Art. 15 GDPR and Access to Personnel Files
The Munich Regional Labor Court addressed in its judgment of June 12, 2025 (Az. 2 SLa 70/25) two claim grounds that are often conflated in practice: the data protection right of access under Art. 15 GDPR on the one hand, and the labor law right to access personnel files on the other. Especially in the context of internal compliance investigations, it becomes clear that these two claims serve different purposes, are subject to different limits, and lead to different legal consequences.
The case arose from an internal compliance investigation concerning alleged misconduct by a senior employee. The employer relied on an externally prepared compliance final report as the basis for employment-related measures but denied the employee both a copy of and access to the report. The employer refused disclosure and access citing the protection of trade secrets, the confidentiality of internal investigations, as well as the rights of whistleblowers and witnesses, particularly regarding data protection obligations and the Whistleblower Protection Act.
Does Art. 15 GDPR grant a right to the disclosure of complete internal compliance reports?
While the labor court had largely upheld the claim, the defendant continued to challenge the disclosure in appeal. The Munich Regional Labor Court was therefore required to reconsider the scope and limits of both the GDPR access claim and the labor law right of inspection.
Access under Art. 15 GDPR
According to the Regional Labor Court, the access right under Art. 15 GDPR serves the purpose of transparency in data processing. It allows the data subject to verify whether and to what extent personal data about them are being processed and whether such processing is lawful. From this perspective, the court derived that the claim is generally directed at information concerning personal data, not at the blanket disclosure of entire internal documents.
Although Art. 15(3) GDPR provides for the provision of a copy of personal data, the court emphasized that this right relates to the personal data themselves, not to the medium or the entire document in which these data are contained. A compliance final report is typically a complex internal document that contains, in addition to the personal data of the data subject, evaluations, legal assessments, organizational information, and personal data of third parties. GDPR does not entitle the data subject to receive the entire document as a whole.
The court also considered the rights and freedoms of third parties, explicitly including whistleblowers, witnesses, and internal investigative structures. A full copy of a compliance report would typically allow conclusions to be drawn about identities, testimony behavior, and internal procedures, thereby infringing upon the legitimate interests of third parties. Against this backdrop, the court consistently denied any claim to a full copy under GDPR.
Right of Access to the Personnel File
Independently, the Regional Labor Court affirmed a claim to inspect the compliance final report as part of the personnel file. The legal basis for this is the labor law right of access under § 26(2) SprAuG, which corresponds substantively to § 83(1) BetrVG.
Crucial was that, after the internal investigation, the report served as the basis for employment-related measures concerning the plaintiff. The court emphasized that the internal classification or confidentiality marking of the document is irrelevant; what matters is its actual function within the employment relationship. When a report is used to evaluate an employee, it is to be included in the personnel file and is generally subject to the labor law right of inspection. If the report contains information from employees whose anonymity was assured, the employer may redact or obscure these passages before granting access, so that neither the identity of the whistleblower nor any conclusions about their identity are revealed. This does not limit the employee’s right of access.
The employer could not refuse access on the basis of the Whistleblower Protection Act (“HinSchG”). The court clarified that the substantive scope of the Act was not triggered in this case. The internal investigation concerned allegations of managerial misconduct, which did not relate to any of the violations described in § 2 HinSchG. The case did not involve reports of criminal or administrative offenses or other breaches covered by the Whistleblower Protection Act. Simply reporting information internally and processing it within a compliance framework, according to the court, is not sufficient to activate the special protection mechanisms of the Act.
Clear Distinction and Key Takeaways
The Regional Labor Court drew a clear distinction: the data protection right of access under Art. 15 GDPR does not justify disclosure of a copy of the compliance final report, particularly with regard to the rights of third parties and internal protection interests. At the same time, a labor law right of access existed for the report, insofar as it had become part of the personnel file. The decision illustrates that data protection law and labor law pursue different protective objectives and are not congruent. While Art. 15 GDPR serves to control data processing, personnel file access is intended to provide transparency over the basis for employment-related measures.
Note
This article is for general informational purposes only and does not cover all possible circumstances. It does not replace individual legal advice or a case-specific review.
Despite careful preparation, no liability is assumed for the accuracy, completeness, or timeliness of the information. For legal evaluation or implementation recommendations in specific cases, professional legal advice should be sought.