Too much data in the cloud: employee receives compensation under the GDPR

An employee can assert a claim for damages due to a breach of the General Data Protection Regulation (GDPR) if the employer transfers too much personal information about them directly or indirectly via another company to the cloud. This was clarified by the Federal Labor Court in a ruling on Thursday (Ref.: 8 AZR 209/21). However, the plaintiff will not get rich: he had demanded 3,000 euros as compensation for the non-material damage suffered. The judges in Erfurt, however, set his claim at 200 euros plus interest of five percentage points above the respective prime rate since the GDPR 2018 came into force.

The defendant company had been processing its employees' personal data in-house for many years, including for payroll purposes, using HR management software. In 2017, it planned to switch to the cloud-based solution Workday across the group. The company then transferred the plaintiff's personal data from the previously used software to the group's parent company in order to initially fill the cloud version for test purposes. The provisional operation of Workday was regulated in a works agreement on a tolerated basis.

According to the agreement, the defendant was permitted to transfer the employee's name, start date, place of work, company, business telephone number and email address to a server in the USA. However, the company did not leave it at that, but also sent further data of the plaintiff such as salary information, private residential address, date of birth, marital status, social security number and tax ID.

Plaintiff suffered loss of control

In February 2021, the Baden-Württemberg Regional Labor Court initially denied the claim for damages of the person concerned (Ref.: 17 Sa 37/20). According to this court, a works agreement could have justified data processing even if the latter would not have been permitted at all on the basis of the statutory permissions. The plaintiff's appeal against this ruling before the 8th Senate of the Federal Labor Court has now been at least partially successful. According to the Erfurt judges, to the extent that the defendant company had transferred personal data other than that permitted under the works agreement to the group parent company, this was not necessary and was to be regarded as a GDPR violation.

The Federal Labor Court ruled that the non-material damage suffered by the plaintiff was the loss of control that the employee had suffered as a result of the transfer of excessive information to the parent company. The court no longer had to examine whether the works agreement was structured in such a way that it complied with the GDPR requirements: the plaintiff had stated at the hearing that he would no longer argue whether the transfer of the data covered by the agreement with the works council was also unnecessary.

In the meantime, the 8th Senate had referred the matter to the European Court of Justice (ECJ) in order to clarify open questions of EU law. The Court recently made it clear that a works agreement must contain clear guidelines on the processing of employee data. The GDPR must be observed as a guideline. Furthermore, it is not sufficient to merely state the company's obligations superficially in a works agreement.

(nie)