
Companies are liable for data protection breaches by their employees!

Companies are liable for data protection breaches by all employees, not just legal representatives. Regulations in national law that restrict liability would currently contradict this.

At their 97th conference on April 3, 2019, the independent federal and state data protection supervisory authorities (the Datenschutzkonferenz, DSK) emphasized the liability of companies under data protection law. Companies are (still) liable for culpable breaches of data protection law by their employees, provided the breach does not constitute an excess on the employee's part.

Union law / functional definition of an undertaking

The DSK relies on the functional concept of an undertaking, which also applies in the context of the GDPR. Recital 150 of the GDPR refers accordingly to the TFEU:

Where fines are imposed on undertakings, the term “undertaking” should be understood for this purpose within the meaning of Articles 101 and 102 TFEU.

According to this understanding, an undertaking is

any entity carrying out an economic activity, regardless of its legal form and the way in which it is financed.

(also established case law, probably since ECJ, judgment of April 23, 1991 – C-41/90)

For responsibility to be assigned to the company, it is not necessary that its management was aware of the specific breach, nor that a duty of supervision was breached.

Corporate sanctions law to be modernized

The DSK welcomes the measures to modernize corporate sanctions law provided for in the coalition agreement. These are necessary and would then also comply with European antitrust law and the established international standard.

In conclusion, the DSK calls on the federal legislator to take the previous concerns into account in the deliberations on the draft of the Second Act on the Adaptation of Data Protection Law to Regulation 2016/679 and the Implementation of Directive 2016/680.
