Violations of the General Data Protection Regulation (GDPR) may lead to heavy fines. What’s more, those impacted by a violation can file claims for compensation.
The entry into force of the GDPR brought with it an enormous increase in the demands placed on businesses with regard to the protection of data. Infringing the Regulation can prove to be a costly mistake. Indeed, in cases involving serious infringements relating to the protection of sensitive personal data, the regulatory authorities can impose fines of up to 20 million euros or up to 4 percent of annual turnover. MTR Legal Rechtsanwälte – a commercial law firm whose areas of expertise include IT law and data protection – notes that there is also the prospect of those affected asserting claims for compensation.
And it is not only customers who are entitled to have their data protected, but employees as well. The GDPR stipulates that employees have the right to demand information about their personal data that has been collected and stored. If the employer fails to comply with its obligation to provide information, the employee can bring a claim for non-material damages. That was the outcome, for instance, of a case adjudicated by the Arbeitsgericht Oldenburg – Oldenburg’s labor court – on February 9, 2023 (case ref.: 3 Ca 150/21).
The plaintiff in this case was an ex-employee who had demanded that his former employer provide him with information about any personal data pertaining to him that had been processed by the latter. It was only after a considerable delay that the employer provided what was ultimately only limited information. The employee viewed this as a failure to respect his right to information and subsequently sued for compensation.
Ruling in his favor, the Labor Court awarded the employee compensation for non-material damages in the amount of 10,000 euros, citing the employer’s failure to comply with its obligation to provide information within the prescribed period of one month. The Court held that the plaintiff was not required to show what concrete damage he had suffered, since the claim for non-material damages was intended to have a preventative character according to the GDPR. A number of factors were said to be determinative of the amount of compensation due, such as the interest in disclosure, the scope of the information provided, and the timeframe during which the employer refused to provide the information.
This ruling is yet another reminder that businesses, if they wish to avoid severe penalties, ought to take the protection of data seriously with respect to both customers and employees.
MTR Legal Rechtsanwälte advises clients on IT law and data protection law.