4 minute read | October.08.2025
In its judgment of 5 June 2025 (8 AZR 117/24, available in German only), the Federal Labor Court (BAG) ruled on claims for damages related to a recruitment procedure. This decision followed an earlier ruling by the Düsseldorf Higher Labor Court (LAG Düsseldorf) on 10 April 2024 (12 Sa 1007/23, available in German only).
The case involved claims for material damages due to violations in the recruitment process for a public office under Section 280(1) BGB and Section 823(2) BGB in conjunction with Article 33(2) GG, as well as claims for non-material damages under Article 82 GDPR. The BAG sets very strict requirements for background checks and clarifies material and non-material damages in cases of unjustified collection and use of information on an applicant.
A lawyer applied for a position at a university. During the selection process, the university conducted an online search and found a non-final conviction for attempted fraud committed by the applicant. The university rejected the applicant, who subsequently filed a lawsuit challenging the decision.
The applicant argued that the processing was not legally justified. In his opinion, employers do not have a general right to search the internet for applicants using search engines or to use the data collected in the application process. The university did not specifically search for criminal proceedings; rather, they conducted a general search. Otherwise, the applicant could have been asked about this during the job interview. Additionally, the applicant claimed that the university did not inform him about the online search on his criminal proceedings.
The applicant claimed damages under Article 82(1) of the GDPR, asserting that the university’s actions resulted in a loss of control over his personal data and violated his privacy rights.
The university argued that an internet search was necessary to evaluate the applicant’s qualifications. They claimed that the information was publicly accessible and relevant to the hiring decision. The university believed that the pending criminal proceedings raised sufficient doubts about the applicant’s suitability for employment in the legal department. The university maintained that the search was justified, given the circumstances.
The LAG Düsseldorf held that searching for the applicant’s name on a well-known online search engine was permitted under Article 6(1)(b) GDPR (performance or initiation of a contract, here the potential employment relationship). The court argued that if the pre-contractual measure — like in this case — can be traced back to the initiative and intention of the data subject, Article 6(1)(b) GDPR permits the collection and processing of data to the extent necessary for the specific selection process. According to the LAG Düsseldorf, it was necessary for the specific selection process because it is the duty of a public employer to determine and verify the suitability of applicants. However, the court did not decide whether background checks without specific cause are generally justified.
The LAG Düsseldorf, however, held that the university had not fulfilled its information obligations under Article 14 GDPR. The LAG Düsseldorf argued that the university did not inform the applicant of the categories of personal data within the meaning of Article 14(1)(d) GDPR that it had processed.
The university did not inform the applicant that the non-final criminal conviction could be considered an additional circumstance rendering him unsuitable for the position in question. The LAG Düsseldorf decided that if the university bases its selection decision on such a category of data — even if only as a backup — it must inform the applicant specifically about this category of data in accordance with Article 14(1)(d) GDPR.
After considering the circumstances, the court awarded the applicant non-material damages in the amount of EUR 1,000 for this violation.
Citing the CJEU decisions (C-200/23, Agentsia po vpisvaniyata, and C-300/21, Österreichische Post), the BAG argued that the applicant failed to demonstrate a causal connection between the alleged GDPR violations and the claimed material damage in this case. The BAG explained that the alleged data protection violations were errors in the selection process that could not have caused the damage resulting from the non-hiring on their own. Instead, the damage was due to objectively justified doubts about the applicant’s suitability; thus, the university was not obligated to hire the applicant.
The BAG emphasized that multiple GDPR violations occurred. Contrary to the LAG Düsseldorf’s view, the BAG held that there was not only a breach of the information obligations under Art. 14 para. 1 lit. b GDPR. The BAG also found that the university had collected data about the applicant’s pending criminal proceedings without a valid legal basis under Art. 6 and 10 of the GDPR.
However, the BAG clarified that these violations do not mean that the amount of compensation set by the lower court was legally incorrect. Article 82(1) of the GDPR would not require consideration of the severity of the fault. The BAG argued that the compensatory function of the damages claim under Article 82(1) GDPR excludes any consideration of fault as a factor in determining the amount of damages.
The BAG stated that the lower court had thoroughly assessed the applicant’s actual impact, noting that processing the data about the pending criminal case had reduced the applicant to a mere object of the processing, undermining his personal dignity and causing a substantial loss of control. According to the BAG, the LAG had the discretion to award the applicant EUR 1,000 in compensation.
Eva Maria Neubusch (Orrick Scientific Assistant) also contributed to this article.