On May 8, 2025, the Bundesarbeitsgericht (Federal Labor Court) made a significant ruling regarding employee rights under the General Data Protection Regulation (GDPR), affirming that workers can seek damages if their employer improperly transfers personal data to another company within the corporate group. This decision stems from a case involving the cloud-based HR management software, Workday, which was being tested by a leading provider of dental technology.
The case revolved around a programmer who had been employed by the company for several years and served as the chairman of the works council. In 2017, the company announced plans to implement Workday as a unified HR information management system across its operations. As part of this initiative, the company transferred the programmer's personal data from the previously used software to the parent company for testing purposes.
A company agreement was established to regulate this preliminary test operation, allowing the transfer of certain data, including the employee's name, entry date, work location, and business contact information. However, the employer went beyond the scope of this agreement, transmitting additional sensitive information such as salary details, private addresses, dates of birth, marital statuses, social security numbers, and tax IDs.
In light of these unauthorized data transfers, the programmer sought damages amounting to 3,000 euros, citing a violation of the GDPR. He argued that the employer exceeded the permissible boundaries outlined in the company agreement. Initially, the lower courts in Baden-Württemberg dismissed his claims, prompting the programmer to escalate the matter to the Federal Labor Court.
On September 22, 2022, the Federal Labor Court suspended the revision proceedings and referred the case to the European Court of Justice (ECJ) for clarification on the interpretation of Union law regarding data protection. The ECJ responded on December 19, 2024, affirming that company agreements must comply with the general requirements of the GDPR, including data minimization principles.
Following the ECJ's ruling, the Federal Labor Court reviewed the case and determined that the programmer was entitled to damages of 200 euros due to the loss of control over his personal data resulting from the transfer to the parent company. The court ruled that the transfer of personal data beyond what was permitted by the company agreement was not necessary, violating the GDPR's stipulations.
The court's decision underscores the importance of strict adherence to data protection laws and emphasizes that employees have rights regarding their personal information, especially in corporate environments where data handling is critical. The ruling serves as a cautionary tale for employers about the necessity of complying with data protection regulations and the potential consequences of failing to do so.
Legal experts suggest that HR professionals should maintain close communication with data protection officers, particularly when implementing large projects like software introductions. This collaborative approach is essential to ensure compliance with complex data protection requirements and to safeguard employee information.
The case has broader implications for data protection practices within organizations, highlighting the need for transparency and accountability in how personal data is managed. As businesses increasingly rely on cloud-based solutions and data sharing, understanding the legal framework surrounding data protection becomes paramount.
This ruling is a reminder that violations of data protection laws can lead to significant legal repercussions for companies, not only in terms of financial penalties but also in terms of reputational damage. Employees are empowered to assert their rights, and organizations must take proactive steps to ensure compliance with data protection regulations.
In conclusion, the Federal Labor Court's ruling on May 8, 2025, marks a pivotal moment in the enforcement of data protection rights for employees in Germany. As the legal landscape surrounding data privacy continues to evolve, it is crucial for employers to prioritize compliance and foster a culture of respect for personal data.
