To avoid fines, the lawful processing of employee data must respect the principle regarding data retention. Employers are obliged to erase data that is no longer required, in particular regarding the publication of employee profiles or data processed in connection with COVID-19. A recent decision (Neuruppin Labor Court, December 14, 2021 – ref. 2 Ca 554/21) emphasizes once again an employer’s obligations to comply with data governance.
Facts of the case
Although the employment relationship had already ended, the employer continued to maintain the plaintiff’s employee profile on the company website. The company initially did not comply with the repeated request from the employee for the profile to be deleted. The employee complained to the State Commissioner for Data Protection after all deadlines regarding the deletion had expired and then demanded damages pursuant to the General Data Protection Regulation (the GDPR) in the amount of €5,000 for the unauthorized use of her name. The employer paid only €150 and so the employee filed an action in the Labor Court.
The Court basically confirmed the plaintiff’s claim for damages, but reduced the amount of the claim. Art. 82 of the GDPR grants a claim for compensation for the damages caused by the incorrect or unauthorized use of personal data and also includes non-material damages due to violations of the general right to privacy. The court held that a data protection violation had undoubtedly occurred because the defendant was made aware of the data protection violation and continued to maintain data about the employee on the company website for months after the employment relationship had ended. The defendant had also recognized that it had violated data protection law by complying with the plaintiff’s request to issue a cease-and-desist declaration and paying €150. In addition, pursuant to Sec. 241 (2) of the German Civil Code, the defendant had violated a general secondary obligation under the employment contract because it would have been obliged to remove all data published in connection with the plaintiff even without the notice from the plaintiff’s lawyer. The court awarded the plaintiff damages in the amount of €1,000 including the €150 already paid. The damages were held adequate in view of the warning and deterrent function of Art. 82 of the GDPR, even if the plaintiff had not presented any non-material damages.
COVID-19-related data: Deletion required
With the end of numerous COVID-19-related legal obligations, the legal requirement to collect and process certain data relating to COVID-19 has ended. This data should have been immediately deleted with the end of those legal obligations. To ensure legal compliance, employers are required to check any personal data they have collected and stored in connection with measures to combat the pandemic. If these measures, and thus the purpose of the data processing, have ceased to exist, the data must be deleted urgently. It is to be expected that data protection authorities, as stated for example by Barbara Thiel, the State Commissioner for Data Protection in Lower Saxony, “will carry out unannounced checks at companies and other institutions this year.” (press release, dated April 19, 2022)
Webinar „Artificial Intelligence and Digitalization in Labor Law“
Recent topics of employee data protection are explored with other topics in our webinar “Artificial Intelligence and Digitalization in Labor Law“, delivered in German language only, on May 12, 2022. To join, please register here.