Court case 14 Sa 359/22 – Court Ruling (Germany, 2023)

An employer dismissed an employee for having allegedly faked their sick leave. The employer also refused to provide access to the employee’s personal data following an access request pursuant to Article 15 GDPR. The data subject brought action against the controller for unjustified dismissal and claimed non-material damages under Article 82 GDPR for failure to reply to the access request. The court of first instance upheld the data subject’s claim and granted €1,000 of compensation for violations of Article 15(1) GDPR. The controller appealed the decision, arguing that there was no basis for the claim. The data subject appealed the decision, too. In the data subject's opinion, damages awarded were not sufficient. The Regional Labour Court of Hessen (Hessisches Landesarbeitsgericht) confirmed that the controller disregarded their duties pursuant to Article 15 GDPR, as they did not provide access to requested information within the deadline set forth in Article 12(3) GDPR. This led to liability for non-material damages. The Court completely refused the idea that Recital 146 GDPR can be interpreted as limiting the applicability of Article 82 GDPR to processing operations infringing the Regulation. To the contrary, non-compliance with an access request can give rise to damages because it occurs in the context of a processing, even if it cannot be considered "processing" itself. In addition, the Court denied that non-material damages require a certain degree of seriousness to be taken into account. The court of appeal also increased the total amount of the compensation to €2,000. The court stressed that damages have a special and general preventive function, alongside with a compensatory one. However, an even higher compensation was not admissible, as the lack of reply to an access request merely entails insecurity and lack of control over personal data, but not a violation of the data subject’s personality rights.