Court case 17 Sa 37/20 – Court Ruling (Germany, 2021)

The Plaintiff worked as the defendant's employee. Employees' data are been processed for billing purposes. For that reason plaintiff's personal data were stored by the employer. The plaintiff by his request, asked for a copy of his data stored by the employer. The request was followed by a lawsuit, from the investigation of which it emerged that the data were transferred to the US' headquarters. The transfer took place before the starting date of the regulation. Does the mere threat of a potential data misuse suffice to claim damages under Article 82 GDPR? The court held that neither §26(1) BDSG nor Article 6(1)f GDPR legitimize the processing of employee data for software testing purposes. This is due to the fact that for these two legal basis to apply, the element of necessity is lacking. Instead of actual personal data it would have sufficed to use fictitious data to test the software. In this matter the Regional Labour Court acknowledged a violation of the GDPR as well as the BDSG. Furthermore, the mere potential threat of loss of control over a data subject’s own data does not does not constitute damage under Article 82 GDPR, consequently, the plaintiff is not entitled to damages under Article 82 GDPR. That is for the reason that an individual is only entitled to compensation for damages they have „suffered“, hence, the damage must have in fact occurred and not merely been anticipated. It has been also maintained that the defendant did not violate the GDPR by continuing the processing by the parent company in a third country when the GDPR entered into force on 25 May 2018. This is for the reason that the defendant had concluded the EU Commission’s standard contractual clauses (SCC) before transferring the personal data to the parent company and amended the SCC in ways that is sufficient to comply with Article 28 GDPR.