Managing Director's liability
Managing directors are “responsible people” in the sense of the GDPR and are personally liable for data protection violations towards the injured parties.
In a rather unremarkable ruling, the Dresden Higher Regional Court (OLG) made an extremely relevant and disturbing decision for managing directors of corporations. The ruling involved the CEO of a hospital who instructed unlawful data processing. The plaintiff patient directed the action against both the hospital company (defendant 1)) and the management (defendant 2)).
Both the defendant to 1) as the defendedant to 2) are responsible within the context of Art. 4 No. 7 of the GDPR, because of being the starting point for a claim arising from Art. 82 par. 1 GDPR is first of all “responsibility”, which is to be affirmed whenever a natural or legal person alone or jointly with others can and does decide on the purposes and means of the processing of personal data (Gola, ed. Gola, DS-GVO-Kommentar, 2nd ed. 2018, Art. 4 para. 48; Ambrock ZD 2020, p. 429 – according to beck-online). This means that, as a rule, employees who are bound by instructions or other employees are no longer responsible, but this does not apply to the managing director, as it was the case with the second defendant at the time the intervener was commissioned.
According to the clarification of the ruling, employees bound by instructions are generally not liable for data protection violations under Art. 82 of the GDPR.
The OLG Dresden derives the liability of the management from the fact that the management can can decide on the processing of data. Up to now, the legal literature has assumed that managing directors are liable for legal violations against the company within the scope of their tax group status. In this case, however, the scope of liability is extended in such a way that the managing director can be held personally liable for infringements of the law by the injured parties. An “exemption” by the shareholders, the management board or the supervisory board is thus no longer possible in the future, at least for claims for compensation by injured parties.