March 30, 2022 | Article

Update Datenschutz No. 110 | Update Compliance 7/2022 | Update China Desk 3/2022

External liability of the managing director for company’s data protection infringements?

Pursuant to Article 82 (1) GDPR, a data subject who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the controller or processor for the damage suffered. Article 82 (2) extends this liability for damage caused by processing which infringes the GDPR to any controller involved in the processing, i.e., read together with Article 82 (4), it provides for joint and several liability of joint controllers.

But is this right of the data subject to receive compensation also directed against the managing director or management board of a company that infringed data protection law? In a recently published decision, Dresden Higher Regional Court holds that this is the case (Dresden Higher Regional Court, judgment of November 30, 2021, 4 U 1158/21). In its decision, Dresden Higher Regional Court considered the managing director to be a joint controller together with the GmbH [limited liability company] and therefore jointly and severally liable under Article 82 (2) sentence 1 GDPR.

This decision is as remarkable as it is wrong in terms of its content. In detail:

Facts of the case

In the case at issue, the GmbH, which was also a defendant, had conducted background research on the plaintiff and thus had indisputably acted in a manner that infringed data protection law. The plaintiff sued the GmbH as the original data controller and its managing director for damages under Article 82 (1), (2) GDPR. Both the court of first instance and Dresden Higher Regional Court considered the data protection infringement to have occurred and affirmed joint liability under Article 82 (2) GDPR of the GmbH and its managing director as joint controllers in accordance with Article 4 (7) GDPR.

Dresden Higher Regional Court does not provide any grounds in its decision as to why the managing director is a joint controller with the GmbH pursuant to Article 4 (7), Article 26 GDPR.

Assessment

As far as can be seen, the classification of the managing director as a joint controller alongside the GmbH as the actual controller is a first in case law, and it cannot be derived as correct from either the law or the literature. Only those who jointly with others determine the purposes and means of the processing can be joint controllers, Article 4 (7) GDPR. In the case decided by Dresden Higher Regional Court, that would correctly be the GmbH alone. It determines the purposes and means of the processing of personal data. As the sole legal entity, it also has its own interest in determining those purposes, since they serve to achieve its objectives.

The managing director, on the other hand, has no interests of his own in the processing of personal data and therefore does not pursue his own purposes with the processing, which is why liability as a joint controller is ruled out from the outset. Nor can such joint controllership be derived from the cases decided by the CJEU on the issue of joint controllership (C-210/16, C-25/17, and C-40/17) (cf. also Update Data Protection No. 39 and No. 63). In all these cases, the instrument of joint controllership served solely to ensure transparency and to guarantee that a data subject within the European Union has a party against which a claim can be brought. The decisions were therefore driven by considerations of enforceability. Such transparency and enforceability considerations do not apply in a constellation in which a claim can be made against a German GmbH as the controller. There is no need for the managing director as an additional liable party to enable data subjects to enforce their rights.

It must also be taken into account that the managing director himself merely acts as a corporate body. This position does not give rise to any interest of his own in the processing of personal data, however, which is why the GmbH’s managing director cannot be considered a controller within the meaning of Article 4 (7) GDPR and thus not of Article 82 (2) GDPR either (cf. Backhaus/Schneidereit, jurisPR-HaGesR 2/2022 para. 3).

Dresden Higher Regional Court failed to set out in any way what purposes the managing director should have pursued in the case at issue and why joint controllership should arise solely from his position as a member of the management board. The judgment must be rejected as wrong in terms of its content. It is hoped that this will remain a one-off decision.

Implications for use in practice

The Dresden Higher Regional Court ruling has gained considerable publicity. Given that data protection infringements are increasingly being asserted and claims for damages are being made, particularly in employment law disputes but also in other disputes between private individuals and companies, it is to be expected that plaintiffs' lawyers will in future extend this practice to the executive bodies of the companies concerned. Companies will thus incur further expenses, and executive bodies will face additional risks that will have to be covered by D&O insurance and other measures.

As always, however, the best protection is good compliance. If the processing can be shown to be lawful, the basis for a claim for damages falls away, and there is then no room for joint and several liability of the managing director or of the management board members either, however wrongly courts may continue to presume it.

Chinese version (translated into English):

Is the managing director externally liable for the company's data protection infringements?

Under Article 82 (1) of the EU General Data Protection Regulation, a data subject who has suffered material or non-material damage has the right to claim corresponding compensation from the data controller or data processor. Article 82 (2) extends this liability for damages to any controller involved in the unlawful processing, i.e. it provides for joint and several liability, including of joint controllers.

But can the data subject's claim also be brought against the managing director (also called executive director) or the management board of the company that infringed data protection law? Dresden Higher Regional Court ruled on this in a recently published decision (see OLG Dresden, Urteil vom 30.11.2021, Az. 4 U 1158/21). In that judgment, Dresden Higher Regional Court held that the managing director is a joint controller together with the GmbH and is therefore a joint and several debtor under Article 82 (2) sentence 1 GDPR.

This judgment deserves close attention precisely because it is wrong in substance. In detail:

Facts of the case

In the case at issue, the GmbH, which was also a defendant, had conducted background research on the plaintiff, and it was undisputed that the manner of that research infringed data protection law. Under Article 82 (1) and (2) GDPR, the plaintiff sued not only the original data controller, the GmbH, but also its managing director, and claimed damages from both. Both the court of first instance and Dresden Higher Regional Court found that the data protection infringement had occurred, classified the GmbH and its managing director as joint controllers under Article 4 (7) GDPR, and held them jointly and severally liable under Article 82 (2) GDPR.

Dresden Higher Regional Court held, on the basis of Article 4 (7) and Article 26 GDPR, that the managing director is jointly liable with the GmbH. However, the judgment gives no reasons for this finding.

Assessment

This is the first time a court judgment has classified the GmbH as the actual controller and the managing director as a joint controller alongside it. Neither the GDPR nor the legal literature supports this classification as correct. The reason: under Article 4 (7) GDPR, only persons or bodies that jointly determine the purposes and means of the processing of personal data can be joint controllers. In this case, however, the correct finding would have been that the GmbH is the sole controller. The GmbH determines the purposes and means of the processing of personal data. Moreover, as the sole legal person, the company has its own interest in determining those purposes, because they serve to achieve its objectives.

The managing director, by contrast, has no personal interest in the processing of personal data and pursues no personal purpose with it, which is why liability as a joint controller is ruled out from the outset. Nor can such liability be derived from the cases in which the CJEU ruled on joint controllership (see cases C-210/16, C-25/17 and C-40/17). In those cases the concept of joint controllership served only to ensure transparency and to allow a data subject within the EU to bring a claim against any of the parties. The CJEU's decisions were therefore driven by considerations of enforceability. Those transparency and enforceability considerations do not apply where a German GmbH can be held liable as the controller. The managing director is not needed as an additional liable party to enable data subjects to exercise their rights.

It must also be borne in mind that the managing director acts merely as an organ of the company. That position gives rise to no personal interest in the processing of personal data, which is why the GmbH's managing director cannot be regarded as a controller within the meaning of Article 4 (7) GDPR and therefore not as a controller under Article 82 (2) GDPR either.

Dresden Higher Regional Court did not explain in its judgment what personal purposes the managing director pursued in this case, or how joint and several liability could arise merely from the position of managing director. Because it is wrong in substance, the judgment should be set aside. It is to be hoped that this decision remains an isolated case.

Implications for practice

The Dresden Higher Regional Court judgment has attracted wide attention. Given that disputes between individuals and companies, especially employment law disputes, increasingly involve data protection infringements and claims for damages, plaintiffs' lawyers are expected to extend this approach to the executive bodies of companies in future. This means additional costs for companies and additional risk for their executive bodies, risk that will have to be reduced by D&O insurance and other measures.

The best protection, however, is always good compliance practice. If the processing is lawful, there is no basis for a claim for damages, and consequently no possibility of a court wrongly imposing joint and several liability on the company's management or board members.
