In the event of violations of the General Data Protection Regulation (GDPR), significant fines may be imposed. Victims of the violation may also assert claims for damages.
With the entry into force of the General Data Protection Regulation – GDPR – the requirements for companies regarding data protection have increased enormously and violations of the GDPR can be costly. In cases of particularly serious violations of the protection of sensitive personal data, supervisory authorities can impose fines of up to 20 million euros or up to 4 percent of annual turnover. In addition, there may be claims for damages from those affected, explains the business law firm MTR Legal Rechtsanwälte, which also advises on IT law and data protection.
Not only customers but also employees are entitled to the protection of their data. Thus, the GDPR stipulates that employees can request information about the personal data collected and stored about them. If the employer does not fulfill their duty to provide information, the employee may have a claim for non-material damages, as shown by a judgment of the Labour Court of Oldenburg from February 9, 2023 (Ref.: 3 Ca 150/21).
In the present case, an employee requested information from his former employer about the personal data that had been processed about him. The employer provided information only after considerable delay and sparsely. The employee felt his right to information was violated and asserted claims for damages.
The lawsuit was successful. The Labor Court confirmed his claim for non-material damages amounting to 10,000 euros. The court stated that the employer did not fulfill their obligation to provide information within the prescribed period of one month. The plaintiff did not have to demonstrate what specific damage he incurred, since the claim for non-material damages is intended to have a preventive character according to the GDPR, said the court. According to the court, various factors such as the interest in information, the scope of the information provided, and the period during which the employer refused to provide information are decisive for the amount of damages.
The judgment is further evidence that companies should take data protection seriously, both with respect to customers and employees, as severe penalties may be imposed.
MTR Legal Rechtsanwälte advises on IT law and data protection law.
