Employers liable for employees’ GDPR errors

Ius Laboris

[co-authors: Inger Verhelst, An-Julie Van Dyck]*

A recent judgment of the European Court of Justice (ECJ) sheds light on the question of whether a data controller can be exempted from liability for the error of a person acting under its authority.
 

The General Data Protection Regulation (GDPR) provides that a controller or processor is exempt from liability for breaches of the GDPR if it proves that it is not in any way responsible for the event causing the damage. The ECJ held that the controller must ensure that its employees follow instructions, and that this provision may not exempt the controller from liability for breaches caused by employee error.

The facts

A person doing business as an independent lawyer was a customer of a company operating a legal database. After the lawyer discovered that his personal data was being used for direct marketing purposes, he withdrew all his consents and opposed further processing of his personal data, except for newsletters. Despite his objection, he received two advertising letters at his office address a few months later. He therefore brought an action in the German courts claiming damages from the operator of the legal database, based on the GDPR.

The company disputed this claim, based, among other things, on the fact that it could not be held liable for damage caused by a failure of a person acting under its authority (in this case, an employee).

Before ruling on the case, the German court submitted some preliminary questions to the ECJ regarding liability and damages pursuant to the GDPR.

The judgment

First, the Court confirmed previous case law in which it held that a breach of the provisions of the GDPR is not in itself sufficient to constitute non-material damage in the sense of the GDPR. The person seeking damages must prove that the breach caused actual damage. A mere breach of the GDPR without damage does not entitle a person to compensation. The Court pointed out that the preliminary recitals of the GDPR state that the loss of control over personal data can cause non-material damage.

The Court then examined whether an error or omission by a person under the authority of a controller exempts that controller from liability. According to the GDPR, a company can be exempted from liability if it proves that it is in no way responsible for the event causing damage. So, the question was whether an employer is responsible for an employee’s breach of the provisions of the GDPR.

The Court noted that people acting under the controller's authority may process personal data only on, and in accordance with, the controller's instructions. The controller must therefore take the necessary measures to ensure that any person acting under its authority who has access to personal data works only on its instructions, unless the processing follows from a legal obligation. When employees process personal data, the employer must ensure that this is done in accordance with the GDPR. Thus, the controller must take all reasonable steps to implement a data protection policy and to organise training.

The Court went further, stressing that the controller must also check whether employees are following its instructions. It cannot escape liability simply by pointing to negligence or fault on the part of someone who was acting under its authority but ignored its instructions. Thus, employers can indeed be held liable for breaches of the GDPR caused by their employees, even if the necessary instructions had been given. Only if the controller can prove that there is no causal link between the damage and its possible non-compliance with the data protection obligation can the controller be exempted from liability.

This strict interpretation is justified, according to the Court. It reasoned that any other approach would undermine the protection that the GDPR aims to provide to natural persons when their personal data is being processed.

Takeaway for Employers

The ECJ confirmed that employers can be held liable for mistakes made by their employees when processing personal data, even when the employer has given the necessary instructions but the employee has failed to comply with them.

This decision underlines how important it is for employers to have a data protection policy, to provide training so that employees correctly comply with the policy, and to verify compliance with the policy.

*Claeys & Engels

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ius Laboris | Attorney Advertising
