In its judgment of 5 June 2025 (8 AZR 117/24, available in German only), the Federal Labor Court (BAG) ruled on claims for damages related to a recruitment procedure. This decision followed an earlier ruling by the Düsseldorf Higher Labor Court (LAG Düsseldorf) on 10 April 2024 (12 Sa 1007/23, available in German only).
The case involved claims for material damages due to violations in the recruitment process for a public office under Section 280(1) BGB and Section 823(2) BGB in conjunction with Article 33(2) GG, as well as claims for non-material damages under Article 82 GDPR. The BAG sets very strict requirements for background checks and clarifies material and non-material damages in cases of unjustified collection and use of information on an applicant.
Background of the Case
A lawyer applied for a position at a university. During the selection process, the university conducted an online search and found a non-final conviction for attempted fraud committed by the applicant. The university rejected the applicant, who subsequently filed a lawsuit challenging the decision.
University’s Arguments
The plaintiff argued that the processing was not legally justified. In his opinion, employers do not have a general right to search the internet for applicants using search engines or to use the data collected in the application process. The defendant did not specifically search for criminal proceedings; rather, they conducted a general search. Otherwise, the plaintiff could have been asked about this during the job interview. Additionally, the plaintiff claimed that the university did not inform him about the online search on his criminal proceedings.
The plaintiff claimed damages under Article 82(1) of the GDPR, asserting that the university’s actions resulted in a loss of control over his personal data and violated his privacy rights.
Applicant’s Arguments
The university argued that an internet search was necessary to evaluate the applicant’s qualifications. They claimed that the information was publicly accessible and relevant to the hiring decision. The university believed that the pending criminal proceedings raised sufficient doubts about the plaintiff’s suitability for employment in the legal department. The university maintained that the search was justified, given the circumstances.
The LAG Düsseldorf’s Prior Ruling
1. Valid Legal Basis
The LAG Düsseldorf held that searching for the applicant’s name on a well-known online search engine was permitted under Article 6(1)(b) GDPR (performance or initiation of a contract, here the potential employment relationship). The court argued that if the pre-contractual measure — like in this case — can be traced back to the initiative and intention of the data subject, Article 6(1)(b) GDPR permits the collection and processing of data to the extent necessary for the specific selection process. According to the LAG Düsseldorf, it was necessary for the specific selection process because it is the duty of a public employer to determine and verify the suitability of applicants. However, the court did not decide whether background checks without specific cause are generally justified.
2. Information Obligations
The LAG Düsseldorf, however, held that the university had not fulfilled its information obligations under Article 14 GDPR. The LAG Düsseldorf argued that the university did not inform the applicant of the categories of personal data within the meaning of Article 14(1)(d) GDPR that it had processed.
The university did not inform the applicant that the non-final criminal conviction could be considered an additional circumstance rendering him unsuitable for the position in question. The LAG Düsseldorf decided that if the university bases its selection decision on such a category of data — even if only as a backup — it must inform the applicant specifically about this category of data in accordance with Article 14(1)(d) GDPR.
3. Damages
After considering the circumstances, the court awarded the plaintiff non-material damages in the amount of EUR 1,000 for this violation.
The BAG’s Ruling
1. No Material Damages Due to Lack of Causal Link
Citing the CJEU decisions (C-200/23, Agentsia po vpisvaniyata, and C-300/21, Österreichische Post), the BAG argued that the plaintiff failed to demonstrate a causal connection between the alleged GDPR violations and the claimed material damage in this case. The BAG explained that the alleged data protection violations were errors in the selection process that could not have caused the damage resulting from the non-hiring on their own. Instead, the damage was due to objectively justified doubts about the applicant’s suitability; thus, the university was not obligated to hire the applicant.
2. Multiple GDPR Violations/No Valid Legal Basis
The BAG emphasized that multiple GDPR violations occurred. Contrary to the LAG Düsseldorf’s view, the BAG held that there was not only a breach of the information obligations under Art. 14 para. 1 lit. b GDPR. The BAG also found that the university had collected data about the applicant’s pending criminal proceedings without a valid legal basis under Art. 6 and 10 of the GDPR.
3. Severity of Fault Not Considered in Non-material Damages
However, the BAG clarified that these violations do not mean that the amount of compensation set by the lower court was legally incorrect. Article 82(1) of the GDPR would not require consideration of the severity of the fault. The BAG argued that the compensatory function of the damages claim under Article 82(1) GDPR excludes any consideration of fault as a factor in determining the amount of damages.
4. Awarding Non-material Damages of EUR 1,000
The BAG stated that the lower court had thoroughly assessed the applicant’s actual impact, noting that processing the data about the pending criminal case had reduced the applicant to a mere object of the processing, undermining his personal dignity and causing a substantial loss of control. According to the BAG, the LAG had the discretion to award the applicant EUR 1,000 in compensation.
5. Key Takeaways
- Companies doing background checks on applicants should be very clear and precise in their applicant privacy notices. They should describe all potential avenues of gathering information, the categories of information and the purposes.
- Gathering information from publicly available sources may not be justifiable unless there is a specific reason for collecting such information. In other words, companies may not want to do public searches on every applicant.
- Even if companies have conducted such checks in violation of the GDPR, they may still not be compelled to hire the candidate; therefore, they are also not obligated to compensate for the material damage resulting from the rejection of the candidate.
- Applicants may, however, claim non-monetary damages in the amount of, for example, EUR 1,000 should a company have gathered information without legal justification.
To-Dos for Organizations
- Inform the Applicant Properly. Comprehensively inform the applicant about the categories of data that will be processed.
- Update Privacy Notices. Ensure privacy notices are current and accurately reflect data processing practices, providing transparency to individuals about how their data is used.
- Evaluate Use of Background Checks. Carefully consider where background checks are truly needed, and assess their legal justifiability.
[View source.]
