The liability of managing directors in the event of data privacy violations

Violations of data protection law can cost companies dearly. Fines, in individual cases up to 4% of annual turnover or 20 million euros, are possible under the GDPR, as are claims for damages from those affected by violations. The latter in particular can also reach considerable amounts in the event of the accumulation of many individual cases.

There are therefore good reasons for the managing director to think about his individual liability risk.

Section 43 of the German Limited Liability Companies Act (GmbHG) obliges the managing director to exercise the “due care and diligence of a prudent businessman” and, in subsection 2, makes him personally liable in the event of a violation.

Liability in case of fault

As a rule, managing directors are only liable to the company with their private assets in the event of fault. A distinction must be made between fault in tort through action or omission and fault on the part of the executive bodies. The latter already arises if there is an accusation that the managing director did not manage his company appropriately in organizational terms. In such a case, it is not even necessary to have personal knowledge of the specific infringement, for example by an employee.

Liability for data protection violations

With regard to data protection obligations, a number of key risk areas can be identified for the managing director:

  • Lack of own expertise and/or faulty advice
  • Inadequate information and control of employees
  • Disregard of technical and/or organizational necessities

The following section describes some possible scenarios that can trigger liability on the part of the managing director.

Example: Inadequate risk assessment

The General Data Protection Regulation and the Federal Data Protection Act take a risk-based approach. The higher the risk of a data protection breach for the data subject is assessed to be, the higher the requirements for technical and organizational data protection measures. According to Art. 35 GDPR, a data protection impact assessment (DPIA) is mandatory where there is a high risk for the data subject. Whether one is required must be specifically checked before a processing operation is introduced. If the controller fails to carry out a DPIA in accordance with Art. 35 although it would have been mandatory, for example because it incorrectly assesses the risk potential for the data subject, this can be considered a culpable breach of the duty of care.

Example: Material defects in the area of technical data protection

According to press reports, one of the biggest data mishaps of the past year occurred because an intern had set a completely inadequate password on a system of considerable importance. As a result, U.S. government agencies and large companies fell victim to a cyberattack with far-reaching consequences.

At a major German car rental company, a corporate database was publicly and freely accessible without password protection for an extended period of time.

During audits in the area of technical data protection, we not infrequently come across systems that are operated with outdated software and significant security gaps.

Example: Lack of education and sensitization

Employees are often unaware of the potential consequences of their actions due to a lack of regular education and awareness-raising. Regular training in data security and data protection is still the exception rather than the rule.

Inadequate passwords, lack of two-factor authentication (2FA), bringing infected private devices such as USB sticks into the company, carelessness in dealing with phishing e-mails: the list of possible risks can certainly be continued.

Of course, not all risks can be combated preventively; the cybercriminal scene has become more professionalized in recent years and proceeds in a highly specialized manner based on a division of labor. Nevertheless, no company should forego actively involving employees in a security concept.

It should be in the interest of managing directors to keep their own liability risk as low as possible. This also includes the careful selection of qualified consultants and data protection officers.

Expert advice: Dr. jur. Wolfhard Steinmetz
