Managing director liable in the event of a GDPR breach

A violation of the General Data Protection Regulation (GDPR) may result in managing directors having to pay compensation alongside the company. That was the verdict of Dresden’s higher regional court, the Oberlandesgericht (OLG) Dresden (case ref.: 4 U 1158/21).

The issue of whether, in addition to the company, managing directors, too, can incur liability towards those affected by data protection infringements is legally controversial. However, we at the commercial law firm MTR Rechtsanwälte can now report that the OLG Dresden answered affirmatively in a remarkable ruling from November 30, 2021.

The Court said little about the facts of the case, but from what we can gather, the plaintiff was seeking to be received into a registered association. When the managing director hired a detective to look into the plaintiff’s past, this apparently revealed that the latter was a former criminal. The managing director then passed these findings on to the executive board, which subsequently rejected the application for membership.

The plaintiff responded by asserting claims for compensation pursuant to Art. 82 GDPR, citing a data protection violation. While he was not awarded compensation at first instance by the regional court in the amount he requested, 21,000 euros, he did receive a sum of 5,000 euros, for which the association and managing directors were held jointly and severally liable. This judgment was later upheld on appeal by the OLG Dresden, which found that the claims for compensation were justified in response to the nonmaterial damage caused by the unlawful processing of data. The spying and subsequent disclosure of the findings were said to have carried the matter over the de minimis threshold.

Art. 82(1) GDPR states that “any person who has suffered material or nonmaterial damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”

The OLG Dresden concluded that the managing director of a GmbH – a type of private limited liability company – is, together with the company, a controller within the meaning of the GDPR.

Should other courts follow suit, this could have significant implications for the liability risks faced by managing directors.

Lawyers with experience in dealing with data protection violations can provide counsel.