Ex-employee (data subject) – Court Ruling (Germany, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The data subject was an employee, the controller was the employer. On 14 January 2022, the data subject requested access to personal data from the controller under Article 15 GDPR. They did not respond. On 28 January 2022, the controller terminated the employment. On 17 February 2022, the data subject lodged a complaint with the Data Protection Authority (DPA) under Article 77 GDPR. The data subject alleged that the controller had failed to answer the access request, had taken unauthorised photographs, and had a copy of their vaccination certificate. On 24 February 2022, the employment relationship ended by a court settlement before the Labour Court. The settlement stated that all claims arising from the employment relationship and its termination, whether known or unknown and regardless of their legal basis, were settled, except for employment documents. By entering the settlement, the data subject agreed to not pursue further claims. After the settlement, the controller informed the DPA that it had not received an access request from the data subject, had not taken photographs, and had destroyed the vaccination certificate after the employee left. The data subject continued to raise issues with the DPA, including access to time-tracking data and alleged inaccuracies in the controller’s provided documents. The controller later provided partially redacted time-tracking data. On 26 July 2022, the DPA closed the administrative procedure, as it considered that the data subject no longer had a right of access under Article 15 GDPR because the settlement didn't allow for this claim. The data subject challenged the DPA’s decision before the Administrative Court. On 10 July 2024, the court dismissed the action. The data subject appealed. First, the court held that the right of access under Article 15 GDPR was, in principle, waivable. Although Article 8(2) of the Charter of Fundamental Rights protects the right of access, the court noted that data protection law is base
GDPR Articles Cited
The data subject was an employee, the controller was the employer. On 14 January 2022, the data subject requested access to personal data from the controller under Article 15 GDPR. They did not respond. On 28 January 2022, the controller terminated the employment. On 17 February 2022, the data subject lodged a complaint with the Data Protection Authority (DPA) under Article 77 GDPR. The data subject alleged that the controller had failed to answer the access request, had taken unauthorised photographs, and had a copy of their vaccination certificate. On 24 February 2022, the employment relationship ended by a court settlement before the Labour Court. The settlement stated that all claims arising from the employment relationship and its termination, whether known or unknown and regardless of their legal basis, were settled, except for employment documents. By entering the settlement, the data subject agreed to not pursue further claims. After the settlement, the controller informed the DPA that it had not received an access request from the data subject, had not taken photographs, and had destroyed the vaccination certificate after the employee left. The data subject continued to raise issues with the DPA, including access to time-tracking data and alleged inaccuracies in the controller’s provided documents. The controller later provided partially redacted time-tracking data. On 26 July 2022, the DPA closed the administrative procedure, as it considered that the data subject no longer had a right of access under Article 15 GDPR because the settlement didn't allow for this claim. The data subject challenged the DPA’s decision before the Administrative Court. On 10 July 2024, the court dismissed the action. The data subject appealed. First, the court held that the right of access under Article 15 GDPR was, in principle, waivable. Although Article 8(2) of the Charter of Fundamental Rights protects the right of access, the court noted that data protection law is base
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Ex-employee (data subject) in DE
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Ex-employee (data subject) - Germany (2025). Retrieved from cookiefines.eu
Last updated: