Managing directors are personally liable for damages resulting from data protection violations (OLG Dresden)


Managing Director's liability

Managing directors are “controllers” (responsible persons) within the meaning of the GDPR and are personally liable to injured parties for data protection violations.

In a rather unremarkable ruling, the Dresden Higher Regional Court (OLG) made an extremely relevant and disturbing decision for managing directors of corporations. The ruling involved the CEO of a hospital who instructed unlawful data processing. The plaintiff, a patient, directed the action against both the hospital company (defendant 1) and the management (defendant 2).

The reasons for the verdict were as follows:

Both defendant 1) and defendant 2) are responsible within the meaning of Art. 4 No. 7 of the GDPR, because the starting point for a claim arising from Art. 82 para. 1 GDPR is first of all “responsibility”, which is to be affirmed whenever a natural or legal person alone or jointly with others can and does decide on the purposes and means of the processing of personal data (Gola, ed. Gola, DS-GVO-Kommentar, 2nd ed. 2018, Art. 4 para. 48; Ambrock ZD 2020, p. 429 – according to beck-online). This means that, as a rule, employees who are bound by instructions or other employees are no longer responsible, but this does not apply to the managing director, as was the case with the second defendant at the time the intervener was commissioned.

OLG Dresden, judgment of 30.11.2021 - 4 U 1158/21, section II no. 1


Instruction-bound employees

According to the clarification of the ruling, employees bound by instructions are generally not liable for data protection violations under Art. 82 of the GDPR.

The OLG Dresden derives the liability of the management from the fact that the management can decide on the processing of data. Up to now, the legal literature has assumed that managing directors are liable towards the company for legal violations within the scope of their tax group status. In this case, however, the scope of liability is extended in such a way that the managing director can be held personally liable by the injured parties for infringements of the law. An “exemption” by the shareholders, the management board or the supervisory board is thus no longer possible in the future, at least for claims for compensation by injured parties.

ECJ: Storing of IP addresses

The storage of IP addresses represents a serious encroachment on the fundamental rights of users. Internet users may always expect that the protection of their identity is preserved and, as a matter of principle, not revealed.

For companies, this decision means that storing the full IP address in server logs is illegal. A legitimate interest in storing this data can no longer be assumed after this ruling.

General data retention has been a controversial topic in Europe for years. The European Court of Justice (ECJ) confirmed the previous case law on data retention in its ruling of April 5, 2022 (Case C-140/20).

In the course of the preliminary ruling, the Irish Supreme Court asked the ECJ to interpret the Cookie Directive. The Irish ruling concerns the practices used in the case of Graham Dwyer, who was convicted of murder, to query the suspect’s mobile data collected as part of the data retention process.

Traffic and location data may be retained generally and indiscriminately to ensure national security, especially with regard to terrorist activities. Traffic data is all information that is stored when a telecommunications service is used, such as the duration, time or data volume of a message.

Not allowed are national laws that provide for general and indiscriminate retention of traffic and location data for the purpose of combating serious crime and preventing serious threats to public security.

IP addresses assigned to the source of a connection may be stored in a general and indiscriminate manner for a period limited to what is absolutely necessary. The general storage of IP addresses represents a serious encroachment on fundamental rights. According to Art. 8 of the Charter, Internet users are entitled to expect that the protection of their personal data is guaranteed and that their identity is not disclosed as a matter of principle. However, the IP address is often the only clue in the case of a crime committed on the Internet that makes it possible to determine the identity of the person, especially in relation to child pornography. Therefore, the general and indiscriminate retention of IP addresses is allowed only if it is made conditional on strict compliance with the substantive and procedural requirements.

General retention of data concerning the identity of users of electronic communications is also permitted.

Providers of electronic communication services may be required, by means of a decision of the competent authority subject to effective judicial review, to immediately back up traffic and location data for a specified period of time (quick freeze).

What this means for the admissibility of evidence relied upon in the criminal proceedings against Graham Dwyer is for the Irish Court to decide, as this remains a matter of Irish law, in accordance with the principle of procedural autonomy of Member States.