What may at first sound like a minor technical detail actually has a potential for far-reaching consequences for companies across Europe: On 8 May 2025, the German Federal Labour Court (BAG) handed down a landmark ruling (BAG, 8 AZR 209/21) on the processing of personal data in employment relationships. The specific question was whether it was allowed to transmit real employee data to the US parent company during the test phase of new cloud-based human resources management software, or whether stricter standards would apply in this case. The decision is also of considerable importance for Austrian companies.

Facts of case

The plaintiff, a works council chairman and long-standing employee of the company, claimed compensation for non-material damage in the amount of € 3,000 pursuant to Art. 82(1) GDPR from the defendant. The background to this was the transmission of sensitive real data – including salary, private home address, date of birth, social security number and tax ID – to the US parent company for tests of the new HR software "Workday". 

It should also be noted that although a works agreement existed for this purpose, it only permitted the processing of certain data (staff identification number, surname, first name, date of joining the company, date of joining the group, place of work, company name, business telephone number and business email address). However, the data actually transmitted exceeded this scope considerably.

The decision

In its decision, the BAG ruled that the processing of personal data for testing purposes is generally only permissible if anonymised "dummy data" (so-called demo data) are not sufficient to achieve the testing purpose. 

In the case at hand, the BAG did not identify such a requirement and awarded the plaintiff € 200 in non-material damages. The BAG justified this on the grounds that the unauthorised transmission had resulted in a loss of control over the plaintiff's own data. Even if the amount awarded may seem small at first glance, the decision sends a strong signal. This is particularly true given the fact that systematic violations affecting a large number of employees can significantly multiply the financial risks.

Practical consequences for companies

In practice, it is therefore advisable to use anonymised/synthetic data for software testing and, if real data are required, to strictly limit their scope. Moreover, works agreements should be regularly reviewed in light of the GDPR and current case law so as to ensure their effectiveness and practicality.

If you have any questions about the data protection-compliant introduction of new software or the drafting of related works agreements, the KWR Data Protection and Employment Law team will be happy to assist you.