Can an employer be exempt from liability for breaches of the GDPR caused by employee error? - Court of Justice pronounces on employers’ liability for GDPR breaches

The General Data Protection Regulation (GDPR) provides that a controller or processor is exempt from liability for breaches of the GDPR if it proves that it is not in any way responsible for the event causing the damage. The judgment of 11 April 2024 of the Court of Justice sheds light on the question whether a controller can be exempted from liability under this provision for the default of a person acting under its authority. The answer is negative. The Court clarifies that the controller must ensure that its employees follow instructions.

The facts

A natural person, an independent lawyer, was a customer of a company operating a legal database. After the lawyer discovered that his personal data was being used for direct marketing purposes, he withdrew all his consents and opposed further processing of his personal data, except for newsletters. Despite his objection, he received two advertising letters at his office address a few months later. He therefore claimed damages from the operator of the legal database, based on the GDPR.

The company, as the controller, disputed this claim, arguing among other things that it could not be held liable for damage caused by the failure of a person acting under its authority (in this case, an employee).

Before ruling on the case, the German Landgericht Saarbrücken submitted some preliminary questions to the Court of Justice regarding liability and damages pursuant to Article 82 of the GDPR.

The judgment

First of all, the Court confirms its previous case law, in which it held that a breach of the provisions of the GDPR is not in itself sufficient to constitute non-material damage within the meaning of the GDPR. The person seeking damages must prove that the breach caused actual damage; a mere breach of the GDPR without damage does not entitle a person to compensation. The Court points out, however, that the recitals of the GDPR state that the loss of control over personal data can cause non-material damage.

The Court then examines whether an error or omission by a person under the authority of a controller exempts that controller from liability.

According to the GDPR, a company can be exempted from liability if it proves that it is in no way responsible for the event causing the damage. The question in this case was therefore whether an employer is responsible for an employee's breach of the provisions of the GDPR.

The Court recalls that persons acting under the authority of the controller may process personal data only on the instructions of the controller and in accordance with those instructions. The controller must therefore take the necessary measures to ensure that any person acting under its authority who has access to personal data processes it only on its instructions, unless the processing is required by a legal obligation. When employees process personal data, the employer must ensure that this is done in accordance with the GDPR. In practice, this means the controller should implement a data protection policy and organise training.

The Court goes further, stressing that the controller must also check whether employees actually follow its instructions. It cannot escape liability simply by pointing to the negligence or fault of a person acting under its authority who disregarded those instructions. Thus, employers can indeed be held liable for breaches of the GDPR caused by their employees, even if the necessary instructions have been given. Only if the controller can prove that there is no causal link between the damage and its possible non-compliance with its data protection obligations can it be exempted from liability.

This strict interpretation is justified, according to the Court: any other approach would undermine the protection that the GDPR aims to provide to natural persons whose personal data are being processed.

Finally, the Court confirms in this judgment that the criteria for determining administrative fines cannot be used to assess compensation. That assessment is instead governed by the domestic rules of each Member State.

Action point

The Court of Justice confirmed that employers can be held liable for mistakes made by their employees when processing personal data, even when the employer has given the necessary instructions but the employee has failed to comply with them.

This decision underlines the importance for employers to have a data protection policy, to provide training so that employees correctly comply with the policy and to verify compliance with the policy. Feel free to contact us for further information and legal support in developing and implementing an effective data protection policy.