Difference between revisions of "LAG Baden-Württemberg - 17 Sa 37/20"

From GDPRhub
(Created page with "{{COURTdecisionBOX |Jurisdiction=Germany |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=LArbG Baden-Württemberg |Court_With_Country=LArbG Baden-Württemberg...")
 
 
(8 intermediate revisions by 4 users not shown)
Line 4: Line 4:
 
|Court-BG-Color=
 
|Court-BG-Color=
 
|Courtlogo=Courts_logo1.png
 
|Courtlogo=Courts_logo1.png
|Court_Abbrevation=LArbG Baden-Württemberg
+
|Court_Abbrevation=LAG Baden-Württemberg
|Court_With_Country=LArbG Baden-Württemberg (Germany)
+
|Court_With_Country=LAG Baden-Württemberg (Germany)
  
 
|Case_Number_Name=17 Sa 37/20
 
|Case_Number_Name=17 Sa 37/20
Line 25: Line 25:
 
|GDPR_Article_3=Article 82 GDPR
 
|GDPR_Article_3=Article 82 GDPR
 
|GDPR_Article_Link_3=Article 82 GDPR
 
|GDPR_Article_Link_3=Article 82 GDPR
|GDPR_Article_4=Article 82(1) GDPR
 
|GDPR_Article_Link_4=Article 82 GDPR#1
 
  
  
Line 43: Line 41:
 
|Party_Link_5=
 
|Party_Link_5=
  
|Appeal_From_Body=Labour Court Ulm
+
|Appeal_From_Body=ArbG Ulm
 
|Appeal_From_Case_Number_Name=5 Ca 18/18
 
|Appeal_From_Case_Number_Name=5 Ca 18/18
 
|Appeal_From_Status=
 
|Appeal_From_Status=
Line 56: Line 54:
 
}}
 
}}
  
Regional Labour Court rules on data processing in the employment context, ensuing data transfers to a third country and potential damages suffered by such a transfer.
+
The regional court of the Land Baden-Württemberg held that a data subject was not entitled to damages under Article 82 GDPR, as the mere anticipation of future data misuse could not be considered damage. Furthermore, there should be a causal link between the violation of the GDPR and any damage suffered.  
  
 
== English Summary ==
 
== English Summary ==
  
 
=== Facts ===
 
=== Facts ===
Court holds that neither §26(1) BDSG nor Art. 6(1)f GDPR legitimize the processing of employee data for software testing purposes. In addition, there is no violation of GDPR for data transfers to a third country that occurred before 25 May 2018. Moreover, standard contractual clauses concluded before entry into force of the GDPR remain valid once GDPR has entered into force. Furthermore, the mere potential threat of loss of control over a data subject’s own data does not does not constitute damage under Art. 82 GDPR.
+
The Plaintiff worked as the defendant's employee.  Employees' data are been processed for billing purposes. For that reason plaintiff's personal data were stored by the employer. The plaintiff by his request, asked for a copy of his data stored by the employer. The request was followed by a lawsuit, from the investigation of which it emerged that the data were transferred to the US' headquarters. The transfer took place before the starting date of the regulation.  
 
 
 
 
 
=== Dispute ===
 
=== Dispute ===
Does the mere threat of a potential data misuse suffice to claim damages under Art. 82 GDPR?
+
Does the mere threat of a potential data misuse suffice to claim damages under Article 82 GDPR?
  
 
=== Holding ===
 
=== Holding ===
The Regional Labour Court maintained that the plaintiff is not entitled to damages under Art. 82 GDPR. That is for the reason that an individual is only entitled to compensation for damages they have „suffered“, hence, the damage must have in fact occurred and not merely been anticipated. In other words, only a violation of the GDPR does not suffice to claim damages. The Court furthermore stated that there needs to be a causal link between the damages suffered and the violation of the law. It is not sufficient for the damage to occur during a processing activity which at some point violated the GDPR.
+
The court held that neither §26(1) BDSG nor Article 6(1)f GDPR legitimize the processing of employee data for software testing purposes. This is due to the fact that for these two legal basis to apply, the element of necessity is lacking. Instead of actual personal data it would have sufficed to use fictitious data to test the software. In this matter the Regional Labour Court acknowledged a violation of the GDPR as well as the BDSG. Furthermore, the mere potential threat of loss of control over a data subject’s own data does not does not constitute damage under Article 82 GDPR, consequently, the plaintiff is not entitled to damages under Article 82 GDPR. That is for the reason that an individual is only entitled to compensation for damages they have „suffered“, hence, the damage must have in fact occurred and not merely been anticipated.  
 
 
The Court also ruled that Art. 6(1)f GDPR as well as §26 BDSG do not constitute a valid legal basis for the processing of employee data for the purpose of software testing. This is due to the fact that for these two legal basis to apply, the element of necessity is lacking. Instead of actual personal data it would have sufficed to use fictitious data to test the software. In this matter the Regional Labour Court acknowledged a violation of the GDPR as well as the BDSG.
 
  
It has been also maintained that the defendant did not violate the GDPR by continuing the processing by the parent company in a third country when the GDPR entered into force on 25 May 2018. This is for the reason that the defendant had concluded the EU Commission’s standard contractual clauses (SCC) before transferring the personal data to the parent company. In addition, it amended the SCC in ways that is sufficient to comply with Art. 28 GDPR.
+
It has been also maintained that the defendant did not violate the GDPR by continuing the processing by the parent company in a third country when the GDPR entered into force on 25 May 2018. This is for the reason that the defendant had concluded the EU Commission’s standard contractual clauses (SCC) before transferring the personal data to the parent company and amended the SCC in ways that is sufficient to comply with Article 28 GDPR.
  
 
== Comment ==
 
== Comment ==

Latest revision as of 15:21, 12 July 2021

LAG Baden-Württemberg - 17 Sa 37/20
Courts logo1.png
Court: LAG Baden-Württemberg (Germany)
Jurisdiction: Germany
Relevant Law: Article 6(1)(f) GDPR
Article 44 GDPR
Article 82 GDPR
§26(1) BDSG
Decided: 25.02.2021
Published:
Parties:
National Case Number/Name: 17 Sa 37/20
European Case Law Identifier:
Appeal from: ArbG Ulm
5 Ca 18/18
Appeal to:
Original Language(s): German
Original Source: Landesrechtsprechung Baden-Württemberg (in German)
Initial Contributor: Florian Kurz

The regional court of the Land Baden-Württemberg held that a data subject was not entitled to damages under Article 82 GDPR, as the mere anticipation of future data misuse could not be considered damage. Furthermore, there should be a causal link between the violation of the GDPR and any damage suffered.

English Summary[edit | edit source]

Facts[edit | edit source]

The Plaintiff worked as the defendant's employee. Employees' data are been processed for billing purposes. For that reason plaintiff's personal data were stored by the employer. The plaintiff by his request, asked for a copy of his data stored by the employer. The request was followed by a lawsuit, from the investigation of which it emerged that the data were transferred to the US' headquarters. The transfer took place before the starting date of the regulation.

Dispute[edit | edit source]

Does the mere threat of a potential data misuse suffice to claim damages under Article 82 GDPR?

Holding[edit | edit source]

The court held that neither §26(1) BDSG nor Article 6(1)f GDPR legitimize the processing of employee data for software testing purposes. This is due to the fact that for these two legal basis to apply, the element of necessity is lacking. Instead of actual personal data it would have sufficed to use fictitious data to test the software. In this matter the Regional Labour Court acknowledged a violation of the GDPR as well as the BDSG. Furthermore, the mere potential threat of loss of control over a data subject’s own data does not does not constitute damage under Article 82 GDPR, consequently, the plaintiff is not entitled to damages under Article 82 GDPR. That is for the reason that an individual is only entitled to compensation for damages they have „suffered“, hence, the damage must have in fact occurred and not merely been anticipated.

It has been also maintained that the defendant did not violate the GDPR by continuing the processing by the parent company in a third country when the GDPR entered into force on 25 May 2018. This is for the reason that the defendant had concluded the EU Commission’s standard contractual clauses (SCC) before transferring the personal data to the parent company and amended the SCC in ways that is sufficient to comply with Article 28 GDPR.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the German original. Please refer to the German original for more details.