BAG on GDPR compensation: "annoyance" over delayed information is not enough

Categories:

10,000 euros in damages for a delayed response to a former employee's request for information? The Duisburg Labor Court ordered a company to pay the surprisingly high sum - and was ultimately thwarted by the Federal Labor Court (BAG): although the judges could understand the anger, they did not consider it sufficient for GDPR damages.

Loss of control due to late information?

The plaintiff was employed by the defendant for the whole of December 2016 and thus for a short period of time. In 2020, he requested information about the Processing of his or her personal data in accordance with Art. 15 GDPR and received it. Two years later, in October 2022, he submitted another request for information. He wanted to check whether data was still being processed. The defendant initially did not respond, so the plaintiff repeated his request for information, setting a deadline. Only after another request did the defendant provide a response, which the plaintiff objected to as incomplete.

The plaintiff then claimed non-material damages due to loss of control over his data and demanded at least 2,000 euros in compensation. The Duisburg Labor Court ordered the defendant to pay damages in the amount of 10,000 euros. On appeal, however, the Düsseldorf Regional Labor Court dismissed the claim. The BAG ultimately confirmed this dismissal.

Data misuse must be objectively traceable

In its decision of February 20, 2025 (8 AZR 61/24), the Federal Labor Court clarifies that a claim for non-material damages under Art. 82 para. 1 GDPR only exists if a concrete damage is substantiated and proven by the claimant. First of all, the court emphasizes that only a Infringement against the General Data Protection Regulation - such as delayed information in accordance with Art. 15 GDPR - does not automatically give rise to a claim for compensation. Rather, three conditions must be met cumulatively: a Infringement against the regulation, specific damage and a causal link between the two.

In the specific case, the plaintiff had not succeeded in proving an actual loss of control over his personal data. The court pointed out that neither an unlawful outflow of data nor misuse of the data was alleged. The mere allegation of emotional reactions such as worry or anger was not legally sufficient to prove immaterial damage within the meaning of the GDPR must be justified. The decisive factor is whether there is an objectively comprehensible and justified fear of misuse of data - a merely hypothetical risk is not sufficient.

In its ruling, the BAG refers to the ECJ: "The Court of Justice of the European Union therefore only understands a loss of control to mean a situation in which the affected person has a well-founded fear of data misuse. Merely invoking a certain feeling is not sufficient. Rather, the court must examine whether the feeling "can be regarded as well-founded", taking into account the specific circumstances (ECJ C-340/21). This requires the application of an objective standard. The more serious the consequences of a breach of the General Data Protection Regulation are, the more likely it is that there is a well-founded fear of data misuse. For example, the publication of sensitive data on the internet due to a data leak will typically constitute a basis for such fears. In contrast, a mere delay in providing information does not in itself constitute a loss of control over data within the meaning of the GDPR. risk of misuse, but only a delay in providing the information."

BGH allows loss of control to suffice for GDPR damages

In contrast to the BAG, the BGH allows an alleged loss of control to be sufficient for damages.

For example, in its scraping ruling against Facebook, the Federal Court of Justice strengthened the non-material claims for damages of those affected by data protection violations. By recognizing the mere loss of control as damage, it is no longer necessary to prove concrete psychological or material consequences.

Reading tip: Facebook scraping - BGH awards users damages

In its ruling of 11 February 2025 (case no. VI ZR 365/22), the BGH also recognized that the loss of control over personal data can constitute compensable non-material damage - even without the need to prove a specific further disadvantage.

However, the BGH regularly limits the damages to a low three-digit amount - which makes the compensation almost symbolic.

Implications for practice

Affected parties In future, employees or former employees will have to present concrete and comprehensible immaterial damages. General feelings such as anger or frustration ("being annoyed") are no longer sufficient. This significantly increases the hurdles for claims for damages.

Responsible persons Companies, on the other hand, can breathe a sigh of relief Infringement against the GDPR in the employment law environment does not automatically lead to a claim for payment. Nevertheless, the obligation to provide timely and comprehensive information remains - also in order to avoid damage to the company's image and reputation.

Source: Judgment of the Federal Labor Court dated February 20, 2025 (8 AZR 61/24)

Contact us
Tags:
,
Share this post :

Popular categories

Newsletter

Subscribe to our data protection newsletter to receive the latest updates, tips and insights straight to your inbox.
Subscribe

Latest posts