Avalang: Created page with “{{COURTdecisionBOX |Jurisdiction=Germany |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=LAG Düsseldorf |Court_Original_Name=Landesarbeitsgericht Düsseldorf |Court_English_Name=Regional Labour Court Düsseldorf |Court_With_Country=LAG Düsseldorf (Germany) |Case_Number_Name=3 Sa 285/23 |ECLI=ECLI:DE:LAGD:2023:1128.3SA285.23.00 |Original_Source_Name_1=Justiz NRW |Original_Source_Link_1=https://nrwe.justiz.nrw.de/arbgs/duesseldorf/lag_duesseldorf/j2023…”
|Jurisdiction=Germany
|Court-BG-Color=
|Courtlogo=Courts_logo1.png
|Court_Abbrevation=LAG Düsseldorf
|Court_Original_Name=Landesarbeitsgericht Düsseldorf
|Court_English_Name=Regional Labour Court Düsseldorf
|Court_With_Country=LAG Düsseldorf (Germany)
|Case_Number_Name=3 Sa 285/23
|ECLI=ECLI:DE:LAGD:2023:1128.3SA285.23.00
|Original_Source_Name_1=Justiz NRW
|Original_Source_Link_1=https://nrwe.justiz.nrw.de/arbgs/duesseldorf/lag_duesseldorf/j2023/NRWE_LAG_D_sseldorf_3_Sa_285_23_Urteil_20231128.html
|Original_Source_Language_1=German
|Original_Source_Language__Code_1=DE
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=
|Date_Decided=28.11.2023
|Date_Published=28.11.2023
|Year=2023
|GDPR_Article_1=Article 4(2) GDPR
|GDPR_Article_Link_1=Article 4 GDPR#2
|GDPR_Article_2=Article 12(3) GDPR
|GDPR_Article_Link_2=Article 12 GDPR#3
|GDPR_Article_3=Article 15 GDPR
|GDPR_Article_Link_3=Article 15 GDPR
|GDPR_Article_4=Article 82(1) GDPR
|GDPR_Article_Link_4=Article 82 GDPR#1
|GDPR_Article_5=
|GDPR_Article_Link_5=
|GDPR_Article_6=
|GDPR_Article_Link_6=
|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=
|National_Law_Name_1=
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Link_2=
|Party_Name_1=Ex-employee (data subject)
|Party_Link_1=
|Party_Name_2=Employer (controller)
|Party_Link_2=
|Party_Name_3=
|Party_Link_3=
|Party_Name_4=
|Party_Link_4=
|Appeal_From_Body=AG Duisburg (DE)
|Appeal_From_Case_Number_Name=3 Ca 44/23
|Appeal_From_Status=
|Appeal_From_Link=https://nrwe.justiz.nrw.de/arbgs/duesseldorf/arbg_duisburg/j2023/3_Ca_44_23_Urteil_20230323.html
|Appeal_To_Body=Bundesarbeitsgericht (DE)
|Appeal_To_Case_Number_Name=8 AZR 61/24
|Appeal_To_Status=Appealed – Confirmed
|Appeal_To_Link=https://openjur.de/u/2515722.html
|Initial_Contributor=avalang
|
}}
A court held that the delayed or initially incomplete fulfillment of an information request based on [[Article 15 GDPR|Article 15 GDPR]] does not constitute non-material damages under [[Article 82 GDPR|Article 82 GDPR]] because it is not a data processing violation.
== English Summary ==
=== Facts ===
The data subject was employed by the controller in December 2016.
In October 2022, the data subject requested access to their personal data under [[Article 15 GDPR|Article 15 GDPR]], which the controller complied with. The data subject then sent another request and set a deadline until 16 October 2022. The controller did not respond by that date, and after multiple reminders and new deadlines, it provided a response that was delayed and incomplete, missing data on storage duration and recipients.
The controller later supplemented the information by early December 2022.
The data subject claimed that the controller violated its [[Article 15 GDPR|Article 15 GDPR]] duties by failing to provide timely and complete information, causing immaterial harm (loss of control over data). They sought compensation under [[Article 82 GDPR|Article 82 GDPR]].
In the previous decision, the lower court awarded €10,000. The controller appealed the decision.
=== Holding ===
First, the court held that a delayed or initially incomplete data access response does not constitute “data processing” as defined in [[Article 4 GDPR#2|Article 4(2) GDPR]]. It pointed out that a missed or belated answer is not an active processing act but “non-processing” of data, and thus cannot trigger compensation under [[Article 82 GDPR|Article 82 GDPR]], which requires an actual unlawful processing breach.
The court also held that an immaterial damage claim must be tied to concrete harmful processing. Generalized assertions like “loss of control” or “frustration” are insufficient and must be proven.
As a result, the court amended the first-instance decision and dismissed the data subject’s claim for non-material damages.
Revision (appeal) to the Federal Labour Court was permitted.
== Comment ==
A further decision is expected under BVerfG – 1 BvR 1490/25.
== Further Resources ==
”Share blogs or news articles here!”
== English Machine Translation of the Decision ==
The decision below is a machine translation of the German original. Please refer to the German original for more details.
<pre>
1. FACTS OF THE CASE:
2. The parties are in dispute regarding the plaintiff’s claim for payment of non-material damages pursuant to Article 82 GDPR.
3. The plaintiff was employed by the defendant’s predecessor in title at the Duisburg location from December 1 to 31, 2016.
4. In 2020, the defendant, upon his request, provided him with information pursuant to Article 15 GDPR by letter dated September 7, 2020, the contents of which are set out on pages 155 et seq. of the first-instance file.
5. By letter dated October 1, 2022 (page 18 of the first-instance file), received on the same day, the plaintiff requested the defendant to provide him (again) with information and a copy of his data by October 16, 2022, based on Article 15 GDPR. When the defendant failed to respond, the plaintiff, by letter dated October 21, 2022 (page 21 of the first-instance file), received on the same day, reiterated the requested information, setting a further deadline of October 31, 2022. By letter dated October 27, 2022, the contents of which are set forth on pages 24 et seq. of the first-instance file, the defendant provided information and a copy of the data still stored. By letter dated November 4, 2022 (pages 53 et seq. of the first-instance file), the plaintiff pointed out to the defendant that the information provided was not only late but also deficient in content. It lacked specific details regarding the duration of data storage, the recipients of the plaintiff’s data were not identified, and the data copy was incomplete. Reference is made to the further content of the plaintiff’s letter. In a letter dated November 11, 2022 (pages 58 et seq. of the first-instance file), received on the same day, the defendant asked the plaintiff to specify his request for information regarding the recipients of his data and to indicate the categories for which he required information about the specific recipients. Furthermore, she clarified her previous statements regarding the storage period and the data copy. In a letter dated November 18, 2022, the contents of which are referenced on pages 64 et seq. of the first-instance file and which was received by the defendant on the same day, the plaintiff pointed out, among other things, that the specific recipients of his data should be disclosed and that the storage period should also be specified.
In a letter dated December 1, 2022, the contents of which are referenced on pages 71 et seq. of the first-instance file, the defendant responded and further clarified her information. In any event, as was undisputed in the appeal proceedings by the statement of defense dated July 31, 2023 (page 9, sheet 103 of the appeal file), all necessary information had been provided.
7The plaintiff contacted the defendant by further letters dated December 9 and 30, 2022, the contents of which are set forth on pages 77 and 80 of the first-instance file, and in the latter letter demanded payment of €2,000 in compensation by January 6, 2023. The defendant did not respond.
8With his lawsuit, filed with the Duisburg Labor Court on January 7, 2023, and served on the defendant on January 17, 2023, the plaintiff pursued his claim for payment of compensation in court. He argued that the defendant had violated the GDPR and was therefore obligated to pay monetary compensation. He claimed his right to information had been violated multiple times. Firstly, the defendant should have provided information without undue delay, as required by Article 12 of the GDPR, which it failed to do. He also asserted his right to exercise his right of access at reasonable intervals, even if information had previously been provided. He maintained that it was irrelevant what the requesting individual already knew, but rather what the data controller was still processing about the requesting data subject. His request for information was not an abuse of rights, he argued. On the contrary, he regularly inquires with companies, authorities, etc., with whom he is in contact, about what data they process and how precisely. He wanted his contractual partners to be aware of the data processing and to regularly review the lawfulness of the processing. The defendant is also precluded from invoking the defense of abuse of rights, as she failed to notify him of this within the one-month period and to inform him of his right to lodge a complaint with the supervisory authority, Art. 12 para. 4 GDPR. Furthermore, exercising the rights for extraneous reasons does not, in any case, fulfill the criteria for “manifestly unfounded” within the meaning of Art. 12 para. 5 GDPR. The plaintiff argued that he is entitled to non-material damages due to the defendant’s breaches of her duty to provide information under Art. 15 GDPR. The data protection breach itself constitutes non-material damage, without the need for any further circumstances. In addition, he suffered non-material damage in the form of a loss of control, as he was unable to verify the lawfulness of the processing and therefore could not exercise any rights he might have. This is not an insignificant loss. The statute of limitations cannot yet have expired, as the defendant is still processing his data. Since the claim for damages must have a deterrent effect on the responsible party, the financial strength of the defendant, whom the plaintiff describes as a “billion-dollar landlord,” must be taken into account when determining the amount of damages.
9The plaintiff ultimately requested in the court of first instance that
10the defendant be ordered to pay him monetary compensation, the amount of which is to be determined at the court’s discretion, but which should not be less than €2,000, plus default interest at a rate of five percentage points above the respective base interest rate from the date the action was filed.
11The defendant requested that
12the action be dismissed.
13The defendant argued that the plaintiff was not entitled to the claimed damages. There was a lack of proof of non-material damage. The plaintiff had not demonstrated any further damage beyond potential annoyance over alleged legal infringements by the defendant, and in particular, none that exceeded a certain threshold of significance. Furthermore, the defendant did not violate the GDPR. There was no violation of Article 15 GDPR. The information was not provided late, as there were special circumstances that justified the one-month deadline. This was not a standard request for information that could have been answered quickly by the HR department at the push of a button. Rather, due to the potential for conflict—after the plaintiff had already submitted a request for information in 2020 and subsequently claimed damages—the defendant had the request reviewed by the HR department, the legal department, and the data protection officer. Since the plaintiff had already been informed of the specific recipients of his data in 2020, there was no discernible objective reason why he needed this information again. The plaintiff is systematically exploiting GDPR claims for profit and is acting abusively. This is a manifestly unfounded and excessive request under Article 12(5), third sentence, GDPR. Because it was not apparent how the information could benefit the plaintiff. No legitimate interest in obtaining it was discernible.
14The Duisburg Labour Court, in its judgment of 23 March 2023, ordered the defendant to pay €10,000 in damages plus interest, reasoning that the defendant, as the plaintiff’s former employer and thus as the data controller within the meaning of Article 4 No. 7 GDPR, had repeatedly and intentionally violated the obligation under Article 12(3), first sentence, GDPR to provide information without undue delay pursuant to Article 15 GDPR. The information provided on 27 October 2022 was already deemed not to have been provided without undue delay, i.e., without culpable hesitation. The defendant failed to explain precisely why it required almost four weeks for this, given that all of the plaintiff’s data had already been processed and compiled two years prior, and the task at hand merely involved data comparison and identifying changes compared to 2020. Furthermore, even considering the defendant’s legal argument that it had one month to provide this information, the disclosure of the specific recipients of the processed data and the specific deletion date was still late. This information was not provided by letter dated October 27, 2022, nor by letter dated November 11, 2022, but only by letter dated December 1, 2022, two months after receipt of the request for information. This was, in any case, too late. Moreover, the defendant also failed to adequately inform the plaintiff of the specific recipients of his personal data in its letter of December 1, 2022. The plaintiff is also entitled to request information at reasonable intervals about what data the controller still processes concerning him. The request for information was made here at a reasonable interval after two years, and whether the information provided is identical to that provided in 2020 will only become clear to the plaintiff after repeated review and information from the defendant. Furthermore, the plaintiff’s request for information is neither manifestly unfounded nor excessive within the meaning of Article 12(5), sentences 2 and 3, GDPR. Even if one were to consider that an abuse of rights defense could be raised in addition to Article 12(5) GDPR, no abuse of rights can be established in the present case. The defendant only raised the defense on February 21, 2023, and thus not within one month of the request as required by Article 12(4) GDPR. The plaintiff has suffered non-material damage as a result of the defendant’s breach. Specific evidence of damage is not required. Rather, the violation of the GDPR itself already leads to compensable non-material damage. Furthermore, the plaintiff also suffered a loss of control due to the defendant’s inadequate and delayed response, which qualifies as non-material damage and can be claimed under Article 82(1) GDPR. The defendant infringed upon the plaintiff’s right of access and thus the central data subject right. This also violated the plaintiff’s fundamental European right under Article 8(2), second sentence, of the Charter of Fundamental Rights. Due to the months-long delay and inadequate response, the plaintiff was left in uncertainty and prevented from verifying whether and how the defendant processed his personal data. The severity of the non-material damage is irrelevant for establishing liability under Article 82(1) GDPR and only affects the amount of the claim. In this case, the Labor Court considers damages of €10,000 to be appropriate.
15The judgment of the Duisburg Labour Court was served on the defendant via her legal representative on 2 May 2023. She filed an appeal with the Düsseldorf Regional Labour Court on 4 May 2023 through a brief from her legal representative, which she substantiated with a brief from her attorney received by the Regional Labour Court on 30 June 2023.
16The defendant continues to pursue her objective of having the action dismissed in its entirety, reiterating and elaborating on her arguments from the first instance. The action should not have been granted on the merits, because any alleged violation of the right of access under Articles 12(3) and 15 GDPR does not give rise to a claim for damages under Article 82 GDPR. The delayed or incorrect provision of information does not constitute data processing within the meaning of Article 4(2) GDPR. According to Recital 146 of the GDPR, the subject of a claim under Article 82 of the GDPR is the damage suffered by a person as a result of processing that is not in compliance with the GDPR. Functionally, the supervisory authority is competent to sanction the breach of the right to information pursuant to Article 83(5)(b) of the GDPR. Furthermore, the Labor Court incorrectly found violations of Article 15 of the GDPR by the defendant, which could not be inferred from the facts of the case, by referring to a delay of several months and an insufficient response. The timeline of the access request and the plaintiff’s subsequent inquiries, as well as the defendant’s phased response to the request, are undisputed. The Labor Court’s conclusion cannot be derived from this. Responding to a request for information in a phased procedure, as implemented here by the defendant, is standard practice and accepted by supervisory authorities and courts, since Article 15 of the GDPR does not establish a right to receive copies of personal data in the form of duplicates of entire files. Furthermore, the claim of a months-long delay in providing the information was unfounded. Rather, in the first stage, the defendant informed the plaintiff of the categories of recipients of his personal data and provided a comprehensive extract from the personnel data processing system. The plaintiff’s follow-up inquiry, in which he sought confirmation that his data had been transmitted to his health insurance provider, the relevant tax office, and the employment agency, was not anticipated. The plaintiff had already received this information in a letter dated September 7, 2020, in connection with his earlier request. The defendant therefore assumed that he was primarily interested in the changes that had occurred in the interim. The defendant’s question to the plaintiff regarding his interest in accessing archived data was also in accordance with the law, as evidenced by Section 34 Paragraph 1 Number 2 of the German Federal Data Protection Act (BDSG). There was no delay in providing the information because the defendant, with its initial disclosure, implicitly submitted a request for an extension pursuant to Article 12 Paragraph 3 of the GDPR. The applicable three-month period was thus significantly undercut. Even assuming a delay, no adverse consequences for the plaintiff are apparent or have been alleged. Against this background, the Labor Court granted the plaintiff’s claim to a surprisingly high extent, exceeding the minimum amount claimed by five times and a first-instance court settlement proposal by ten times. This is in no way justified. The defendant cannot be accused of deliberately delaying the provision of information, nor are there multiple violations, and no damage to the plaintiff is apparent at all, nor is any such damage merely alleged in general terms as a loss of control.
17The defendant requests that
18the judgment of the Duisburg Labour Court of 23 March 2023 – 3 Ca 44/23 – be amended and the action dismissed.
19The plaintiff requests that
20the appeal be dismissed.
21He defends the contested judgment by reiterating and elaborating on his arguments from the first instance. Like the Labour Court, he maintains that violations of Articles 12(3) and 15 GDPR also fall under the claim for damages pursuant to Article 82(1) GDPR. According to the wording of the provision, it covers every violation of the GDPR and not merely data processing that is contrary to the regulation. The legislative history and one of the central objectives of the GDPR—namely, to give data subjects more control over their data and strengthen their rights—argue against excluding claims for damages, particularly in cases of a breach of the right of access. Regardless, the process of providing access, even considered in isolation, constitutes data processing within the meaning of Article 4(2) GDPR. The regulation’s concept of processing is to be interpreted broadly and includes even the mere use of data. The processing of an access request, in turn, constitutes the use of data and thus data processing within the meaning of Article 4(2) GDPR. Upon receipt of the access request, the plaintiff’s personal data is collected and stored and then used to process the request. The defendant committed the temporal violations of Article 15 GDPR correctly identified by the labor court. The plaintiff disputes that the defendant’s proposed phased approach to providing access does not comply with the legal requirements and is not accepted by data protection authorities and courts. Furthermore, he had already clearly stated in his request for information dated October 1, 2022, that he desired comprehensive information and a copy of all data. Therefore, there was no reason for the defendant to inquire further or to provide the information in stages. Rather, their approach suggests an underlying stalling tactic, which is inadmissible. In any case, the information was not provided within the prescribed time limit. The statutory one-month period applies only to complex cases, which the plaintiff’s case does not fall into. The information should therefore have been provided without undue delay, which in any event does not allow for a period longer than approximately nine days. The plaintiff himself had even given the defendant an extended deadline of two weeks, which they also exceeded. It is undisputed that they first responded on October 27, 2022, and that they only provided all the necessary information on December 1, 2022. Thus, they violated both the requirement of promptness and exceeded the maximum period of one month. The defendant had not submitted a request for an extension of the deadline, not even implicitly in the letter of October 27, 2022. Furthermore, the legal requirements under Article 12(3), second sentence, GDPR for such an extension were clearly not met, and in any case, such a request would have had to be justified under Article 12(3), third sentence, GDPR, which also failed to do so. Finally, the defendant had also violated the plaintiff’s right to information in substance by only disclosing the specific recipients of his data and the specific duration for which it processed his data upon request. His right to receive a copy of his data under Article 15(1), second sentence, and (3), first sentence, GDPR was also violated. The provision of Section 34(1), second number, of the German Federal Data Protection Act (BDSG) does not preclude his request for information. Firstly, invoking this provision in the ongoing court proceedings was too late, and secondly, there are already concerns regarding the conformity of this provision with European law, as the plaintiff further explains. Finally, the labor court correctly determined that the plaintiff had suffered non-material damages and accordingly correctly assessed the damages at €10,000. The plaintiff suffered non-material damages due to the loss of control. If the controller – in this case, the defendant – fails to comply with a request for information, or does so improperly or inadequately, the data subject – here, the plaintiff – cannot control the data stored about them. Logically, anyone who does not know which of their own data is being processed and how exactly cannot control it. This loss of control constitutes a standard damage within the meaning of Recitals 75 and 85 of the GDPR. Furthermore, the plaintiff also experienced a restriction of their rights. The right of access serves not only to exercise control but also to exercise rights to rectification (Art. 16 GDPR), erasure (Art. 17 GDPR), restriction of processing (Art. 18 GDPR), and objection (Art. 21 GDPR). Anyone who doesn’t know exactly how their data is being processed and has no control over that data cannot logically exercise any further rights. This restriction of other data subject rights constitutes further damages within the meaning of Recitals 75 and 85 of the GDPR. Furthermore, the plaintiff has suffered a third type of non-material damage. The entire situation causes the plaintiff considerable worry and anxiety about the fate of his data. The defendant not only violated his right to information in terms of timing and content, but has also still not reported its data breach to the state data protection authority in accordance with Article 33 of the GDPR. The plaintiff is therefore afraid that the defendant will continue to misuse his data in the future. He is also annoyed with the defendant. It is extremely frustrating that he now has to invest time, effort, and, especially in the second instance due to the mandatory legal representation, also money, simply because the defendant is unwilling to comply with even the most basic data protection regulations and has geared its business towards continuous violations.
22Regarding the parties’ further submissions, reference is made to the written pleadings exchanged by both parties, including attachments, in the first and second instances, as well as to the minutes of the hearings.
23REASONS FOR THE DECISION:
24I.
25The defendant’s appeal is admissible. It is permissible pursuant to Section 64, paragraphs 1 and 2(b) of the German Labour Courts Act (ArbGG). Furthermore, it was filed and substantiated in due form and time.
26II.
27The appeal is also well-founded. The plaintiff has no claim for damages against the defendant under Article 82(1) GDPR, the only applicable legal basis here, due to the delayed and incomplete fulfillment of his right of access under Articles 15 and 12(3) GDPR. For neither does the claim for damages under Article 82(1) GDPR inherently cover the case of delayed and initially incomplete information, nor has the plaintiff—independently of this and thus independently supporting the decision—been able to convincingly demonstrate any specific non-material damage incurred.
28In detail:
291. The Appeal Chamber concurs with the Labour Court’s assessment that neither the plaintiff’s request for information nor the assertion of damages constituted an abuse of rights.
30It is also recognized in the area of data protection law that the abusive or fraudulent reliance on Union law is not permitted. However, abuse of rights in this sense requires the presence of both an objective and a subjective element. Objectively, it must be evident from an overall assessment of the circumstances that, despite formal compliance with the conditions stipulated by the Union regulation, the objective of that regulation is not achieved. With regard to the subjective element of the offense, it must be evident from a number of objective indicators that the essential purpose of the actions in question is to obtain an unjustified advantage. This is because the prohibition of abuse does not apply if the actions in question can have any other explanation than the obtaining of an (unjustified) advantage (see ECJ – Opinion of the Advocate General of 20 July 2017 – C-434/16, BeckRS 2017, 118086, paras. 43 et seq.; Lembke, Der datenschutzrechtliche Auskunftsanspruch im Anstellungsbeziehung, NJW 2020, 1841, 1845 with further references).
31 Applying these principles, there are no sufficient indications to support the conclusion that the plaintiff’s request for information constituted an abuse of rights and that his subsequent claim for damages was also an abuse of rights. It may seem peculiar that, after only one month of employment, which also dates back many years, and following a data disclosure already provided in 2020 (which was quite unremarkable in content), and without any specific indications of unlawful data use and processing by the defendant, the plaintiff nevertheless submits another request for information only two years later. It is also striking that the plaintiff appears to be acting professionally and, despite not being a lawyer, is nevertheless very adept at handling data protection law, as can be clearly seen from the out-of-court and first-instance correspondence.
32However, none of this constitutes an abuse of rights. Firstly, it must be considered that Article 15 GDPR does not require a specific legal interest in the requested information (Franck in: Gola/Heckmann, GDPR/BDSG, 3rd edition, Article 15 GDPR, para. 1), but rather serves, per se, the enforcement of the fundamental right under Article 8(1) and (2), second sentence, of the Charter of Fundamental Rights, as the plaintiff rightly emphasizes. Neither the plaintiff’s request for information as such, nor the fact that it was made with regard to a short-term employment relationship that ended years ago, nor the fact that it was made again in 2022, therefore constitutes an abuse of rights objection. The GDPR’s objective of enabling the plaintiff to verify the lawful processing of his personal data by the defendant can be achieved and may even necessitate a renewed request for information after two years. At least certain data belonging to the plaintiff continues to be stored by the defendant—lawfully, which is not in dispute here—to fulfill legal obligations. Therefore, the plaintiff also has a continuing, legally protected interest in receiving information at reasonable intervals in order to verify that the data processing remains lawful. It is not apparent that the plaintiff’s request for information was solely intended to pursue claims for damages. His professional conduct does not support this conclusion. On the contrary, the defendant must be held accountable for the fact that, given the plaintiff’s repeated requests, the very limited data still available about him, and the information already provided two years prior, the defendant could have easily fulfilled the request within a very short time and thus avoided the present legal proceedings altogether.
The plaintiff’s request could have been fulfilled quickly, had the defendant repeatedly made such requests, and given the very limited data still available about him and the information already provided two years prior, the defendant could have avoided the present legal proceedings altogether. 33Apart from this: Even if the plaintiff intends to request information from numerous responsible bodies that store data about him in order to verify compliance with legal regulations and, in the event of non-compliance, to assert further rights, this cannot be considered an abuse of rights. For what the plaintiff is doing is exercising his rights, not abusing them. As was already the case in the context of the German General Equal Treatment Act (AGG), it is not uncommon for professionally acting plaintiffs to bring important legal questions before the highest courts and thus serve the purpose – in the latter case, effective protection against discrimination, in the former, effective protection of personal data – of the European directives or, in this case, the General Data Protection Regulation (GDPR). The assumption that the plaintiff is merely attempting to gain an unjustified advantage here therefore lacks any objectively verifiable factual basis.
34The Labour Court also correctly determined that the specific requirements for a manifestly unfounded or excessive request for information within the meaning of Article 12(5) GDPR are not met. The plaintiff’s request for information was not manifestly unfounded, and the single repetition does not, by definition, meet the requirement of “frequent” repetition within the meaning of Article 12(5), second sentence, GDPR. Furthermore, after two years, the repeated request cannot be considered excessive.
352. Contrary to the legal opinion of the plaintiff and the Labour Court, the claim for damages asserted here under Article 82(1) GDPR fails from the outset because, in the case of delayed or incomplete data disclosure under Articles 12(3) and 15 GDPR, there is no data processing within the meaning of Article 4(2) GDPR, which is a prerequisite for the claim for non-material damages under Article 82(1) GDPR.
36a. According to Article 82(1) of the GDPR, any person who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to compensation from the controller or processor. Recital 146 of the GDPR states that this provision aims to ensure that the controller or processor compensates for damages suffered by a person as a result of processing that is not compliant with the GDPR. The remainder of Recital 146 also clearly refers throughout to damages resulting from non-compliant data processing.
… 37In some cases, it is already inferred from the direct wording of Article 82(1) GDPR and its purpose that the claim for damages comprehensively covers all legal infringements of the Regulation, irrespective of whether these are based on data processing within the meaning of the legal definition in Article 4(2) GDPR (Higher Regional Court of Cologne, judgment of 14 February 2022 – 15 U 137/21, juris, para. 24; Regional Labor Court of Lower Saxony, judgment of 22 October 2021 – 16 Sa 761/20, juris, para. 187; EUArbRK/Franzen, 4th edition, Article 82 GDPR, para. 10; Frenzel in: Paal/Pauly, GDPR/BDSG, 3rd edition, Article 82 GDPR, para. 8; Schwartmann/Keppeler/Jacquemain in: Schwartmann/Jaspers/Thüsing/Kugelmann, GDPR/BDSG, 1st edition, Art. 82 GDPR para. 6; Franck in: Gola/Heckmann, GDPR/BDSG, 3rd edition, Art. 15 GDPR para. 72; Schmidt-Wudy in: BeckOK DatenschutzR, 46th edition (as of November 1, 2023), Art. 15 GDPR para. 23.1; Boehm in: Simitis/Hornung/Spiecker, DatenschutzR, 1st edition, Art. 82 GDPR para. 10).
38In contrast, it is argued that it follows from Recital 146, first sentence, of the GDPR, but also from Article 82(2) GDPR and from the legislative history, that only data processing in violation of the Regulation can give rise to claims for damages under Article 82 GDPR, and that this does not include, in particular, the delayed or incomplete provision of data under Article 15 GDPR (Regional Labour Court Nuremberg, judgment of 25 January 2023 – 4 Sa 201/22, juris, para. 21 with concurring commentary by Sorber, DSB 2023, 218, 219; Regional Labour Court Baden-Württemberg, judgment of 27 July 2023 – 3 Sa 33/22, juris, para. 78; Higher Social Court North Rhine-Westphalia, judgment of 3 August 2023 – L 7 AS 1044/22, juris; Regional Court Fulda, judgment of March 14, 2023 – 3 O 73/22, juris, para. 33; Düsseldorf Regional Court, October 28, 2021 – 16 O 128/20, juris, para. 35; Sorber/Lohmann, No damages for mere violation of the GDPR, BB 2023, 1652, 1654 et seq.; Kreße in: Sydow/Marsch, GDPR/BDSG, 3rd edition, Art. 82 GDPR para. 7; left open by the Federal Labour Court, May 5, 2022 – 2 AZR 363/21, juris, para. 11).
39The latter view should be followed. As the Nuremberg Regional Labor Court has already correctly stated, “when interpreting a Union provision, not only the wording but also its context and the objectives pursued by the regulation to which it belongs must be taken into account. The legislative history of a Union provision can also provide relevant indications for its interpretation (cf.ECJ, Judgment of 24 March 2021 – C-603/20 PPU, juris). Taking these principles into account, it follows in particular from Recital 146 of the GDPR, which provides a generally suitable and important guideline for interpretation (see Paal/Pauly, GDPR/BDSG, 3rd edition 2021, Introduction, para. 10), that the claim for damages is limited to violations of unlawful data processing within the meaning of Article 4(2) GDPR and that delayed, incorrect or even completely omitted information to a person pursuant to Article 15(1) GDPR therefore does not give rise to liability. This interpretation is supported not only by the wording of Recital 146, which, like Article 82(2) GDPR, which specifies the liability obligation, always refers only to “data processing” that violates the GDPR, but also by the legislative history of Article 82 GDPR. The corresponding original provision in Article 77 of the Commission’s draft (COM(2012) 11) stipulated the following regarding liability for damages: “Any person who suffers damage as a result of unlawful processing or any other act inconsistent with this Regulation shall have the right to claim compensation from the controller or processor.” This draft thus clearly went further in its wording than, for example, the later version of the Parliament’s proposal (document 9565/15), which, in the draft of Article 77 GDPR, limited liability for damages to damages suffered by a person as a result of processing that is not in accordance with this Regulation. The original recital 118 (COM (2012) 11) and the later recital 146 themselves were, from the outset, limited in their wording only to unlawful or inconsistent data processing. Thus, according to the correct view, in the present constellation of a breach of the duty to provide information under Article 15 GDPR, the only possible sanction under Article 83(5)(b) GDPR remains. (This is the verbatim opinion of the Nuremberg Regional Labor Court of January 25, 2023 – 4 Sa 201/22, juris, para. 21). The Appeals Chamber fully concurs with this view.
40From the perspective of the Appeals Chamber, this view also corresponds to the current case law of the European Court of Justice. In its decision of May 4, 2023 (C-300/21, juris, para. 36), the Court expressly clarifies that Article 82(2) GDPR specifies the liability provision, the principle of which is laid down in Article 82(1) GDPR, by stating that the three prerequisites for a claim for damages are:
41-processing of personal data in violation of the Provisions of the GDPR,
42-damage suffered by the data subject and
43-a causal link between the unlawful processing and that damage.
44The CJEU also refers to the explanations in Recital 146, which confirm this interpretation, as well as Recitals 75 and 85, all of which refer to unlawful data processing (CJEU of 4 May 2023 – C-300/21, juris, para. 37).
45b. The delayed and/or incomplete provision of data pursuant to Articles 12(3) and 15 GDPR does not constitute unlawful data processing that could give rise to a claim for damages under Article 82(1) GDPR.
46Data processing is legally defined in Article 4(2) GDPR. It means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. Data processing includes the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
47aa. The failure to provide information about data cannot itself be subsumed under the elements of this rather broad concept of data processing. The failure to provide information about data does not, in itself, constitute processing, but rather the opposite: the non-processing of data. If the controller fails to provide information to the data subject, then their personal data is neither collected, recorded, organized, structured, stored, adapted, altered, retrieved, consulted, used, disclosed or otherwise made available. It is also not aligned, combined, restricted, erased or destroyed. Rather, all of this is precisely what is omitted.
48bb. The delayed or incomplete provision of information likewise does not constitute data processing. This is not a disclosure by transmission (contra: Higher Regional Court of Cologne, judgment of July 14, 2022 – 15 U 137/21, juris, para. 24), because this refers to the disclosure of personal data to recipients within the meaning of Art. 4 No. 19 GDPR or third parties within the meaning of Art. 4 No. 10 GDPR, and the data subject does not belong to either of these groups (Eßer in: Eßer/Kramer/von Lewinski, GDPR/BDSG, 8th edition, Art. 4 GDPR para. 52 with further references), nor is it a use (Eßer in: Eßer/Kramer/von Lewinski, GDPR/BDSG, 8th edition, Art. 4 GDPR para. 55).
49Even if one were to take a different view and subsume the provision of information under the catch-all term “use of personal data,” the causal link to a potential damage. Such damage would only be conceivable if the information provided were inaccurate, i.e., factually incorrect. This is not the case here.
50However, if, as in this case, the plaintiff is not challenging factually incorrect information, but rather its delayed and incomplete provision, then the processing itself is not the cause of any damage to the plaintiff. The damage claimed by the plaintiff relates—again—to the temporary or partial omission of the processing of their personal data. It is not the information itself—if one considers it processing—that is the cause of any impairment or material or immaterial disadvantage to the plaintiff, but rather the failure to provide the information in a timely and complete manner. The plaintiff cannot, however, claim damages for the delay under Article 82(1) GDPR, but at most under Section 286 of the German Civil Code (BGB). According to this provision, however, the plaintiff is not entitled to non-material damages, and the plaintiff is not claiming material damages for the delay.
51To To clarify once again in conclusion: The effective protection of the plaintiff’s personal data, as intended by the GDPR, is not called into question by this interpretation of Article 82 GDPR, which, in the opinion of the Appeals Chamber, is necessarily the following based on its wording, systematic context, and legislative history. The plaintiff undoubtedly has the right of access under Articles 12(3) and 15 GDPR, and this right can be enforced through legal action if it is disregarded. Furthermore, material damages resulting from delay can be claimed under Section 286 of the German Civil Code (BGB). In addition, there is the possibility of administrative offenses under Article 83(5)(b) GDPR. Should it also emerge from a data disclosure – whether provided within the prescribed time limit or subsequently – that processing has indeed occurred in violation of the regulation, the plaintiff’s claim for compensation, encompassing both material and non-material damages, under Article 82(1) GDPR remains fully valid. However, what the plaintiff is claiming here is not damage caused by data processing in violation of the regulation, but rather (alleged) damage caused by the failure to provide information or the delay in doing so. Processing of personal data. This case does not fall within the scope of Article 82 GDPR.
523. Irrespective of the explanations in section II.2, and thus independently supporting the decision, the plaintiff’s claim for compensation for non-material damage under Article 82(1) GDPR is also precluded because he has not convincingly demonstrated such damage.
53. While the European Court of Justice, in its judgment of 4 May 2023 (C-300/21, juris, paras. 49, 51), already cited, held that compensation for non-material damage may not be made subject to a threshold of significance, the Court also emphasized that this interpretation does not mean that a person affected by a breach of the GDPR that has had adverse consequences for him is relieved of the burden of proving that these consequences constitute non-material damage within the meaning of Article 82 GDPR (ECJ, 4 May 2023 – C-300/21, juris, para. 50). Not every minor infringement of the GDPR, therefore, automatically constitutes non-material damage; rather, the damage itself must be substantiated (see CJEU of 4 May 2023 – C-300/21, juris, paras. 33, 36, 42, 50; also Higher Regional Court of Hamm of 15 August 2023 – 7 U 19/23, juris, paras. 160 et seq.; Regional Labor Court of Baden-Württemberg of 27 July 2023 – 3 Sa 33/22, juris, para. 82; Regional Labor Court of Hamm of 2 December 2022 – 19 Sa 756/22, juris, paras. 132 et seq.).
54In this context, even if a loss of control constitutes a It is perfectly possible to substantiate claims for non-material damage, as is already evident from recitals 75 and 85 of the GDPR – no blanket statements or generalities are acceptable; rather, a comprehensible explanation must be provided of what the non-material damage is supposed to consist of. If the alleged damage – as claimed here – is to consist of a “typical” loss of control, then, beyond the typical nature of such damage, a specific individual explanation must be provided of the particular loss of control the plaintiff fears. Otherwise, it would remain mere empty phrases (see also Higher Regional Court of Hamm, judgment of August 15, 2023 – 7 U 19/23, juris, para. 160; Regional Labor Court of Baden-Württemberg, judgment of July 27, 2023 – 3 Sa 33/22, juris, para. 82).
55The plaintiff has failed to provide this specific explanation of non-material damage, as the defendant rightly points out. The plaintiff has provided no information whatsoever, for example, regarding which of the few [unclear] [unclear] [unclear] [unclear] [unclear] [unclear] at all. Given that the information was only provided after two months instead of two weeks – and thus, as the appeals chamber also assumes, belatedly – he suffered a loss of control over his personal data stored there. Even the plaintiff himself does not claim – despite his evidently low opinion of his former employer, who has been vilified as a “billionaire landlord” – an unlawful data breach or unauthorized data storage. He had already received information in 2020, which he also does not claim was incorrect or that it had given him any reason to fear at that time that the defendant – to quote the plaintiff again – was “misusing” his data. So why should the information provided here, albeit somewhat belatedly, but indisputably in its entirety on December 1, 2022, according to the plaintiff’s own appeal submissions, now have specifically triggered a loss of control? This question remains unanswered; the plaintiff’s submissions in this regard amount to nothing more than generalities.
56The same applies to the plaintiff’s general expression of fear that the defendant will misuse his data and to his claim of being annoyed by the defendant’s behavior. General statements of anger and frustration are insufficient to establish concrete non-material damages (see Fuhlrott/Fischer, Limitation of Non-Material Damages in Cases of Violation of the Right to Information?, NZA 2023, 606, 610). Even if exceeding a threshold of materiality is not required to demonstrate damages, the requirement remains that the damages, even in cases of low severity, must be substantiated concretely and not with generalities. The plaintiff’s submissions do not meet this requirement. His “fear” of the defendant misusing his data, which he also fails to explain in detail, is in no way comprehensibly justified. Why is the plaintiff allegedly driven by this fear, when the defendant indisputably did not misuse the data from his employment relationship, which lasted only four weeks in 2016, during the six years prior? As long as this remains unclear to the appeals chamber from the plaintiff’s submissions, awarding non-material damages—especially in the amount of a whopping €10,000—based on such sweeping allegations would open the floodgates to abuse on the plaintiff’s part. This is not the purpose of the GDPR and would only discredit a sensible and necessary legislative objective by turning supposed, unspecified, and unexplained fears of loss into a mass-market source of revenue.
Unless otherwise specified or explained, fears of loss would be exploited to create a lucrative source of income. 57Insofar as the plaintiff ultimately alleges a restriction of his rights under Articles 16, 17, 18, and 21 GDPR as non-material damage, this also fails to establish a conclusive demonstration of damage. It has neither been demonstrated nor is it apparent that claims for rectification, erasure, restriction of processing, or even objection to data processing would be justified in this respect. However, the plaintiff could easily have provided a concrete demonstration of this since December 1, 2022, and thus within the present court proceedings.
58III.
59The decision on costs is based on Sections 64(6) of the German Labor Court Act (ArbGG), 525, and 91(1) of the German Code of Civil Procedure (ZPO).
60IV.
61The appeal on points of law is granted pursuant to Section 72(2)(1) of the German Labor Court Act (ArbGG) for the clarification of fundamental legal questions relevant to the decision.
62 INSTRUCTIONS ON LEGAL REMEDIES
63 The plaintiff may file an appeal against this judgment.
64
65
The defendant has no right of appeal against this judgment.
67 The appeal must be filed in writing or electronically with the Federal Labour Court (Bundesarbeitsgericht) within a non-extendable deadline* of one month.
68 Federal Labour Court (Bundesarbeitsgericht) Hugo-Preuß-Platz 1
6999084 Erfurt Fax: +49 361 2636-2000
70
71 The non-extendable deadline begins upon service of the judgment in its complete form, but no later than five months after its pronouncement.
… 72For lawyers, public authorities, and legal entities under public law, including associations formed by them to fulfill their public tasks, there is a general obligation, pursuant to Sections 46g sentence 1 and 72 paragraph 6 of the German Labor Court Act (ArbGG), to file appeals exclusively as electronic documents from January 1, 2022. The same applies to authorized representatives for whom a secure transmission channel is available pursuant to Section 46c paragraph 4 no. 2 of the ArbGG.
73The appeal must be filed by an authorized representative. Only the following are authorized to act as representatives:
741. Lawyers,
752. Trade unions and employers’ associations, as well as federations of such associations, for their members or for other associations or federations with a comparable purpose and their members,
763. Legal entities whose shares are wholly owned by one of the organizations referred to in paragraph 2, provided that the legal entity exclusively provides legal advice and representation in court to that organization and its members or to other associations or federations with a comparable purpose and their members, in accordance with its articles of association, and provided that the organization is liable for the actions of the representatives.
77 In the cases referred to in paragraphs 2 and 3, the persons signing the notice of appeal must be qualified to hold judicial office.
78 A party authorized to act as a representative may represent itself.
79 The electronic form is satisfied by an electronic document. The electronic document must be suitable for processing by the court and bear a qualified electronic signature of the responsible person, or be signed by the responsible person and submitted via a secure transmission channel in accordance with Section 46c of the German Labor Court Act (ArbGG) and the more detailed provisions of the Ordinance on the Technical Framework for Electronic Legal Transactions and on the Special Electronic Mailbox for Public Authorities (ERVV) of November 24, 2017, as amended. Further information on electronic legal transactions can be found on the Federal Labor Court’s website: www.bundesarbeitsgericht.de. * A statutory deadline is absolute and cannot be extended.
80 Klein Löb Schöne
</pre>