Callcenter – Court Ruling (Germany, 2024)

The controller (employer) and the data subject (employee) disagreed about the immaterial damages according to Article 82(1) GDPR. The data subject first demanded the removal of two written warnings (one for a data protection violation) from their personnel file on 12 July 2022 which they had received on 29 June 2022. On 13 July 2022, the data subject also sent the controller a request pursuant to Article 15 GDPR and demanded a copy of their personal data. The controller complied on 30 August 2022 and informed the data subject of the data that is processed, but did not include copies of documents. On 02 February 2023, the data subject filed a lawsuit to demand that the controller hands over a copy of the data and €3,000 in compensation (Article 82(1) GDPR) due to a belated and incomplete provision by the controller. The subject alleged that they suffered immaterial damages due to the loss of control over their data. On 01 June 2023, the parties reached a partial settlement before the Labour Court Mainz. The controller agreed to remove both written warnings from the personnel file of the data subject, supply copies of the processed data in the future, and let the data subject access the file after 31 August 2023, while the subject in turn agreed to be more careful in the future about who is included in the mailing list as to not cause another data protection violation. The Labour Court sentenced the controller to pay €1,000 (as opposed to the initially suggested €3,000) to the data subject. The controller appealed this decision and argued that not every violation against the GDPR could constitute immaterial damages and that the other party needed to prove the damages. In case of the data subject, it alleged it needed to be proven how the loss of control caused damages, and that the data was not lost, but lawfully processed. The data subject responded by requesting a dismissal of the appeal and to be paid another €2,000 by the controller for the failure to timely a