Claiming Damages for Data Protection Breaches: What Employees Should Know
Potential for Financial Compensation in Instances of Privacy Violation - Data Protection Violation Punishment: Remuneration for Infringement of Privacy Rights
In a shift for employers, there's a possibility that employees could claim damages if their personal data is shared within the company group with another entity. This concept emerged from a decision made by the Federal Labor Court in Baden-Württemberg, Germany, during a test of cloud-based software "Workday" for HR management (8 AZR 209/21). The court ruled in favor of the plaintiff, awarding them 200 euros, along with immaterial damages as a result of losing control over their personal data.
The company involved aimed to implement Workday as a unified human resources information management system across their group in 2017. Exactly which employees' data was transferred from the current software to the parent company for testing is unclear, but there was obviously more data exchanged than agreed. Instead of limiting the transfer to the contractually stipulated data, such as the employee's start date, business telephone number, and email address, the company carelessly shared sensitive information, such as salary information, date of birth, private address, and tax ID.
The plaintiff demanded 3,000 euros in damages, citing regulations in the General Data Protection Regulation (GDPR), arguing that their employer had overstepped the bounds of their works agreement. The lower courts in Baden-Württemberg had initially rejected the plaintiff's claim, but the Federal Labor Court referred the case to the European Court of Justice (ECJ). In a surprising turn of events, the plaintiff has now had partial success before the highest German labor court.
While there seems to be no specific ruling from the Federal Labor Court in Baden-Württemberg concerning the claim of damages for breach of data protection by transferring personal data to another entity, German courts typically follow GDPR and ECJ rulings, which outline that individuals may claim non-material damages for breaches of data protection laws if they can demonstrate harm beyond mere loss of control over personal data.
In relevant cases related to GDPR in Germany:
- Courts like the Regional Court Erfurt and others have underlined that loss of control over personal data doesn't inherently equate to damage; evidence of negative consequences, such as psychological harm, is usually necessary.
- The Federal Labor Court has addressed data protection issues, but a notable recent case involved the dismissal of a claim for GDPR damages due to delayed information response, not specifically data transfer.
Therefore, employees may potentially claim damages if they can prove specific harm stemming from unauthorized data transfer, in line with broader European legal standards on data protection. Nevertheless, specific rulings from the Federal Labor Court in Baden-Württemberg regarding this particular topic have not surfaced within the available search results.
- The Federal Labor Court in Baden-Württemberg, Germany, based its ruling on a case involving Workday, a cloud-based software for HR management, offering vocational training to employees on the implications of data protection breaches in a workday scenario.
- In the aforementioned case, the plaintiff, who sought damages due to a breach of data protection laws, successfully argued that their employer's transfer of sensitive personal information (such as salary, date of birth, private address, and tax ID) was a violation of the contractual stipulations, potentially setting a precedent for vocational training on data protection within the community policy.
- Vocational training for employees in Germany should emphasize that they may claim damages for breaches of data protection laws if they can demonstrate specific harm, such as psychological harm, stemming from unauthorized data transfer, as outlined by the General Data Protection Regulation (GDPR) and European Court of Justice (ECJ) rulings.