In May 2021, the Regional Labor Court of Hamm sentenced an employer to pay a dismissed employee damages of 1,000 euros for pain and suffering because her right to information under Article 15 of the GDPR was violated by the employer.
What happened here and what to look out for to avoid such incidents can be found here.
What happened?
An employee was dismissed. As a result, she not only filed an action for unfair dismissal, but also claimed that her employer had responded late and incompletely to her request for information (Art. 15 GDPR) and that she was therefore entitled to damages under Art. 82 GDPR.
In particular, the employee had requested information from the employer about the data relating to the recording of working hours. The employer had stored this data during the course of the employment relationship.
The employee did not receive a response in the form of timesheets until seven months after the request. However, the information required under data protection law on the purpose of processing (Art. 15 I lit. a DSGVO) and the category of data processed (Art. 15 I lit. b DSGVO) was missing.
What does the court say?
In the first instance, the Herne Labor Court considered the claim to be unfounded. Although the court assumed a violation of Article 12 III and IV of the GDPR, it did not see this as grounds for a claim for damages by the employee.
In the appeal before the Hamm Regional Labor Court, however, the tide turned: the employee was awarded a claim for damages in the amount of 1,000 euros.
The claim for damages was based on the violation of Art. 12 and 15 GDPR by the employer. Because the employer had responded late and incompletely, the employee incurred a immaterial damagewhich is to be replaced via Art. 82 I GDPR. The In the opinion of the court, the GDPR makes a claim for damages The court found that there was no difference between "qualified infringements" and "minor cases", meaning that any infringement could lead to a liability for damages.
The amount of the claim for damages was determined by the court. The court took into account the criteria listed in Art. 83 II GDPR for the imposition of fines by supervisory authorities.
However, the court also noted to the employee's disadvantage that she did not pursue her request for information more urgently and that the degree to which she was personally affected was still quite low. Otherwise, the amount of the claim could have been higher.
Consequences for practice
In the development of the case law of the labor courts, there is a clear trend towards compensation for breaches of Data protection law in connection with actions for unfair dismissal recognize. In contrast, this trend does not (yet) exist in ordinary jurisdiction.
Article 82 of the GDPR is still interpreted very differently from court to court. This will remain the case until there is a supreme court ruling on the matter. However, this is not expected in the near future.
In practice, it is nonetheless necessary to establish functional organizational processes in order to avoid such incidents altogether. Data protection training for your own employees also plays a major role in prevention. In order to optimally train these two factors, we recommend Professional advice.