Information requests under GDPR as means of exerting pressure

Means of pressure: Requests for information under the GDPR

Requests for information under Art. 15 of the GDPR have developed in recent years into a strategic tool used by employees and applicants to put pressure on companies. With such a request for information, employees and applicants can demand comprehensive information about the processing of their personal data, which often involves considerable effort for companies. Especially in conflict situations, such as dismissals or labour law disputes, employees use this right strategically to exert additional pressure on the company or to uncover potential violations of data protection regulations.

Legal uncertainties regarding claims for damages

Whether and to what extent a breach of the obligation to provide information – be it through delayed, incomplete or omitted information – can give rise to a claim for damages under Art. 82 GDPR and remains legally controversial. Clarification by the European Court of Justice (ECJ) is still pending.

Decision of the Düsseldorf Regional Labour Court

In its judgment of 21 August 2024 (Ref. 4 SLa 233/24), the Düsseldorf Regional Labour Court ruled that a breach of Art. 15 GDPR may, in principle, justify a claim for (non-material) damages under Art. 82 GDPR.

In the underlying case, the plaintiff asserted his right to information after an unsuccessful application to the defendant. The defendant did not respond initially and later informed the plaintiff that his application documents had been deleted in accordance with the requirements of the GDPR. The plaintiff then asserted a claim for damages in the amount of at least EUR 2,000.00, which he justified on the grounds of emotional distress and a loss of control over his data. The defendant argued that it had fulfilled the right to information, deleted the data lawfully and that there was no damage eligible for compensation.

The Düsseldorf Labour Court dismissed the claim and the appeal before the Higher Labour Court was also unsuccessful, as the claimant could allege a violation of the GDPR but had not substantiated any non-material damage within the meaning of Art. 82(1) GDPR. The court emphasised that, according to the case law of the ECJ, non-material damage could be minor, but had to be specifically demonstrated. A mere loss of control or general negative feelings such as ‘emotional distress’ were not sufficient.

Appeal proceedings and preliminary ruling by the ECJ

The appeal proceedings currently pending before the BAG have been suspended and referred to the ECJ for a preliminary ruling. In the preliminary ruling, the ECJ is to clarify:

• Compensation for delayed or incomplete information: Can a data subject assert a claim for non-material damages under Art. 82 GDPR in the event of a breach of the obligation to provide information under Art. 15 GDPR?
• Uncertainty as non-material damage: Does the uncertainty arising from the breach of the obligation to provide information – in particular the inability to verify the lawfulness of the data processing and to assert rights – constitute non-material damage within the meaning of Art. 82 GDPR?

The ECJ's answers will be decisive in harmonising the hitherto inconsistent case law of the lower courts. While some courts already consider the mere violation of information obligations to be sufficient for a claim for damages, others – such as the Düsseldorf Regional Labour Court – require a substantiated presentation of specific non-material damages.

Consequences for companies

Regardless of the ECJ's decision, it remains essential for companies to process requests for information under Art. 15 GDPR with the utmost care and within the specified time limits. An unanswered or inadequately processed request for information can pose a significant liability risk.

The clarification by the ECJ is expected to help clarify the requirements for demonstrating damage and curb abusive requests for information. Nevertheless, companies should regularly review, document and design their internal processes for handling such requests in accordance with data protection regulations in order to minimise legal risks.