Employee (data subject) – Court Ruling (Germany, 2024)

The data subject was employed by the controller and requested access to information under Article 15(1) GDPR regarding a transfer decision and a disciplinary warning. The controller responded within the deadline, providing documents and partially redacted records. The data subject claimed the information was incomplete and asserted that years of delayed access left them unable to assess how the personal data was processed. They sought immaterial damages under Article 82(1) GDPR, arguing a loss of control and uncertainty, alternatively relying on national liability doctrines. In the original decision, the labor court dismissed the claim. After a revision, the higher court awarded €2,000 in damages. Both parties appealed to the Federal Labor Court. First, the court opined that mere infringement of the right of access, and the abstract “loss of control” inherent in any such infringement, does not constitute compensable damage, as Article 82 GDPR requires a distinct, concrete harm causally linked to the violation. It considered that negative feelings or fears may qualify as immaterial damage only if objectively justified; a purely hypothetical risk of data misuse is insufficient. Unlike a data breach, delayed or incomplete access does not itself increase misuse risk. As no concrete harm was substantiated, neither GDPR-based nor alternative national-law damage claims succeeded. Hence, the court denied any compensation under Article 82(1) GDPR, as the data subject failed to demonstrate an immaterial damage had occurred.