identified for each processing activity and that generalized purposes should be avoided. Keeping proper records of processing activities may be helpful in this regard.
- The court also found that companies are not required to provide information about internal recipients, e.g. if the information was received by employees in specific departments of the company. Accordingly, the company is not required to expressly identify specific departments or individual employees.
- The plaintiff also requested a copy of all data which the company was storing about him, e.g. including e-mails relating to the plaintiff stored in the defendant's IT systems. The Labor Court of Düsseldorf denied this request, citing the principles of good faith and noting that this request is grossly disproportionate to the plaintiff's interest in performance. The District Court of Heidelberg reached the same conclusion in a comparable case.
Based on Article 82 of the GDPR, the court awarded the plaintiff non-material damages in the amount of EUR 5,000 for violations of the GDPR (EUR 500 for each of the first two months in which the defendant failed to provide the information, EUR 1,000 for each of the next three months and EUR 500 for each of the material defects in the information it provided). In summary, the court justified this damage award by noting that the company was "only" guilty of negligence and that more serious violations (in terms of failing to provide information) would require more severe penalties. It is also notable that the court took into account the controller's (i.e. the company's) financial capacity in assessing the amount of the damages. In other words, if the defendant can show that it has limited funds, this may impact the amount of the damages, in the court's view.
It will be interesting to see whether these findings will be upheld, since the court has allowed an appeal.