German law: Management’s liability under the GDPR

A CEO was held personally liable for data privacy violations. Katharina A. Weimer and Celin Fischer of Fieldfisher Germany discuss management’s liability for GDPR infringements and the exemptions.

A ruling from 30 November 2021 re-kindled the discussion about top management’s liability. The Higher Regional Court of Dresden (Oberlandesgericht Dresden, OLG Dresden) upheld the decision of the Regional Court of Dresden (Landgericht Dresden, LG Dresden) that the managing director of a company is, in addition to the company itself, a “controller” within the meaning of the GDPR. The court rejected a subsequent objection by the plaintiff. The decision of OLG Dresden is legally binding.

The plaintiff demanded payment of damages from the defendants jointly and severally for violation of his rights under the GDPR. Initially the plaintiff applied for a membership with an association on which the company (defendant no.1) was to decide. The nature of the relationship between the association and the company is not disclosed in the abbreviated reasons for the judgment. The managing director (defendant no. 2), acting on behalf of the company, took the plaintiff’s application for membership with the association as an opportunity to engage a private detective to gain knowledge about the plaintiff in connection with facts relevant under criminal law. While seemingly this was for business reasons, the managing director also had a private interest as the plaintiff was the new life partner of the managing director’s ex-wife. After the private detective shared his findings, the managing director used them as an opportunity to reject the plaintiff’s application for membership with the association after informing its board members of the research results. By spying on the plaintiff to obtain information on his previous convictions, the defendants processed personal data without having a legal basis according to Art. 6 (1) (1) GDPR and without having met the requirements of Art. 10 GDPR for processing criminal convictions, which resulted in violations of the GDPR.

Continue Reading

International Report subscribers, please login to access the full article


If you wish to subscribe, please see our subscription information.