Germany: BAG – Compensation for Unlawful Data Processing

Written By

Dr. Barbara Geck

Partner
Germany

As a partner and specialist lawyer for employment law in our Frankfurt office, I head our German Employment group and I am a member of our International HR Services groups.

Franziska Fiedler

Associate
Germany

As an associate in our Frankfurt office and a member of our German Employment and International HR Services Groups, I advise in all areas of individual and collective employment law, especially in the field of company pension schemes.

(Judgment of the Federal Labor Court of May 8, 2025 - 8 AZR 209/21)

Damage, in terms of a loss of control, is to be assumed if data is unlawfully transferred to another Group company.

GDPR principles - in particular Art. 6 GDPR - must always be observed

The Federal Labor Court awarded an employee non-pecuniary damages in the amount of EUR 200.00 after the employer had entered additional personal data into the "Workday" HR management software beyond the agreed limits of a concluded works agreement. This data processing was considered by the courts to be unlawful as the principles of Art. 6 GDPR had not been complied with. In the view of the court, the unlawful transfer of personal data within the Group resulted in a loss of control, which in turn constitutes non-pecuniary damage. 

In connection with the introduction of the HR management software "Workday", the parties to the works agreement had stipulated which data may be entered into "Workday" for test purposes. Since the agreed limits had been exceeded, the employer could not rely on the works agreement as the legal basis for the data processing that had taken place. As the additional data entered into "Workday" was already being processed in SAP for payroll purposes, the employer was also unable to invoke legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR to justify the data processing that had taken place.

Against this backdrop, the plaintiff ultimately claimed damages in the amount of EUR 3,000. While the lower courts denied the claim for damages and dismissed the action, the plaintiff partially prevailed in the appeal and the Federal Labor Court awarded damages in the amount of EUR 200.00.

In its decision of 22 September 2022, the Federal Labor Court also referred various questions to the ECJ regarding the structure of works agreements relevant to data protection, as the data transfer to "Workday" was at least partially based on a works agreement. However, the clarifying decision of the ECJ of 19 December 2024 (case no. C-65/23) was no longer to be taken into account by the Federal Labor Court in the present case. Since the plaintiff stated in the oral hearing before the Senate that he was only relying on the data processing that went beyond the existing works agreement to justify his claim for damages under Art. 82 GDPR, the Federal Labor Court was no longer required to carry out a more detailed examination of whether the works agreement complied with the requirements of the GDPR.

Outlook on the development of case law

The decision of the Federal Labor Court is currently only available as a press release. It is not expected that the reasons for the ruling will contain a fundamental statement on the data protection requirements for the design of collective agreements. However, this remains to be seen. In view of the development of case law to date, it is possible that the Federal Labor Court will not miss the opportunity to make a fundamental statement – in the necessary brevity – on the data protection requirements when drafting works agreements. After all, practitioners would certainly welcome such a clarification.

It will also be interesting to see how the Federal Labor Court will assess the loss of control as a damage item in this case and justify the amount awarded.

Most recently, the Federal Labor Court (see judgment of February 20, 2025 – 8 AZR 61/24) found that a loss of control can normally only be justified in a situation in which "the person concerned has a well-founded fear of data misuse. [...] The mere invocation of a certain emotional state is not sufficient. [...] The more serious the consequences of a breach of the General Data Protection Regulation are, the closer there is a well-founded fear of data misuse." However, this clarification was only issued with regard to claims for damages based on a breach of information rights pursuant to Art. 15 GDPR. Even if the GDPR assumes that requests for information must be fulfilled without delay, the Federal Labor Court believes that an unjustified delay is not necessarily an indication that there is a fear of data misuse.

In contrast, the Federal Court of Justice (see judgment of February 11, 2025 – VI ZR 365/22) recently appeared to interpret the assumption of a loss of control more generously. In its view, the existence of a mere, temporary loss of control was sufficient, which was to be assumed as a rule in the case of unlawful data processing. A further "actual violation of personal rights" or even an impairment that "goes beyond an individually perceived inconvenience or seriously impairs the self-image or reputation" is not necessary to justify the claim for damages under Art. 82 GDPR.

However, as the ECJ has also made it very clear that in order to assume a claim for damages under Art. 82 GDPR, in addition to the description of the breach of the regulation, damage caused by the breach must also be presented and proven separately, case law will have to be very precise and differentiated in future as to what concrete requirements must be placed on the assumption of a loss of control as a damage item. The limits and scope of the term "loss of control" must be clearly defined. Otherwise, there is a risk of a boundless expansion of the law on damages. The legislator, according to this view, did not want to establish a catch-all offense in the assumption of a loss of control. If, on the other hand, any form of data processing in breach of the regulation is subsumed under loss of control, there is a risk of a systemic expansion of the sanctions regime of the General Data Protection Regulation. In particular, if the finding of a breach of the regulation per se already constitutes a reasonable assumption of a loss of control, the boundaries of the individual elements of Art. 82 GDPR – breach of the regulation, occurrence of damage and causality – risk becoming blurred. However, this is not the intention and the ECJ has already taken a clear position in this respect. National case law is also bound by this.
