In a recent ruling dated 20 February 2025 (Ref.: 8 AZR 61/24), the Federal Labour Court (BAG) once again addressed the requirements for claims for non-pecuniary damages under the General Data Protection Regulation (GDPR). Since claims for non-material damages in particular involve a multitude of legal issues, we would like to take the BAG's ruling as an opportunity to once again highlight the practical relevance of these issues and to classify the BAG's statements in the context of previous case law.
Even though the BAG did not ultimately have to deal in detail with the somewhat complicated facts of the case and the associated legal issues surrounding the provision of information in accordance with Art. 15 GDPR, the key facts of the case are outlined below. The first-instance decision of the Duisburg Labour Court in particular impressively demonstrates how avoidable ‘trouble’ can arise as a result of providing incorrect information.
1. The facts
In a letter dated 1 October 2022, an employee requested his former employer to provide him with information and a copy of his data by 16 October 2022 on the basis of Art. 15 GDPR. The aforementioned provision obliges the controller (in this case, the employer) to provide comprehensive information on data processing. According to Art. 15(1) GDPR, the information provided must include, in particular, information on the data processed, the purposes of processing, the recipients of personal data and the duration of data processing. According to Art. 15(3) GDPR, the data subject may also request a ‘copy’ of their personal data. The right to information is intended to enable data subjects in particular to assess the lawfulness of data processing and, if necessary, to assert further claims (such as the right to erasure under Art. 17 GDPR).
When the employer did not respond to the first letter within the set deadline, the employee sent a reminder letter on 21 October 2022 requesting the desired information and setting a further deadline of 31 October 2022. In a letter dated 27 October 2022 – i.e. still within the one-month period specified in Art. 12(3) GDPR – the employer then provided initial information and a copy of the data still stored by it. However, in a letter dated 4 November 2022, the employee concerned pointed out that the information provided was not only late but also deficient in terms of content. There was a lack of specific information on the duration of data storage, the recipients of the data were not named, and the data copy was incomplete. In a letter dated 11 November 2022, the employer then asked the data subject to further specify his request for information on the recipients of data and the details of the storage period. In a letter dated 18 November 2022, the employee concerned then pointed out that all specific recipients of his data had to be disclosed and that the storage period for data processing also had to be specified in full.
It was not until a letter dated 1 December 2022 – two months after the initial request for information – that the employer responded again, providing further details on the information that was still outstanding. In any case, with this last letter from the employer, all information was provided in full in accordance with Art. 15 GDPR.
2. The decisions in the previous instances
The Duisburg Labour Court ruled in favour of the plaintiff in the first instance and ordered the employer to pay 10,000 euros in damages (judgment of 26 September 2024, ref. 3 Ca 77/24). The Labour Court clarified that the mere fact that the information was not provided immediately (i.e. without culpable delay) was sufficient to justify a claim for non-material damages. In particular, the employer had not explained why it had taken almost four weeks to provide the information for the first time, even though all of the plaintiff's data had already been prepared and compiled two years earlier as a result of a request for information from the employee concerned in 2020. Furthermore, the information about the specific recipients of the processed data and the storage period was provided outside the one-month period specified in Art. 12(3) GDPR and was therefore provided late.
In the appeal lodged by the employer, the Düsseldorf Regional Labour Court rejected a corresponding claim for damages, justifying its decision, among other things, on the grounds that in the case of delayed or incomplete data disclosure, there was no data processing within the meaning of Art. 4 No. 2 GDPR (judgment of 28 November 2023, Ref. 3 Sa 285/23). In addition, the employee concerned had failed to sufficiently substantiate any immaterial damage. In its reasoning, the Düsseldorf Regional Labour Court states in paragraph 42:
"Even if a loss of control can in itself justify immaterial damage, as already apparent from recitals 75 and 85 of the GDPR, blanket assertions and generalities are not sufficient; rather, it must be comprehensibly justified what the immaterial damage consists of. If the alleged damage – as claimed here – consists of a ‘standard damage’ resulting from the loss of control, it must nevertheless be justified individually, beyond the standard, what specific loss of control the plaintiff fears. Otherwise, it would remain a mere empty phrase."
3. The decision of the Federal Labour Court
The ruling of the Federal Labour Court of 20 February 2025 confirms the decision of the Düsseldorf Regional Labour Court and now definitively rejects the employee's claim for damages. The Federal Labour Court justified its decision on the grounds that the plaintiff had not sufficiently substantiated his damage and that the mere feeling of disturbance and the merely perceived loss of control over personal data were not sufficient to justify a claim for damages under Article 82 of the GDPR. The damage claimed must be objectively verifiable and not based solely on subjective feelings, such as the mere feeling of a loss of control. In paragraph 17 of its reasoning, the Federal Labour Court states:
"The Court of Justice of the European Union (hereinafter referred to as the Court) therefore understands a loss of control to mean only a situation in which the data subject has a well-founded fear of data misuse (see BSG 24 September 2024 - B 7 AS 15/23 R - para. 31). Merely invoking a certain emotional state is not sufficient. Rather, the court must examine whether, taking into account the specific circumstances, the feeling "can be regarded as justified. [...]
The more serious the consequences of a violation of the General Data Protection Regulation, the more likely it is that there will be a well-founded fear of data misuse. For example, the publication of sensitive data on the internet due to a data leak will typically constitute a basis for such fears. On the other hand, a delay in providing information does not in itself constitute a loss of control over data in the sense of a risk of misuse, but only a delay in providing the information."
In the opinion of the BAG, objectively verifiable circumstances must therefore always be presented in order to justify a claim for immaterial damages. The BAG distinguishes between situations in which a loss of control can ‘typically’ be affirmed and situations that do not present a corresponding potential for misuse.
The BAG also refers to "a [conceivable] damage in the form of negative feelings" as a result of the delayed provision of information and has further clarified the previous statements in margin number 21:
"The delayed fulfilment of the right to information inevitably raises concerns about a breach of other obligations under the General Data Protection Regulation. This may be seen as a special form of loss of control in the revision, but it can also be understood as a separate case group. Ultimately, this question of classification is not relevant to the decision. If invoking such abstract fears were sufficient to assume damage, any violation of Art. 15 GDPR – if such a violation could justify a claim for damages under Art. 82(1) GDPR – would lead to immaterial damage. The independent prerequisite of damage would thus become meaningless."
The crux of the BAG's decision is thus the existence of actual damage and the requirements for substantiating it.
4. A comparison with previous case law of the BGH
With its latest ruling, the BAG appears to be in conflict with the previous case law of the Federal Court of Justice (BGH). The BGH had already dealt with claims for damages under the GDPR on several occasions and had established guidelines for asserting non-material damage. In a landmark decision, the Federal Court of Justice had already ruled that an alleged loss of control over one's own data can be sufficient to justify a claim for damages under Article 82 GDPR (judgment of 18 November 2024, ref. VI ZR 10/24). However, the specific case concerned a data leak at Facebook, which was also addressed in the ruling of the Federal Labour Court (BAG), which led to the unauthorised publication of personal data. Nevertheless, the Federal Court of Justice clarified that an alleged loss of control neither had to be particularly significant nor could it be further objectified. This fundamental view of the Federal Court of Justice was confirmed once again in another judgment, which concerned violations in the design of access rights to personnel files (judgment of 11 February 2025, ref. VI ZR 365/22). In the aforementioned ruling, the Federal Court of Justice argued that the damage already lay in the temporary loss of control over the personal data, without there having to be a further identifiable violation of personal rights.
5. Significance for practice
In our opinion, on closer inspection, the ruling of the Federal Labour Court does not directly contradict the previous case law of the Federal Court of Justice. The Federal Labour Court merely correctly pointed out that in the case it had to decide, there were relevant differences to the previous cases before the Federal Court of Justice, which allowed for a different legal assessment. For example, it plays a decisive role whether there is a data leak as a result of which data is actually disclosed to unauthorised third parties, or whether it is ‘only’ a case of delayed and/or incomplete disclosure of information. While the facts of the case to be decided by the Federal Court of Justice presented circumstances which, in the opinion of the Federal Labour Court, ‘typically’ give rise to fears of a loss of control, the delayed provision of information is merely a (formal) violation of data protection regulations. Further circumstances justifying a loss of control as immaterial damage were not presented in the case decided by the Federal Labour Court.
It is therefore important to keep a close eye on how the Federal Labour Court rules and justifies its future decisions when it has to decide on a case similar to the one before the Federal Court of Justice. Very recently, for example, the BAG awarded an employee immaterial damages of EUR 200 as a result of a loss of control (judgment of 8 May 2025, ref.: 8 AZR 209/21 – cf. the press release published to date). In this case, the Federal Labour Court had to rule on a situation in which an employee's personal data was transferred within a group of companies when using the ‘Workday’ personnel management software without there being any legal basis for data protection. The situation is similar to the cases before the Federal Court of Justice, as it again concerns an – objectively verifiable – transfer of data to third parties. Even though the grounds for the ruling are not yet available, it can be assumed that the Federal Labour Court ‘typically’ assumed a loss of control in this case.
Note: We will revisit the Federal Labour Court's decision of 8 May 2025 as soon as the grounds for the ruling are available.
The statements made by the BAG in its ruling of 20 February 2025 should therefore not be understood in a generalised manner to mean that the mere loss of control is not to be regarded as immaterial damage within the meaning of Article 82 of the GDPR. The BAG's decision is ultimately in line with previous practice, according to which the specific circumstances of each individual case are always decisive.
Nevertheless, the current ruling of the BAG is to be viewed positively by employers and welcomed accordingly. It sets clear limits for those affected and increases the requirements for asserting claims for non-material damages under the GDPR. In our opinion, the legal opinion of the BAG is understandable and complies with the general requirements of the Code of Civil Procedure. If any subjective perception were to suffice for the existence of non-material damage, there would no longer be any tangible obstacles to asserting a corresponding claim for damages.
Even though the BAG did not have to deal with the delayed provision of information in detail due to the lack of evidence of the alleged damage, the facts of the case should nevertheless be taken as an opportunity to take a closer look at complaint management in companies, which is extremely relevant in practice. It must be understood as a minimum requirement that companies have firmly established processes and template documents in place which, on the one hand, reflect the requirements of the GDPR and, on the other hand, enable the timely fulfilment of data subjects' rights. We are happy to assist you in this regard.