Ruling of the German supreme civil court (BGH) on GDPR violation: Loss of control over personnel files may result in claims for damages by employees


BGH strengthens employees' rights: Even the mere loss of control over personal data can constitute compensable non-material damage.


The BGH ruling of February 11, 2025 (VI ZR 365/22) on the General Data Protection Regulation (GDPR) shows: mismanagement of employee data can trigger claims for damages. Employers should urgently review their internal processes for managing personnel files.

Legal Framework

At the center is Art. 82 (1) GDPR, which grants individuals a right to compensation for data protection violations – including for non-material damages. Relevant national norms were also:

In its judgment, the German supreme civil court (BGH) also refers multiple times to the ECJ's precedents on the broad interpretation of non-material damages in data protection violations.

The Case

A federal civil servant repeatedly complained that her personnel file was managed not by authorized employees of the German national agency she worked for, but by civil servants of a German federal state. This practice was only stopped in 2019 following an official complaint. The plaintiff asked the court to rule that her employer was liable for damages due to a data protection violation under the GDPR. She failed in the lower courts – until the German supreme civil court (BGH) ruled on her appeal.

Decision

The BGH reached the following conclusions:

  • The management of personnel files by civil servants of a German federal state as a third party was inadmissible, even if they were obliged to maintain confidentiality.
  • The mere loss of control over sensitive data already constitutes compensable non-material damage within the meaning of Art. 82 GDPR. Contrary to the opinion of the appellate court, a specific and actual violation of personal rights was not required. Nor does the impairment of the individual need to be of particular weight, going beyond an individually perceived inconvenience or seriously affecting one's self-image or reputation.

Relevance for the Private Sector

This ruling also has direct implications for private companies:

  • No data transfer without legal basis: Not only within the public service, but also in the private sector, even within a corporate group, access to employee data may only occur if a legal basis (e.g., consent or other condition of lawfulness under Art. 6 GDPR) exists.
  • Check your service providers and access circles: Who has access to personnel files and other personal data? If you outsource parts of the administration (e.g., to shared service centers, tax advisors, software providers), you should urgently check and document that this is lawful under data protection law.
  • Take documentation duties seriously: Companies bear the burden of proof for GDPR-compliant data processing. Omissions or unclear responsibilities can lead to claims for damages – even without concrete actual harm.
  • Secure training and processes: Sensitize all involved parties in HR to the importance of data protection-compliant file management – including substitutions, handovers, and access by third parties.

What Can We Do for You?

Do you have questions on this topic? Do not hesitate to contact us!

Summary of the key facts

  • The loss of control over data alone can constitute non-material damage within the meaning of the GDPR and trigger claims for damages.
  • Even between affiliated companies, processing of employee data may be inadmissible.
  • Data protection-compliant allocation of responsibilities is essential for HR – even without external service providers.