In December 2021, the Neuruppin Labor Court ordered an employer to pay damages of €1,000 to a former employee under Art. 82 GDPR. The reason for this was that the former employee continued to be mentioned by the employer on its website after termination of the employment relationship.

This could have been avoided by an efficient deletion concept and sustainable management of data subjects' rights. You can find out what you need to know here.

The case - damages under Art. 82 GDPR

The facts of the case, which the Neuruppin Labor Court had to decide, were as follows: The plaintiff was an employee of the defendant. She was employed as an office management employee, but also had an academic degree as a biologist.

In the context of the termination of the employment relationship, the plaintiff informed the defendant that the plaintiff was still named on the defendant's website, in particular as a biologist. In this letter, it was simultaneously pointed out that the references on the website were no longer to be kept and that the plaintiff had, moreover, turned to the State Commissioner for Data Protection after all deadlines set so far had expired.

However, content about the plaintiff continued to appear on the defendant's website, in which she was described as a collaborating biologist. The plaintiff then demanded a cease-and-desist declaration and monetary compensation. The defendant issued the declaration and paid 150€ to the plaintiff.

The plaintiff then filed a lawsuit and claimed €5,000 in damages in court.

The court awarded the plaintiff a claim in the amount of €1,000 (less the amount paid) under Art. 82 GDPR. The requirements of Art. 82 GDPR (breach of the GDPR (data subject rights), resulting damage and liability) were met. The court did not consider it necessary to prove concrete damage. The amount was based on current case law.

With this ruling, the Neuruppin Labor Court continues the labor courts' employee-friendly interpretation of data protection law and impressively demonstrates the high risks for companies when (alleged) data protection violations occur. What is particularly explosive here is that the total amount of damage claims can quickly increase if a violation affects several employees.

Protective measures for employers

In order to protect themselves from such compensation payments, it is not only essential for employers to have an efficient deletion concept, but also a sustainable management of data subjects' rights.

Deletion concept according to DSGVO

The GDPR not only contains requirements for the collection and storage, but also for the deletion of data and even makes this mandatory. Accordingly, the responsible supervisory authorities also monitor this. In the event of violations, high fines are threatened even without the data subject as plaintiff.

The storage of data is only permitted for the period of time necessary for the purpose (storage limitation and purpose limitation of processing). The controller can use a deletion concept to define rules for when which data is to be deleted. Thus, a deletion concept is always individually tailored to the respective controller. In order to develop such a deletion concept, a precise analysis of the processing operations and the data concerned is therefore necessary.

It should also be noted that the data is really deleted at the end, i.e. made unrecognizable.

Management of data subject rights according to DSGVO

The rights of data subjects under the GDPR serve to give data subjects control over their data. Suitable infrastructures must be in place in the company, particularly with regard to requests for information. If requests for information are not adequately complied with, there is a risk of fines here as well.

A request for information can prove to be very extensive and complex in practice. The responsible party must first identify the data subject, adhere to deadlines when responding, and also consider the scope of the request.

To implement this sustainably, suitable data protection processes are essential under the GDPR. The controller should be prepared for requests for information before the first one reaches him. This requires both technical and personnel capacities.

Our experts will be happy to assist you with this!

DSB buchen