Managing directors are personally liable for damages resulting from data protection violations (OLG Dresden)

Managing Director's liability

Managing directors are “responsible persons” (controllers) in the sense of the GDPR and are personally liable towards the injured parties for data protection violations.

In an otherwise unremarkable ruling, the Dresden Higher Regional Court (OLG) reached a decision that is extremely relevant, and disturbing, for managing directors of corporations. The case involved the CEO of a hospital who had instructed unlawful data processing. The plaintiff, a patient, directed the action against both the hospital company (defendant 1) and its management (defendant 2).

The reasons for the verdict were as follows:

Both the defendant to 1) and the defendant to 2) are responsible within the meaning of Art. 4 No. 7 of the GDPR, because the starting point for a claim arising from Art. 82 par. 1 GDPR is first of all “responsibility”, which is to be affirmed whenever a natural or legal person alone or jointly with others can and does decide on the purposes and means of the processing of personal data (Gola, ed. Gola, DS-GVO-Kommentar, 2nd ed. 2018, Art. 4 para. 48; Ambrock ZD 2020, p. 429 – according to beck-online). This means that, as a rule, employees who are bound by instructions or other employees are no longer responsible, but this does not apply to the managing director, as was the case with the second defendant at the time the intervener was commissioned.

OLG Dresden, judgment of 30 November 2021 - 4 U 1158/21, section II no. 1

https://oj.is/2381765

Instruction-bound employees

According to the clarification of the ruling, employees bound by instructions are generally not liable for data protection violations under Art. 82 of the GDPR.

The OLG Dresden derives the liability of the management from the fact that the management can decide on the processing of data. Until now, the legal literature has assumed that managing directors are liable to the company for legal violations committed in their capacity as a corporate officer. In this case, however, the scope of liability is extended so that the managing director can be held personally liable by the injured parties for infringements of the law. An “exemption” granted by the shareholders, the management board or the supervisory board will therefore no longer be possible in the future, at least with respect to claims for compensation by injured parties.

Privacy Shield successor in sight

The successor to the EU-US Privacy Shield agreement seems to be within reach. In a joint declaration, the EU Commission and the U.S. government have set out the cornerstones of international data exchange in a Trans-Atlantic Data Privacy Framework.

Background history:

In the past, both partners had already tried to reach an agreement under the terms of the “Safe Harbor Agreement” and the “Privacy Shield”, agreements intended to ensure that the personal data of European citizens is handled fairly and in compliance with the law. Both agreements were declared unlawful by the ECJ and were therefore invalid.

One of the key points the ECJ criticized about the agreements was that access to the personal data of European citizens by U.S. security agencies, especially on the basis of FISA Sec. 702, was nearly unrestricted and offered no meaningful legal recourse.

In future:

Access should now only be possible within fixed limits.

EU citizens will have the opportunity to file complaints with a “Data Protection Review Court,” a kind of arbitration body that would review such complaints neutrally.

The certification mechanisms already known from the two previous attempts, under which companies must align their own internal data protection principles with the European level, have been retained.

Current state:

Currently, all European companies that use U.S. cloud providers find themselves in legal uncertainty. Regulators are increasingly reviewing and sanctioning the use of such services. The Gaia-X project, which seeks to provide an open European alternative, cannot yet offer companies the same level of service as that of the established U.S. providers.

The Federal Commissioner for Data Protection and Freedom of Information provides a detailed description of the effects and necessary measures: LINK

When using U.S. cloud providers, a transfer impact assessment must always be conducted to evaluate the risks for those affected.

Transfer Impact Assessment

We have ready-to-use TIAs for the well-known American cloud providers such as Atlassian, Microsoft, AWS, Salesforce and others, which only need to be slightly adapted to the company's specific use.

Outlook for the economy

The announcement raises the hope that legal certainty will emerge for data transfers to the USA and to the still unrivaled American cloud providers.