The German Federal Labour Court (BAG) has granted an employee €200 in damages because, during a Workday software test, more personal data were disclosed than the works council agreement allowed (case no. 8 AZR 209/21). This ruling is a warning sign for all companies that handle employee data and underscores the importance of GDPR compliance.
Workday Data Leak: When a Software Test Becomes a GDPR Violation
In 2017, an international company tested the cloud‑based HR software Workday. In the process, employee data were transmitted to the group’s parent company. Although a works agreement permitted the sharing of certain data, a data leak occurred: sensitive data such as salary information and addresses were also disclosed. An employee sued.
BAG Ruling: €200 in Damages – Loss of Control Over Data Is Determinative
The BAG confirmed the GDPR violation. The unlawful disclosure of data gave rise to a damages claim of €200. What was decisive was the employee’s loss of control over his personal data.
CJEU Clarification: Works Agreements & GDPR – What Is Permitted?
Beforehand, the BAG had referred questions to the CJEU regarding the compatibility of works agreements with the GDPR. The CJEU’s answer: works agreements must themselves comply with the GDPR in order to serve as a legal basis. In the specific case, however, a review of the works agreement was not carried out at the plaintiff’s request.
GDPR & Employee Data: Consequences for Your Company
Works agreements and GDPR in harmony: Works agreements are not a carte blanche. Careful drafting and GDPR compliance are mandatory.
Data minimization – less is more: Process only the data that are strictly necessary. A thorough necessity check is essential.
Loss of control – costlier than expected: Losing control over data can lead to damages, even without direct financial harm.
GDPR compliance: how to protect yourself: Review your data‑processing procedures, draft GDPR‑compliant works agreements, train your employees, and monitor adherence to data protection requirements.
FAQ: GDPR & Employee Data – Your Questions Answered
What does “data minimization” mean under the GDPR? Only the data strictly necessary for the purpose may be collected and processed.
What role do works agreements play in data protection? They can be the legal basis for processing in the employment context, but must meet GDPR requirements.
When does a GDPR violation occur? For example, where data are processed without a legal basis or data subject rights are infringed.
What sanctions loom for GDPR violations? In addition to damages claims, fines of up to €20 million or 4% of worldwide annual turnover may be imposed.