A. Decision of the court
The Higher Labor Court (LAG) in Hamm ordered an employer to pay damages of EUR 1,000 to an employee pursuant to Article 82 of the GDPR because she had suffered non-material damage because the employer had not complied with her request for information. The lack of control over the data constituted damage.
The decision of the Higher Labor Court of Hamm is based on a legal dispute between an employee and her former employer. The plaintiff initially asserted a claim for information on the hours worked by way of a step-by-step action in order to be able to assert a claim for payment of overtime to be remunerated at a later date. At the same time, she asserted an out-of-court claim for information pursuant to Art. 15 GDPR about all stored data, in particular about hours worked.
After the employer failed to provide information on the hours worked for six months, the plaintiff extended her action at first instance of court to claims for damages under Article 82 of the GDPR, as the failure to provide information also constituted a failure to provide information on personal data. As a result, she had suffered non-material damage.
The Higher Labor Court (LAG) in Hamm, Germany, granted the appeal in part.
In principle, it affirmed the possibility of claiming damages. The working hours of employees recorded by an employer also constitute personal data which is processed by the employer. According to Art. 4 No. 2 of the GDPR, processing especially includes the collection, recording, organization, classification, storage and use of the data. The employer necessarily processes personal data of the employees, such as the existence and duration of an ability to work, the granting of vacation entitlements or also about performance and behavior data. Therefore, according to Art. 15 GDPR, there would be a right to be provided with information about these data.
The court found that an existing employment relationship between the parties did not preclude the assertion of this right to information. The right to information is a fundamental right under Article 8 (2) CFR and Article 6 (1) TEU and is part of the “Magna Charta” of data subjects’ rights (Lemke, der Datenschutzrechtliche Auskunftsanspruch im Arbeitsverhältnis, NJW 2020, 1841ff).
The concept of damage within the meaning of Art. 82 GDPR is not sufficiently defined in the GDPR to be able to assess the facts of the case in the necessary manner. The interpretation of the concept of damage in the case law of the ECJ has also not yet been clarified. The literature is in favor of a broad understanding of the concept of damage. However, the details and the exact scope of the claim are unclear.
Since it cannot be inferred from the GDPR that a claim for damages can only be asserted in the case of a qualified infringement, there is no evidence for the assumption of a materiality threshold. In order to comply with the objectives of the Regulation, the concept of non-material damage of the GDPR must be interpreted in such a way that it cannot only be discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of data (subject to professional secrecy), unauthorized cancellation of pseudonymization, or other economic or social disadvantages. Rather, being prevented from controlling one’s own personal data also constitutes immaterial damage.
The plaintiff did not have any control over the personal data in the present case, as the employer did not provide any information on “whether” it processed personal data at all, which categories the processing concerned, whether the data were processed in a formalized manner, whether the data were passed on to third parties and how long they would continue to be stored after termination of the employment relationship.
The severity of the impairment was not required for the existence of a claim for non-material damages. However, this could be taken into account in the amount of the claim. The individual severity of the impairment must also be taken into account in the amount of the claim for damages.
In determining the appropriate amount of damages, the court had taken into account how long the defendant had failed to comply with the right to information and how consistently the plaintiff had pursued the claim.
In the present case, although a period of six months had passed without the claim for information being met, the plaintiff had only asserted the claim for damages in court and had not fully pursued the claim for information. Rather, she had declared the claim settled after she had information about the overtime she had worked. This showed that the fact that she had no control over her personal data did not particularly burden her and that the sustainability of the request for information was doubtful. Overall, the court therefore only considered damages in the amount of EUR 1,000 to be appropriate.
The extent to which the level of financial strength is to be taken into account in the amount of the claim for damages can be left open in the present case, as neither of the parties provided any information in this regard.
Taking into account the objectives of the GDPR to counter the risks arising from the processing of personal data as comprehensively as possible and to make the possibilities of legal protection as efficient as possible, the present decision appears consistent.
As a result of this interpretation, data controllers within the meaning of the GDPR are required to actually comply with requests for information, as otherwise they must fear being held liable for damages. In this respect, the ruling also represents a strengthening of employee rights. The LAG clarifies that employees can also claim this information. The right to information can be asserted not only in connection with the assertion of overtime, but also for the pure creation of an overview of processed data.
At the same time, however, the court does not disregard the fact that not every disregarded right to information represents a serious impairment, and that the pursuit of the right to information is an indication of whether the affected parties actually care about gaining control over their own personal data. By taking into account the severity of the impairment in the amount of damages, the LAG prevents a wave of lawsuits based on trivialities despite the granting of non-material damages.