Düsseldorf Regional Labor Court, 12 Sa 1007/23, judgment of 10.04.2024
An interesting case, which only life can write, was recently decided by the Düsseldorf Regional Labour Court. This case concerns a number of interesting aspects of data protection in general and employee data protection.
The following can be stated in advance:
- "Googling" can be expensive
- Incomplete data protection information as part of an application process can lead to a claim for damages by the applicant.
What was it about?
An applicant applied to a university for a position as a fully qualified lawyer. A member of the selection committee had information that the applicant had already made several claims for compensation under the AGG in the past.
During a subsequent Google search, the selection committee came across a Wikipedia entry which revealed that the applicant had been sentenced in the first instance, albeit not legally binding, to a suspended prison sentence of one year and four months for commercial fraud. The accusation was that he had repeatedly submitted fictitious applications in order to subsequently induce potential employers to pay compensation (in accordance with the AGG) due to alleged discrimination. This phenomenon is commonly known as "AGG hopping". The relevant information from the Wikipedia entry was documented by the selection committee and included in the application process.
The applicant was rejected, whereupon he sued and asserted various claims for compensation, including under the AGG and the GDPR.
The plaintiff was ultimately awarded compensation under Article 82 GDPR in the amount of €1,000.00 for damages resulting from the breach of information obligations.
Legal background
According to Article 82 (1) GDPR, any person who has suffered material or non-material damage as a result of a breach of the GDPR is entitled to compensation. The court found an infringement in the fact that the plaintiff (applicant) was not properly informed in accordance with Article 14 (1) d) GDPR regarding the processing of his personal data. Specifically, this concerned the inclusion of Google information about the non-appealable conviction in the application process.
According to the court, this also caused damage to the plaintiff. This was because the plaintiff had been turned into a "mere object" of data processing due to the lack of information and had suffered a "loss of control" regarding the use of his data.
Articles 13 and 14 GDPR relate to information obligations. According to these, the controller who processes data about certain natural persons must inform them about the processing of the data in a transparent manner and in compliance with the criteria described in the articles. Firstly, every applicant has a right to data protection information in accordance with Article 13 (1) GDPR. This is regularly either linked directly in the application process as part of an online procedure or, if applicable, made available immediately after receipt of the application.
If, in addition to the application documents already available, further information about the applicant is collected and considered by the employer in the further selection process, as in this case via the Internet, there is an obligation to provide information about this as well. Article 14 GDPR states that the data controller must provide information that it has not received from the data subject (in this case the applicant/plaintiff) within one month at the latest.
The defendant employer had not done so. In the present case, the applicant should have been informed about the search and the information obtained there and its use, in particular with regard to the criminal proceedings.
What should companies bear in mind?
In general, the judgement provides an opportunity to reiterate some fundamental aspects of online research in application processes. HR managers should carefully consider whether and to what extent an internet search should be carried out.
Research on specific job portals, such as LinkedIn or Xing, on which the applicant has deliberately posted information for potential candidates, is of course permissible. On the other hand, researching non-public profiles in social networks is generally taboo. Restraint is also required in other respects, as the applicant's personal rights must always be taken into account.
Legally, it depends on whether it is necessary to obtain further information in order to decide in favour of or against an applicant. (6 para. 1 b GDPR, § 26 para. 1 BDSG). In the present case, the court affirmed the necessity, as the information about a criminal conviction was of considerable importance in view of the advertised position as a fully qualified lawyer and the selection committee also had indications of AGG complaints regarding the applicant, which led to this search.
A search in search engines without a concrete reason can be problematic, as it cannot be considered necessary without corresponding evidence. If necessary, it is better to ask the applicant directly for additional information.
However, if you decide to obtain additional information from other sources, such as search engines, and use it in the application process, it is essential to remember the subsequent obligation to provide information in accordance with Article 14 GDPR.
What should companies bear in mind?
In general, the judgement provides an opportunity to reiterate some fundamental aspects of online research in application processes. HR managers should carefully consider whether and to what extent an internet search should be carried out.
Research on specific job portals, such as LinkedIn or Xing, on which the applicant has deliberately posted information for potential candidates, is of course permissible. On the other hand, researching non-public profiles in social networks is generally taboo. Restraint is also required in other respects, as the applicant's personal rights must always be taken into account.
Legally, it depends on whether it is necessary to obtain further information in order to decide in favour of or against an applicant. (6 para. 1 b GDPR, § 26 para. 1 BDSG). In the present case, the court affirmed the necessity, as the information about a criminal conviction was of considerable importance in view of the advertised position as a fully qualified lawyer and the selection committee also had indications of AGG complaints regarding the applicant, which led to this search.
A search in search engines without a concrete reason can be problematic, as it cannot be considered necessary without corresponding evidence. If necessary, it is better to ask the applicant directly for additional information.
However, if you decide to obtain additional information from other sources, such as search engines, and use it in the application process, it is essential to remember the subsequent obligation to provide information in accordance with Article 14 GDPR.
What can you learn from this?
If the provisions of the GDPR are not complied with, this can lead to compensation under Article 82 GDPR. In this case, this even applies due to a lack of data protection information.
Outlook on current case law
A number of legal issues relating to the interpretation of the GDPR have been referred to the European Court of Justice (ECJ) by the courts of first instance, which have had to rule on claims under Article 82 GDPR. Of these, two key points have now been clarified by the ECJ.
It has now been clarified that not every breach of the GDPR leads to a claim for damages. Rather, the data subject must have actually suffered damage, which they must also prove. This corresponds to the wording of Art 82 GDPR and prevents the "boundless" assertion of claims for damages by data subjects.
However, it does not depend on the materiality of the damage. There is no "materiality threshold", nor does Article 82 GDPR provide for one. Damages can therefore also include "mere fears or anxieties" of a data subject affected by a data protection incident that their data could be misused by third parties.
According to Article 82 GDPR, both material damage (physical or financial loss) and non-material damage (non-pecuniary loss) are covered.
Recital 85 of the GDPR contains references to possible damages, such as loss of control over their personal data or restriction of their rights, discrimination, identity theft or fraud, financial loss, unauthorised removal of pseudonymisation, damage to reputation, loss of confidentiality of data subject to professional secrecy or other significant economic or social disadvantages for the natural person concerned.
In the course of future legal disputes, it will depend on whether a data subject can prove that they have suffered damage as a result of the breach of data protection. A mere allegation is not sufficient. However, if they succeed in proving this, fears and anxieties can also trigger a corresponding claim. There is no "materiality threshold", although the damages awarded will naturally be low in the case of minor damage and correspondingly higher the other way round. In the legal case described above, the Düsseldorf Regional Labour Court expressly listed a "loss of control" as damage. However, the justification of the damage in this regard was very brief in light of the fact that it must have been caused by the failure to provide information in good time in accordance with Art. 14 GDPR. Elsewhere, the court also points out that the plaintiff may have been denied a concrete statement due to a lack of information, with possible negative effects on the application process.
As the appeal to the Federal Labour Court has been expressly permitted, it is quite possible that this case will have to be decided again by the Federal Labour Court.
Conclusion
In general, companies should be aware that breaches of the provisions of the GDPR can also trigger a claim for damages from data subjects. Such claims have also increased. Implementing the compliance regulations of the GDPR is the best protection here.