A car dealer, who later became the plaintiff, submitted a membership inquiry to the GmbH, which later became the defendant. The managing director of the GmbH then commissioned a detective agency to investigate possible criminal offenses committed by the car dealer. In doing so, the managing director acted on behalf of the defendant company. The research then revealed that the plaintiff had been involved in criminal acts in the past. The shareholders of the defendant learned of this and subsequently rejected the plaintiff’s application for membership.
Spying by a detective as a GDPR violation?
The retailer concerned took this as an opportunity to claim damages in court. The basis for this claim should be the GDPR. The court first seized – the Dresden Regional Court – awarded the car dealership damages in the amount of 5,000 euros. The car dealer then appealed to the Dresden Higher Regional Court. However, in its ruling of November 30, 2021 (Ref.: 4 U 1158/21), the court agreed with the opinion of the Regional Court.
The Dresden Higher Regional Court initially found that the spying on the plaintiff by the detective commissioned by the managing director constituted a breach of data protection law. In particular, there was a breach of Article 10 of the GDPR, according to which the processing of personal data relating to convictions or criminal offenses is generally only permitted under official supervision. The managing director should therefore not have commissioned the detective agency in the first place.
Managing director personally liable for GDPR breach
In its ruling, the Higher Regional Court also assumed that not only the defendant company but also its managing director was personally liable for the data protection breach. This is because the managing director is to be classified as a data controller under data protection law. According to Art. 4 No. 7 GDPR, such a capacity is to be affirmed if a person alone or jointly with others can or does decide on the purposes and means of data processing, which applies to the managing director of the GmbH.
The court also assumed that the spying on the plaintiff constituted compensable damage within the meaning of the GDPR. This is because the managing director had passed on sensitive information about the plaintiff’s criminal conduct to the shareholders of the GmbH without authorization. The plaintiff also had to expect that his data would become known in a wider environment. In addition, the data protection breach had led to the plaintiff being denied membership of the company.
Consequences for data protection practice
Should other courts agree with the view expressed here, this would have far-reaching consequences for data protection practice. Managing directors would then have to expect to be held personally liable for data protection breaches – a very high liability risk, the avoidance of which may require extensive compliance measures.