In its ruling of November 30, 2021 (case number 4 U 1158/21), the Dresden Higher Regional Court ordered a company and its managing director jointly and severally to pay damages under the GDPR. The court also considered the managing director to be the responsible party within the meaning of the GDPR. Thus, the shareholder is personally liable in addition to the company.
If the courts were to continue with this decision, it would have serious consequences for practice.
The facts
The plaintiff submitted a membership application to an association. On behalf of the association, the society (more precisely: its managing director) took action to check the plaintiff's criminal background. For this purpose, it commissioned a private investigator, who then provided results relevant to criminal law. Ultimately, the managing director clarified this to the board of directors, who therefore denied the plaintiff membership.
The plaintiff considered this to be a violation of data protection and sued not only the association but also the company with said managing director for damages in the amount of €5,000 pursuant to Article 82 of the GDPR.
The decision of the court
In its decision, the Dresden Higher Regional Court had to clarify several data protection issues. The question that is most moving for practice is whether the managing director who hired the private investigator and forwarded the results is personally liable in addition to the company.
In the context of this question, it had to be clarified whether the managing director himself was the controller and whether his action constituted unjustified processing of personal data. In addition, the question arose as to whether the spying out of data could give rise to a claim for damages under Art. 82 GDPR.
Managing director as responsible person iSv. Art. 4 No. 7 DSGVO
The court first stated that responsibility within the meaning of the GDPR "is to be affirmed whenever a natural or legal person alone or jointly with others can and does decide on the purposes and means of the processing of personal data". If an employee acts in accordance with instructions, his or her responsibility therefore generally does not apply. The managing director, on the other hand, who makes these decisions himself, falls under the concept of a controller within the meaning of the GDPR.
The criticism here is that the court only reproduces the definitions of the GDPR without dealing with them in more detail. In particular, the case law of the ECJ on the interpretation of the term "controller" should have been addressed. The blanket classification of the managing director as the responsible party without addressing his field of activity and dependence on the shareholders' meeting is not very convincing.
Spying as processing of personal data iSv Art. 4 No. 1, 2 DSGVO
The court does not dwell on the question of the processing of personal data. Information relevant under criminal law is personal data within the meaning of Art. 4 No. 1 of the GDPR. By hiring a private detective to spy on the plaintiff and the subsequent disclosure of the obtained data to the board of directors, there is also a processing within the meaning of Art. 4 No. 2 DSGVO. In particular, this refers to the collection, recording, disclosure by transmission and querying.
Unlawfulness of the processing
The plaintiff had not consented to the processing. Thus, the processing is unlawful unless a legal ground for justification applies.
In this regard, the court states that there is also no legitimate interest within the meaning of Art. 6 I lit. f DSGVO. If the interests of the plaintiff and the defendant are weighed, the spying on the plaintiff was not necessary in the first place. The less invasive alternative would have been to request the plaintiff to submit a police clearance certificate.
In addition, the court states that the spying by the private investigator "also [violates] Article 10 of the GDPR, which in principle only permits the processing of personal data concerning criminal convictions and criminal offenses or related security measures under official supervision". This view is definitely criticized, as it would also generally prohibit the employer from requesting certificates of good conduct from employees.
Compensation for damages according to Art. 82 DSGVO
The court finds that the spying out of the data in the present case exceeds the de minimis threshold and can thus result in a claim for damages. In addition, the spied-out data became known to a larger group of people, which violates the plaintiff's interests to a great extent.
Taking into account the "nature, gravity, duration of the breach, degree of fault, measures taken to mitigate the damage suffered by the data subjects, previous relevant breaches and the categories of personal data concerned", the court set the amount of damages at €5,000. However, the court does not go into further detail on a concrete determination of the immaterial damage.
Conclusion
Even if the decision of the Dresden Higher Regional Court in this matter is certainly contestable, there is a risk that further courts will follow the opinion and hold individual managing directors personally liable. Managing directors would then be exposed to a significant liability risk. This increases when they have to make decisions that lead to data processing.
Let our team of experts show you how data processing in your company can be data protection compliant!