The correct handling of personal data requires special care from employers. The German Federal Labour Court (BAG, 26.08.2021 – 8 AZR 253/20 (A)) has referred essential questions to the European Court of Justice (ECJ) for clarification. The BAG’s decision, if confirmed by the ECJ, could tighten the standard of due diligence and increase the financial risks for companies in the event of breaches of employee data protection.

Facts of the case

The case concerned material and non-material damages for breaches of data protection provisions in the employment relationship. The plaintiff worked as a system administrator in the IT department of the defendant employer, a medical service of a health insurance company (Medizinischer Dienst der Krankenkassen – MDK). Following a period of sustained illness and sickness absence beginning on November 22, 2017, the plaintiff’s health insurance company requested an occupational health report pursuant to Sec. 275 (1) sentence 1 no. 3 lit. b German Social Code V (Sozialgesetzbuch V) from the defendant MDK on June 6, 2018. The report was issued on June 22, 2018, and contained details of the plaintiff’s illness (severe depressive episode without psychotic symptoms). In order to prepare the report, which was filed electronically in accordance with MDK’s internal guidelines, the expert had telephoned the plaintiff’s primary doctor and obtained information from him.

Having been notified of this request by his own doctor, the plaintiff asked a colleague in the IT department for a copy of the information, whereupon the colleague photographed the expert opinion and sent the photographs to the plaintiff. Having received a copy of the report, the plaintiff demanded non-material damages under Art. 82 (1) General Data Protection Regulation (GDPR) in the amount of EUR 20,000 as well as material damages for the processing of his data in the amount of his lost earnings. Both the Düsseldorf Labour Court (ref. 4 Ca 6116/18) and the Düsseldorf Regional Labour Court (ref. 12 Sa 186/19) had dismissed the claim in the lower instances. They held that the data processing by MDK did not violate the provisions of the data protection legislation.

Decision

The BAG upheld the appeal. The court ruled that MDK had breached the requirements for the processing of health data set out in Art. 9 GDPR and that the plaintiff was therefore entitled to non-material damages pursuant to Art. 82 (1) GDPR. However, certain legal questions remained open, namely the admissibility of MDK’s dual role as employer and health assessor and how the damages are to be assessed. The BAG therefore referred these questions to the ECJ for a preliminary ruling pursuant to Art. 267 of the Treaty on the Functioning of the European Union (TFEU).

Possible consequences

If the ECJ confirms the BAG’s employee- and consumer-friendly interpretation, companies are likely to face far-reaching liability risks. On the one hand, it should become easier for data subjects and employees to assert claims for damages under the GDPR, and claims for non-material damages in particular should succeed more often, as plaintiffs would only have to prove the existence of a breach of the GDPR and that they were subjectively affected by it. At the same time, given the strict liability under Art. 82 (3) GDPR, data controllers could exculpate themselves only in exceptional cases, for instance where the circumstance giving rise to liability is unauthorized access by a third party that succeeded despite all necessary security measures being in place.

On the other hand, the BAG’s judgement is likely to be cited in support of arguments in existing proceedings. Finally, consumer and trade union lawyers could increasingly use data breaches, in particular cyber-attacks, as well as other breaches of the complex requirements of the GDPR, such as inadequately answered requests for information, as the basis for commercially motivated lawsuits.

Conclusion

With this order for reference, the BAG makes it clear that the careful handling of personal data cannot be valued highly enough. Violations of the GDPR can lead not only to severe sanctions by the supervisory authorities but also to substantial claims for damages from affected parties and to protracted court proceedings. Employers are advised to review their data protection structures and documentation and, where necessary, to be prepared to defend themselves against GDPR claims.