Presumably no „strict liability“ for companies in the case of data protection breaches (liability update!)
As announced, on April 27 the Advocate General of the ECJ delivered his Opinion on the question referred for a preliminary ruling on strict liability and confirmed that data protection authorities cannot fine companies on a strict-liability basis.
The data protection supervisory authorities can, however, impose GDPR fines directly on companies, but this requires proof of intentional or negligent conduct by an employee.
Consequence: the management level must be liable for its employees where there is organizational fault
Quote from the Advocate General: „A legal entity that can be classified as a controller or processor of personal data must take into account the consequences – in the form of sanctions – of breaches of the GDPR not only if they were committed by their representatives, managers or directors, but also if the breaches were committed by natural persons (employees in the broader sense) acting in the course of the company’s business activities and acting under the supervision of the persons first named.“
Issuing instructions and directives and supervising employees are the tasks of the management level
Continuous data protection management is now all the more important, so that management can prove that, in the event of a data protection breach, no organizational culpability (culpability in selection, culpability in instruction, culpability in supervision) led to that breach.
Although, according to the Advocate General, a supervisory authority must prove that there was organizational culpability, it will now suffice that a „lapse“ happened to an employee, which could have happened because the management level simply did not fulfill its management duties.
Now we still have to wait for the ECJ’s formal ruling. Usually, the ECJ follows the Opinion of the Advocate General and answers the questions of the referring court (here: Case C-807/21), which are then applied in the continuation of the relevant proceedings.
So, what management should now have in place:
- Training / awareness
- Instructions / guidelines
- Managing service providers (processing on behalf of the controller, joint responsibility)
- Documentation / initiating checks / data protection audits (PDCA cycle)
- etc.