In addition to the company, directors are also liable for damages due to violations of the GDPR. This is stated in a ruling by the Higher Regional Court of Dresden (Case No.: 4 U 1158/21).
Legally, it is disputed whether directors, besides the company, can also be held liable for data protection violations towards those affected. The Higher Regional Court of Dresden affirmed this liability in a noteworthy ruling on November 30, 2021, according to the law firm MTR Legal.
The statements of the Higher Regional Court of Dresden on the facts are sparse. As far as can be seen, the plaintiff wanted to be admitted to a registered association. The director had investigations carried out into the plaintiff’s past by a detective. Apparently, it was revealed that the plaintiff had already committed an offense. The results of the investigation were passed on by the director to the board, which then rejected the membership application.
The plaintiff asserted claims for damages due to violations of data protection according to Art. 82 GDPR. Although the Regional Court of Dresden did not award him the damages in the requested amount of 21,000 euros in the first instance, it did award him 5,000 euros. The damages were to be borne jointly and severally by the association and the director. The Higher Regional Court of Dresden confirmed this judgment in the appeal proceedings. The unauthorized data processing by the defendants justified the claim for damages for non-material damage. The espionage and dissemination of the results also exceeded the de minimis threshold.
According to Art. 82(1) GDPR, every person who has suffered material or non-material damage as a result of an infringement of this regulation has the right to receive compensation from the controller or processor.
The Higher Regional Court of Dresden stated that the director of a GmbH is a controller in the sense of the GDPR in addition to the company. Thus, the director is also liable in cases of claims for damages. The Higher Regional Court did not allow an appeal.
If other courts follow the jurisprudence of the Higher Regional Court of Dresden, it could have significant consequences for the liability risks of directors.
Experienced attorneys can provide advice on data protection violations.
