LaborLawMagazine is part of the GermanLawInternational platform.


Loss of control as damage

In its ruling of 8 May 2025 (8 AZR 209/21), the German Federal Labor Court (“Bundesarbeitsgericht” – BAG) awarded an employee, who was also the chairman of the works council, non-material damages of €200 for a data protection violation. According to the published press release, the case concerned the unlawful intra-group transfer of employees’ personal data during a trial run of the cloud-based HR software “Workday”. The BAG recognized the loss of control over one’s own personal data as compensable damage. The BAG is thus in line with the case law of the Federal Court of Justice (“Bundesgerichtshof” – BGH). In its much-discussed “scraping” ruling against Facebook, the BGH lowered the hurdles for non-material damages by recognizing the damage solely on the basis of the loss of control over one’s own data.

Background

The case centered on the group-wide introduction of “Workday” as a uniform personnel information management system. Before its official roll-out, real employee data was to be used for testing purposes. For this, the German employer transferred employees’ personal data to the group parent company in the United States. To provisionally launch Workday for testing, the employer entered into a “tolerance works agreement” with the works council. This works agreement permitted the transfer of certain basic data (name, date of entry, place of work). However, the employer actually transferred additional personal information, some of which was particularly sensitive, to the US parent company. This included salary information, social security number, tax ID, private home address, date of birth, age, and marital status.

The plaintiff, also the works council chair, sued for €3,000 in non-material damages. He argued that the processing was unnecessary – neither for the employment relationship, as the data had previously been stored in SAP, nor for the test phase of Workday, which could have been conducted with anonymized or fictitious data. In addition, the permitted scope of data transfer under the works agreement had been exceeded, as significantly more personal data had been transferred to the US parent company. This unlawful transfer, he claimed, resulted in loss of control over his data.

Lower courts rejected claim – BAG grants damages

The lower courts rejected the compensation claim. The BAG, however, awarded the plaintiff damages in the amount of €200. It confirmed that the transfer of personal data to the US parent company constituted a violation as it went beyond the permitted scope of the works agreement and was therefore not necessary within the meaning of art. 6 (1) (f) GDPR. The BAG then based the non-material damages on the loss of control caused by the transfer of personal data to the US parent company.

The BAG considered the amount of €200 to be proportionate and reasonable. It did not consider the €3,000 originally claimed to be justified.

No review of the works agreement

Ultimately, the BAG did not have to rule on the data protection law compliance of the works agreement itself. It had previously referred two questions to the European Court of Justice (ECJ) regarding the admissibility of collective agreements under data protection law pursuant to art. 88 (1) and (2) GDPR (Case C-65/23 – K GmbH). However, during the oral hearing, the plaintiff expressly waived further claims on the unlawfulness of the data processing covered by the works agreement. This meant that this aspect was unfortunately no longer relevant to the decision.

ECJ: works agreements must comply with GDPR standards

The ECJ’s decision of 19 December 2024 (C-65/23 – K GmbH) remains highly relevant in practice when assessing the data protection compliance of works agreements. The key points are that works agreements as a legal basis may specify the general principles of the GDPR, but cannot change or contradict them. In particular, according to the ECJ, the high level of protection for employees’ freedoms and fundamental rights must be guaranteed. Determining the “necessity” of data processing under a collective agreement is subject to full judicial review according to GDPR principles. The level of protection provided by the GDPR cannot be lowered even in view of the works parties’ proximity to the subject matter.

Loss of control as damage – comparison with the BGH “scraping” decision

While €200 may not seem like much, the damages awarded by the BAG are twice as high as those deemed appropriate by the BGH against Facebook. The BGH had made it clear that damages for mere loss of control could not be too high and had awarded “only” €100 in the specific case.

In the scraping case, a large-scale data theft from Facebook led to the publication of stolen data online. The plaintiff argued that since the incident, he had occasionally received unknown contact attempts via text message and email. These contained messages with obvious attempts at fraud and phishing attacks. The BGH ruled that the arguments regarding the loss of control due to the scraping incident and the particular fears and efforts arising from this were sufficient.

As only a press release is available on the case decided by the BAG, it remains to be seen what the plaintiff argued in detail about the loss of control and how the BAG assessed this.

Practical implications

By affirming that damage can be claimed for mere loss of control, the decision has significant practical implications in the employment law context. The full reasoning of the BAG is awaited.

Due to the low threshold for proving damage, it can be expected that more employees will invoke data protection violations to assert claims for damages in future. This is particularly relevant in the context of separation discussions and restructuring. Data protection violations are often used as a strategic lever in dismissal disputes. The BAG decision now makes it easier for employees to assert claims for non-material damages against their employer with relatively little substantiation. The prerequisite is that a violation of personal data has occurred or at least cannot be ruled out. In such cases, however, the loss of control over one’s own data is sufficient to constitute damage.

Carefully assessing the necessity of data processing is one of the key tasks when introducing new IT systems. The case shows that the GDPR requirements apply not only at final implementation but also during testing phases. It must be checked whether anonymized or fictitious data would suffice for the test run.

This applies regardless of whether a works council exists. When planning and negotiating works agreements, employers and works councils should not only consider co-determination issues, but also data protection aspects and incorporate the legal guidelines of the ECJ into their planning at an early stage. If works agreements do not stand up to judicial review and constitute a violation of personal data, the way is open for claims for immaterial damages by a large number of potentially affected parties.

Author

Janine Krupa-Soltane, LL.M.

Taylor Wessing, Munich
Attorney-at-Law


j.krupa-soltane@taylorwessing.com
www.taylorwessing.com