Update Data Protection No. 203
Higher Regional Court of Stuttgart: Consequences of employee data protection misconduct
Higher Regional Court of Stuttgart, judgment of 25 February 2025, 2 ORbs 16 Ss 336/24
In a judgment on administrative offences, the Higher Regional Court (OLG) of Stuttgart has confirmed the liability of a police officer for the unauthorised processing of personal data. The officer had accessed a colleague's data in the police information system "POLAS" without official cause. The court found that the officer was to be classified as the "controller" pursuant to Art. 4 No. 7 GDPR and his conduct as "processing" pursuant to Art. 4 No. 2 GDPR. The court considered a fine of EUR 1,500 to be appropriate. Just recently, the Baden-Württemberg State Commissioner for Data Protection and Information Security had imposed a fine of EUR 3,500 on another police officer for unauthorised access to data from the population register.
Key statements of the judgment
The court ruled that the police officer was a data controller under Article 4(7) of the GDPR because he had processed personal data for his own purposes and not as part of his official duties. The decision followed the guidelines of the European Data Protection Board, according to which an employee who processes data for his or her own purposes is considered a controller. Furthermore, the court recognised the mere querying of data as processing in accordance with Art. 4 No. 2 GDPR and rejected a restrictive interpretation of the term "processing". The court deemed the imposition of a fine of EUR 1,500 to be appropriate to effectively sanction and deter violations of data protection.
Consequences of the ruling for private employers
The ruling does not only have consequences for civil servants and public sector employees. Employee excesses are not uncommon in the private sector either. Employers should regularly inform their employees about data protection regulations and the consequences of violations. Clear guidelines and procedures for accessing and processing personal data help here. In addition, internal controls and audits should be carried out regularly to ensure that the guidelines are being adhered to.
If an employee does overstep the mark, this is usually considered a serious breach of labour law that can result in disciplinary and labour law consequences, including termination. On the basis of the practice of the data protection authorities in Baden-Württemberg and the judgment of the Higher Regional Court of Stuttgart, employees should be made aware that they may also be held personally liable by the data protection authorities and face substantial fines if they misuse data for their own purposes.