At its 97th conference on April 3, 2019, the conference of the independent federal and state data protection supervisory authorities (Datenschutzkonferenz, DSK) emphasized the liability of companies under data protection law. Companies are (still) liable for culpable breaches of data protection law by their employees, provided the conduct is not excessive.
Union law / functional definition of an undertaking
The DSK relies on the functional concept of an undertaking, which also applies in the context of the GDPR. Recital 150 of the GDPR refers accordingly to the TFEU:
Where fines are imposed on undertakings, the term “undertaking” should be understood for this purpose within the meaning of Articles 101 and 102 TFEU.
According to this understanding, an undertaking is
any entity carrying out an economic activity, regardless of its legal form and the way in which it is financed.
(this is also established case law, probably since the ECJ judgment of April 23, 1991, C-41/90)
For responsibility to be assigned, the company's management need not have been aware of the specific breach, nor is a breach of the duty of supervision required.
Corporate sanctions law to be modernized
The DSK welcomes the modernization measures for corporate sanctions law provided for in the coalition agreement. These are necessary and would then also comply with European antitrust law and the established international standard.
In conclusion, the DSK calls on the federal legislator to take the previous concerns into account in the deliberations on the draft of the Second Act on the Adaptation of Data Protection Law to Regulation 2016/679 and the Implementation of Directive 2016/680.