Data Protection in Corporate Groups: German Federal Labour Court Strengthens Employee Rights Case Commentary, BAG, Judgment of 8 May 2025, Case No. 8 AZR 209/21

The internal transfer of employee data within corporate groups is increasingly subject to scrutiny under labour and data protection law. In its judgment of 8 May 2025 (Case No. 8 AZR 209/21), the German Federal Labour Court (Bundesarbeitsgericht – BAG) further clarified the requirements for lawful processing of personal data in a group context and confirmed the employer’s liability for breaches of the GDPR.

The Facts: Test Phase Using Real Employee Data

In 2017, a company intended to roll out the personnel management software “Workday” throughout the group. To that end, it concluded a works agreement with the works council, which allowed for the transmission of certain personal data of employees to the software solution. This agreement expressly limited the scope to specific master data such as name, date of hire, and professional contact details.

However, during the testing phase, the employer transmitted additional real personal data of employees beyond this agreed scope, including sensitive information such as salary details, marital status, private address, tax identification number, and social security number. This data transmission exceeded the limits of the works agreement and was not covered by its provisions.

The Decision of the Federal Labour Court: Violation of the GDPR

The BAG confirmed a violation of Article 6 sec. 1 letter f GDPR. The data transfer was not necessary to safeguard legitimate interests and breached the General Data Protection Regulation. In particular, there was no appropriate balance between the company’s interests and the fundamental rights of the claimant. The data subject had no influence over the processing and suffered non-material damage within the meaning of Article 82 sec. 1 GDPR—specifically, the loss of control over their personal data.

Works Agreements as Legal Basis? Only if GDPR-Compliant!

Also central to this issue is a judgment of the European Court of Justice (ECJ) from 19 December 2024 (Case C-65/23). The ECJ made it clear that:

• Works agreements can only serve as a legal basis for data processing if they fully comply with the requirements of the GDPR.
• In particular, the principles of purpose limitation and storage limitation must be strictly observed.
• The parties to the agreement must not go beyond the legal framework established by data protection law.

This means: even a seemingly consensual arrangement within the company cannot legitimise unlawful data processing.

Practical Guidance for Companies

• Internal data transfers within a corporate group require careful legal assessment:
• Design GDPR-compliant works agreements: They cannot legitimise data processing that violates data protection law.
• Review legal basis: A legitimate interest under Article 6(1)(f) GDPR exists only if the processing is necessary and the balance of interests clearly favours the company.
• Observe data minimisation: Only transfer data that is strictly necessary for the defined purpose.
• Avoid using real data in testing: Wherever possible, use anonymised data when testing new IT systems.

Conclusion

The BAG’s decision demonstrates that the processing of personal data must be GDPR-compliant even within corporate groups. Companies that rely on works agreements as an allegedly sufficient legal basis must reconsider and review such agreements for full compliance with the GDPR.