Managing directors are personally liable for data protection breaches

In some situations, companies or associations need information about potential employees or members. In some cases, detective agencies are commissioned to collect information about applicants. In doing so, however, it is mandatory to observe the requirements of the GDPR. According to the OLG Dresden, this also and especially applies to managing directors.

Why was a detective agency hired?

The defendant is an association which, among other things, specialises in organising vintage car rides. According to the defendant's statutes, ex-offenders or people of unsavoury reputation are not admitted to the association. The plaintiff applied for membership. The defendant's managing director hired a private detective on the defendant's behalf to obtain information about criminal facts relating to the plaintiff. The detective investigated such facts and informed the defendant. The defendant then did not admit the plaintiff to the association.

The plaintiff obtained joint and several damages for pain and suffering in the amount of € 5,000.00 against the defendant and its managing director.

Is a managing director personally liable for data protection breaches?

The OLG Dresden referred to the provision in Art. 4 No. 7 GDPR regarding joint and several liability. According to this provision, a natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data is responsible within the meaning of the GDPR.

Under Art. 4 No. 7 of the GDPR, employees who are bound by instructions and other staff are generally not themselves responsible. However, this did not apply to the managing director of the defendant when he hired the detective.

Is the detective agency allowed to collect data about a person?

The answer is, in short, no!

The plaintiff had not consented to the search about his person. The defendant could not invoke a legitimate interest pursuant to Art. 1(f) of the GDPR because the acquisition of personal data about the plaintiff by a detective agency was not necessary. Keeping people with a criminal background away is in principle a legitimate concern. In the present case, however, it would have been sufficient to first ask the plaintiff to provide additional information about himself and, if necessary, to submit a police certificate of good conduct.

Moreover, the investigations of the detective agency violated Art. 10 of the GDPR. According to this, the processing of personal data on criminal convictions and offences may only be carried out under official supervision. This was not the case here.

How much is the compensation for pain and suffering in the event of a data protection breach?

The Dresden Higher Regional Court awarded the plaintiff € 5,000.00 in damages for pain and suffering. The court rejected a further claim for payment. The type, severity, duration of the violation and the degree of fault had to be taken into account when assessing the damages for pain and suffering. According to the principle of effectiveness (effet utile), damages for pain and suffering are not excluded even as a deterrent sanction. However, this does not lead to an award for pain and suffering acquiring a "punitive character".

The data collected in this case related to criminal law and was therefore particularly sensitive, so the infringement was serious. The court counted in the defendant's favour the fact that it was only a one-off infringement and that the data collected about the plaintiff was only transmitted to the defendant.

Managing directors must be careful

The Higher Regional Court (OLG) of Dresden has made it clear that companies or associations are certainly allowed to get a picture of potential employees or members within the framework of their contractual autonomy. However, this need for information has limits.

Therefore, check whether there are ways of obtaining information that interfere less with the right to informational self-determination of potential employees and/or members.

The decision of the OLG Dresden is the first to also pronounce a clear liability of the managing director. Whether this view will be shared in a possible appeal before the BGH or by another court remains to be seen.

We consider a supplementary self-disclosure or the submission of a police certificate of good conduct to be appropriate means. If candidates refuse to submit a certificate, this is already an indication of a lack of trust. You should then refrain from cooperation.

We will be happy to help you with cases in this context. We advise you on which means of obtaining information are permissible under data protection law and formulate corresponding sample letters for you. If data subjects assert claims against your company or against you as managing director, we will help you to settle the matter in your interest.

Sources:

OLG Dresden, judgment of 30.11.2021, ref. 3 O 17493/20

Dresden Regional Court, judgment of 26.05.2021, Case No. 8 O 1286/19

We look forward to talking to you. Furthermore, we are available to you as advisors in the entire area of IT/IP and data protection law.

 

GoldbergUllrich Lawyers 2022

Julius Oberste-Dommes LL.M. (Information Law)

Lawyer and

Specialist lawyer for information technology law
