A breach is deemed to have occurred if a person suffers a loss of control over their own data or experiences a restriction of their rights. The judgements also clarified that an employee can demand that the employer delete a warning from the personnel file even after the employment relationship has ended and that the employer must immediately provide applicants with information on whether personal data is being processed.
What data protection rights does an employee have after termination of the employment relationship?
According to German law, an employee has various data protection rights after termination of the employment relationship, which are essentially regulated in the German Federal Data Protection Act (BDSG) and the General Data Protection Regulation (GDPR). The most important claims include:
- Right to information: The employee has the right to demand information about whether and what personal data is stored about them.
- Right to rectification: The former employee may request the correction of incorrect data.
- Right to erasure: Under certain circumstances, the employee can request the erasure of their data, in particular if the data has been processed unlawfully or if storage is no longer necessary.
  This applies to the deletion of a warning letter from the personnel file: a warning letter serves to reprimand objectionable behaviour and is intended to serve as a warning with regard to the impending termination of the employment relationship. Consequently, storage is no longer necessary after termination of the employment relationship.
- Right to restriction of processing: In certain cases, the former employee may request that the processing of their data be restricted, for example if the accuracy of the data is disputed.
- Right to object: In certain circumstances, the former employee may object to the processing of their data.
What are these rights intended to protect?
These rights are available to both employees and job applicants to ensure that their personal data is adequately protected and processed in accordance with applicable data protection laws.
Who is responsible?
The controller within the meaning of Art. 4 No. 7 GDPR is the employer. In addition to the employer, a person who claims to be the “owner” of a company and makes independent decisions on the processing of personal data may also be considered a controller.
How long is the deadline for providing information?
In accordance with Art. 12 para. 3 GDPR, the employer must provide the employee with information on the measures taken without undue delay and in any case within one month of receipt of the request. However, unless there are special circumstances, a response after more than one week is no longer deemed to be without undue delay.
If the employee sets the employer too short a deadline, the request for information is not invalid; the statutory regulations apply instead.
What are the sanctions for breaches?
Breaches of the Data Protection Regulation can result in fines, claims for damages and warnings from consumer protection organisations.