Case Background: Application and Google Search
A recent decision by the Federal Labor Court of Germany (BAG) has clarified the obligations of employers under the General Data Protection Regulation (GDPR) when processing personal data during recruitment. The BAG upheld a ruling of the Düsseldorf Regional Labor Court (LAG), ordering a university to pay EUR 1,000 in damages to a lawyer-applicant after the university conducted a Google search on him prior to a job interview.
The lawyer had applied for a temporary position as a “fully qualified lawyer (m/f/d)” to cover maternity and parental leave for about 18 months. To prepare for the job interview, a university official searched the applicant's name online. This search revealed that the lawyer had previously been convicted of commercial fraud, but this ruling was later overturned by the Federal Court of Justice (BGH). The search also uncovered allegations that the lawyer had submitted fraudulent job applications to claim compensation under the General Equal Treatment Act (AGG). The applicant was not informed during the application process that data would be collected from publicly accessible sources (e.g. Google) as part of the application. In the end, the university deemed the applicant unsuitable and selected another candidate who better met the job requirements.
Legal Issues: Google Search and GDPR Information Obligations
Both the LAG and the BAG found that the university’s actions violated Article 14 of the GDPR. Under Article 14(1)(d) GDPR, when personal data is not obtained directly from the data subject, the data controller (in this case, the university) must inform the individual about the categories of personal data being processed. The university failed to notify the applicant that it had collected and processed information about his criminal conviction, which was obtained through the Google search and used in the hiring decision.
The courts emphasized that the university not only processed personal data without proper notification, but also documented the information without providing the applicant with the legally required details about the data category and its role in the selection process.
Court Decision: Damages for Lack of Transparency
The courts confirmed that the lawyer was entitled to EUR 1,000 in damages under Article 82(1) of the GDPR. Importantly, the damages were not awarded because the applicant was rejected for the position, but because the university failed to inform him about the processing of his personal data obtained from the internet and its use in the recruitment process. The applicant argued that the data relating to the criminal proceedings should not have been collected or processed at all during the application process.
The court emphasized that not every GDPR violation automatically results in damages. There must be a causal link between the violation and the harm suffered. In this case, the harm arose from the applicant losing control of his personal data, which resulted in a lack of transparency in the hiring process.
Key Takeaways for Employers
Transparency is Essential: Employers must inform job applicants when they process personal data obtained from third-party sources, such as internet searches, especially if such data influences hiring decisions.
Document and Communicate: Employers should document their data processing activities and ensure that applicants are properly informed about the categories of data collected and the purposes for which it is used.