The current ruling on the claim for damages

Düsseldorf Regional Labour Court, 12 Sa 1007/23, judgment of 10.04.2024

 

An interesting case, of the kind that only real life can write, was recently decided by the Düsseldorf Regional Labour Court. It touches on a number of interesting aspects of data protection in general and of employee data protection in particular.

The following can be stated in advance:

  • "Googling" can be expensive
  • Incomplete data protection information as part of an application process can lead to a claim for damages by the applicant.

 

What was it about?

An applicant applied to a university for a position as a fully qualified lawyer. A member of the selection committee had information that the applicant had already made several claims for compensation under the AGG in the past. 

During a subsequent Google search, the selection committee came across a Wikipedia entry which revealed that the applicant had been sentenced in the first instance, albeit not legally binding, to a suspended prison sentence of one year and four months for commercial fraud. The accusation was that he had repeatedly submitted fictitious applications in order to subsequently induce potential employers to pay compensation (in accordance with the AGG) due to alleged discrimination. This phenomenon is commonly known as "AGG hopping". The relevant information from the Wikipedia entry was documented by the selection committee and included in the application process.

The applicant was rejected, whereupon he sued and asserted various claims for compensation, including under the AGG and the GDPR.

The plaintiff was ultimately awarded compensation under Article 82 GDPR in the amount of €1,000.00 for damages resulting from the breach of information obligations.

 

Legal background

According to Article 82 (1) GDPR, any person who has suffered material or non-material damage as a result of a breach of the GDPR is entitled to compensation. The court found an infringement in the fact that the plaintiff (applicant) was not properly informed in accordance with Article 14 (1) d) GDPR regarding the processing of his personal data. Specifically, this concerned the inclusion in the application process of the information found via Google about the conviction, which was not yet legally binding.

According to the court, this also caused damage to the plaintiff. This was because the plaintiff had been turned into a "mere object" of data processing due to the lack of information and had suffered a "loss of control" regarding the use of his data.

Articles 13 and 14 GDPR relate to information obligations. According to these, the controller who processes data about certain natural persons must inform them about the processing of the data in a transparent manner and in compliance with the criteria described in the articles. Firstly, every applicant has a right to data protection information in accordance with Article 13 (1) GDPR. This is regularly either linked directly in the application process as part of an online procedure or, if applicable, made available immediately after receipt of the application.

If, in addition to the application documents already available, the employer collects further information about the applicant and considers it in the further selection process, as in this case via the Internet, there is an obligation to provide information about this as well. Under Article 14 GDPR, where data has not been obtained from the data subject (in this case the applicant/plaintiff), the controller must provide the information within one month at the latest.

The defendant employer had not done so. In the present case, the applicant should have been informed about the search and the information obtained there and its use, in particular with regard to the criminal proceedings.

 

What should companies bear in mind?

In general, the judgement provides an opportunity to reiterate some fundamental aspects of online research in application processes. HR managers should carefully consider whether and to what extent an internet search should be carried out.

Research on specific job portals, such as LinkedIn or Xing, on which the applicant has deliberately posted information for potential candidates, is of course permissible. On the other hand, researching non-public profiles in social networks is generally taboo. Restraint is also required in other respects, as the applicant's personal rights must always be taken into account.

Legally, it depends on whether obtaining further information is necessary in order to decide in favour of or against an applicant (Art. 6 para. 1 b GDPR, § 26 para. 1 BDSG). In the present case, the court affirmed the necessity: the information about a criminal conviction was of considerable importance in view of the advertised position as a fully qualified lawyer, and the selection committee also had indications of AGG complaints regarding the applicant, which led to this search.

A search in search engines without a concrete reason can be problematic, as it cannot be considered necessary without corresponding evidence. If necessary, it is better to ask the applicant directly for additional information.

However, if you decide to obtain additional information from other sources, such as search engines, and use it in the application process, it is essential to remember the subsequent obligation to provide information in accordance with Article 14 GDPR.

 

What can you learn from this?

If the provisions of the GDPR are not complied with, this can lead to compensation under Article 82 GDPR. In this case, even a lack of data protection information was enough.

 

Outlook on current case law

A number of legal issues relating to the interpretation of the GDPR have been referred to the European Court of Justice (ECJ) by the courts of first instance, which have had to rule on claims under Article 82 GDPR. Of these, two key points have now been clarified by the ECJ.

It has now been clarified that not every breach of the GDPR leads to a claim for damages. Rather, the data subject must have actually suffered damage, which they must also prove. This corresponds to the wording of Art. 82 GDPR and prevents the "boundless" assertion of claims for damages by data subjects.

However, the claim does not depend on how significant the damage is. There is no "materiality threshold", nor does Article 82 GDPR provide for one. Damages can therefore also include "mere fears or anxieties" of a data subject affected by a data protection incident that their data could be misused by third parties.

According to Article 82 GDPR, both material damage (physical or financial loss) and non-material damage (non-pecuniary loss) are covered.

Recital 85 of the GDPR contains references to possible damages, such as loss of control over their personal data or restriction of their rights, discrimination, identity theft or fraud, financial loss, unauthorised removal of pseudonymisation, damage to reputation, loss of confidentiality of data subject to professional secrecy or other significant economic or social disadvantages for the natural person concerned.

In future legal disputes, it will depend on whether a data subject can prove that they have suffered damage as a result of the breach of data protection. A mere allegation is not sufficient. However, if they succeed in proving this, fears and anxieties can also trigger a corresponding claim. There is no "materiality threshold", although the damages awarded will naturally be low in the case of minor damage and correspondingly higher in the case of more serious damage.

In the legal case described above, the Düsseldorf Regional Labour Court expressly listed a "loss of control" as damage. However, the court's reasoning on this damage was very brief, given that the damage must have been caused by the failure to provide information in good time in accordance with Art. 14 GDPR. Elsewhere, the court also points out that the plaintiff may have been denied the opportunity to make a concrete statement due to a lack of information, with possible negative effects on the application process.

As the appeal to the Federal Labour Court has been expressly permitted, it is quite possible that this case will have to be decided again by the Federal Labour Court.

 

Conclusion

In general, companies should be aware that breaches of the provisions of the GDPR can also trigger a claim for damages from data subjects. Such claims have also increased. Implementing the compliance regulations of the GDPR is the best protection here. 
