
Who is actually liable for data protection?

Note: This article has been machine translated and may therefore contain translation errors.

A contribution from

Alexander Brittner, LL.M.

Salary Partner, Attorney at Law


The seemingly endless possibilities of electronic data processing lead to greater output, higher efficiency and faster response times, and they do so with ever newer technologies. At the same time, they carry the potential for a large number of errors, legal violations or security gaps that can lead to a breach of data protection laws, in particular the General Data Protection Regulation (GDPR).

In such cases, data protection laws provide for painful claims for damages and personal penalties.

In our April 2022 newsletter, we already pointed out that managing directors can also be personally liable in the event of data protection breaches.

In this newsletter, we expand on the issue of liability for data protection breaches and explain the liability risks you face as a company, managing director or employee.

Claims for damages and fines

The framework for fines (Art. 83 GDPR) for breaches of data protection laws is meant to have a deterrent effect: fines can reach up to 20 million euros or 4% of annual global turnover. In addition, the respective injured party may bring claims for damages (Art. 82 GDPR). These are intended to compensate the injured party for material damages and for immaterial damages, which are barely quantifiable.

The liable party is generally the “controller” within the meaning of Art. 4 No. 7 GDPR, i.e. the body responsible for the data processing. As a rule, this is the company itself. Attributing an infringement to the respective company probably does not require that a specific human action be identified, although the final clarification of this question is currently pending before the European Court of Justice (ECJ, Case C-807/21).

Liability of the managing director

In its ruling of November 30, 2021 (case no. 4 U 1158/21), the Dresden Higher Regional Court justified a deviation from the above and held that the managing director can also be personally liable. The director’s liability depends on the data processing having been initiated by the director himself, on a personal profit and on his own culpability.

This makes it all the more important for managing directors to insist on proper data protection management and to monitor data processing procedures with the necessary care at all times.

Liability of employees

Employees can also be liable for their own data protection violations, but their liability is limited. Negligent actions can trigger recourse claims by the employer, but only on a pro rata basis. Intentional acts, on the other hand, can lead to comprehensive liability.

Criminal responsibility

In addition, Section 82 of the Federal Data Protection Act (BDSG) contains criminal offenses that are linked exclusively to personal actions and address the respective perpetrator as a natural person. Employees and shareholders are therefore a particular focus here.

Under these provisions, unauthorized data transfers for enrichment purposes can be punished. In practice, the most common case is likely to be taking customer lists to a new employer. The penalty ranges from a fine to 3 years' imprisonment.

Result and recommendations for action

In summary, companies are not the only ones that can be liable for data protection breaches. In addition to severe fines, claims for damages on the part of the injured party are also conceivable. This liability generally applies to the company as the responsible party. In exceptional cases, however, the managing director or the acting employee may also be (jointly) liable. In addition, criminal offenses may have been committed.

Regular employee training, the introduction of data protection-compliant processes and a good compliance system should therefore be a priority, both to protect employees themselves and to prevent breaches and establish responsibilities.

Conclusion

Data protection violations do not have to be committed intentionally in order to have personal consequences. They can, for example, simply be side effects of IT use, and can still result in claims and penalties with financial and personal consequences. This makes professional data protection management that prevents breaches before they occur all the more important.
