Managing Directors are Personally Liable for Data Protection Breaches

In certain situations, companies or associations need information about prospective employees or members. Some commission detective agencies to gather information about applicants. Doing so must comply with the GDPR, however, and according to the Dresden Higher Regional Court, a managing director who does not can be held personally liable.

Why Was a Detective Agency Commissioned?

The defendant is an association specializing, among other things, in organizing vintage car rallies. According to the defendant's statutes, former offenders or individuals with questionable reputations are not admitted to the association. The plaintiff applied for membership. The defendant's managing director, on behalf of the defendant, commissioned a private detective to obtain information regarding criminally relevant facts concerning the plaintiff. The detective uncovered such facts and informed the defendant. Consequently, the defendant did not admit the plaintiff to the association.

The plaintiff was awarded non-pecuniary damages of €5,000.00, for which the defendant and its managing director are liable as joint and several debtors.

Is a managing director personally liable for data protection violations?

The Dresden Higher Regional Court relied on the definition of "controller" in Art. 4 No. 7 GDPR. Under that provision, a natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data is a controller within the meaning of the GDPR. Because both the association and its managing director qualified as controllers, both were held liable for the damages.

While employees and other staff who process data solely on instruction are generally not controllers under this definition, the court held that this exception did not apply to the defendant's managing director, who had himself decided to engage the detective.

Is a detective agency permitted to collect data about an individual?

The short answer, at least in this case: no.

The plaintiff had not consented to the investigation into his person. The defendant could not rely on a legitimate interest under Art. 6 para. 1 lit. f) GDPR either, because having a detective agency collect personal data about the plaintiff was not necessary. Keeping individuals with criminal backgrounds out of the association is in principle a legitimate concern, but in this instance it would have been sufficient first to ask the plaintiff for a self-disclosure and, if necessary, a police certificate of good conduct.

Furthermore, the detective agency's investigations violated Art. 10 GDPR. Under that article, personal data relating to criminal convictions and offences may be processed only under the control of official authority or where Union or Member State law expressly authorises the processing, and neither was the case here.

What is the amount of non-pecuniary damages for a data protection violation?

The Dresden Higher Regional Court awarded the plaintiff €5,000.00 in non-pecuniary damages and dismissed the claim for any higher amount. The court emphasized that the nature, severity and duration of the violation and the degree of fault must be taken into account when assessing such damages. Although the principle of effectiveness (effet utile) does not preclude non-pecuniary damages from having a deterrent effect, this does not mean that they assume a "punitive character".

Because the data collected here related to criminal law, it is particularly sensitive, which made the violation a serious one. In the defendant's favour, however, the court took into account that this was an isolated incident and that the data collected about the plaintiff was transmitted only to the defendant.

Managing Directors Must Exercise Caution

The Dresden Higher Regional Court has clarified that companies and associations are permitted, within the scope of their contractual autonomy, to form an impression of prospective employees or members. This informational need is subject to limits, however.

Companies and associations should therefore choose methods of information gathering that interfere as little as possible with the right to informational self-determination of prospective employees and members.

The Dresden Higher Regional Court's decision is the first to establish the liability of a managing director so explicitly. Whether this view will be upheld on a possible appeal to the Federal Court of Justice (BGH) or followed by other courts remains to be seen.

We consider a self-disclosure or the submission of a police certificate of good conduct to be appropriate measures. If a candidate refuses to provide these, that refusal is itself an indication of a lack of trust, and you should then refrain from working with them.

We are pleased to assist you with case scenarios in this context. We advise you on permissible methods of information gathering under data protection law and draft appropriate sample letters for you. Should data subjects assert claims against your company or against you as a managing director, we will help you resolve the matter in your best interest.

Sources: Dresden Higher Regional Court, Judgment of 30.11.2021, Ref. 3 O 17493/20
Dresden Regional Court, Judgment of 26.05.2021, Ref. 8 O 1286/19

We look forward to speaking with you. Furthermore, we are readily available to advise you across the entire spectrum of IT, IP, and data protection law.


GoldbergUllrich Attorneys-at-Law 2022

Julius Oberste-Dommes LL.M. (Information Law)

Attorney-at-Law and

Specialist Attorney for Information Technology Law