In May 2021, the Regional Labor Court of Hamm sentenced an employer to pay a dismissed employee damages of 1,000 euros for pain and suffering because her right to information under Article 15 of the GDPR was violated by the employer.
What happened here and what to look out for to avoid such incidents can be found here.
An employee was dismissed. As a result, she not only filed an action for unfair dismissal, but also claimed that her employer had responded late and incompletely to her request for information (Art. 15 GDPR) and that she was therefore entitled to damages under Art. 82 GDPR.
In particular, the employee had requested information from the employer about the data relating to the recording of working hours. The employer had stored this data during the course of the employment relationship.
The employee did not receive a response in the form of timesheets until seven months after the request. However, the information required under data protection law on the purpose of processing (Art. 15 I lit. a DSGVO) and the category of data processed (Art. 15 I lit. b DSGVO) was missing.
What does the court say?
In the first instance, the Herne Labor Court considered the claim to be unfounded. Although the court assumed a violation of Article 12 III and IV of the GDPR, it did not see this as grounds for a claim for damages by the employee.
In the appeal before the Hamm Regional Labor Court, however, the tide turned: the employee was awarded a claim for damages in the amount of 1,000 euros.
The claim for damages was based on the violation of Art. 12 and 15 GDPR by the employer. Because the employer had answered late and incompletely, the employee suffered non-material damage, which was to be compensated via Art. 82 I GDPR. According to the court, the GDPR does not make a distinction between "qualified infringements" and "minor cases" when it comes to a claim for damages, so that every infringement can lead to an obligation to pay damages.
The amount of the claim for damages was determined by the court. The court took into account the criteria listed in Art. 83 II GDPR for the imposition of fines by supervisory authorities.
However, the court also noted to the employee's disadvantage that she did not pursue her request for information more urgently and that the degree to which she was personally affected was still quite low. Otherwise, the amount of the claim could have been higher.
Consequences for practice
In the development of the case law of the labor courts, there is a clear trend toward compensation for violations of data privacy law in connection with actions for unfair dismissal. In contrast, this trend does not (yet) exist in the ordinary courts.
Article 82 of the GDPR is still interpreted very differently from court to court. This will remain the case until there is a supreme court ruling on the matter. However, this is not expected in the near future.
In practice, however, it is necessary to establish functional organizational processes in order to avoid such incidents altogether. The data protection training of the company's own employees also plays a major role in prevention. Professional advice is recommended to ensure that these two factors are optimally trained.