ENG

The German Federal Labour Court refers questions on damages pursuant to Art. 82 GDPR and on the legitimacy of data processing based on a collective agreement to the ECJ

Published

Sep 26 2022

Written By

barbara geck Module
Dr. Barbara Geck

Partner
Germany

As a partner and specialist lawyer for employment law in our Frankfurt office, I head our German Employment group and I am a member of our International HR Services groups.

fabian niemann module
Dr. Fabian Niemann

Partner
Germany

I'm a technology, copyright, AI, cyber security and data protection lawyer. My ambition is to provide the best and most suitable advice to clients and, in particular, to guide them through their technology transactions, IT and data in a pragmatic, solution-driven and innovative manner.

carina wirtz Module
Carina Wirtz

Associate
Germany

I am an associate in the employment team based in Frankfurt, and I advise our international and domestic clients on all aspects of individual and collective employment law.

Related

Practices

Regions

Countries

On 22 September 2022, the Federal Labour Court (Bundesarbeitsgericht – BAG) issued an interim ruling (8 AZR 209/21) referring to the European Court of Justice (ECJ) critical questions on data protection for preliminary ruling by the ECJ. These questions relate to two topics:

  1. The requirements and calculation of claims for intangible damages pursuant to Art 82 (1) GDPR.
  2. To what extent the parties to a collective agreement, like a German Shop Agreement (Betriebsvereinbarung) may use discretion on determining how specific data processing may be legitimate and to what extent such agreements are subject to judicial review.

Requirements for damage claims under Art. 82 (1) GDPR

In doing so, the Federal Labour Court summarised the following questions in its order for referral:

  • Does the claim for compensation for non-pecuniary damage under Article 82 (1) of the GDPR require that, in addition to the infringement of privacy rights, the data subject must demonstrate a concrete damage – of some weight – suffered by him or her also in case of non-pecuniary damages (such as the actual loss of control over data)?
  • Does Article 82 (1) GDPR have a special or general preventive character which must be taken into account when assessing the amount of non-pecuniary damage to be compensated?
  • When assessing the amount of non-pecuniary damage to be compensated, does the degree of fault of the data controller or data processor matter? In particular, shall non-existent or minor fault on the part of the data controller or data processor be taken into account?

Collective agreement as legal basis under Sec. 26 FDPA?

Furthermore, questions were included in the decision dealing with the scope of assessment of the parties to a collective agreement. Specifically, questions were included as to whether

  • Sec. 26 (4) of FDPA is to be interpreted to the effect that the other provisions of the GDPR – such as Art. 5, Art. 6 (1) and Art. 9 (1) and (2) – must always be complied with;
  • if the answer is yes whether Sec. 26 (4) FDPA can be interpreted to the effect that the parties to a collective agreement (in this case the parties to a shop agreement) have a margin of discretion in assessing the necessity of data processing which is subject to only limited judicial review;
  • if yes, how the judicial review may be limited to in such a case.

Federal Labour Court sticks to its line on claims regarding non-pecuniary damages

The court decision does not come as a complete surprise with regard to the questions on the requirements for a claim for damages under Art. 82 of the GDPR and already partly coincides with the questions submitted by the Federal Labour Court in its decision (8-AZR-253-20) of 26 August 2021. In doing so, the Federal Labour Court remains true to its previous position and does not decide on the matter itself, but first passes it on to the ECJ for clarification. Still, submitting these questions the Federal Labour Court challenges the concept of German law on non-pecuniary damages also requiring a damage calculation (which could be based on court evaluations) and introduces the idea of punitive damages that is alien to German law and may other EU laws. It may therefore have effects within the whole EU and even beyond the field of data protection or labour law.

Collective Agreements as legal basis for data processing questioned

New questions are raised regarding the requirements for a collective agreement within the meaning of Sec. 26 FDPA and its relationship to the GDPR as well as the scope for assessment by the parties to the collective agreement or a court. Thus, the question arises as to which requirements are to be met in a collective and shop agreement that are to serve as a legal basis for the processing of employee data. This is likely to be of particular importance for employers who process data beyond that relevant under Sec. 26 FDPA for the "establishment of an employment relationship or, after the establishment of the employment relationship, for its implementation or termination or for the exercise or fulfilment of the rights and obligations (...) resulting from a law or a collective agreement, a works agreement or a service agreement (collective agreement)", for example for analysis purposes. While it remains to be seen what requirements this will result in for collective and shop agreements, companies should not solely rely on shop agreements when assessing the legitimacy of the processing employee data

(So far, only the result of the hearing has been published on the website of the Federal Labour Court, which can be found here (German only). )