14 Nov: Data Protection Officers personally liable for fines
Right now, the question of personal liability for employees in their role as data protection officers is being tried in both Switzerland and the UK. In both cases, companies that have incurred costs under the GDPR are seeking compensation from their Data Protection Officers, who they claim acted wilfully or in a blatantly negligent manner. The outcome could have an impact across the whole of Europe, as the national legislation is similar.
“…there are actions to take to avoid any liability…”
It is a common misconception that a data protection officer can never be held personally liable for the responsibilities connected to the GDPR. However, such liability can only arise under specific circumstances, and there are actions that can be taken to avoid it, which we describe in this article.
Damages to data subjects and administrative fines from the supervisory authority must, according to the GDPR, be directed against the data controller or processor, that is, the data protection officer's employer and not the data protection officer himself. However, the Data Protection Officer has very clear duties and a responsible and independent role in the organization, as stated in Articles 38 and 39 of the GDPR.
The Data Protection Officer is expected to give active advice to management and to monitor the organization's compliance with the rules. The organization then has the responsibility for prioritizing and executing actions based on the Data Protection Officer's advice. This division of responsibilities can in many cases lead to conflicts, since it means that an ordinary employee gives directives on how the employer should perform its tasks. Therefore, Article 38 (3) expressly prohibits penalizing data protection officers: the DPO must not be dismissed, nor penalized, for performing his tasks. But what if the DPO does not perform his tasks and duties? Could the Data Protection Officer then be personally liable?
“But what if the DPO does not perform his tasks and duties?”
Since the GDPR contains no explicit exclusion of personal liability for the Data Protection Officer, personal liability could nevertheless arise, but then under tort law. In Sweden, an employee's liability towards the employer is governed by chapter 4, article 1 of the Tort Liability Act (SFS 1972:207). An employee may be liable for damages, but several conditions must be fulfilled.
“…caused by the employee’s fault or neglect…”
In order for personal liability to occur, first and foremost, the employer must suffer a loss, which in this context may include, for example, damages payable to data subjects, an administrative fine or a prohibition on further processing of certain personal data. Furthermore, it is required that the employer's loss has been caused by the employee's fault or neglect and that there is a clear link between the employee's actions and the loss that occurred. This may be the case if someone, for example, fails to take safety precautions or acts against clear instructions. However, the basic notion in Sweden is that employees should not become liable to their employers. The Tort Liability Act states that an employee may be liable for damages only if there are special reasons, given the nature of the event, the employee's position, the injured party's interest and other circumstances.
“…the role requires explicit competence and involves a great deal of responsibility.”
This means that, in order to be liable for damages, the action must have been blatantly negligent or willful. The employee must also hold a high position that requires competence and responsibility. Whether or not the Data Protection Officer can be considered a high position can be debated, but the role requires explicit competence and involves a great deal of responsibility. Not infrequently, the employer has also invested in supplementary education to further strengthen the DPO's unique competence.
“…as it is illegal to insure…”
The employer must also have a clear interest in obtaining compensation for its loss. Such an interest is considered to be particularly present if there is no insurance in place to cover the damage. In Sweden there is no insurance covering fines from authorities, as it is illegal to insure against that kind of sanction. The employer therefore lacks insurance for many of the damages that can be incurred under the GDPR.
Considering the above, personal liability could only occur if the Data Protection Officer has failed in his responsibility to give active advice despite being aware of compliance issues, and especially if the company claims to be GDPR compliant.
“…no organization in Sweden meets the requirements…”
The Swedish DPA's Integrity Report, published in May 2019, in which data protection officers self-assessed their organization's status of GDPR compliance, concluded that no organization in Sweden meets the requirements set out in the legislation. The DPA's report also shows that there are major deficiencies in the records of processing activities for data lakes, as well as in processes and routines for promptly responding to data subject requests.
At the same time, a majority of people in senior positions who take part in surveys and give statements in the media claim that their own organization has met all GDPR requirements. This is despite the fact that extensive deficiencies have been identified and, in many cases, also documented by the organization's data protection officer.
“Such a difference … should not be possible according to GDPR.”
Such a difference between the data protection officer's and the management's view should not be possible according to the GDPR. If the difference in view has arisen because the Data Protection Officer has chosen which deficiencies to communicate to management, and thereby also which deficiencies not to communicate, this could lead to personal liability. After all, the company's management cannot act on information they have not received. A data protection officer who deliberately chooses not to report certain deficiencies to management could be considered blatantly negligent or even to have acted willfully.
“…management cannot act on information they have not received.”
The cases now being processed in Europe will show whether the Data Protection Officer's special status within the company means that personal liability towards the employer may occur. Until there is case law in this area, every data protection officer should therefore make sure that all identified deficiencies in the processing of personal data are both communicated and documented.
It is not the responsibility of the Data Protection Officer to prioritize or execute actions towards improved privacy. This responsibility falls on the data controller or processor.
However, in order to avoid any questions about personal liability, data protection officers should be fully transparent and clear about all deficiencies identified in the organization, and ensure that these are documented at the highest level.
This article has been written by Maria Moberg, Attorney at law and labour law specialist at MAQS, and Karl-Oskar Brännström, LL.M. and CEO at Aigine AB.
MAQS Advokatbyrå is one of Sweden’s leading commercial law firms with 140 employees. The firm has 19th-century roots, but today’s MAQS was founded in 2002. Since that time, we have grown quickly to become one of Sweden’s largest law firms, with offices in Stockholm, Gothenburg, and Malmö.