International Employment Law | Latest Posts

Employers liable for employees’ GDPR errors

A recent judgment of the European Court of Justice (ECJ) sheds light on the question of whether a data controller can be exempted from liability for the error of a person acting under its authority.

The General Data Protection Regulation (GDPR) provides that a controller or processor is exempt from liability for breaches of the GDPR if it proves that it is not in any way responsible for the event causing the damage. The ECJ held that the controller must ensure that its employees follow instructions, and that this provision may not exempt the controller from liability for breaches caused by employee error. 

The facts

A person doing business as an independent lawyer was a customer of a company operating a legal database. After the lawyer discovered that his personal data was being used for direct marketing purposes, he withdrew all his consents and opposed further processing of his personal data, except for newsletters. Despite his objection, he received two advertising letters at his office address a few months later. He therefore brought an action in the German courts claiming damages from the operator of the legal database, based on the GDPR. 

The company disputed this claim, based, among other things, on the fact that it could not be held liable for damage caused by a failure of a person acting under its authority (in this case, an employee). 

Before ruling on the case, the German court submitted some preliminary questions to the ECJ regarding liability and damages pursuant to the GDPR.

The judgment

First, the Court confirmed previous case law in which it held that a breach of the provisions of the GDPR is not in itself sufficient to constitute non-material damage in the sense of the GDPR. The person seeking damages must prove that the breach caused actual damage. A mere breach of the GDPR without damage does not entitle a person to compensation. The Court pointed out that the preliminary recitals of the GDPR state that the loss of control over personal data can cause non-material damage. 

The Court then examined whether an error or omission by a person under the authority of a controller exempts that controller from liability. According to the GDPR, a company can be exempted from liability if it proves that it is in no way responsible for the event causing damage. So, the question was whether an employer is responsible for an employee’s breach of the provisions of the GDPR. 

The Court noted that persons acting under the controller's authority may process personal data only on, and in accordance with, the controller's instructions. The controller must therefore take the necessary measures to ensure that any person acting under its authority who has access to personal data works only on its instructions, unless the processing follows from a legal obligation. When employees process personal data, the employer must ensure that this is done in accordance with the GDPR. Thus, the controller must take all reasonable steps to implement a data protection policy and to organise training.

The Court went further, stressing that the controller must also check whether employees are following its instructions. It cannot escape liability simply by pointing to negligence or fault on the part of a person acting under its authority who ignored those instructions. Thus, employers can indeed be held liable for breaches of the GDPR caused by their employees, even if the necessary instructions had been given. Only if the controller can prove that there is no causal link between the damage and its possible non-compliance with its data protection obligations can it be exempted from liability.

This strict interpretation is justified, according to the Court. It reasoned that any other approach would undermine the protection that the GDPR aims to provide to natural persons when their personal data is being processed. 

Takeaway for Employers

The ECJ confirmed that employers can be held liable for mistakes made by their employees when processing personal data, even when the employer has given the necessary instructions but the employee has failed to comply with them. 

This decision underlines the importance for employers of having a data protection policy, providing training so that employees comply with that policy correctly, and verifying that the policy is actually being followed.

Ius Laboris

Ius Laboris is a leading international employment law practice combining the world’s leading employment, labour and pension firms. Our role lies in sharing insights and helping clients to navigate the world of labour and employment law successfully.