LG Baden-Baden Ruling: Employee Data Processing on Private Devices Affects Startups and GDPR Compliance
This recent judgment, issued on August 24, 2023, by the Baden-Baden Regional Court (Case No. 3 S 13/23), carries significant weight. It specifically impacts startups that frequently implement "bring your own device" (BYOD) policies. The ruling underscores critical aspects of GDPR compliance when employees handle personal data.
The court explicitly ordered a company to disclose the names of employees who had privately processed customer data. Furthermore, the company must now prohibit its employees from continued use of this personal customer data on their private communication devices.
Understanding the Court's GDPR Reasoning
The Regional Court's reasoning centered on the General Data Protection Regulation (GDPR). It affirmed the customer's right to information under Art. 15 Para. 1 lit. c) GDPR. In this specific case, this right extended to the defendant's employees as "recipients."
According to Art. 4 Para. 9 GDPR, recipients are individuals or entities to whom personal data is disclosed. This includes instances where personal data is processed privately, for example, on a private social network account.
While employees of a data controller are generally not considered recipients, the European Court of Justice (ECJ) clarified this. The ECJ's judgment of June 22, 2023 (C-579/21, para. 75) states that employees are only excluded if they process data under direct supervision and according to instructions.
In the present case, an employee initiated contact with a customer independently via a private social media account. This action was taken to clarify purchase-related questions, thus falling outside the scope of supervised processing.
The court emphasized the customer's need to identify these employees to verify the lawfulness of personal data processing. This identification is crucial for asserting any further claims under the GDPR.
Balancing the rights of the customer against those of the employees, the court found the unauthorized use of customer data on private accounts to be contrary to company instructions. Consequently, the employees' interest in anonymity was deemed not worthy of protection and had to yield to the customer's right to assert GDPR claims.
Consequences: Damages and Prohibition of Data Use
Beyond the right to information, the customer was also granted a claim for damages. This claim is based on §§ 823 para. 2, 1004 BGB analogously, combined with Art. 1 GDPR. The defendant company is now mandated to prohibit the ongoing use of the plaintiff's personal data on private communication devices.
The court held the company responsible as an indirect tortfeasor. It must instruct its employees to cease any continued unauthorized use of customer data. This highlights the company's liability for its employees' actions, even when those actions deviate from internal instructions.
Significantly, the District Court did not permit an appeal against this judgment dated August 24, 2023. This means there is no further right of appeal, rendering the decision final.
Background of the Legal Dispute
To understand the nuances of this ruling, it is helpful to review the case's origins:
The Initial Transaction and Error
In June 2022, the customer purchased a television and a wall mount from the defendant company. During this transaction, her name and address were recorded. Shortly after, she returned the wall mount but was mistakenly refunded the significantly higher price of the television.
Employee's Unauthorized Private Contact
Upon discovering the refund error, an employee of the company contacted the customer. This contact was made through the employee's private social media account on the same day, informing the customer of the oversight and requesting a response. The customer also received a separate message via Instagram, asking her to contact the Instagram user's "boss" regarding the matter.
Customer's Demands and Initial Court Proceedings
The customer subsequently filed an action against the company. She sought two main remedies:
- Information regarding the defendant's employees to whom her personal data had been disclosed or transmitted.
- An order prohibiting the defendant's employees from using her personal data on their private communication devices.
The defendant company contested these claims.
District Court's Initial Dismissal and Appeal
Initially, the district court dismissed the customer's action. It reasoned that employees of a company are not "recipients" under Art. 15 Para. 1 lit. c) GDPR and Art. 4 No. 9 GDPR, thus denying the right to information. Furthermore, the requested prohibition against using personal data on private devices was deemed unjustified.
The plaintiff then lodged an appeal, continuing to pursue her original claims from the first instance.
Conclusion
This ruling from the Baden-Baden Regional Court serves as a crucial reminder for companies, especially those with BYOD policies, about the strict requirements of GDPR. It clearly defines the boundaries of employee data handling and the company's responsibility for unauthorized private processing. Businesses must ensure robust internal policies and training to prevent such incidents and mitigate significant legal liabilities.