Germany: GDPR – Contours for employment-related data protection further sharpened

Written By

Dr. Barbara Geck

Partner
Germany

As a partner and specialist lawyer for employment law in our Frankfurt office, I head our German Employment group and I am a member of our International HR Services groups.

Franziska Fiedler

Associate
Germany

As an associate in our Frankfurt office and a member of our German Employment and International HR Services Groups, I advise in all areas of individual and collective employment law, especially in the field of company pension schemes.

Data protection requirements are further tightened by the European Court of Justice (ECJ) and German courts, particularly with respect to the use of shop agreements.

Federal Labour Court: Opportunity for landmark ruling missed?

The Federal Labour Court (judgment of 8 May 2025 – 8 AZR 209/21) recently had to rule on an employee's claim for damages under Article 82 GDPR. The employer had entered further personal data into the personnel management software "Workday" for testing purposes beyond the agreed limits of a concluded shop agreement and thus transferred it to another group company. This unlawful transfer of data to another group company resulted in a loss of control as non-pecuniary damage, with the consequence that the plaintiff was awarded damages of EUR 200.00 as compensation (read our article BAG – Compensation for Unlawful Data Processing).

Since the Federal Labour Court had also referred various questions to the ECJ during the proceedings regarding the data protection-relevant structure of shop agreements as a basis for authorisation (see ECJ, judgment of 19 December 2024 – C-65/23), many hoped for a fundamental ruling. They expected it would clearly outline the relevant limits and obligations of data protection in the employment context and thus ensure legal certainty. This ruling fell short of these expectations. During the oral hearing, the plaintiff had limited the subject matter of the dispute. As a result, no further review of the underlying shop agreement's compliance with GDPR principles was necessary. Against this background, the Federal Labour Court did not comment in detail on this issue in its judgment, which is now available. 

Surprisingly, the judgment is very brief overall and there are no explanatory comments on the classification and harmonisation of previous labour and civil law case law. Nevertheless, the judgment contains some findings that make it clear that, although the data protection requirements in the employment context have not yet been conclusively defined, they are nevertheless interpreted and assessed rather strictly, so that it is generally advisable not to take data protection in the workplace lightly. 

1. Urgent need for reform of Section 26 para 1 German Data Protection Act

In the above-mentioned ruling, the Federal Labour Court once again stated that the national basic standard for data processing in the employment context – Section 26 para 1 German Data Protection Act (BDSG) – must remain inapplicable. Since the requirements of the opening clause pursuant to Article 88 GDPR have not been adequately implemented by the German legislature, the standard does not constitute a valid legal basis for data processing.

Two years ago, the continued applicability of Section 26 para 1 BDSG was already questioned by an ECJ judgment (see judgment of 30 March 2023 – C-34/21) (read our article Shop agreements no more a basis for data processing?). In this judgment, the ECJ found that Section 23 HDSIG, the wording of which corresponds to that of Section 26 para 1 BDSG, was incompatible with Article 88 GDPR. Because Section 23 HDSIG merely repeated general data protection principles but did not regulate "more" for the protection of personal data, there was no "more specific" provision within the meaning of Article 88 GDPR. However, if an exception is to be allowed – contrary to the full harmonisation of data protection levels within the Member States actually intended by the legislator – it must also go beyond the GDPR provisions in terms of regulatory content. This was not the case with Section 23 HDSIG. The Federal Labour Court has now also ruled that this applies to Section 26 para 1 BDSG. Here, too, only the general principles are repeated; furthermore, no special protective measures in accordance with Article 88(2) GDPR are stipulated.

The legislator should now finally take measures to resolve the known incompatibility issues and establish reliable legal standards for data processing in the employment context.

2. Loss of control as a catch-all provision under Article 82 GDPR?

The grounds for the judgment in the above-mentioned proceedings were also eagerly awaited in light of the legal reasoning behind the assumed loss of control as an intangible item of damage. While the Federal Court of Justice was still much more generous in this regard in February, the Federal Labour Court had imposed even stricter requirements in connection with a delay in complying with a request for information under Article 15 GDPR. It demanded concrete proof of the fear of data misuse to justify the claim for damages (see judgment of 20 February 2025 – 8 AZR 61/24).

Against this background, the brevity of the actual reasoning provided is surprising. The Federal Labour Court simply concurred with the view of the Federal Court of Justice, referring to its case law (see judgment of 11 February 2025 – VI ZR 365722). A brief loss of control over personal data is sufficient to assume liability for damages, especially if this is due to the unauthorised disclosure of data to third parties. However, concrete (further) evidence that the unauthorised transfer resulted in an actual violation of personal rights or other negative consequences "beyond the individually perceived inconvenience" is not required. Unlike in the case of merely delayed disclosure under Article 15 GDPR, the Senate considers that a justified risk of misuse of data must be assumed because the data was transferred without any authorisation and thus a serious breach of data protection occurred. 

However, the consequence of this argument will be that any data processing without a legal basis will immediately lead to the assumption of a loss of control. In this case, however, the factual requirements of Article 82 GDPR – breach of the Regulation and occurrence of damage – are identical. This (once again) opens the door to an endless expansion of the right to damages – particularly the justification of loss of control as a catch-all provision. In view of the development of case law on Article 82 GDPR in recent years, this cannot have been the intention. Data subjects will apparently be able to assert claims for non-pecuniary damages "easily", especially if fundamental data protection principles have been violated.

Strict requirements also apply to the drafting of shop agreements

This development in case law must be viewed with caution, especially when collective norms are used as the legal basis for authorisation under data protection law, as the legal requirements in this regard have also been tightened. 

During the above-mentioned proceedings, the Federal Labour Court took the practical uncertainties surrounding the use of shop agreements as a basis for authorisation under data protection law as an opportunity to refer the matter to the ECJ (C-65/23) for clarification. After all, the transfer of personal data to "Workday" for testing purposes was also carried out in part on the basis of a shop agreement concluded between the parties. In addition, the Federal Labour Court considered that the powers of the parties to the shop agreement in the context of data processing required clarification, in particular the question of whether it can be incumbent on these parties to decide which data can be used for testing software tools.

Therefore, among other things, the scope of the reference in Section 26 para 4 BDSG should be clarified, which states that the special provisions of Article 88 para 2 GDPR must be observed when collective norms are used for data protection purposes. Does this imply that all other GDPR principles must also be complied with? How can the national provisions of the BDSG, which are actually intended to be more specific regulations, be reconciled with the principles of GDPR, particularly when shop agreements are negotiated freely or before conciliation committees? 

The question is therefore whether the general principles of data protection law, such as lawfulness, purpose limitation, transparency and data minimisation (Article 5 GDPR) and necessity of data processing (Article 6 GDPR) must be observed independently when drafting a shop agreement as a basis for authorisation, or whether the parties to the agreement should be granted discretion in this respect. Can the parties to the shop agreement therefore decide for themselves, within the scope of their discretionary power, whether the intended and regulated data processing is "necessary" or not? 

Ultimately, these ambiguities boil down to the debate in practice as to whether a shop agreement can justify data processing that would otherwise be inadmissible under the provisions of GDPR.

ECJ: Company parties may not deviate from GDPR principles

In its judgment of 19 December 2024, the ECJ clearly stated that all general requirements of GDPR must be complied with within the framework of national permissive norms. The exception provided for in Article 88 GDPR does not allow Member States to deviate from the general principles on the protection of personal data. These principles apply in all cases and must also be observed by the parties to the shop agreement. This clearly establishes that a shop agreement cannot legitimise data processing that is otherwise inadmissible.

The possibility of adopting "more specific provisions" in accordance with Article 88 GDPR cannot be used to circumvent the obligations arising from other provisions of the Regulation. Member States may only exercise the discretion granted to them in this respect within the provisions of the Regulation. GDPR has the stated aim of ensuring not only a uniform level of protection for the processing of personal data within the Member States, but also a high level of protection. A national provision adopted pursuant to Article 88 GDPR – in this case Section 26 para 4 BDSG – must therefore always ensure that not only the requirements of Article 88 GDPR are directly fulfilled, but also all other (general) provisions of GDPR, in particular Articles 5 onwards of GDPR.

Courts: Comprehensive power of review with regard to GDPR compliance 

The national courts also have comprehensive powers of review in this respect and must examine without restriction whether the principles of GDPR are also complied with in the drafting of collective agreements. This means that the parties to the agreement have no possibility of circumventing the level of protection provided by GDPR in the context of shop agreements and of laying down less stringent conditions for the processing of personal data. In particular, fundamental considerations – such as the necessity of data processing – must not be disregarded. In practice, the parties to the shop agreement will often have special knowledge enabling them to assess the operational necessity of data processing in a specific case. However, this familiarity with the subject matter cannot lead to discretion being exercised in favour of economic considerations at the expense of the protection of personal rights.

The courts must review both the legal provisions enacted within the framework and against the background of GDPR for the purpose of data protection and the collective agreements based on them to determine whether they are consistent with the provisions of the Regulation that must be given priority. Neither is the national legislature permitted, under Article 88 GDPR, to create a legal basis that allows less stringent rules on data processing to be laid down in collective agreements, nor are the parties to the agreement granted discretion to apply the conditions of necessity less strictly or even to waive them altogether. 

In summary, the ECJ requires that, even in the context of data processing based on a shop agreement, compliance with fundamental data protection principles must always be reviewed by the courts in accordance with the principles of Articles 5 onwards of GDPR.

Outlook for legal and business practice

Many of the basic features of the claim for damages under Article 82 GDPR have been shaped by the ECJ in recent months, thereby removing uncertainties regarding the factual requirements for a claim for non-pecuniary damage. The national implementation of these principles still needs to be clarified in some areas in order to provide definitive clarity. It remains to be seen in which direction labour and civil law case law will develop.

The sources of legal uncertainty in practice in this regard are likely to be somewhat mitigated. However, uncertainties remain due to the incompatibility of national data protection regulations with European law. Urgent adjustments are needed here. Particularly in view of the increasing demands of digitalisation and the further development of AI tools, there is an urgent need for the necessary revision of employment data protection regulations in Germany.

Until then, the parties within the company are generally well advised to carefully check compliance with the principles of GDPR when drafting relevant shop agreements. They should strictly measure their approach against the Regulation’s objective, namely to establish a high, uniform level of data protection. If necessary, they should raise the level of protection to a higher, stricter level, but not lower it under any circumstances. It may also be advisable to critically review existing shop agreements and adjust them if necessary. An overly generous approach carries the risk that, in the event of a dispute, the relevant collective provisions will be subject to judicial review and may not stand up to scrutiny. The consequences of any violations can be not only far-reaching, but also expensive. Even if the most recent decisions of the Federal Court of Justice and the Federal Labour Court – as in the most recent cases – have only awarded small, three-digit amounts in damages, this trend should be viewed with caution. The cases ruled on are usually individual decisions, the specific features of which must always be considered regarding the burden of proof and presentation and cannot be applied to all cases.
