What Happened?
In the case at hand, a company transferred an employee’s personal data—including salary details, date of birth, and tax identification number—to the group’s parent company to populate a new HR software system for test purposes. The transfer was based on a previously concluded works agreement. However, the agreement only permitted the transfer of certain data, such as name, date of hire, and business contact information.
The affected employee claimed non-material damages pursuant to Article 82 (1) GDPR. While the lower courts dismissed the claim, the Federal Labor Court (Bundesarbeitsgericht, BAG) awarded the employee a modest sum of EUR 200 in damages.
The Court’s Decision
According to the BAG, the processing of personal data not authorized by the works agreement was not necessary for the establishment, performance, or termination of the employment relationship as defined by Article 6 (1) (f) GDPR. Therefore, the processing was unlawful, constituting a violation of the GDPR.
For data processing to be lawful—provided it is not required for the performance of an employment contract—the following three conditions must be met:
- A legitimate interest of the controller or a third party,
- The necessity of the data processing to pursue that interest,
- No overriding interests or fundamental rights of the data subject.
In this case, the balancing of interests was decided against the employer, particularly because the disclosure of sensitive personal data for testing purposes was deemed unnecessary. From the perspective of the court in Erfurt, it was not required to use real data to test a new HR system. Using synthetic or fictitious data would have sufficed.
The BAG explicitly recognized a claim for damages due to the loss of control over personal data, aligning itself with the case law of the Court of Justice of the European Union (CJEU). Under Article 82 GDPR, even a non-material injury, without tangible financial consequences, can give rise to compensation.
Implications for Employers
The ruling makes it clear: employers cannot rely on seemingly harmless internal data transfers during software testing. The GDPR fully applies even within a corporate group, and a works agreement cannot substitute for legal necessity or valid consent under data protection law.
Key Takeaways:
- A works agreement does not legitimize any and all data processing without limits.
- Clear boundaries must be set regarding which data can be processed and for what purposes. For test environments, real data is generally not necessary.
- Even minor breaches can lead to claims for non-material damages.
Conclusion and Practical Guidance
This decision emphasizes the importance of a responsible approach to handling employee data, including in the context of internal testing. If personal data is processed without a proper legal basis, employers may face compensation claims. Even though the amount awarded in this case was relatively small (EUR 200), repeated violations or larger volumes of sensitive data could result in significantly higher damages.
Employers should conduct a careful GDPR assessment whenever introducing or testing new software. Using synthetic test data is generally a practical and legally safer alternative.