Directors and managers are directly liable for data protection breaches
Liability for data protection violations is nothing new. Even before the GDPR came into force, the legal systems of the EU countries provided for civil and criminal sanctions for the violation of data protection provisions. The GDPR now establishes a broad claim for damages in Art. 82 (1):
Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
This also includes immaterial damages, such as compensation for pain and suffering, e.g., for exposure or discrimination due to data leakage.
In addition, there is the possibility of fines being imposed by the supervisory authorities.
1. The amount of the fines and damages is rising sharply
In recent years, there has been a clear tendency for supervisory authorities to impose significantly higher fines than in the past and for courts to award higher damages to those affected. This is not surprising, as it was the intention of the legislator to establish a robust replacement regime. Recital 146 of the GDPR states:
The concept of damages should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation.
A similar concept applies to administrative fines, which must be "effective and dissuasive" according to Art. 83 (1) GDPR.
This means nothing other than that the claims should be tangible. They must not just be "cost of doing business", which are simply paid for and booked as an expense, only to continue without any improvement in data protection thereafter.
In the case of large companies and serious, systematic violations, fines in the high triple-digit millions are now not uncommon. But even in the case of smaller incidents, the competent authorities now impose tangible sanctions on associations, small businesses, and even private individuals.
2. Against whom are the claims directed?
Liability under the GDPR primarily concerns the "controller". Who this is, is defined in Art. 4 No. 7 of the GDPR:
"controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (...).
Thus, the first addressee of liability is the company that processes data.
However, a company is managed by people. The managing director(s) must ensure that the company is managed in accordance with the legal requirements. This includes data protection.
If a company has not implemented a structured data protection management and if such is not regularly reviewed and adapted to the current state of the law, technology and circumstances of the business, personal liability of the managing director may be considered from the point of view of organizational negligence.
This liability applies externally, directly to injured parties or authorities. Frequently, however, the company will also take recourse internally against its own management.
It does not help the management to not have known about data protection violations or deficiencies in data processing: it is precisely their task to obtain this knowledge through a suitable organization of the company.
3. Direct liability of the management under the GDPR
Many voices in the legal discussion go much further and see the managing director directly as the "controller" in the sense of the GDPR. After all, it is he or she who ultimately decides how a company processes data.
This broad liability approach is now also being adopted by the courts, for example in Germany by the Higher Regional Court of Dresden in its judgment of 30 November 2021, case No. 4 U 1158/2. The court concluded in the case of a data breach in a GmbH (limited liability company) that the company and its managing director were jointly and severally liable for damages.
For injured parties, this has the advantage that they can choose whether to sue a company or its management - or both.
4. Conclusion: reliable data protection management is a must
A digitally oriented company needs a sensible and reliable data protection management system that is regularly reviewed and adapted to changing requirements. Compliance and adherence to the law make this necessary - but it is also in the self-interest of the management. If this obligation is neglected, there is the threat of escalating liability risks not only for the company, but also directly and immediately for the managing directors themselves.