In its ruling of November 30, 2021 (case number 4 U 1158/21), the Dresden Higher Regional Court ordered a company and its managing director jointly and severally to pay damages under the GDPR. The court also considered the managing director to be the responsible party within the meaning of the GDPR. Thus, the shareholder is personally liable in addition to the company.
If other courts were to follow this decision, it would have serious consequences in practice.
The facts
The plaintiff submitted a membership application to an association. On behalf of the association, the company (more precisely: its managing director) took steps to check the plaintiff's criminal background. For this purpose, it commissioned a private investigator, who then delivered findings relevant under criminal law. Ultimately, the managing director informed the board of directors of these findings, and the board therefore denied the plaintiff membership.
The plaintiff saw this as a violation of data protection law and sued not only the association but also the company and said managing director for damages in the amount of € 5,000 in accordance with Art. 82 GDPR.
The decision of the court
In its decision, the Dresden Higher Regional Court had to clarify several data protection issues. The question most relevant for practice is whether the managing director who hired the private investigator and forwarded the results is personally liable in addition to the company.
In the context of this question, it had to be clarified whether the managing director himself was the controller and whether his actions constituted unlawful processing of personal data. The question also arose as to whether the spying out of data could give rise to a claim for damages under Art. 82 GDPR.
Managing director as controller within the meaning of Art. 4 No. 7 GDPR
The court first stated that liability within the meaning of the GDPR "is always to be affirmed if a natural or legal person can and does decide, alone or jointly with others, on the purposes and means of the processing of personal data". An employee who acts in accordance with instructions is therefore generally not responsible. The managing director, on the other hand, who makes these decisions himself, falls under the term "controller" within the meaning of the GDPR.
The criticism here is that the court only reproduces the definitions of the GDPR without dealing with them in more detail. In particular, the case law of the ECJ on the interpretation of the term "controller" should have been addressed. The blanket classification of the managing director as the responsible party without addressing his field of activity and dependence on the shareholders' meeting is not very convincing.
Spying as processing of personal data within the meaning of Art. 4 No. 1, 2 GDPR
The court does not dwell long on the question of the processing of personal data. Information relevant under criminal law is personal data within the meaning of Art. 4 No. 1 GDPR. The commissioning of a private investigator to spy on the plaintiff and the subsequent forwarding of the data obtained to the Executive Board also constitute processing within the meaning of Art. 4 No. 2 GDPR. In particular, collection, recording, disclosure by transmission and querying come into consideration.
Unlawfulness of the processing
The plaintiff had not consented to the processing. Thus, the processing is unlawful unless a legal ground for justification applies.
In this regard, the court states that there is also no legitimate interest within the meaning of Art. 6(1)(f) GDPR. When the interests of the plaintiff and the defendant are weighed, the spying on the plaintiff was not necessary in the first place. The less invasive alternative would have been to ask the plaintiff to submit a police clearance certificate.
Furthermore, the court states that the spying by the private investigator "also violates Art. 10 GDPR, which permits the processing of personal data on criminal convictions and offenses or related security measures only under official supervision". This view has been criticized, as it would also generally prohibit employers from requesting certificates of good conduct from employees.
Compensation for damages according to Art. 82 GDPR
The court finds that the spying out of the data in the present case exceeds the de minimis threshold and can thus result in a claim for damages. In addition, the spied-out data became known to a larger group of people, which violates the plaintiff's interests to a great extent.
Taking into account the "nature, gravity, duration of the infringement, degree of fault, measures taken to mitigate the damage caused to the persons concerned, previous relevant infringements and the categories of personal data concerned", the court set the amount of damages at € 5,000. However, the court does not go into further detail on the concrete determination of the immaterial damage.
Conclusion
Even if the decision of the Higher Regional Court of Dresden in this matter is certainly contestable, there is a risk that other courts will follow the opinion and hold individual managing directors personally liable. Managing directors would then be exposed to a significant liability risk. This risk increases when they have to make decisions that lead to data processing.