German Federal Labor Court Grants Damages Under the GDPR for the Use of Employee Data: 7 Things for Companies to Consider


May 29, 2025

On May 8, 2025, the Federal Labor Court (Bundesarbeitsgericht, “BAG”) issued a significant ruling concerning an employee’s claims for damages due to unlawful data transfers within a corporate group. The BAG ruled that works council agreements alone cannot legitimize data processing unless they fully comply with EU General Data Protection Regulation (“GDPR”) standards.

Companies must ensure that any data processing is necessary and justified through a documented balance of interests or can be based on other legal justifications, even when a works council agreement is in place. The court also emphasized the importance of assessing whether data transfers are truly needed or if the goal can be achieved through less intrusive methods.

Intra-group data transfers must be supported by a valid legal basis.

The BAG addressed the issue of intra-group data transfers, particularly involving U.S.-based third-party service providers. The case involved an employee claiming damages after their employer allegedly violated the GDPR by transferring personal data to the parent company to test cloud-based HR software. Although a works council agreement regulated certain data transfers, additional personal data such as salary, private address and tax ID were transferred without a legal basis.

Prior to its decision, the BAG referred the case to the European Court of Justice (“CJEU”), which emphasized that any personal data processing in the employment context must adhere to GDPR standards (CJEU, Judgment of December 19, 2024, C-65/23). The BAG followed the CJEU's decision, finding that the data transfer could not be justified by the employer's legitimate interests under Article 6(1)(f) GDPR. The BAG also found that the loss of control over the employee's data constituted immaterial damage under Article 82 GDPR and granted the plaintiff damages in the amount of EUR 200 (as the German Federal Court had similarly ruled in its earlier lead decision).

What companies should do

Companies should consider the following proactive measures to avoid potential liability and damage claims:

  • Map your data. Perform a thorough mapping of all personal data collected, stored, and processed within the organization to identify potential risks and ensure compliance.
  • Assess data-processing activities. Regularly review and update data-processing activities to ensure they meet GDPR requirements. This includes assessing the necessity and legality of data processing operations.
  • Draft records of processing. Draft and maintain comprehensive records of all data processing activities, including the purposes, legal basis and categories of data processed, to demonstrate compliance with GDPR.
  • Have intra-group agreements in place. Implement agreements governing data transfers within the corporate group, ensuring they comply with GDPR standards.
  • Limit group data transfers. Regularly assess whether data transfers are necessary and minimize data sharing to reduce risks associated with unauthorized access or breaches.
  • Perform appropriate transfer risk assessments. Evaluate the risks associated with data transfers, particularly to third countries or within the group, and implement measures to mitigate identified risks.
  • Update your privacy notices. Ensure privacy notices are current and accurately reflect data processing practices, providing transparency to individuals about how their data is used.

Our team helps companies build out and maintain robust GDPR compliance frameworks. We are committed to helping our clients determine their obligations, defend their practices, and update their compliance programs. Please contact one of the authors (Dr. Christian Schröder, Dr. Odey Hardan) for more information.
