A data protection breach not only has consequences for the company concerned, but also for the employee concerned. The consequences under employment law can extend all the way to termination, as recently confirmed by the LAG Saxony.
Current case law
In its ruling of April 7, 2022 (AZ: 9 Sa 250/21), the LAG Saxony clarified that violations of data protection law by an employee can have consequences for the employee under employment law.
The facts of the case: "Clean Desk Policy
The facts to be assessed involved the following: The plaintiff worked as a loan officer for the defendant. The defendant prescribed a "Clean Desk Policy" for all employees. Its main content was that secret and sensitive information must be protected from access by third parties in such a way that relevant documents are locked away, disposed of or appropriately secured in digital form and closed when leaving the workplace. In addition, employees were to shut down the IT systems completely at the end of each working day.
The plaintiff violated this policy several times during her employment. As a result, the defendant employer drew her attention to the policy on several occasions. In each of the subsequent violations, she was given warnings and finally terminated for cause.
View of the courts: Data protection breach is breach of duty
The plaintiff filed an action for protection against dismissal against this, which was initially upheld by the Leipzig Labor Court. Among other things, the plaintiff argued that the "locking away" of relevant documents according to the "Clean Desk Policy" did not mean that she also had to lock the relevant filing cabinet.
However, the LAG Saxony saw the matter differently in the appeal: First, the court interpreted the wording of the "Clean Desk Policy" in the same way as the employer and saw an obligation to lock the corresponding cabinets. Furthermore, the court stated that the protective purpose (protection against unauthorized access by third parties) also includes third party employees who do not have access to the relevant documents themselves in the course of their work activities. Accordingly, the employee's conduct constitutes a breach of duty. This can also be established irrespective of whether damage has already occurred.
Significance for data protection breaches in the company
This ruling is particularly significant with regard to one finding: data protection violations can constitute significant breaches of duty under employment law. The breach of data protection requirements by the employer is then also a breach of the main performance obligation in the employment relationship and not merely a secondary breach of obligation. This is because the main duty of performance in the employment relationship is precisely to perform work within the framework of the employer's lawful instructions. Work instructions that serve to protect data are also part of this.
Thus, misconduct under data protection law can have significant consequences for employees if they violate the employer's specifications and guidelines in the process. The employer must be able to rely on compliance with these, as otherwise there may be data protection violations that are subject to mandatory reporting, which means threatening fines, claims for damages and sanctions for the employer.
Tips for practice
Employers should always ensure that their employees are appropriately obligated and trained in data protection law. Employees who are fit and sensitized in data protection law are less likely to violate data protection law. It is also important to create structures within the company that promote data protection and the prevention of violations.
Your company is not yet fit in the area of data protection? Our team of experts offers online and individual classroom training as well as services as an external data protection officer. Feel free to contact us!