A. Decision of the court
The Higher Labor Court (LAG) in Hamm ordered an employer to pay damages of EUR 1,000 to an employee pursuant to Article 82 of the GDPR because she had suffered non-material damage because the employer had not complied with her request for information. The lack of control over the data constituted damage.
The decision of the Higher Labor Court of Hamm is based on a legal dispute between an employee and her former employer. The plaintiff initially asserted a claim for information on the hours worked by way of a step-by-step action in order to be able to assert a claim for payment of overtime to be remunerated at a later date. At the same time, she asserted an out-of-court claim for information pursuant to Art. 15 GDPR about all stored data, in particular about hours worked.
After the employer failed to provide information on the hours worked for six months, the plaintiff extended her action at first instance of court to claims for damages under Article 82 of the GDPR, as the failure to provide information also constituted a failure to provide information on personal data. As a result, she had suffered non-material damage.
The Higher Labor Court (LAG) in Hamm, Germany, granted the appeal in part.
In principle, it affirmed the possibility of claiming damages. The working hours of employees recorded by an employer also constitute personal data which is processed by the employer. According to Art. 4 No. 2 of the GDPR, processing especially includes the collection, recording, organization, classification, storage and use of the data. The employer necessarily processes personal data of the employees, such as the existence and duration of an ability to work, the granting of vacation entitlements or also about performance and behavior data. Therefore, according to Art. 15 GDPR, there would be a right to be provided with information about these data.
The court found that an existing employment relationship between the parties did not preclude the assertion of this right to information. The right to information is a fundamental right under Article 8 (2) CFR and Article 6 (1) TEU and is part of the “Magna Charta” of data subjects’ rights (Lemke, der Datenschutzrechtliche Auskunftsanspruch im Arbeitsverhältnis, NJW 2020, 1841ff).
The concept of damage within the meaning of Art. 82 GDPR is not sufficiently defined in the GDPR to be able to assess the facts of the case in the necessary manner. The interpretation of the concept of damage in the case law of the ECJ has also not yet been clarified. The literature is in favor of a broad understanding of the concept of damage. However, the details and the exact scope of the claim are unclear.
Since it cannot be inferred from the GDPR that a claim for damages can only be asserted in the case of a qualified infringement, there is no evidence for the assumption of a materiality threshold. In order to comply with the objectives of the Regulation, the concept of non-material damage of the GDPR must be interpreted in such a way that it cannot only be discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of data (subject to professional secrecy), unauthorized cancellation of pseudonymization, or other economic or social disadvantages. Rather, being prevented from controlling one’s own personal data also constitutes immaterial damage.
The plaintiff did not have any control over the personal data in the present case, as the employer did not provide any information on “whether” it processed personal data at all, which categories the processing concerned, whether the data were processed in a formalized manner, whether the data were passed on to third parties and how long they would continue to be stored after termination of the employment relationship.
The severity of the impairment was not required for the existence of a claim for non-material damages. However, this could be taken into account in the amount of the claim. The individual severity of the impairment must also be taken into account in the amount of the claim for damages.
In determining the appropriate amount of damages, the court had taken into account how long the defendant had failed to comply with the right to information and how consistently the plaintiff had pursued the claim.
In the present case, although a period of six months had passed without the claim for information being met, the plaintiff had only asserted the claim for damages in court and had not fully pursued the claim for information. Rather, she had declared the claim settled after she had information about the overtime she had worked. This showed that the fact that she had no control over her personal data did not particularly burden her and that the sustainability of the request for information was doubtful. Overall, the court therefore only considered damages in the amount of EUR 1,000 to be appropriate.
The extent to which the level of financial strength is to be taken into account in the amount of the claim for damages can be left open in the present case, as neither of the parties provided any information in this regard.
Taking into account the objectives of the GDPR to counter the risks arising from the processing of personal data as comprehensively as possible and to make the possibilities of legal protection as efficient as possible, the present decision appears consistent.
As a result of this interpretation, data controllers within the meaning of the GDPR are required to actually comply with requests for information, as otherwise they must fear being held liable for damages. In this respect, the ruling also represents a strengthening of employee rights. The LAG clarifies that employees can also claim this information. The right to information can be asserted not only in connection with the assertion of overtime, but also for the pure creation of an overview of processed data.
At the same time, however, the court does not disregard the fact that not every disregarded right to information represents a serious impairment, and that the pursuit of the right to information is an indication of whether the affected parties actually care about gaining control over their own personal data. By taking into account the severity of the impairment in the amount of damages, the LAG prevents a wave of lawsuits based on trivialities despite the granting of non-material damages.
TCI is represented as a group of boutique law firms which and were founded in July 2011 with offices in Berlin, Mainz and Munich.
TCI’s industry focus is on “Technology”, “Communication”, “Information”, on which the short name and brand “TCI” is based. The legal focus is on technology-related contract law and litigation including arbitration, IT law, telecommunications law, public procurement and antitrust law, franchise and distribution law, employment law, copyright law and intellectual property law.
With several years of professional experience, each of the founding partners of TCI had previously gained in other specialized commercial law firms and renowned large law firms, they wanted to realize their vision of a boutique law firm in which renowned legal personalities known in the market work together on the basis of a democratic internal structure with a flat hierarchy. This recipe for success has fully proven itself.
Truiken Heydn , TCI founding partner commented: ” We would like to thank our clients and the many colleagues who recommend us again and again for the trust they have placed in us. We are pleased that the approach of a boutique law firm has proven its worth over the 10 years and we will continue to pursue it consistently. This allows us to focus on core areas and provide the best possible service to our clients. Areas of law that we do not handle ourselves are covered by cooperations with other law firms. This allows us to support clients beyond our focus and opens up many other advantages of working with other law firms. One example of this is our collaborations in the M&A environment.”
Meanwhile, the expert team of the law firm alliance has grown to 14 partners and 3 associates. TCI and its lawyers have won numerous national and international awards (e.g. Best Lawyers, FOCUS, Who’s Who Legal) throughout the firm’s history. In addition, they have made a name for themselves as specialist authors, lecturers and speakers.
The transaction: CompuGroup Medical (CGM) acquires the entire shares in Meta IT GmbH, based in St. Ingbert.
Meta IT is a highly specialized healthcare software vendor with two core products: MetaKIS offers hospitals a powerful application for the billing of Diagnosis Related Groups (DRG), revenue assurance, performance management and benchmarking. MetaIPSS actively and comprehensively supports all relevant processes in a hospital’s hygiene management. The browser-based solutions can be integrated into all relevant hospital information systems (HIS) and interact seamlessly with the CGM solution suites for acute care hospitals.
The two companies have been working well and successfully together for some time. Now, the joint commitment is to be further intensified and extended to new areas, e.g. in the increasingly important topic of quality management. Other CGM customer groups, such as rehabilitation facilities, will also benefit from this. MetaIPSS in particular also offers a lot of potential for an expansion or internationalization of the target market.
The TCI team led by Stephan Schmidt supported the transaction and was responsible for the legal due diligence and negotiation of the SPA in the areas of IT/IP, data protection and labor law.
The MUTTER & KRUCHEN team led by Dr. Carsten Kruchen supported the transaction and was responsible for the legal due diligence and negotiation of the SPA in the area of corporate law.
TCI Rechtsanwälte (IT, IP, data protection, employment law): Stephan Schmidt, Sabine Brumme, Stephan Breckheimer, Joscha Falkenhagen
MUTTER & KRUCHEN (corporate law): Dr. Carsten Kruchen, Jessica Werner
CompuGroup Medical is one of the world’s leading e-health companies, generating annual revenues of EUR 837 million in 2020. The company’s software products to support all medical and organizational activities in medical practices, pharmacies, laboratories and hospitals, its information services for all stakeholders in the healthcare system and its web-based personal health records serve a safer and more efficient healthcare system. The foundation of CompuGroup Medical’s services is its unique customer base of more than 1.6 million users, including physicians, dentists, pharmacies and other healthcare professionals in outpatient and inpatient settings. With its own locations in 18 countries and products in 56 countries worldwide, CompuGroup Medical is the e-health company with one of the largest reach among healthcare providers. Around 8,000 highly qualified employees stand for sustainable solutions in the face of constantly growing demands in the healthcare sector.
TCI Rechtsanwälte advises national and international clients primarily in the areas of IT/IP law and data protection law. In addition to contract law advice, TCI Rechtsanwälte also supports clients in corporate acquisitions and sales and IP compliance.
MUTTER & KRUCHEN assists clients in corporate acquisitions and sales as well as in more comprehensive reorganizations of corporate and group structures. In addition, MUTTER & KRUCHEN provides independent and partner-led advice on corporate and capital markets law to listed and medium-sized companies, family-owned companies and their shareholders, experienced founders and investors as well as foundations.
TCI Rechtanwaelte is once again proud Gold Plus Sponsor of the International Technology Law Association’s (ITechLaw) World Technology Law Conference. The conference will take place from 8 to 10 June 2021 as an online event. Registrations are still possible at the following link: https://www.itechlaw.org/conferences/2021-world-technology-law-conference.