GDPR for companies
New rulings of Düsseldorf Labor Court (Arbeitsgericht Düsseldorf, ArbG) and Munich Regional Labor Court (Landgericht München, LG) may add interesting options for employees in negotiations with their employers. Data protection in the modern world is a huge topic. With the huge number of online sources requiring personal information to be stored locally and in the cloud, stringent rules were needed to protect the information being shared. In 2016, the Datenschutz-Grundverordnung 2016/697 (DSGVO) was originally agreed to replace the less encompassing Data Protection Directive 95/46/EC. The DSGVO is the name in German law for the perhaps more universally recognized General Data Protection Regulation (GDPR). This regulation, enshrined in European law, was passed both to standardize data protection rules across the EU and EEA and to enforce the rights of the individual in relation to the data held by organizations. These new regulations placed a huge emphasis on the responsibilities of the data handler to ensure the data being held is safely stored, required for a specific use, and correctly removed when no longer relevant.
After a 2-year transition period, the law came into effect on the 24th of April 2018, at which point the aforementioned data handling companies were legally required to be compliant with the new data protection laws. This had a particular effect on employers, as they now had increased responsibility for the obviously sensitive data they held regarding their employees. Though there were no regulations specifically regarding employee data protection in the GDPR, Article 88 allows individual member states to implement rules, to calibrate with their own local employment law regulations, as long as the local rules implemented further the notions of transparency, safeguarding of employee dignity and fundamental rights as laid out by the GDPR.
Those companies found to be non-compliant in their use of data could find themselves facing fines of up to 20 million Euros or even 4% of their annual worldwide turnover. Furthermore, should any data handler (in this case, the employer) be found to be infringing on the employee’s data protection rights, the employee is offered the right to compensation under Article 82 of the GDPR, the amount of the compensation to be determined by the local competent court of the member state (in our case, Germany).
Steep penalties indeed, but it is fair to say that German courts up until now have been fairly conservative in their application of Art. 82. As the GDPR does not provide any regulation regarding the burden of proof, in most cases brought before the various regional courts, said burden of proof has fallen squarely on the plaintiff. In other words, unless you can provide documents or other forms of incontrovertible evidence that your employer has infringed upon your rights, you are going to struggle to get a ruling in your favor.
Over the past couple of months, however, this attitude may have changed somewhat.
Court Ruling in Munich
A ruling (Urt. v. 06.04.2020 – Az.: 3 O 909/19) on a case in front of the Munich Regional Labor Court (Landgericht München, LG) has placed further emphasis on the duty of care the data handler has in relation to the storing and providing of an employee or client’s personal data when requested. The case relates to a private person bringing a suit against her financial advisor after being provided what she considered insufficient and incomplete records relating to her data held by the financial advisor. The main thrust of the case was in relation to damages for poor financial advice, but the court offered commentary on a specific aspect relating to Art. 15 Para. 3 of the GDPR.
The plaintiff requested all personal data held by the defendant. The defendant provided all information they held relating to her personal data but did not provide information held on the interactions between the plaintiff and the defendant, such as telephone records and advice documents. This was not sufficient for the plaintiff and they sought damages in this regard as part of their overall suit against the defendant.
Though the overall suit was unsuccessful, the LG Munich commented that the information provided by the defendant was not comprehensive, suggesting that Art. 15 of the GDPR does not include any limitations relating to providing data that pertains to the affected party. Therefore, telephone notes, documents relating to financial advice, letters, etc. should be provided, and the court upheld the plaintiff’s claim against the defendant in this regard. The amount in damages has not yet been asserted and there may yet be an appeal.
Ruling in Düsseldorf
After leaving a company, an employee requested all information the company held on him, as is his right pursuant to Art. 15 of the GDPR. The information provided by the employer was, according to the employee, both delayed and incomplete, throwing the employer’s data processing system and willingness to share said information into serious question.
The employee brought a complaint against the employer based on incomplete information pursuant to Art. 15. This was heard by the Düsseldorf Labor Court (Arbeitsgericht Düsseldorf, ArbG) who found in favor of the employee and awarded him immaterial damages, pursuant to Art. 82 of the GDPR, in the amount of 5,000 Euros. It should be noted that this decision is not yet finalized, with the employer appealing the decision. This appeal will be heard at a later date in front of the Düsseldorf Regional Labor Court (Landesarbeitsgericht, LAG).
Recent GDPR cases where plaintiffs were awarded damages
As of January 2021, more rulings where the GDPR was violated due to the various forms of unauthorized disclosure of personal data have been uncovered. In summary:
- Pforzheim District Court (AG) (Urt. v. 25.03.2020 – Az.: 13 C 160/19) — Violation of Art. 9 Para. 1 due to unauthorized disclosure of health data. Award amount: 4,000 Euros
- Darmstadt District Court (LG) (Urt. v. 26.05.2020 – Az.: 13 O 244/19) — Violation of Art. 6 Para. 1 due to unauthorized disclosure of applicant data to a third party and violation of Art. 34 where a notification obligation. Award amount: 1,000 Euros
- Lübeck Labor Court (ArbG) (Beschl. v. 20.06.2020 – Az.: 1 Ca 538/19) — Violation of Art. 4 (2) and Art. 6 Para. 1 (b) due to the publication of an employee’s photo on a social network platform by unauthorized persons. Award amount: 1,000 Euros
- Dresden Labor Court (ArbG) (Urt. v. 26.08.2020 – Az.: 13 Ca 1046/20) — Violation of Art. 9 due to unauthorized publication of personal health data. Award amount: 1,500 Euros
- Neumünster Labor Court (ArbG) (Urt. v. 11.08.2020 – Az.: 1 Ca 247 c/20) — Violation of Art. 15 Para. 1 due to late response to a request for information (Auskunftsanspruch). Award amount: 500 Euros per month for the duration of the violation, for 1,500 Euros in total.
- Cologne Regional Labor Court (LAG) (Urt. v. 14.09.2020 – Az.: 2 Sa 358/20) — Unauthorized publication of a PDF file containing a job profile on the defendant’s website after the plaintiff’s employment relationship ended. Award amount: 300 Euros
Why are these rulings important?
One of the main points to take from these rulings is the change in attitude toward the burden of proof in such cases. The judges in Düsseldorf took the view that the time taken to present incomplete information to the employee was reason enough to award damages. Essentially, the fact that the employer was unable or unwilling to provide the correct information means that the employer breached their responsibilities relating to Art. 15, and this infringed on the employee’s right to control their own personal information. As a result, the employee was entitled to receive punitive damages from the employer under Art. 82 of the GDPR.
The commentary offered by the LG Munich has broadened the scope of which documents can be requested by the employee in their request to their employer. Previously, employers would generally feel obligated to provide information relating directly to the employee but, with this ruling, pretty much all data must be provided. A very broad interpretation of the commentary may even suggest that internal emails between management discussing employee aspects such as performance may be requested.
This ruling was met with surprise in the legal community due to the possible ramifications. Should the appeals fail, the bar has been set lower for possible damages relating to breaches of the GDPR. This is likely to lead to far more cases being brought against employers, looking for damages pursuant to Art. 82 of the GDPR. As data protection breaches tend to apply to groups rather than individuals, it is also likely that we will see large groups of affected plaintiffs making claims against companies who control data.
The potential of this ruling could be profound in both providing people affected by bad data protection practices a way to garner financial compensation and in forcing companies into ensuring their data protection practices are as secure and transparent as possible.
These are especially interesting developments for those negotiating severance packages with their employer. Requesting employer information relating to the employee pursuant to Art. 15, and therefore possibly increasing the strength of the severance negotiating position, has been a tactic in severance negotiations for some time. There have been examples of employers attempting to delay or present incomplete information to the employee, in an obvious attempt to gain the upper hand in the negotiations. The ruling in Düsseldorf strongly suggests that withholding, delaying, or obfuscating the requested data would result in penalties for the employer, something which would obviously strengthen the claim of the employee. It seems that this ruling has handed a fair amount of leverage to employees looking to seek a large severance package. As attorneys specializing in both employment law and data protection law, this is of particular interest to us.
As an employee, what are my options?
The GDPR in its basic form is there both to safeguard your data and to allow you to control it. It puts the emphasis on the entities who collect data to make sure this data is as secure and as accessible to the person as is humanly possible. As an employee, you should always be assured of the following:
- The employer will ensure my data is processed securely and ensure that no one who does not need access to my information has access to it.
- The employer will not share information without my express consent.
- The employer will only retain my data as long as they need this information for work purposes.
- I will have full and complete access to my data, which will be provided in a timely fashion.
The above examples are, of course, very general, but if the employer is unwilling or unable to meet the basic requirements listed above, the employee certainly would have a legal case to bring against those handling the data. The judgment of the court in Düsseldorf mentioned above has made large-scale financial compensation for data protection breaches a far more realistic proposition. If your rights in this regard have been infringed, a large compensation payout may be due.
I feel that my data has been mishandled. What should I do?
The first step should always be to speak to your employer and ask them to either provide the relevant information (setting a reasonable timescale in the process) or to confirm in writing if the data has been mishandled (i.e. accidentally shared, lost, stolen, etc.). Gathering information should always be the initial step.
Should you wish to take the issues further, it is advisable to engage the services of specialist data protection attorneys, who can advise you on how to best take your case forward. We at ZELLER & SEYFERT have extensive experience in dealing with such matters. Our Employment Law expert Atty. Dr. Christian Zeller and our Data Protection Law expert Atty. Dr. Christian Seyfert have fought many cases relating to privacy and data protection in front of competent courts here in Germany, the EU, and on the international scene. Should you wish to discuss your specific case, they offer a free initial consultancy, to discuss the merits and offer advice on how to proceed. We can be contacted by telephone at +49 69 58 80 972-40 or by sending an email to firstname.lastname@example.org. We look forward to hearing from you!