An interesting ruling that could affect startups in particular, which often work with “bring your own device” policies, was just issued by the Baden-Baden Regional Court.

In a judgment dated August 24, 2023 (Case No. 3 S 13/23), the court ordered a company to disclose to a customer the names of its employees who had privately processed customer data collected by the company. In addition, the company has been ordered to prohibit its employees from continuing to use the personal customer data on their private communication devices.

In its reasoning, the Regional Court stated that the General Data Protection Regulation (GDPR) provides for the customer’s right to information pursuant to Art. 15 Par. 1 lit. c) GDPR, which in the present case also extended to the plaintiff customer’s employees of the defendant as recipients within the meaning of Art. 4 para. 9 GDPR to whom the applicant’s personal data have been disclosed and who have processed them privately, for example because they have used them on a private account of a social network. It is true that employees of a data controller are in principle not to be regarded as recipients. However, according to the case law of the European Court of Justice (ECJ, judgment of June 22, 2023, C-579/21, para. 75), this only applies if they process the data under the supervision of the controller and in accordance with its instructions. In contrast, in the case to be decided, at least one employee of the defendant had established contact with a customer on her own authority via her private account in order to clarify questions in connection with the purchase of a television. Since it is necessary for the customer to name the employees in order to verify the lawfulness of the processing of her personal data and, if necessary, to be able to assert further claims against the employees to which she is entitled under the GDPR, there is a right to information on the naming of the employees in the present case. A balancing of the rights and freedoms of the customer on the one hand and the employees on the other to be carried out leads to the fact that the use of the customer data on private accounts was carried out unauthorized by the employee of the defendant contrary to the instructions and the usual practices of the company, so that the interest of the employees to remain anonymous is not worthy of protection and has to take a back seat to the interests of the customer to assert her claims under the GDPR.

In addition, the customer is entitled to claim damages pursuant to §§ 823 para. 2, 1004 BGB analogous in conjunction with Art. 1 GDPR, the defendant company is entitled to prohibit the continued use of the plaintiff’s personal data collected by the defendant on private communication devices. The defendant is responsible as an indirect tortfeasor and is obligated to require the defendant’s employees who are subject to its instructions to refrain from the continued use of the customer’s personal data collected in the company in violation of instructions.

The district court did not allow an appeal against the judgment of August 24, 2023. There is therefore no right of appeal against the judgment.

To the background:

The customer had purchased a TV and a wall mount from the defendant company in June 2022. In this context, her name and address were recorded. A few days later, she returned the wall mount, and was inadvertently refunded the much higher purchase price for the TV.

When the oversight was noticed at the company, an employee of the company wrote a message to the customer via her private account on a social network on the same day, drawing attention to the oversight and asking for feedback. In addition, the customer also received another message via Instagram that same day, asking her to contact the Instagram user’s “boss” about this.

In her action against the company, the customer sought information on the employees of the defendant to whom her personal data had been disclosed or transmitted and also requested that the defendant be ordered to prohibit the employees from using the customer’s personal data on private communication devices.

The defendant company has countered the claim.

The district court dismissed the action. In its reasoning, it stated, among other things, that the right to information does not exist because employees of a company are not “recipients” within the meaning of Art. 15 Para. 1 lit. c) GDPR, Art. 4 No. 9 GDPR. The requested order to prohibit the defendant’s employees from using the customer’s personal data on her private communication devices was not justified.

The plaintiff’s appeal was directed against this, in which it continued to pursue its first-instance claims.