A car dealer, who later became the plaintiff, submitted a membership inquiry to a GmbH, which later became the defendant. The managing director of the GmbH then commissioned a detective agency to investigate possible criminal offenses committed by the car dealer. In doing so, the managing director acted on behalf of the defendant company. The investigation revealed that the plaintiff had been involved in criminal acts in the past. The shareholders of the defendant learned of this and subsequently rejected the plaintiff's application for membership.
Spying by a detective as a GDPR violation?
The car dealer concerned took this as an opportunity to claim damages in court, basing the claim on the GDPR. The court of first instance, the Dresden Regional Court, awarded the car dealer damages in the amount of 5,000 euros. The car dealer then appealed to the Dresden Higher Regional Court. In its ruling of November 30, 2021 (Ref.: 4 U 1158/21), however, the Higher Regional Court upheld the Regional Court's decision.
The Dresden Higher Regional Court first found that the investigation of the plaintiff by the detective agency commissioned by the managing director constituted a breach of data protection law. In particular, there was a breach of Article 10 GDPR, under which personal data relating to criminal convictions and offenses may be processed only under the control of official authority or where Union or Member State law authorizes the processing and provides appropriate safeguards. Neither condition was met here, so the managing director should not have commissioned the detective agency in the first place.
Managing director personally liable for GDPR breach
In its ruling, the Higher Regional Court also held that not only the defendant company but also its managing director was personally liable for the data protection breach. This is because the court classified the managing director as a controller within the meaning of data protection law. Under Art. 4 No. 7 GDPR, a controller is any natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data, and the court found that this applied to the managing director of the GmbH, who had decided on his own authority to have the plaintiff investigated.
The court also held that the investigation of the plaintiff caused compensable damage within the meaning of the GDPR. The managing director had passed on sensitive information about the plaintiff's criminal conduct to the shareholders of the GmbH without authorization, and the plaintiff therefore had to expect that his data would become known to a wider circle. In addition, the data protection breach had led to the plaintiff being denied membership of the company.
Consequences for data protection practice
Should other courts follow this view, the consequences for data protection practice would be far-reaching. Managing directors would then have to expect to be held personally liable for data protection breaches, a very high liability risk that can only be contained through extensive compliance measures.
Managing director liability for data protection: Why managing directors are personally liable
In today's digital world, data protection laws such as the GDPR are becoming increasingly important. A key issue here is the so-called "managing director liability in data protection". Managing directors of companies bear considerable responsibility when it comes to protecting personal data, and companies and their managers often underestimate the consequences that a breach of data protection rules can have. Data protection breaches do not only affect the company: as the Dresden ruling shows, managing directors can also be held personally liable.
A central element of managing director liability in data protection is the definition of the controller. Under Art. 4 No. 7 GDPR, a person is a controller if they determine the purposes and means of data processing. Where managing directors themselves make decisions about data processing, as the managing director did when commissioning the detective agency, they can be treated as directly responsible for compliance with data protection rules. Failure in this area can have far-reaching consequences: in addition to the financial penalties and loss of reputation suffered by the company, managing directors may be exposed to personal liability risks, particularly if central data protection provisions such as Article 10 GDPR have been breached.
GDPR and the personal liability of the managing director
The GDPR (General Data Protection Regulation) sanctions data processing that violates its principles: supervisory authorities can impose fines under Article 83 GDPR, and under Article 82 GDPR any person who suffers material or non-material damage as a result of an infringement has a right to compensation from the controller. Within the scope of managing director liability for data protection, a managing director can be held personally liable under this provision if they violate or disregard the requirements of the GDPR in their own decisions. A typical example of such a breach is the unlawful commissioning of a detective agency that collects personal data, in particular data on criminal offenses, without a sufficient legal basis. Such a case shows how important precise compliance with the GDPR rules is in order to avoid liability risks.
Compliance and prevention: How managing directors can minimize liability in data protection
One effective way to minimize the risks of managing director liability in data protection is to implement comprehensive compliance measures. Through regular data protection training and the establishment of a data protection management system, companies can ensure that all relevant legal requirements are met. Appointing a data protection officer, which is in any case mandatory in the situations listed in Article 37 GDPR, also contributes to better compliance with the GDPR. Before engaging a third party such as a detective agency, the legal basis for the processing under Article 6 GDPR, and for data on criminal offenses the additional requirements of Article 10 GDPR, should be checked and documented; the Dresden case shows that this step alone would have prevented the breach. Managing directors should also keep themselves informed about current data protection developments and ensure that all data processing in the company is transparent and legally compliant.
Managing director liability in data protection is an increasingly relevant topic that deserves special attention. Managing directors should not underestimate the liability risk and should take preventive measures to ensure that they and their company meet the requirements of the GDPR.