Data protection violations can be punishable by law. As a managing director, employee or external party, you may assume you are personally on the safe side, because data protection is supposedly a matter for the responsible company alone. However, there are a number of connecting factors that deviate from this principle and make data protection relevant under criminal law for individuals.
We will explain to you what you need to bear in mind to avoid being personally prosecuted.
Criminal law connecting factor
You don't have to be a "hacker" to be held personally liable for data protection breaches. Employees acting with the intent to enrich themselves or to harm others, business owners, but also whistleblowers can come to the attention of the authorities in the event of legal violations relating to "data".
It should be noted that the data protection authorities have become more active now that the coronavirus pandemic has subsided. In Baden-Württemberg alone, the number of checks has doubled compared to the previous year. Admittedly, 71 on-site inspections still mean a relatively low probability for any individual company. However, complaints or data breaches, for example, are a trigger for such an investigation, and the data protection authority is in fact obliged to investigate them (Art. 57 para. 1 lit. a, e, f GDPR).
On request, the data protection authorities must also be given access to the record of processing activities (Art. 30 para. 4 GDPR), which makes the continuous maintenance of processing records absolutely necessary. Failing to keep them can itself result in a fine.
Although no one is obliged to incriminate themselves under data protection law, the company itself is obliged to disclose documents such as its data protection documentation to the authorities. In addition, searches, seizures and confiscations, as well as requests for subscriber data (Bestandsdaten) from telemedia service providers, are also conceivable.
Overview of criminal offenses
A wide variety of criminal offenses can be considered when it comes to personal data.
Spying on and intercepting data under Sections 202a et seq. of the German Criminal Code (StGB) is one such offense. It protects data against unauthorized access; Section 202a requires that the data is specially secured against unauthorized access and that this protection is circumvented. The focus here could be on IT devices in the home office to which third parties gain unauthorized access. An unsolicited "cold-call" test by an IT security company would also fall under this if its employee gained access to company data without a mandate in order to point out security gaps: a written authorization from the data owner, obtained before testing starts, is what separates a penetration test from a criminal offense. Decompiling object code can also fall under this offense if it reveals passwords.
However, in addition to the classic criminal offenses of the German Criminal Code, there is another important criminal provision in the Federal Data Protection Act. Section 42 BDSG makes the unauthorized processing of personal data with intent to enrich oneself or to harm others a criminal offense; in practice this covers in particular former employees who take customer data to their new employer and use it there. The Trade Secrets Act (GeschGehG) provides for the same in Section 23.
It is also worth mentioning that a business owner who intentionally or negligently fails to take the necessary supervisory measures is himself, i.e. personally, in breach of the rules and can therefore be held liable under the Administrative Offenses Act (Section 130 OWiG). This applies in particular to organizational failings in the area of data protection law.
Even whistleblowers must fear consequences if they take an investigative approach and gain access to data themselves in order to uncover facts. Whistleblower protection covers the reporting of information that the whistleblower has come across, not the snooping of internal data by persons who are not otherwise involved. Unauthorized access to data is therefore also off limits for them.
Conversely, failure to set up a reporting channel can also result in a fine for the business owner. If required, we can support you with our entry-level solution for just €50 per month, for example. Contact us at any time by telephone or e-mail. You can also find more information on this in our article from December 2023.