Real data, real consequences: Why "testing purposes" are no longer an excuse
What began as an internal software test ended up before the Federal Labor Court (BAG): a company used real employee data to introduce a new HR management system - and violated fundamental data protection rules in the process. The BAG ruled on May 8, 2025: anyone who passes on personal data without a clear legal basis is liable. Even if there is a works agreement.
The ruling is a bombshell for the world of work - because it makes it clear that works agreements are not a legal vacuum. And certainly not a general power of attorney for data processing.
The "Workday" case: More than allowed - and more than wanted
The story begins in 2017: a company is planning to introduce the cloud-based HR system "Workday" across the group. Real employee data is to be used to test the software under realistic conditions. A works agreement is reached with the works council - the transfer of basic data such as name, start date, place of work and business email is permitted.
But more happens during implementation: even highly sensitive information such as salary, home address and tax ID ends up with the parent company. And that without any legal basis and without the consent of those affected.
An employee who discovers this takes legal action. Initially without success: the Baden-Württemberg State Labor Court dismisses the claim. But the BAG brings in the European Court of Justice - and gets backing. The ECJ makes it unmistakably clear: a works agreement must adhere strictly to the GDPR - and must never go beyond its limits.
Loss of control is damage - and is subject to compensation
The BAG ruled that the unauthorized data transfer had resulted in a loss of control over the employee's own information - and it was precisely this loss that was to be compensated as non-material damage in accordance with Art. 82 GDPR. The court thus reaffirmed its previous line: GDPR damage requires more than just a "bad feeling", but it does not necessarily have to be of a financial nature. It is sufficient if those affected can demonstrate in a comprehensible manner that they no longer had their data under control.
At the same time, the BAG clarified that a works agreement may only permit data processing that is also permissible under the GDPR - for example on the basis of a legitimate interest or a legal obligation. Simply saying "We have regulated this internally" is not enough.
Data protection within the group: no self-service store
Data protection rules also apply within a corporate group - without any ifs or buts. Just because data is passed on within the corporate group does not make it any less problematic. Anyone who passes on personal data to third parties - and a parent company is also legally a third party - needs a clear legal basis.
For many companies, this ruling means a rethink: works agreements must be GDPR-compliant, must not contain any loopholes and are not a blank check. The fact that the ECJ and the BAG state this so clearly shows how seriously the protection of employee data is now taken.
Sensitive data must be protected
For a long time, the principle was: whatever is agreed within the company holds. But those days are over. The GDPR is not a paper tiger, and the Federal Labor Court has now made it clear: anyone who passes on sensitive data without good reason - even with good intentions - must pay. The "loss of control" is more than just a legal term. It's about basic trust - and that can't be circumvented with a works council handshake. Works agreements are important - but not a protective shield against the GDPR.
Anyone who uses real data for testing is acting like someone who tries out the alarm system with the original key - it may be efficient, but it is also dangerous. And, in case of doubt, illegal. Companies would do better to test with dummy data and work with real rules. Anything else can be expensive.