May my employer send a judgment with my name to all colleagues?

A workplace dispute fought out in court is tough enough. But what if your employer then emails the ruling, with your name and even your private address, to the entire staff? A Data Protection Authority (DPA) decision of 19 September 2025 (no. 150/2025) sets clear limits here. The answer is no: an employer may not simply distribute a court order containing your personal information, even if it has won the lawsuit.

The facts: a lawsuit won leads to a complaint to the DPA

The case revolved around an employee who, together with several colleagues and trade unions, had brought legal proceedings against her employer concerning the remuneration system. After years of litigation, the Labor Court ruled in favor of the employer in 2021.

The day after the ruling, management sent an e-mail to the entire staff informing them of this "victory." Attached to this email was the full, non-anonymized text of the Labor Court's ruling. As a result, the name, first name and private address of the employee involved and her colleagues were shared with hundreds of co-workers. The employee went to the Data Protection Authority because she felt this was a violation of her privacy.

The DPA's decision: no valid reason for dissemination

The Litigation Chamber of the DPA ruled that the employer has indeed violated the General Data Protection Regulation (GDPR) . The core of the decision rests on the analysis of the ‘legitimate interest’ (Article 6.1.f of the GDPR), the legal basis invoked by the employer to process the data.

The DPA applied a three-step test for this purpose:

1. Is the interest legitimate (Purpose Test)?: Yes. The DPA recognizes that an employer has an interest in informing staff of the outcome of a major lawsuit that could affect the financial health and atmosphere of the company.
2. Is the processing necessary (Necessity test)?: No. This is where things went wrong for the employer. The DPA determined that it was not necessary to share the employee's personal information (name, and certainly not her private address) to achieve the goal. The employer could have perfectly informed of the outcome by quoting the relevant passages or anonymizing the ruling. Identification of the employees involved was not necessary.
3. Is there a balance? (Balancing test): Because the processing was already not necessary, the DPA did not even reach the final balancing act between the employer's interests and the employee's privacy rights.

In addition, the DPA also found that the company's privacy statement was incomplete and that the employer could not prove that it had been properly communicated to staff. The employer received a reprimand for this.

Legal analysis and interpretation

This decision is an important reminder of the strict interpretation of the necessity test in assessing legitimate interest as a justification for processing personal data. Just because an employer has a legitimate purpose does not mean that all means to achieve that purpose are simply permissible. The employer must always choose the least privacy-intrusive method reasonably available.

Interestingly, the DPA did not follow the employee's argument that her union membership was disclosed. Because the ruling mentioned that she was acting in her own name, the DPA said there was no processing of "special categories of personal data" (Art. 9 GDPR).

The observations about the inadequate privacy notice (failure to mention the legal grounds, retention periods and contact details of the DPA) underscore another crucial aspect of the GDPR: accountability. It is not enough to respect the rules; an organization must also be able to demonstrate that it respects the rules through clear and complete documentation.

What this specifically means

• For employees: You have the right to protection of your personal data, even in a strained employment relationship. Even if you lose a lawsuit against your employer, he may not use the ruling to distribute your data unnecessarily. Your name and certainly your private address are protected. The fact that colleagues may have already "known" you had a case pending does not give the employer a free pass.
• For employers: Transparency to your staff is important, but not at the expense of individual employees' privacy. Before communicating about court rulings or other sensitive matter, you should carefully consider. The golden rule is: anonymize personal information unless it is absolutely necessary to disclose it. In addition, make sure your internal privacy policy is up-to-date, complete and demonstrably communicated to your staff.

FAQ (frequently asked questions)

What if everyone at work already knew I was filing that lawsuit? Does that make a difference?
No, that makes no difference. The DPA explicitly ruled that the fact that the identity of the litigants may already have been known does not relieve the employer of its duty to assess the necessity of the data processing. Active e-mail dissemination is a new processing that must comply with the GDPR rules.

My employer sent the email in BCC (Blind Carbon Copy). Isn't that just meant to protect privacy?
The use of BCC protects recipients' e-mail addresses among themselves, but does not alter the content of the attachment. In this case, the DPA ruled that the use of BCC was not "unlawful" per se because the employer argued that some employees used a private e-mail address. However, the crux of the violation was the unnecessary dissemination of personal information in the judgment itself.

What penalty does an employer risk for such a violation?
In this particular case, the DPA opted for a reprimand. This is a formal warning. The DPA took into account that this was a one-time, past violation and that the company had taken steps to improve its policies. In other, more serious or repeated cases, however, this could result in heavy administrative fines.

Conclusion

This Data Protection Authority decision draws a clear line in the sand: an employer's right to internal communications stops where the employee's privacy rights are unnecessarily violated. The necessity test in 6.1.f of the GDPR is no mere formality and requires that the least intrusive approach always be chosen. Anonymous where possible, identifiable only if necessary.