In addition to the company, managing directors are also liable for damages due to GDPR violations. This emerges from a ruling by the Higher Regional Court of Dresden (Case No.: 4 U 1158/21).
Legally, it is disputed whether managing directors can also be held liable to affected parties, in addition to the company, for violations of data protection. The Higher Regional Court of Dresden affirmed this liability in a noteworthy ruling on November 30, 2021, according to the law firm MTR Legal.
The explanations of the Higher Regional Court of Dresden on the matter are sparse. As far as can be seen, the plaintiff wanted to be admitted to a registered association. The managing director therefore had a detective investigate the plaintiff’s past. It apparently emerged that the plaintiff had already been found guilty of offenses. The managing director passed the results of the investigation on to the board, which then rejected the membership application.
The plaintiff claimed damages for data protection violations in accordance with Art. 82 GDPR. The Regional Court of Dresden initially granted him damages not in the demanded amount of 21,000 euros, but at least in the amount of 5,000 euros. The damages were to be jointly and severally borne by the association and the managing director. The Higher Regional Court of Dresden confirmed this judgment in the appeal process. The inadmissible data processing by the defendants justified the claim for damages due to non-material loss. The spying and forwarding of the results also exceeded the de minimis threshold.
According to Art. 82 Para. 1 GDPR,any person who has suffered material or non-material damage due to a breach of this Regulation has the right to compensation from the controller or the processor.
The Higher Regional Court of Dresden stated that the managing director of a GmbH is also a controller within the meaning of the GDPR, in addition to the company. This means that the managing director is also liable for compensation claims. The court did not allow a further appeal.
If other courts follow the jurisprudence of the Higher Regional Court of Dresden, this may have significant consequences for the liability risks of managing directors.
Experienced lawyers can advise on data protection violations.
