The case of the OLG Dresden from 30.11.2021 - 4 U 1158/21
Managing directors of a GmbH are personally liable in the event of a data protection breach
How would you assess the case? A car dealer (plaintiff) submits a membership inquiry to the defendant GmbH. The managing director of the GmbH then first hires a detective to find out whether the car dealer is “clean”. The managing director therefore acts on behalf of the GmbH. In fact, the detective finds criminal records in the car dealer’s past, so that the shareholders of the GmbH reject the membership application.
The car dealer then sued the GmbH for damages in the amount of €21,0000 due to a data protection violation committed against him pursuant to Art. 82 I DS-GVO. The GmbH had collected sensitive data without permission. The case ends up before the Regional Court of Dresden.
The exciting question now to be clarified is:
Does the managing director have to be personally liable if the GmbH commits a data protection breach?
In fact, the Dresden Regional Court awarded the plaintiff €5,000 in damages directly against the managing director, and the Higher Regional Court agreed with the amount of this judgment. However, the Dresden Higher Regional Court did not follow the legal reasoning without reservation.
In the opinion of the OLG Dresden, the managing director of a limited liability company is also considered to be a data protection law controller within the meaning of Art. 4 No.7 DS-GVO and can therefore be held personally liable in addition to the company. This was particularly the case because the managing director had commissioned the detective himself and was not merely acting according to instructions. Previously, managing director liability for data protection violations could only be considered if unlawful processing of company data was carried out for the company’s own purposes.
Who is considered to be the responsible party pursuant to Art. 4 No. 7 DS-GVO?
According to Art. 4 No. 7 DS-GVO, one is considered to be a controller if he or she, as a natural or legal person, public authority, agency or other body, alone or jointly with others, determines the purposes and means of the processing of personal data.
This responsibility is decisive for a claim for damages under Art. 82 I DS-GVO. Thus, a managing director may well be liable, in contrast to employees bound by instructions, who are generally not covered.
Does the ruling represent a legal misjudgment?
The legal assessment of the OLG Dresden was not without criticism in this case. On the whole, the judgment lacks a more detailed statement of reasons.
Why is a managing director in any case the controller according to Art. 4 No.7 DS-GVO, even if he sometimes does not decide alone or together with others about the purposes and means of the processing of personal data? In such cases, a more differentiated consideration would be necessary, as otherwise liability for the managing director would be too broad.
It would be quite possible, if not preferable, to consider the managing director as an employee who acts according to instructions. After all, in most cases the managing director also acts in accordance with the instructions of the company.
In the view of data protection authorities, employees are only responsible persons in their own right if they disregard relevant instructions from their employer on their own authority. This should also apply to a managing director, who would then only be liable if he disregards the instructions of the company, i.e. the shareholders’ meeting.
Also with regard to a data protection violation according to Art. 10 DS-GVO, more concrete justifications are missing in the judgment.
Art. 10 DS-GVO allows the processing of personal data in connection with criminal records only under official supervision. The GmbH did not take this regulation into account when hiring the detective. Thus, there is also a data protection violation in this respect. However, this is a very restrictive view of Art. 10 of the GDPR.
What noticeable disadvantage the plaintiff should have suffered in order to assert a claim for damages under Art. 82 DS-GVO is also not specified.
A judgment of the OLG definitely has a higher significance than the judgment of a district or regional court. If other courts follow this opinion, managing directors could be held personally liable for data protection violations to a greater extent in the future.
However, because the ruling has attracted a great deal of criticism, it is conceivable that other rulings will be made in similar cases.
We will be happy to keep you informed of further developments regarding the liability of managing directors in connection with data privacy violations.