Today we are starting a small series on the topic of employee data protection. At irregular intervals, we will provide a brief overview of current developments in the German case law on employee data protection in our blog.
- LAG Nuremberg (Regional Labor Court Nuremberg), judgment of 25 January 2023 (4 Sa 201/22): The breach of the duty to provide information pursuant to Art. 15 GDPR does not give rise to a liability for damages pursuant to Art. 82(1) GDPR.
Pursuant to Art. 82(1) GDPR, any person who has suffered material or immaterial damage due to a breach of the GDPR is entitled to claim damages against the controller or the processor. However, the claim for damages is limited to violations of unlawful data processing within the meaning of Art. 4 No. 2 GDPR. Delayed, incorrect or even completely omitted information to a person would thus not trigger liability.
Note: Landgericht Memmingen (Regional Court of Memmingen) has ruled in a dogmatically similar manner on a breach of information duties (judgment of March 9, 2023 (35 O 1036/22)). According to this judgement, violations of information obligations do not give rise to a claim for damages under Art. 82 GDPR. The controller is only liable for damage caused by processing (of data) that does not comply with the GDPR (Art. 82(2) GDPR). Processing in this sense are only the actions defined in Art. 4 No. 2 GDPR. Failure to comply with the duty to provide information does not constitute such processing.
- VG Hannover (Administrative court Hannover), judgment of 8 February 2023 (10 A 6199/20): The order of the LfD Lower Saxony (State Commissioner for Data Protection of Lower Saxony) against an online retailer to refrain from uninterrupted respective current and minute-by-minute collection and use of certain employee data is unlawful.
An online retailer operates a logistics center in which current and up-to-the-minute quantity and quality data of its employees is continuously collected and used to create quantity performance and quality performance profiles as well as for feedback discussions and process analyses.
According to the VG Hannover, this data processing can be based on Article 88(1) GDPR in conjunction with Section 26(1) Sentence 1 German Federal Data Protection Act (BDSG), alternatively also on Article 6(1) lit. f GDPR, and meets the requirements of data protection law. The online retailer has a legitimate interest in the data processing that is worthy of justification and protection – namely the control of logistics processes, the control of the individual qualification of employees and the creation of objective assessment bases for individual feedback and personnel decisions. The data processing carried out was also suitable and necessary to safeguard these interests. The interference with the right to informational self-determination of the employees according to Art. 8 GRCh and Art. 2 para. 1 i. In conjunction with Article 1(1) of the German Constitution, the interference with the right to informational self-determination of the employees under Article 8 of the Charter and Article 2(1) in conjunction with Article 1(1) of the German Constitution is not disproportionate to the interests of the online retailer that are worthy of protection and are pursued by the data processing, so that the data processing as a whole is appropriate or proportionate in the narrower sense.
- ECJ, judgment of 9 February 2023 (C-560/21): National regulations on the dismissal of a data protection officer that are stricter than the GDPR are generally permissible.
According to this judgment, each Member State is free, in the exercise of its reserved competence, to provide for special, stricter rules for the dismissal of a data protection officer, provided that these are compatible with Union law and in particular with the provisions of the GDPR, especially Article 38(3) sentence 2 GDPR. Article 38(3) sentence 2 GDPR does not fundamentally preclude a national provision such as Section 6(4) sentence 1 BDSG, according to which a data protection officer employed by a controller or processor can only be dismissed for good cause, even if the dismissal is not related to the performance of his or her duties, provided that this provision does not impair the achievement of the objectives of the GDPR.
- ArbG Oldenburg (Labor Court Oldenburg), judgment of 9 March 2023 (3 Ca 150/21): A company that failed to comply with a claim for information under Art. 15(1) of the GDPR by a former employee was ordered to pay €10,000 in non-material damages to the employee.
The data subject asserted a claim for information under Art. 15 GDPR against his former employer, to which the company did not respond for more than 20 months. The data subject then filed a lawsuit for the provision of information pursuant to Art. 15 GDPR and for damages under Art. 82 GDPR. Only in the course of the court proceedings did the defendant provide certain information.
The ArbG Oldenburg ordered the defendant to provide full information and to pay the plaintiff damages for pain and suffering in the amount of €10,000. The judgment states that the violation of the GDPR itself already leads to a non-material damage to be compensated, a more detailed explanation of the damage is not necessary.
Note: It is interesting to note that the LAG Nuremberg (judgment of 25 January 2023 (4 Sa 201/22)) rejected a claim for damages in the event of a breach of the duty to provide information, as the claim for damages under Article 82 GDPR is limited to violations of unlawful data processing within the meaning of Article 4 No. 2 GDPR. Delayed, incorrect or even completely omitted information to a person would thus not trigger liability (see above).
- OLG Dresden (Higher Regional Court Dresden), judgment of 14 March 2023 (4 U 1377/22): A legal entity is not entitled to injunctive relief or removal under data protection law due to the use of data from its employees’ personnel files. Furthermore, a company’s vacation lists do not constitute trade secrets.
According to the clear wording of Art. 4 No. 1 GDPR, legal persons could not rely on the claims contained in the GDPR. The protection of the “personal data” mentioned there would only concern information relating to an identified or identifiable natural person (“data subject”).
Claims for injunctive relief, information and surrender would also not follow from Sections 6, 7, 8 of the German Law on the Protection of Trade Secrets (GeschGehG), since vacation lists of a company would not constitute a trade secret within the meaning of Section 2 No. 1 GeschGehG. They did not contain any economic value within the meaning of Sec. 2 No. 1a GeschGehG.
- ECJ, judgment of 30 March 2023 (C-34/21): A national legal provision cannot be a “more specific provision” within the meaning of Art. 88(1) GDPR if it does not meet the requirements of para. 2 of this article. National legislation on employee data protection must remain inapplicable if it does not comply with the conditions and limits set out in Art. 88(1) and (2), unless it constitutes a legal basis within the meaning of Art. 6(3) GDPR that meets the requirements of that Regulation.
An important decision! Has the ECJ declared Section 26 of the German Federal Data Protection Act (BDSG) inapplicable?
The background to the preliminary ruling was the question of the extent to which Section 23 of the Hessian Data Protection and Freedom of Information Act (HDSIG) (“Data processing for purposes of the employment relationship”) can be the basis for conducting videoconferences of teachers.
The ECJ concluded that Art. 88 GDPR must be interpreted as meaning that a national law cannot constitute a “more specific provision” within the meaning of para. 1 of this article if it does not comply with the requirements of para. 2 of this article. Article 88(1) and (2) GDPR must be interpreted as meaning that national legislation ensuring the protection of the rights and freedoms of employees with regard to the processing of their personal data in the employment context must remain inapplicable if it does not comply with the conditions and limits laid down in that same Article 88(1) and (2), unless it constitutes a legal basis within the meaning of Article 6(3) GDPR which meets the requirements of that Regulation. According to the ECJ’s findings, provisions such as Section 23(1) of the HDSIG and Section 86(4) of the Hessian Civil Servants Act (HBG), which make the processing of personal employee data conditional on it being necessary for specific purposes in connection with the performance of an employment or service relationship, appear to repeat the condition for general lawfulness of processing already set out in Article 6(1)(b) GDPR, without adding a more specific provision within the meaning of Article 88(1) GDPR. Accordingly, such provisions do not seem to have an appropriate regulatory content that is different from the general rules of the GDPR. If the referring court were to find that the provisions at issue in the main proceedings do not comply with the conditions and limits laid down in Article 88 of the GDPR, it would in principle have to disapply those provisions.
The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) has published an article on the ruling, which you can access here. He assumes that Section 23 HDSIG is not a more specific provision in the sense of Article 88(1) and (2) GDPR and does not meet its requirements as well as those of the GDPR. This has far-reaching consequences, as it follows that Section 26 BDSG, the parallel provision to Section 23 HDSIG in federal law for employee data, also does not meet the requirements of Article 88(1) and (2) GDPR. This would have the consequence that processing operations previously based on Section 26 BDSG would now have to be founded on other legal bases. However, the HmbBfDI also points out that far-reaching data processing that was previously based on Section 26 BDSG should not be suspended or terminated at this point in time, as it is likely that alternative legal bases could be found in each case. However, this would require an examination of the data controller.