German court rules job rejection reasons are not personal data under GDPR

The Mainz Labor Court has ruled that employers are not required to disclose their reasons for rejecting job applicants under Article 15 of the General Data Protection Regulation (GDPR), according to a judgment issued on April 8, 2024.

In case 8 Ca 1474/23, the court determined that while personal data must be broadly interpreted under GDPR Article 4(1), an employer's decision-making rationale does not constitute personal data of the rejected candidate.

According to the court documents, the case originated when a job applicant requested information about why their September 2023 application was rejected. After receiving a rejection notice, the applicant formally requested both the reason for rejection and a complete copy of their personal data under Article 15 GDPR.

The employer's initial response on October 18, 2023, simply stated they had selected another candidate, directing the applicant to submit further inquiries to a designated email address. This limited response prompted legal action.

In its detailed reasoning, the court explained that while characteristics like language skills would qualify as personal data, the employer's decision to select a candidate based on such skills does not. The judgment states that selection decisions may be entirely subjective, based on "gut feeling," and therefore relate to the employer as the decision-maker rather than the applicant.

The court ordered the employer to pay €5,000 in compensation for failing to properly fulfill their GDPR obligations regarding data access requests. While acknowledging that the actual damage suffered was minimal, the court emphasized the preventive function of such penalties, citing the need for serious consequences to ensure data protection laws are taken seriously.

The judgment references Article 83 GDPR, which bases administrative fines on company annual revenue, suggesting that civil proceedings should similarly consider an organization's size when determining appropriate compensation.

Notably, the court dismissed the applicant's demand for an "true copy" of all personal data, ruling that this request was fulfilled by the employer's later disclosure statement. Since the only stored data consisted of application materials originally submitted by the candidate, the court found the request for copies would constitute an abuse of rights under German Civil Code Section 242.

The ruling establishes several key principles for handling personal data in recruitment:

• Employers must promptly respond to data access requests
• The mere existence of a dedicated email address for data requests does not satisfy GDPR obligations
• Information about internal decision-making processes is not considered personal data
• Compensation for GDPR violations serves both remedial and deterrent purposes

Legal experts note this decision could significantly impact how employers handle data access requests in recruitment processes across Germany. The court's interpretation of what constitutes personal data provides clarity for organizations managing candidate information while maintaining their discretion in hiring decisions.

The case highlights the increasing intersection between data protection rights and employment law, demonstrating how GDPR compliance affects standard recruitment practices. The substantial compensation awarded, despite minimal actual damage, signals courts' willingness to impose meaningful penalties for procedural violations of data protection regulations.

This ruling adds to the growing body of GDPR jurisprudence in Germany, offering concrete guidance on the scope of personal data in employment contexts while reinforcing the serious consequences of non-compliance with data subject access requests.