LAG Hessen - 14 Sa 359/22: Difference between revisions
(Created page with "{{COURTdecisionBOX |Jurisdiction=Germany |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=Hessisches LAG |Court_Original_Name=Hessisches Landesarbeitsgericht |Court_English_Name=Regional Labour Court of Hessen |Court_With_Country=Hessisches LAG (Germany) |Case_Number_Name=14 Sa 359/22 |ECLI=ECLI:DE:LAGHE:2023:0127.14SA359.22.00 |Original_Source_Name_1=Hessiches LAG (Germany) |Original_Source_Link_1=https://www.lareda.hessenrecht.hessen.de/bshe/document/...") |
mNo edit summary |
||
Line 68: | Line 68: | ||
=== Facts === | === Facts === | ||
An employer dismissed an employee for having allegedly faked their sick leave. The employer also refused to provide access to the employee’s personal data following an access request pursuant to [[Article 15 GDPR|Article 15 GDPR]]. | An employer dismissed an employee for having allegedly faked their sick leave. The employer also refused to provide access to the employee’s personal data following an access request pursuant to [[Article 15 GDPR|Article 15 GDPR]]. | ||
The data subject brought action against the controller for unjustified dismissal and claimed non-material damages under [[ | |||
The data subject brought action against the controller for unjustified dismissal and claimed non-material damages under [[Article 82 GDPR]] for failure to reply to the access request. | |||
The court of first instance upheld the data subject’s claim and granted €1,000 of compensation for violations of [[Article 15 GDPR#1|Article 15(1) GDPR]]. | The court of first instance upheld the data subject’s claim and granted €1,000 of compensation for violations of [[Article 15 GDPR#1|Article 15(1) GDPR]]. | ||
The controller appealed the decision, arguing that there was no basis for the claim. The data subject appealed the decision, too. In | |||
The controller appealed the decision, arguing that there was no basis for the claim. The data subject appealed the decision, too. In the data subject's opinion, damages awarded were not sufficient. | |||
=== Holding === | === Holding === | ||
The Regional Labour Court of Hessen (Hessisches Landesarbeitsgericht) confirmed that the controller disregarded their duties pursuant to [[Article 15 GDPR|Article 15 GDPR]], as | The Regional Labour Court of Hessen (''Hessisches Landesarbeitsgericht'') confirmed that the controller disregarded their duties pursuant to [[Article 15 GDPR|Article 15 GDPR]], as they did not provide access to requested information within the deadline set forth in [[Article 12 GDPR#3|Article 12(3) GDPR]]. This led to liability for non-material damages. The Court completely refused the idea that Recital 146 GDPR can be interpreted as limiting the applicability of [[Article 82 GDPR|Article 82 GDPR]] to ''processing'' operations infringing the Regulation. To the contrary, non-compliance with an access request can give rise to damages because it occurs ''in the context'' of a processing, even if it cannot be considered "processing" itself. In addition, the Court denied that non-material damages require a certain degree of seriousness to be taken into account. | ||
The court of appeal also increased the | |||
The court of appeal also increased the total amount of the compensation to €2,000. The court stressed that damages have a special and general preventive function, alongside with a compensatory one. However, an even higher compensation was not admissible, as the lack of reply to an access request merely entails insecurity and lack of control over personal data, but not a violation of the data subject’s personality rights. | |||
== Comment == | == Comment == |
Revision as of 10:01, 15 June 2023
Hessisches LAG - 14 Sa 359/22 | |
---|---|
Court: | Hessisches LAG (Germany) |
Jurisdiction: | Germany |
Relevant Law: | Article 15(1) GDPR Article 82 GDPR |
Decided: | 27.01.2023 |
Published: | |
Parties: | |
National Case Number/Name: | 14 Sa 359/22 |
European Case Law Identifier: | ECLI:DE:LAGHE:2023:0127.14SA359.22.00 |
Appeal from: | |
Appeal to: | Unknown |
Original Language(s): | German |
Original Source: | Hessiches LAG (Germany) (in German) |
Initial Contributor: | mg |
A German Court found that failure to comply with an access request, even if it cannot be considered “processing”, can lead to non-material damages. However, compensation in this case is quantitatively limited by the fact that the data subject is not harmed in their personality rights.
English Summary
Facts
An employer dismissed an employee for having allegedly faked their sick leave. The employer also refused to provide access to the employee’s personal data following an access request pursuant to Article 15 GDPR.
The data subject brought action against the controller for unjustified dismissal and claimed non-material damages under Article 82 GDPR for failure to reply to the access request.
The court of first instance upheld the data subject’s claim and granted €1,000 of compensation for violations of Article 15(1) GDPR.
The controller appealed the decision, arguing that there was no basis for the claim. The data subject appealed the decision, too. In the data subject's opinion, damages awarded were not sufficient.
Holding
The Regional Labour Court of Hessen (Hessisches Landesarbeitsgericht) confirmed that the controller disregarded their duties pursuant to Article 15 GDPR, as they did not provide access to requested information within the deadline set forth in Article 12(3) GDPR. This led to liability for non-material damages. The Court completely refused the idea that Recital 146 GDPR can be interpreted as limiting the applicability of Article 82 GDPR to processing operations infringing the Regulation. To the contrary, non-compliance with an access request can give rise to damages because it occurs in the context of a processing, even if it cannot be considered "processing" itself. In addition, the Court denied that non-material damages require a certain degree of seriousness to be taken into account.
The court of appeal also increased the total amount of the compensation to €2,000. The court stressed that damages have a special and general preventive function, alongside with a compensatory one. However, an even higher compensation was not admissible, as the lack of reply to an access request merely entails insecurity and lack of control over personal data, but not a violation of the data subject’s personality rights.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
If you see this message, you do not have Javascript enabled in your browser. Please enable Javascript to use the application.