A data protection breach not only has consequences for the company concerned, but also for the employee concerned. The consequences under employment law can extend all the way to termination, as recently confirmed by the LAG Saxony.
Current case law
In its ruling of April 7, 2022 (AZ: 9 Sa 250/21), the LAG Saxony clarified that violations of data protection law by an employee can have consequences for the employee under employment law.
The facts of the case: "Clean Desk Policy
The facts to be assessed involved the following: The plaintiff worked as a loan officer for the defendant. The defendant prescribed a "Clean Desk Policy" for all employees. Its main content was that secret and sensitive information must be protected from access by third parties in such a way that relevant documents are locked away, disposed of or appropriately secured in digital form and closed when leaving the workplace. In addition, employees were to shut down the IT systems completely at the end of each working day.
The plaintiff violated this policy several times during her employment. As a result, the defendant employer drew her attention to the policy on several occasions. In each of the subsequent violations, she was given warnings and finally terminated for cause.
View of the courts: Data protection breach is breach of duty
The plaintiff filed an action for protection against dismissal against this, which was initially upheld by the Leipzig Labor Court. Among other things, the plaintiff argued that the "locking away" of relevant documents according to the "Clean Desk Policy" did not mean that she also had to lock the relevant filing cabinet.
However, the LAG Saxony saw the matter differently on appeal: Firstly, the court interpreted the wording of the "Clean Desk Policy" in the same way as the employer and saw an obligation to lock the corresponding cabinets. Furthermore, the court stated that the protective purpose (protection against unauthorized access by third parties) also includes third-party employees who do not have access to the relevant documents themselves as part of their work activities. The employee's conduct was therefore a breach of duty. This could also be established irrespective of whether damage had already occurred.
Significance for data protection breaches in the company
This judgment is particularly significant with regard to one finding: Breaches of data protection can be significant breaches of duty under employment law. represent. The violation of Data protection requirements of the employer is then also a breach of the main obligation in the employment relationship and not just a breach of secondary obligations. This is because the main obligation in the employment relationship is precisely to perform the work in accordance with the employer's lawful instructions. Work instructions that serve to protect data are also part of this.
Misconduct under data protection law can therefore have considerable consequences for employees if they violate the requirements and guidelines of the Employer violated. The employer must be able to rely on compliance with these, as otherwise there may be reportable data protection violations, which could result in fines, claims for damages and sanctions for the employer.
Tips for practice
Employers should always ensure that their employees are appropriately obligated and trained in data protection law. Employees who are fit and sensitized in data protection law are less likely to violate data protection law. It is also important to create structures within the company that promote data protection and the prevention of violations.
Your company is not yet fit in the area of data protection? Our team of experts offers online and individual classroom training as well as services as an external data protection officer. Feel free to contact us!
English 
Deutsch 
Español 
Français 
Polski