In addition to the company, managing directors are also liable for damages due to violations of the GDPR. This is evident from a ruling by the Higher Regional Court of Dresden (Case No.: 4 U 1158/21).
Legally, it is disputed whether, besides the company, managing directors can also be held liable to the affected parties for data protection violations. The OLG Dresden has now affirmed this liability in a noteworthy judgment dated November 30, 2021, according to the commercial law firm MTR Rechtsanwälte.
The statements of the Higher Regional Court of Dresden on the matter are sparse. As far as can be seen, the plaintiff wanted to be accepted into a registered association. Therefore, the managing director had a detective investigate the plaintiff’s past. It apparently emerged that the plaintiff had already committed criminal offenses. The managing director passed the investigation results to the board, which then rejected the membership application.
The plaintiff claimed damages for violation of data protection according to Art. 82 GDPR. The Regional Court of Dresden awarded him, in the first instance, damages not in the requested amount of 21,000 euros, but at least in the amount of 5,000 euros. The damages are to be borne jointly and severally by the association and the managing director. The OLG Dresden confirmed this judgment in the appeals process. The inadmissible data processing by the defendants justifies the claim for damages due to non-material harm. The snooping and passing on of the results also exceeded the de minimis threshold.
According to Art. 82 (1) GDPR, every person who has suffered material or non-material damage due to a violation of this regulation has a right to compensation from the controller or the processor.
The OLG Dresden stated that the managing director of a GmbH is, in addition to the company, a controller within the meaning of the GDPR. Thus, the managing director is also liable for claims for damages. The OLG did not allow the appeal.
If other courts follow the jurisprudence of the OLG Dresden, this could have significant consequences for the liability risks of managing directors.
Experienced attorneys can advise on data protection violations.
