international employment law firm alliance L&E Global

Germany: Unlawful Intra-Group Data Sharing Triggers Employee Compensation

Authors: Verena Braeckeler-Kogel, MAES (Basel) and Meike Christine Rehner

The German Federal Labour Court recently ruled that an employee was entitled to compensation under the EU General Data Protection Regulation (GDPR) after his employer unlawfully transferred his personal data to another company within the same corporate group during the testing of a new HR management system.

Background

The employer had entered into a works agreement with the works council that allowed certain business-related data to be transferred within the group for the purpose of testing a new HR management system (Workday). However, the employer exceeded the scope of this agreement by also transferring sensitive personal information, including salary details, home addresses, and tax identifiers. The employee argued that this unauthorised transfer resulted in a loss of control over his personal data and claimed non-material damages.

While the claim was dismissed by lower courts, the Federal Labour Court ultimately awarded the employee a modest sum of EUR 200 in non-material damages after referring legal questions to the European Court of Justice. The court ruled that transferring data not covered by the works agreement was unjustified and breached the GDPR. The compensation was granted under Article 82(1) of the GDPR, which provides for damage claims in cases of unlawful data processing.

Key Issues

The court held that the employer had unlawfully transferred personal data beyond what was permitted under the applicable works agreement. This additional data transfer was not necessary for the intended purpose and therefore violated the principles of lawful data processing under the GDPR. As a result, the employee suffered non-material harm in the form of a loss of control over his personal information.

Practical Points

  • The ruling confirms that, even within a corporate group, personal data may only be shared if the transfer is strictly necessary and/or explicitly authorised.
  • Employees must be clearly informed about which data is being processed, its purpose, and the legal basis for processing it.
  • Employers should keep clear records of their data processing activities and carry out regular risk assessments, particularly when introducing new systems or transferring data between different entities.

 
