More than five years have passed since the comprehensive entry into force of the General Data Protection Regulation (GDPR) in May 2018. Nevertheless, essential questions with regard to the processing of personal data are yet to be clarified with satisfactory certainty – this applies in particular to data processing in the employment context. For some time now, however, more and more courts have been dealing with legal issues relating to the processing of personal data – this development is gratifying, especially in light of the fact that each decision increases the body of legal experience in this area.
Especially in the employment context, data protection is becoming increasingly important, so employers would do well not to lose sight of the constantly changing case law. Today we present a recent appeal decision of the Baden-Baden Regional Court (judgment of August 24, 2023 – Case No. 3 S 13/23) which, among other things, deals with the question of the scope of a request for information under data protection law.
In this decision, the Regional Court ordered the defendant company to inform the plaintiff of the name of an employee who had made repeated contact with the plaintiff via private social media channels using personal data stored by the defendant. In addition, the defendant was ordered to prohibit the employees from continuing to use the personal customer data on their private communication devices.
The decision was based on the following facts:
In 2022, the plaintiff purchased a television and accessories from the defendant company. In the process, the plaintiff’s personal data – including her name and address – were recorded and stored. A few days later, she returned the accessories she had purchased, but kept the TV set. The defendant inadvertently reimbursed her for the significantly higher purchase price of the TV set. When this error was noticed, an employee of the defendant contacted the plaintiff via private accounts of two social media services, pointed out the error and the overpayment and asked the customer to contact the defendant company. The contact was made using the plaintiff’s personal data stored by the defendant.
The customer then brought an action before the Local Court (AG Bühl, judgment of February 21, 2023 – Case No. 3 C 210/22) and demanded information about the specific employees of the defendant to whom her personal data had been disclosed or transmitted. In addition, she requested that the defendant be ordered to prohibit the employees from using her personal data on private communication devices and channels.
After the plaintiff was unsuccessful before the Local Court, she was successful in her appeal to the Baden-Baden Regional Court, and the defendant was ordered as requested in her application. According to the court, the plaintiff’s right to information arose from Article 15 (1) (c) of the GDPR, because the defendant’s employees in the specific case were to be regarded as data recipients within the meaning of Article 4 (9) of the GDPR. With this assessment, the Regional Court at first glance opposed a recent decision of the European Court of Justice (ECJ, judgment of June 22, 2023 – Case No. C-579/21), according to which employees are generally not to be regarded as data recipients within the meaning of the GDPR. However, the ECJ qualified this principle: it applies only if employees process the data in the employment context “under supervision and in accordance with the instructions of the controller”. In the present case, the processing did not take place within these limits, precisely because the employee who contacted the plaintiff acted on her own authority and used her private social media accounts. For the plaintiff, the naming of the relevant employees was also absolutely necessary in order to verify the lawfulness of the processing of her personal data and to be able to take further measures if necessary. Compared to this interest, any interest of the employee in continued anonymity was in any case less worthy of protection and therefore had to take a back seat.
The plaintiff was also successful in her claim for injunctive relief. The Regional Court considered the defendant to be under an obligation insofar as it had either passed on the plaintiff’s personal data or, in any case, had not adequately secured it against unauthorized access and use. The defendant company was responsible for and obliged to expressly instruct its employees to refrain from the continued use, in violation of instructions, of the plaintiff’s personal data collected in the course of the customer relationship.
This somewhat unusual decision shows that the right to information pursuant to Article 15 of the GDPR must not be underestimated by companies. Every claim for information, whether in the employment context or beyond, must be carefully examined and answered.
In view of this decision, employers in particular should check and ensure that all personal data with which their employees come into contact as a result of their work is processed exclusively within the scope of that work and in accordance with appropriate instructions. Any use “with a private touch” (as in the case under discussion) should be avoided at all costs.