Avalang: Created page with “{{COURTdecisionBOX |Jurisdiction=Germany |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=OVG Saarlouis |Court_Original_Name=Oberverwaltungsgericht des Saarlandes |Court_English_Name=Superior Administrative Court Saarlouis |Court_With_Country=OVG Saarlouis (Germany) |Case_Number_Name=2 A 165/24 |ECLI=ECLI:DE:OVGSL:2025:0513.2A165.24.00 |Original_Source_Name_1=Bürgerservice Saarland |Original_Source_Link_1=https://recht.saarland.de/bssl/document/NJRE001…”
|Jurisdiction=Germany
|Court-BG-Color=
|Courtlogo=Courts_logo1.png
|Court_Abbrevation=OVG Saarlouis
|Court_Original_Name=Oberverwaltungsgericht des Saarlandes
|Court_English_Name=Superior Administrative Court Saarlouis
|Court_With_Country=OVG Saarlouis (Germany)
|Case_Number_Name=2 A 165/24
|ECLI=ECLI:DE:OVGSL:2025:0513.2A165.24.00
|Original_Source_Name_1=Bürgerservice Saarland
|Original_Source_Link_1=https://recht.saarland.de/bssl/document/NJRE001609667
|Original_Source_Language_1=German
|Original_Source_Language__Code_1=DE
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=
|Date_Decided=13.05.2025
|Date_Published=13.05.2025
|Year=2025
|GDPR_Article_1=Article 15(1) GDPR
|GDPR_Article_Link_1=Article 15 GDPR#1
|GDPR_Article_2=
|GDPR_Article_Link_2=
|GDPR_Article_3=
|GDPR_Article_Link_3=
|EU_Law_Name_1=Article 8(2) EU CFR
|EU_Law_Link_1=https://eur-lex.europa.eu/eli/treaty/char_2012/oj/eng
|EU_Law_Name_2=
|EU_Law_Link_2=
|EU_Law_Name_3=
|EU_Law_Link_3=
|National_Law_Name_1=
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Link_2=
|Party_Name_1=Ex-employee (data subject)
|Party_Link_1=
|Party_Name_2=Employer (data controller)
|Party_Link_2=
|Party_Name_3=DPA (Data Protection Authority)
|Party_Link_3=
|Party_Name_4=
|Party_Link_4=
|Party_Name_5=
|Party_Link_5=
|Appeal_From_Body=VG Saarland (DE)
|Appeal_From_Case_Number_Name=5 K 979/22
|Appeal_From_Status=
|Appeal_From_Link=https://recht.saarland.de/bssl/document/NJRE001593041
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=Not appealed
|Appeal_To_Link=
|Initial_Contributor=avalang
|
}}
A court upheld the decision of a DPA not to pursue a complaint because an employee had waived the right of access under [[Article 15 GDPR|Article 15 GDPR]] in a court settlement that ended the employment relationship.
== English Summary ==
=== Facts ===
The data subject was an employee, the controller was the employer.
On 14 January 2022, the data subject requested access to personal data from the controller under [[Article 15 GDPR|Article 15 GDPR]]. They did not respond. On 28 January 2022, the controller terminated the employment.
On 17 February 2022, the data subject lodged a complaint with the Data Protection Authority (DPA) under [[Article 77 GDPR|Article 77 GDPR]]. The data subject alleged that the controller had failed to answer the access request, had taken unauthorised photographs, and had a copy of their vaccination certificate.
On 24 February 2022, the employment relationship ended by a court settlement before the Labour Court. The settlement stated that all claims arising from the employment relationship and its termination, whether known or unknown and regardless of their legal basis, were settled, except for employment documents. By entering the settlement, the data subject agreed to not pursue further claims.
After the settlement, the controller informed the DPA that it had not received an access request from the data subject, had not taken photographs, and had destroyed the vaccination certificate after the employee left.
The data subject continued to raise issues with the DPA, including access to time-tracking data and alleged inaccuracies in the controller’s provided documents. The controller later provided partially redacted time-tracking data.
On 26 July 2022, the DPA closed the administrative procedure, as it considered that the data subject no longer had a right of access under [[Article 15 GDPR|Article 15 GDPR]] because the settlement didn’t allow for this claim.
The data subject challenged the DPA’s decision before the Administrative Court. On 10 July 2024, the court dismissed the action. The data subject appealed.
=== Holding ===
First, the court held that the right of access under [[Article 15 GDPR|Article 15 GDPR]] was, in principle, waivable. Although Article 8(2) of the Charter of Fundamental Rights protects the right of access, the court noted that data protection law is based on self-determination, including the possibility to consent to processing under [[Article 7 GDPR|Article 7 GDPR]]. From this, the court inferred that a data subject could also waive the exercise of the right of access.
Second, the court clarified that a waiver could not generally cover unknown future data processing. However, a waiver relating to past processing was permissible, especially after the end of an employment relationship, where the imbalance between employee and employer no longer existed.
Third, the court held that the specific settlement covered the right of access under [[Article 15 GDPR|Article 15 GDPR]]. The clause settling all claims arising from the employment relationship and its termination, whether known or unknown and regardless of their legal basis, also included secondary claims linked to the employment relationship, such as access rights concerning employee data. The court considered the wording sufficiently clear and found no requirement to explicitly mention data protection rights.
Fourth, the court noted that the data subject already knew about the access request and had raised it before concluding the settlement. Any internal intention not to waive data protection rights was legally irrelevant.
Finally, the court upheld the DPA’s decision to close the procedure. Since the data subject had waived the right of access under [[Article 15 GDPR|Article 15 GDPR]] for past processing through the settlement, the DPA had no obligation to continue enforcement action against the employer.
== Comment ==
”Share your comments here!”
== Further Resources ==
”Share blogs or news articles here!”
== English Machine Translation of the Decision ==
The decision below is a machine translation of the German original. Please refer to the German original for more details.
<pre>
Waiver of the Right to Information under Data Protection Law in Labor Court Proceedings
Principle
1. A waiver of the right to information under Article 15(1) GDPR (juris: EUV 2016/679) in a labor court settlement leading to the termination of an employment relationship is generally permissible. (Paragraph 17)
2. Specific case in which the settlement, due to the comprehensive exclusion of claims formulated therein, covers the right to information under Article 15(1) GDPR (juris: EUV 2016/679). (Paragraph 19)
Hide Procedural History
Procedural History
Lower Court of Saarland, July 10, 2024, 5 K 979/22, Judgment
Judgment
The appeal is dismissed.
The appellant shall bear the costs of the appeal proceedings, with the exception of the intervener’s extrajudicial costs, which the intervener shall bear itself.
The judgment is provisionally enforceable with respect to costs.
The appeal on points of law is not admitted.
Facts of the Case
Paragraph 1
By letter dated January 14, 2022, the plaintiff requested comprehensive information from his then-employer, the intervener, pursuant to Article 15 of the GDPR. The intervener did not respond. On January 28, 2022, the plaintiff was given notice of termination for operational reasons. On February 17, 2022, the plaintiff contacted the defendant via the online complaint form pursuant to Article 77 of the GDPR. In his complaint, he asserted that his request for information pursuant to Article 15 of the GDPR had not been answered by his former employer and that the managing director had taken unauthorized photographs of him; furthermore, the employer had a copy of his vaccination certificate. The employment relationship between the plaintiff and the intervener ended on March 15, 2022, by court settlement before the Saarland Labor Court (Case No.: 1 Ca 228/22) on February 24, 2022. Clause 6 of the settlement states:
Paragraph 2
“With the fulfillment of the settlement, all claims arising from the employment relationship and its termination, whether known or unknown, regardless of the legal basis, are settled, with the exception of employment documents.”
Paragraph 3
By letter dated March 18, 2022, the intervener informed the defendant that it had not received any request for information from the plaintiff; no photographs of him had been taken, and the proof of vaccination had been provided voluntarily by the plaintiff. Furthermore, the relevant copy had been destroyed after the plaintiff left the company. The intervener then referred to the concluded settlement. The plaintiff had informed the defendant out of court, through his legal representative, that he would not be asserting any claims. The plaintiff subsequently complained to the defendant, among other things, that the LEA (performance recording and analysis) time tracking data was missing and that it had to be provided. The information provided by the third party was also incomplete and incorrect; the plaintiff further posed additional questions to the third party. In a letter dated May 3, 2022, the defendant informed the plaintiff that the complaints largely concerned employment law issues, for which the defendant was not responsible. Regarding the data protection issues, the defendant had again requested information from the third party. In a letter dated May 17, 2022, the third party sent the redacted LEA data to the plaintiff and reiterated that the cost-effectiveness analysis did not contain any personal data relating to the plaintiff. Subsequently, in an email dated May 24, 2022, the plaintiff complained, among other things, about the redaction of the client numbers. Subsequently, further correspondence took place between the plaintiff, the defendant, and the intervener, during which the plaintiff objected to the incompleteness of the data information provided by the intervener.
Paragraph 4
By decision dated July 26, 2022, the defendant terminated the administrative proceedings against the intervener. The decision stated that the plaintiff’s right to information under Article 15 GDPR no longer existed due to the labor court settlement reached between him and the intervener on February 24, 2022. This finding applied regardless of which specific data would have been covered by this right. Although guaranteed as a fundamental right under Article 8(2), second sentence, of the Charter of Fundamental Rights of the European Union, the right to information under Article 15 GDPR is a default right and thus subject to contractual agreement between the data subject and the controller as contracting parties. For example, within the framework of an employment settlement, the data subject (creditor) can waive their right to exercise this right by means of a negative acknowledgment of debt pursuant to Section 397 Paragraph 2 of the German Civil Code (BGB). While such a waiver is not possible without limitations, the data subject must retain the right to information from the data controller, particularly regarding future data processing activities that do not yet occur. However, rights to information concerning past data processing, specifically processing activities resulting from data collection prior to the conclusion of the settlement agreement, are generally subject to the parties’ discretion. The settlement agreement concluded between the plaintiff and the intervener before the Labor Court on February 24, 2022, contains a mutual waiver of claims, which, according to the purpose and intent of the provisions contained therein, also extends to the right to information under Article 15 of the GDPR.
] Paragraph 5
On August 25, 2022, the plaintiff filed a lawsuit with the Administrative Court, requesting that the defendant, upon annulment of the decision of July 26, 2022, be ordered to continue the data protection proceedings initiated against the intervener. In support of his claim, the plaintiff argued that the defendant failed to recognize that while the settlement before the Labor Court had settled claims arising from the employment relationship and its termination, it did not cover claims related to data protection. The wording of the settlement was not specific enough to constitute a valid waiver of rights. In particular, he had not waived any future rights. Rights under Articles 12 to 23 of the GDPR cannot, in principle, be waived. Furthermore, the defendant was denying him – without providing a written statement on this matter in the contested decision – his right to rectification under Article 16 of the GDPR regarding demonstrably inaccurate data. The settlement reached before the Labor Court contains a labor law exclusion clause, established by common case law, which relates solely to civil law claims arising from the employment relationship. Excluding all rights of a citizen that have not been explicitly waived by specific mention would violate the rule of law.
Paragraph 6
In its judgment of July 10, 2024 – 5 K 979/22 – the Administrative Court dismissed the action. It found the action admissible but unfounded. The defendant was correct in discontinuing the data protection proceedings initiated against the intervener, as the plaintiff had no right of access under Article 15(1) GDPR against the intervener. This right was precluded by the court settlement reached between the plaintiff and the intervener before the Saarland Labor Court on February 24, 2022. In this respect, it should first be noted that the right to information under Article 15(1) GDPR can, in principle, be effectively waived. While this right is guaranteed as a fundamental right by Article 8(2), second sentence, of the Charter of Fundamental Rights of the European Union (CFR), this does not preclude an effective waiver. As is clear from Article 8(2), first sentence, CFR, there is no data subject being affected if the data subject, with full knowledge of the facts, consents to the processing of their data, provided that such consent is freely given. If it is possible to consent to the processing of one’s data and thus agree to an infringement of the right under Article 8 CFR, then, as a lesser exception, it must also be permissible, in principle, to waive the right to information arising from Article 8(2), second sentence, CFR and Article 15(1) GDPR. It can remain open in the present proceedings whether a general waiver of this right, be it contractual or in the form of a negative acknowledgment of debt within the meaning of Section 397 Paragraph 2 of the German Civil Code (BGB), is permissible. This is particularly questionable if such a waiver is declared for data processing that does not yet exist in the future. The permissibility of such a waiver is generally considered impermissible in legal literature. In contrast, a subsequent waiver of a right of access under Article 15 Paragraph 1 of the GDPR is generally considered permissible. This applies in particular to a waiver within the framework of a settlement. It is therefore permissible, as in the present case, to waive rights of access to information about past data processing within the framework of a court settlement. This applies at least if the settlement relates to processing that resulted from data collections that occurred before the conclusion of the settlement. Therefore, in the present case, it is permissible for the plaintiff to have waived his right to further request information from the intervener pursuant to Article 15 GDPR within the framework of an employment settlement. Clause 6 of the settlement also addresses this issue with sufficient clarity. Since the processing of the data about which the plaintiff is requesting information occurred within the scope of his employment relationship, the court finds it sufficiently clear that the settlement also encompasses a corresponding right of access pursuant to Article 15 GDPR. The wording “all claims arising from the employment relationship and its termination, whether known or unknown, regardless of the legal basis” makes it sufficiently clear that not only direct claims arising from the employment relationship itself, but also secondary claims – such as the claim under Article 15 GDPR – are intended to be covered. In this respect, no additional clarification in the settlement was necessary to confirm that these claims were also included. The fact that the plaintiff may have been mistaken about the scope of the settlement does not preclude the validity of the waiver. It should also be taken into account that the plaintiff had already contacted the defendant via the online complaint form pursuant to Article 77 GDPR before the settlement was concluded, meaning he was fully aware of his right of access under Article 15 GDPR. Therefore, it is also incomprehensible from the perspective of good faith that the plaintiff, on the one hand, concluded a settlement with the intervener, which was intended to settle all claims arising from the employment relationship and its termination, and on the other hand, still insists on the defendant enforcing his right of access under Article 15 GDPR against his former employer.
Paragraph 7
The plaintiff has filed an appeal against this judgment, which was granted by the Administrative Court. In support of his appeal, the plaintiff argues that the Administrative Court wrongly assumed that the right of access under Article 15 GDPR had been effectively waived in the present case. The right of access is a fundamental right of the data subject, equivalent to a basic right, and cannot simply be waived. The GDPR does not provide for an explicit possibility of waiving this right. On the contrary, it emphasizes the paramount importance of this right for the effective enforcement of data protection. This is particularly evident from the recitals of the GDPR. Recital 63 underscores the special significance of the right of access. It states: “A data subject should have the right to access personal data concerning him or her that has been collected and to exercise this right easily and at reasonable intervals in order to be aware of the processing and to verify its lawfulness.” This wording makes it clear that the European legislator has assigned the right of access a central role in the realization of data protection. It should enable data subjects to verify the lawfulness of data processing. Waiving this right would deprive data subjects of this important means of control and contradicts the legislator’s intention. Recital 11 also emphasizes the need to strengthen and precisely define the rights of data subjects. Waiving these rights within the framework of the present (employment law) exclusion clause, which relates solely to claims arising from the employment relationship, would run counter to these objectives and undermine the effectiveness of data protection. The Administrative Court also interpreted the employment law settlement of February 24, 2022, too broadly. The wording “all claims arising from the employment relationship and its termination, whether known or unknown, regardless of the legal basis” cannot simply be extended to data protection claims. Data protection claims, in particular the right of access, exist independently of the employment relationship and survive its termination. They are therefore not automatically covered by an employment law settlement clause. The settlement lacks an explicit mention of data protection claims. With such a far-reaching restriction of rights, a clear and unambiguous formulation would have been necessary. This also follows from the transparency requirement of the GDPR, which is emphasized in Recital 58: “The principle of transparency requires that all information and communications relating to the processing of these personal data be easily accessible and understandable, and written in clear and plain language.” A blanket waiver of the right of access in the present exclusion clause contradicts this transparency requirement, as it restricts the data subject’s ability to obtain information about the processing of their data without this having been communicated clearly and understandably. The court’s interpretation also violates the principle of effectiveness under EU law. It renders the exercise of the right of access granted by the GDPR practically impossible by effectively eliminating the plaintiff’s right of access through an extensive interpretation of the present employment contract settlement clause. The administrative court did not sufficiently consider the purpose of the right of access. This serves not only to inform the data subject but also to monitor the lawfulness of the data processing. Particularly in the context of a terminated employment relationship, there may be a special interest in reviewing data processing, which is why a waiver is not possible. The Administrative Court failed to adequately consider this. It wrongly assumed that an extensive interpretation of the existing employment law exclusion clause constituted a general waiver of data protection rights within the framework of the employment settlement of February 24, 2022. This contradicts the protective purpose of the GDPR and the principle of the inalienability of fundamental rights. Recital 4 of the GDPR emphasizes: “The processing of personal data should serve humanity. The right to the protection of personal data is not an absolute right; it must be viewed in light of its societal function and balanced against other fundamental rights in accordance with the principle of proportionality.” This wording makes it clear that while the right to data protection is not absolute, it fulfills an important societal function. A blanket waiver of this right – as the Administrative Court assumed in the present case – within the framework of an employment law exclusion clause relating to “claims arising from the employment relationship” would completely undermine this function. Furthermore, it must be considered that employment relationships typically involve an imbalance of power between the parties. Recital 43 of the GDPR clarifies: “To ensure that consent is freely given, in specific cases where there is a clear imbalance between the data subject and the controller, particularly where the controller is a public authority, and it is therefore unlikely, in light of all the circumstances of the specific case, that consent was freely given, it should not provide a valid legal basis.” This is regularly the case in employment relationships. Conversely, it follows that a waiver of data protection rights in the present context cannot have occurred due to the lack of a specific declaration of waiver that complies with the transparency requirement. The Administrative Court failed to consider that a waiver of the right of access could also violate the principle of data minimization. This principle is enshrined in Article 5(1)(c) of the GDPR and states that personal data must be adequate, relevant, and limited to what is necessary for the purposes for which they are processed. If the data subject is no longer able to obtain information about the data stored about them, they cannot verify whether the controller is complying with this principle. This could lead to more data being stored than necessary, without the data subject being able to control it. Furthermore, the court of first instance failed to consider that waiving the right of access could also infringe upon the right to data portability enshrined in Article 20 of the GDPR. This right enables the data subject to receive their personal data in a structured, commonly used, and machine-readable format. Waiving the right of access could effectively prevent the data subject from exercising this right as well, since without knowledge of the data stored about them, they would be unable to request its transfer.
The court of first instance also failed to consider that waiving the right of access could infringe upon the right to data portability enshrined in Article 20 of the GDPR. Paragraph 8
The plaintiff requests that
Paragraph 9
the judgment of the Administrative Court of Saarland of July 10, 2024 – 5 K 979/22 – be set aside and that the defendant, upon annulment of the decision of July 26, 2022, be ordered to continue the data protection proceedings initiated against the intervener.
Paragraph 10
The defendant requests that
Paragraph 11
the appeal be dismissed.
Paragraph 12
The defendant argues that the plaintiff’s attempt to derive the postulate of the inalienability of data protection rights, in particular the right of access under Article 15 GDPR, by invoking general principles of the General Data Protection Regulation (GDPR), is unconvincing. The defendant agrees with the plaintiff that the GDPR does not provide an explicit possibility of waiving the rights under Articles 12 et seq. The silence of the law on this point, however, is neither due to an oversight nor to a conscious decision by the European legislator to establish data protection rights as sacrosanct. It simply arises from the fundamental rights doctrine to which the GDPR adheres in this respect, and which generally permits the waiver of fundamental rights and equivalent rights. The fundamental right to data protection under Article 8 of the Charter of Fundamental Rights of the European Union, which excludes informational self-determination and thus data sovereignty, must inherently include the data subject’s right to determine the scope of their legal position in this regard. Against this backdrop, data protection law is not an inalienable or inviolable right to equality or human dignity, the observance of which is primarily owed to the understanding of a free and democratic state. Rather, it is a freedom right that is largely determined by the self-determination, but also the self-responsibility, of each individual. Regarding the possibility of a settlement by way of a waiver of claims, the Administrative Court of Ansbach stated on page 9 of its unpublished judgment of May 3, 2004 – AN 14 K 21.00653: “However, this claim was extinguished by the settlement concluded between the intervener and the plaintiff, represented by his then-authorized representative. Neither the GDPR nor any other legal provisions provide any indication that a settlement regarding a data protection claim would not be possible.” The question for the present proceedings is therefore less about whether the right of access under Article 15 GDPR applies.The issue at hand is not whether the right to information under Article 15 GDPR is fully or partially waivable, but rather whether the plaintiff waived this right through the settlement reached in labor court, and if so, to what extent. The plaintiff primarily argues that the settlement does not explicitly address the right to information under Article 15 GDPR. Regarding his argument that this contradicts the data protection principle of transparency, which requires a clear and unambiguous formulation for a valid waiver, it must be noted that the principle of data protection transparency applies to the processing of personal data, not to the structure of contractual agreements concerning the exclusion and scope of data protection rights. Therefore, it is not the data processing itself, but at most the settlement that might be considered opaque. However, this argument is also unconvincing. This is not a simple or routine contractual agreement between two private parties. Rather, the agreement was formally embedded within court proceedings. In such a court settlement, it can and must be expected of the parties involved that they conclude such a settlement after careful consideration and weighing all relevant aspects. It is difficult to understand why the claim under Article 15 GDPR should not be covered by the universally formulated exclusion clause. As already explained in the contested decision, the very purpose of such a clause is to exclude even those mutual future and past claims that might not have been considered when concluding the settlement. Only in this way can a final separation of the parties be guaranteed. Furthermore, the Administrative Court correctly emphasized that at the time the settlement was concluded, the plaintiff had an outstanding request for information from the data controller. The plaintiff was therefore not unaware of any potential data protection claims under Article 15 GDPR, but had, in fact, actively asserted them beforehand. The fact that he did not attempt to enforce this claim further before the settlement was concluded, or that he did not make it the subject of the settlement, is his own oversight and is to his detriment. The same applies to any error he may have had regarding the scope of the exclusion clause underlying the settlement. The fact that the exclusion of the right to information might effectively prevent the plaintiff from exercising his right to data portability under Article 20 GDPR against the controller does not constitute a violation of data protection law. This is, in fact, a logical consequence, since the present universal exclusion effectively excludes not only Article 15 GDPR but also the right under Article 20 GDPR.
Paragraph 13
The intervener did not file an application.
Paragraph 14
For further details of the facts, reference is made to the contents of the court file and the administrative documents of the defendant.
Grounds for the Decision
Paragraph 15
The appeal is admissible but unfounded.
Paragraph 16
The plaintiff has no claim against the defendant to continue the data protection proceedings initiated against the intervener (Section 113, Paragraph 5, Sentence 1 of the Administrative Court Procedure Act).
Paragraph 17
The Senate agrees with the Administrative Court’s view that the plaintiff’s right of access under Article 15(1) GDPR against the intervener has lapsed due to the waiver declared in the court settlement concluded between the plaintiff and the intervener on February 24, 2022, before the Saarland Labour Court.
Paragraph 18
The right of access under Article 15 GDPR is intended to ensure that the data subject is aware of whether and which data concerning them is being processed. This knowledge of the processing forms the basis for the data subject to verify the lawfulness of the processing. Increasing transparency and facilitating control are two equally important primary objectives of the right of access.1 Granting a right of access at the level of secondary legislation is required in light of Article 8(2), second sentence, of the Charter of Fundamental Rights of the European Union.2
Paragraph 19
If, as is unavoidable in the employment relationship, the employer processes the employee’s personal data, the employee has a right of access pursuant to Article 15(1), first sentence, second half-sentence, of the GDPR, including information about the purposes of the processing, the categories of personal data being processed, the recipients or categories of recipients to whom the personal data have been or will be disclosed, the planned storage period, the existence of a right to rectification or erasure of the personal data or to restriction of processing, or the existence of a right to lodge a complaint. Pursuant to Article 15(3), first sentence, of the GDPR, the employee must also be provided with a (free) copy of the personal data undergoing processing. The right to information about personal data collected by third parties is enshrined in Article 8(2), second sentence, of the Charter of Fundamental Rights of the European Union (CFR) and thus elevated to the status of a (European) fundamental right. This right, enshrined in primary EU law, has found its specific form at the European level in Article 15 of the GDPR. However, the GDPR and its recitals do not directly address the possibility of waiving the rights laid down in the GDPR. Recital 7 only refers to a “clearly enforceable legal framework” that the GDPR aims to create. As is evident from Recital 8, deviations through national legislation are only permissible if the GDPR explicitly allows for restrictions by Member State regulations. Recital 63, which explicitly refers to the right of access under Article 15 of the GDPR, further stipulates that data subjects must be able to exercise their right of access “easily and at reasonable intervals.” Recital 63, paragraph 6, states that while the freedoms and rights of others must be respected, this must not lead to the data subject being “refused any information whatsoever.” The GDPR therefore does not contain specific provisions regarding the data subject’s right to dispose of their data, in this case, the employee. However, the possibility of waiving the right of access under Article 15 GDPR ultimately follows from the very nature of data protection law itself. The concept of disposing of the level of data protection resulting from the GDPR is not, in principle, foreign to the GDPR. According to Article 7 in conjunction with Article 4(1)(11) GDPR, the data subject is free to consent to the processing of their personal data. The possibility of consent is also mentioned in Article 8(2), first sentence, of the Charter of Fundamental Rights of the European Union. This demonstrates that the concept of consent is a cornerstone of data protection. If the principle of self-determination expressed therein allows individuals to decide for themselves on the question of permissible data processing, it follows that the right to information, which only provides insight into the results of the – self-determined – data processing, must also be self-determined by the data subject. While there are arguments that the right to information under Article 15 GDPR is indispensable for the future, otherwise there would be a risk that it could not be effectively enforced and would ultimately be ineffective,3 in the case of a terminated employment relationship – as here – the (generally weaker) employee no longer has a comparable need for protection. Therefore, it is possible to dispose of the right to information for an employment relationship that existed in the past. Article 15 GDPR does not, in any case, impose an obligation on the data subject to request the information, but merely gives them the option to do so. Thus, the employee can decide autonomously – especially after the termination of the employment relationship – whether or not to request information about data collected in the past. Therefore, a waiver of the right of access under Article 15 GDPR in a settlement leading to the termination of the employment relationship is generally possible.
Paragraph 20
The plaintiff cannot successfully argue that the right of access is a fundamental right. The fundamental right to data protection under Article 8 of the Charter of Fundamental Rights of the European Union, from which the right of access is derived, concerns the guarantee of the right to informational self-determination.44 With regard to the aforementioned legal basis of consent, this right is characterized by the data subject’s power to determine the extent to which they control the processing of their data. As the defendant rightly stated, the fundamental right to data protection is therefore not an inalienable right to equality or human dignity, but rather a freedom right. This freedom includes the ability to decide, on one’s own responsibility, whether and to what extent one exercises it. The fact that the employee relinquishes the right to future access to information by waiving this right is unproblematic upon termination of the employment relationship, as the employee’s structural disadvantage compared to the employer no longer necessitates special protection. The plaintiff’s objection in this context is incomprehensible: that a waiver within the framework of the existing (employment law) exclusion clause, which relates solely to claims arising from the employment relationship, would run counter to the goal of enabling the employee to review the lawfulness of data processing and undermine the effectiveness of data protection. A settlement reached before the labor court regarding the termination of the employment relationship typically encompasses rights and claims related to the employment relationship.
Contrary to the plaintiff’s view, the Administrative Court did not interpret the labor court settlement of February 24, 2022, too broadly. Rather, clause 6 of the court settlement concluded between the plaintiff and the intervener before the Saarland Labor Court on February 24, 2022, also covers the right of access under Article 15 GDPR. This is already indicated by the comprehensive wording “all claims arising from the employment relationship and its termination, whether known or unknown, regardless of the legal basis.” Settlement clauses in court settlements that—as in the present case—are expressly intended to cover unknown claims regardless of their legal basis and thus indicate that the parties considered the possibility of claims unknown to them and included them in the intended settlement, are regularly to be understood as a comprehensive exclusion of claims in the form of a constitutive negative acknowledgment of debt. In such cases, the parties do not merely want to settle the legal dispute, but generally aim to comprehensively resolve the employment relationship and settle all claims, regardless of whether they had considered them or not. Any other interpretation would jeopardize the intended peace. The documented intent to settle would be worthless if claims beyond the documented content could give rise to new litigation.55 Based on the “comprehensive settlement” intended by clause 6 of the labor court settlement, the Senate has no doubt that the right of access under Article 15 GDPR is also included. No further clarification was necessary. This is all the more true since the plaintiff was aware of the right of access under Article 15 GDPR at the time and, according to his own submissions, had already asserted it against the intervener. To the extent that the plaintiff stated in the oral proceedings that he was never prepared to waive his right to information under data protection law, and that he deliberately left this open in case the intervener failed to comply with the settlement, he cannot derive any benefit from this. An internal or secret reservation to the effect of attributing a different content to the settlement than that declared is legally irrelevant.66 If the declarant expresses an intention to enter into a legal transaction but secretly reserves the right not to accept the legal consequences, Section 116 Sentence 1 of the German Civil Code (BGB) binds the declarant to his statement. In the interest of protecting commercial transactions, the declarant’s secret intention must remain meaningless. The motive is irrelevant. Only if the recipient of the declaration is aware of the reservation is it considered not worthy of protection, and the declaration of intent is void pursuant to Section 116 Sentence 2 of the German Civil Code (BGB). This rule applies to all declarations of intent and is applicable mutatis mutandis to quasi-legal acts.77 Based on this, it would have been incumbent upon the plaintiff to ensure that his data protection claim was excluded from the settlement agreement. Since this did not occur, the right to information is covered by the comprehensive settlement clause.
The plaintiff cannot successfully argue that data protection claims, in particular the right to information, exist independently of the employment relationship and outlast its termination. While this may be true in principle, the plaintiff’s conclusion that data protection claims are not “automatically” covered by an employment-related settlement clause and that explicit mention of data protection claims in the settlement is required cannot be accepted. There is no legal necessity for an explicit mention and emphasis of data protection claims in the settlement clause. Contrary to the plaintiff’s assertion, the content of the clause is clearly and unambiguously formulated (“all claims arising from the employment relationship and its termination, whether known or unknown, regardless of the legal basis”). No reason is apparent as to why the right of access under Article 15 GDPR should not be covered by this comprehensive clause (“all”). The plaintiff’s objection during the oral proceedings that “legal basis” here refers only to the area of employment law is unconvincing. Apart from the fact that the phrase “regardless of the legal basis” implies openness regarding the origin of the claim, the plaintiff’s data protection claims against the intervener relate to, or result from, the (former) employment relationship. The plaintiff’s reference to the GDPR’s transparency requirement is also irrelevant in this context. This requirement pertains to the processing of personal data, not to the content of a settlement agreement reached in labor court proceedings and the question of whether and to what extent the relevant settlement clause also covers data protection claims. This must be decided by interpreting this clause. In this context, the defendant rightly pointed out that in a court settlement, the parties can be expected to conclude such a settlement thoughtfully and after weighing all relevant aspects. This applies particularly when the data subject is represented by counsel.
The plaintiff’s other objections, intended to support his view that data protection rights cannot be waived, are also unconvincing. Neither the General Data Protection Regulation (GDPR) nor any other legal provisions contain any indication that a settlement regarding a data protection claim is not possible. The principle of effectiveness under EU law is of no help in this regard. While it entails the effective enforcement of the GDPR provisions in accordance with the objectives pursued by the EU legislature,88 it says nothing about whether and to what extent data protection rights can be waived. It is unclear why, as the plaintiff argues, there should be a particular interest in reviewing data processing specifically in the context of a terminated employment relationship. The purpose of the exclusion clause, namely to achieve a final separation of the parties, would be defeated if data protection claims could not be covered by such a settlement from the outset. The employee’s particular need for protection would then no longer exist to the same extent as before. If, even after the termination of the employment relationship, the employee still values the realization of their resulting data protection claims, they are free to remove these claims from the clause in question and subsequently enforce them. In this context, the defendant rightly pointed out that at the time the settlement was concluded, the plaintiff had an outstanding request for information and was therefore not unaware of any potential data protection claims under Article 15 GDPR, but had asserted them beforehand.
The plaintiff’s reference to Recitals 4 and 43 of the GDPR also does not preclude a waiver. Recital 4 merely states that the right to the protection of personal data is not an absolute right and can be balanced against other fundamental rights in accordance with the principle of proportionality. The plaintiff cannot derive any benefit from this, nor from the societal function of the right to data protection, which is also mentioned, in the present context. The same applies to Recital 43: This only addresses the issue of consent (for data processing) in cases of an existing imbalance between the data subject and the controller. However, such an imbalance no longer exists once the employment relationship has ended.
The fact that, by waiving their right of access, the data subject can no longer verify whether the principle of data minimization (Art. 5 para. 1 lit. c GDPR) has been violated, and that they can simultaneously no longer exercise their right to data portability (Art. 20 GDPR) due to a lack of knowledge of the data stored about them, is the logical consequence of waiving their right, but says nothing about whether such a waiver is legally permissible or not.
Recital 43 merely addresses the issue of consent (for data processing) in cases of an existing imbalance between the data subject and the controller. Paragraph 21
The decision on costs is based on Sections 154(2) and 162(3) of the Code of Administrative Court Procedure (VwGO).
Paragraph 22
The ruling on provisional enforceability is based on Sections 167 VwGO and 708 No. 10 of the Code of Civil Procedure (ZPO).
Paragraph 23
The requirements for granting leave to appeal on points of law (Section 132(2) VwGO) are not met.
Paragraph 24
Decision
Paragraph 25
The value in dispute for the appeal proceedings is set at €5,000 (Sections 52(1), 47(2), and 63(2) of the Court Costs Act (GKG)).
Paragraph 26
This decision is final.
</pre>