05-02-2024 Article

Update Data Protection No. 177

Data protection breach – release of the controller from liability due to employees acting contrary to instructions?

In its judgment of April 11, 2024 (Case C-741/21), the ECJ confirmed its previous case law regarding the requirements for immaterial damage when claiming damages for data protection violations. In addition, it has provided a little more certainty on the question of when employers can exempt themselves from liability due to misconduct by their employees.

Overall, the ECJ further strengthens the rights of data subjects.

Background

In the original case, a lawyer had sued a legal database provider before the Regional Court of Saarbrücken for damages pursuant to Art. 82 para. 1 GDPR, as he continued to receive advertising emails despite having repeatedly declared his objection. He based his claim for damages on the argument of loss of control over his data. The database provider, on the other hand, rejected liability, in particular on the grounds that an employee had acted contrary to instructions.

The ECJ then had to rule on questions regarding the interpretation of Art. 82 GDPR.

Reasons for the decision

In principle, pursuant to Art. 82 para. 1 GDPR, any person who has suffered material or non-material damage as a result of a breach of the GDPR is entitled to compensation. The ECJ once again clarified that the mere existence of a breach of the GDPR does not, however, justify a claim for damages within the meaning of Art. 82 para. 1 GDPR. Rather, in addition to a breach of the GDPR, there must be material or non-material damage as well as a causal link between the data protection breach and the damage incurred (see judgment of 25.01.2024, MediaMarktSaturn, C-687/21). The “loss of control” can constitute damage, as expressly stated in recital 85 of the GDPR. Here, the ECJ once again confirmed that even a short-term loss of control is sufficient. However, it is necessary for the data subject to provide proof that they have actually suffered such damage.

However, the ECJ did not comment on the requirements to be met by the person concerned with regard to proving the damage.

Furthermore, the ECJ places strict requirements on the exculpation of employers who wish to avoid liability by referring to their employees' conduct in breach of instructions. According to Art. 82 para. 3 GDPR, on which the provider in the underlying case relied, a controller or processor is exempt from liability if it can prove “that it is not responsible in any respect for the event giving rise to the damage”. The ECJ first clarified that employers cannot rely solely on the negligence or misconduct of their subordinates. Rather, employers must ensure that the persons under their authority carry out their instructions correctly. This is because it would impair the practical effectiveness of the claim for damages under Art. 82 para. 1 GDPR if employers could exempt themselves from liability merely by invoking misconduct on the part of the persons under their control. This is not compatible with the aim of the GDPR to ensure a high level of protection for natural persons with regard to data processing.

However, the ECJ did not specify the requirements that employers must meet in order to ensure that their employees carry out their instructions correctly and that they can therefore exculpate themselves in accordance with Art. 82 para. 3 GDPR.

Effects on practice

Employers cannot rely solely on their employees acting contrary to instructions in order to be exempt from liability for data protection breaches. A simple instruction issued by the employer to comply with data protection regulations is by no means sufficient. Further measures should therefore always be taken to ensure compliance with the instructions. Only a stringent data protection compliance system with clear responsibilities, controls and regular training as well as other technical and organizational measures can, if at all, ensure that those responsible are not liable for the misconduct of individual employees. However, exemption from liability in this way will remain a rare exception.
