Data protection breach costs companies dearly: BAG grants compensation after Workday data affair

The Federal Labor Court has made a landmark decision on data protection in the workplace. In the event of unauthorized data use, employees can expect financial compensation - even if the use of the data for test purposes was agreed in the company.

Loss of control recognized as compensable damage

In a recent landmark ruling from May 8, 2025 (Ref. 8 AZR 209/21), the Federal Labor Court (BAG) clarified that the loss of control over one's own information constitutes immaterial damage for which employers are liable. An employee had successfully sued his employer after the latter had transmitted highly sensitive personal data such as salary details, private addresses and tax IDs to the parent company as part of a software test - far more than permitted in the underlying works agreement.

ECJ shapes interpretation of the GDPR

Following a referral by the BAG, the European Court of Justice (judgment of 19.12.2024, ref. C-65/23) had already set guidelines: Even works agreements are fully subject to the GDPR requirements - especially the principles of purpose limitation and storage limitation. A simple agreement between the works council and the company is not sufficient if the processing is not also lawful under Art. 6 and 9 GDPR.

Lessons learned for HR practice

The decision means for employers: When introducing digital HR systems such as the cloud-based "Workday", a company agreement is not sufficient as a safeguard. The actual use of data must remain strictly within the agreed framework. The BAG builds on previous case law, but requires more than a mere "feeling of disturbance" on the part of the affected party for a claim for damages.