Data protection: German Federal Labor Court tightens requirements for the use of HR software

  • 05/19/2025

The German Federal Labor Court (BAG) has clarified that employers who disclose personal data without authorization must pay damages. The decision has implications for the use of cloud and HR software.

With its decision of May 8, 2025 (case no. 8 AZR 209/21), the BAG has severely tightened requirements for the handling of personal data in the company, thus creating new liability risks for employers. The decision focused on the question of under what conditions the disclosure of employee data within the group or to service providers, in particular into third countries such as the US, is permissible and what consequences a violation of the General Data Protection Regulation (GDPR) entails.

For companies, the decision brings tighter requirements for cloud and HR software, forcing them to review works agreements and expand their data protection organization, especially if central HR services are controlled by foreign group companies.

The case: Data transfer to the USA

Since 2017, the international employer had been planning to introduce the cloud-based HR system Workday across the entire group. As part of a software test, it transferred not only anonymized test data to the US parent company, but also sensitive information such as salary data, tax ID, social security number, marital status, date of birth, and private address.

However, the works agreement only permitted the use of anonymized test data. An affected employee therefore sued for damages under Article 82 GDPR, arguing that the loss of control over his personal data alone constituted non-material damage.

Loss of control as damage – new liability risks

The BAG followed this line of argument and awarded the plaintiff a lump sum of EUR 200.00 in damages. The court did not assume any specific abuse or damage, but recognized the unlawful transfer and the associated loss of control as compensable non-material damage.

For employers, this means a significant expansion of liability: an insufficient legal basis for data transfer or a works agreement that is too general in nature can lead to claims for damages.

Precise works agreements and technical protective measures

The decision underscores the central importance of precise and transparent regulations. Employers cannot rely on blanket statements, but must specify exactly which data is processed for what purpose, who has access to it, how the data is protected technically and organizationally, and on what legal basis the processing takes place.

Although the EU/US Privacy Framework (the successor agreement to the Privacy Shield) currently still applies to the transfer of personal data to the US, and an adequacy decision is required on this basis, it is to be expected that this will be revoked in light of the Trump administration's executive orders. It is therefore strongly advisable to prepare now for the fact that data transfers to the US will once again only be permitted with strict protective measures and standard contractual clauses or encryption, etc., and that regular risk analyses will be implemented. The BAG makes it clear that companies must not only meet these requirements on paper, but must actually implement and document them.

Need for action by companies

For business practice, the decision means that companies should urgently review and adapt their existing data protection processes and IT infrastructures.

A careful data protection impact assessment is essential, in particular when introducing new software solutions, using cloud services, or outsourcing HR processes abroad. Cooperation with the works council is becoming increasingly important: works agreements must be developed jointly and regularly reviewed to ensure they are up to date and comply with the GDPR.

Signal effect and outlook

Furthermore, the decision sends a signal to the entire economy. It is to be expected that the number of lawsuits seeking compensation for non-material damages due to data protection violations will increase, as the hurdles for a successful claim have been significantly lowered.

Employers are therefore well advised to train their employees regularly, define clear responsibilities for data protection, and seek legal advice at an early stage in case of uncertainty. The documentation of all data protection-related processes and decisions is also becoming increasingly important in order to be able to prove, in the event of a dispute, that all legal requirements have been met.

Conclusion: Data protection as a management task

The BAG decision of May 8, 2025 emphasizes: GDPR compliance is not a minor IT issue, but a matter for senior management. Those who fail to act now risk not only fines, but also substantial claims for damages. Use the decision to put your data protection practices on a legally secure basis – so you can reap the benefits of digitalization without any worries.



Authors of this article

Stephanie Breitenbach

Senior Manager

Attorney-at-Law (Rechtsanwältin), Specialist Lawyer in Labor Law

Kerstin Weckert

Partner

Attorney-at-Law (Rechtsanwältin), Specialist Lawyer in Labor Law, Licencié en droit, Mag. iur.

Dr. Christian Engelhardt, LL.M.

Partner

Attorney-at-Law (Rechtsanwalt)
