Update Datenschutz No. 110 | Update Compliance 7/2022 | Update China Desk 3/2022

External liability of the managing director for company’s data protection infringements?

Pursuant to Article 82 (1) GDPR, a data subject who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the controller or processor for the damage suffered. Article 82 (2) extends this liability for the damage caused by processing which infringes the GDPR to any controller involved in processing, i. e., it also provides for joint and several liability of joint controllers.

But is this right of the data subject to receive compensation also directed against the managing director or management board of a company that infringed data protection law? In a recently published decision, Dresden Higher Regional Court holds that this is the case (Dresden Higher Regional Court, Judgment November 30, 2021, 4 U 1158/21). In its decision, Dresden Higher Regional Court considered the managing director to be a joint controller with a GmbH [limited liability company] and therefore jointly and severally liable under Article 82 (2) sentence 1 GDPR.

This decision is as remarkable as it is wrong in terms of its content. In detail:

Facts of the case

In the case at issue, the GmbH, which was also a defendant, had conducted background research on the plaintiff and thus had indisputably acted in a manner that infringed data protection law. The plaintiff sued the GmbH as the original data controller and its managing director for damages under Article 82 (1), (2) GDPR. Both the court of first instance and Dresden Higher Regional Court considered the data protection infringement to have occurred and affirmed joint liability under Article 82 (2) GDPR of the GmbH and its managing director as joint controllers in accordance with Article 4 (7) GDPR.

Dresden Higher Regional Court does not provide any grounds in its decision as to why the managing director is a joint controller with the GmbH pursuant to Article 4 (7), Article 26 GDPR.


As far as apparent, the classification of the managing director as joint controller with the GmbH as the actual controller is a first in case law and cannot be inferred as correct from either the law or literature. Only those who jointly with others determine the purposes and means of the processing can be joint controllers, Article 4 (7) GDPR. In the case on which Dresden Higher Regional Court ruled, however, this would correctly be the GmbH alone. It determines the purposes and means of the processing of personal data. As the sole legal entity, it also has relevant interests in determining such purposes, since these serve to achieve its intentions.

The managing director, on the other hand, has no interests of his own in the processing of personal data and therefore does not pursue his own purposes with the processing, which is why liability as a joint controller is ruled out from the outset. No such joint controllership can be derived either from the cases adjudged by the CJEU on the issue of joint controllership (C-210/16, C-25/17, and C-40/17) (cf. also Update Data Protection No. 39 and No. 63). In all these cases, the instrument of joint controllership served solely the purpose of transparency and to only enable the filing of a claim against a party by a data subject within the European Union. The decisions were therefore driven by considerations of enforceability. Such transparency and enforceability considerations are, however, inapplicable in a constellation in which a claim can be made against a German GmbH as the controller. There is no need for the managing director as an additional liability subject to enable data subjects to enforce their rights.

It must also be taken into account that the managing director himself merely acts as a corporate body. This position does not give rise to any interest of his own in the processing of personal data, however, which is why the GmbH’s managing director cannot be considered a controller within the meaning of Article 4 (7) GDPR and thus not of Article 82 (2) GDPR either (cf. Backhaus/Schneidereit, jurisPR-HaGesR 2/2022 para. 3).

Dresden Higher Regional Court failed to set out in any way what purposes the managing director should have pursued in the case at issue and why joint controllership should arise solely from his position as a member of the management board. The judgment must be rejected as wrong in terms of its content. It is hoped that this will remain a one-off decision.

Implications for use in practice

The Dresden Higher Regional Court ruling has gained considerable publicity. In view of the fact that data protection infringements are increasingly being asserted and claims for compensation of damages are being made, particularly in disputes under employment law, but also in other disputes between private individuals and companies, it is to be expected that plaintiffs’ lawyers will extend this practice to the executive bodies of the respective companies in the future. Companies will thus incur further expenses and executive bodies will face additional risks, which are supposed to be covered by D&O insurance and other measures.

As always, however, the best protection is good compliance, because if the argument of lawfulness of processing can be used to eliminate the basis for the compensation of damages, there is no room either for joint and several liability of the managing director or of the management board members of companies, which may continue to be wrongly presumed by courts.

Chinese Version:



但是,当事人的这一主张是否也能向违反数据保护的公司的董事总经理(又称为执行董事)或董事会提出呢?德累斯顿高等地区法院在最近公布的一项判决中对此做出了裁决(参见案例OLG Dresden, Urteil vom 30.11.2021, Az. 4 U 1158/21)。在该判决中,德累斯顿高等地区法院认定董事总经理与有限责任公司承担连带责任,因此根据欧盟《通用数据保护条例》第82条第2款第1句,董事总经理应作为连带债务人。












Download as PDF

Contact persons

You are currently using an outdated and no longer supported browser (Internet Explorer). To ensure the best user experience and save you from possible problems, we recommend that you use a more modern browser.