Many companies introduce their employees by name on the company website. When a German employer fails to delete such information promptly after an employee leaves the company, it can be expensive for the former employer, as a judgment of the Labor Court (Arbeitsgericht, ArbG) of Neuruppin shows in an opinion from December 2021.
Facts of the Case
A biologist, who worked as an office manager, was named on her employer’s public website and introduced as the company’s in-house biologist, although this was not her position. When she left the company, the employee requested that the company delete the information from its website.
When her name and incorrect position still appeared online one year later, she sent her former employer a reminder and demanded that the company issue a cease-and-desist declaration to confirm that it had removed the information and claimed 8,000 euros (approximately $8,453) in damages. The employer deleted the information and provided the requested cease-and-desist declaration but paid only 150 euros (approximately $159) in damages. The employee then brought a claim before the Labor Court in Neuruppin, demanding payment of only 5,000 euros (approximately $5,284) in damages, minus the 150 euros that had already been paid.
The ArbG Neuruppin ordered the former employer to pay 1,000 euros (approximately $1,056) in damages, minus the 150 euros already paid. The court based its decision on data protection law, as the name of the employee is personal data within the meaning of the General Data Protection Regulation (GDPR).
Under Article 82 of the Regulation, when a person suffers damage as a result of a data processing infringement, the person shall have the right to receive damages from the data controller. In this case, it is the former employer that processed the employee’s data without justification after the employee left the company. Due to the accompanying invasion of privacy, even nonmaterial damage will be considered when calculating the amount of compensation to be awarded, which shall expressly serve as a warning and deterrent. In addition, the employer had a duty to delete the data promptly after the employee left the company not just under data protection law, but as a general ancillary obligation of the terminated employment relationship. The court therefore held that compensation amounting to 1,000 euros was appropriate.
The judgment of the ArbG Neuruppin highlights the risk of liability under data protection law, which is particularly virulent when an employee leaves the company. Employers are well advised to update the company website quickly in such cases and delete all information about the former employee. This is especially true when the employment relationship does not end amicably, and additional areas of conflict are best avoided.
The judgment concerns the legal use of employee information on the Internet, whether it is on the company website or social media. Such information can include names, photos and videos of the employee. Considering the not insignificant risk of liability and an increasingly consolidated case law, employers should thoroughly assess their use of employee data in advance. In particular, the employer must ensure that the employee has given their legally effective consent, which covers all purposes, before using any data. When there is subsequently no justification for the use of the employee’s data, such as because the employee did not give their consent, the infringing data must by deleted without delay.
Maximilian Quader is an attorney with Advant Beiten in Munich. © 2022 Advant Beiten. All rights reserved. Reposted with permission of Lexology.