GDPR responsibility: Company, not DPO, liable | IT-Medienrecht

Discover where GDPR responsibility truly lies. A recent ruling clarifies: the company, not the data protection officer, bears liability. Learn more now!

Heilbronn Court Clarifies Primary Responsibility for GDPR Compliance

The GDPR (General Data Protection Regulation) has caused plenty of discussion in companies in recent years. Many were unsure who bears primary responsibility for GDPR compliance. However, a recent ruling by the Heilbronn Labor Court has provided clarity on this important issue.

Background of the Case

The plaintiff, 60 years old, had been employed by the defendant since October 1, 2002. Most recently, he served as an attorney and head of the legal department, where he was instrumental in the company's legal direction and contributed to resolving complex legal challenges.

Due to his expertise and commitment to data protection, he was appointed as the company's data protection officer on December 1, 2018. In this role, he was responsible for monitoring compliance with the GDPR and other data protection regulations.

Despite his many years of service, disagreements arose between him and the defendant's CEO. These differences ultimately formed the background for the legal disputes concerning his employment.

Key Clarifications on GDPR Compliance

In its ruling of September 29, 2022, under case number 8 Ca 135/22, the Heilbronn Labor Court made important clarifications regarding the role and responsibility of data protection officers.

The court explicitly stated that:

Furthermore, the court emphasized that the main responsibility for implementing and complying with the GDPR lies with the company itself, not with the data protection officer. This highlights the central role companies play regarding data protection and the need to actively address GDPR requirements.

Corporate Responsibility for GDPR Implementation

This ruling powerfully underscores the importance for companies to intensively and continuously engage with GDPR requirements. A common misconception is that simply appointing a data protection officer is sufficient for all data protection needs.

While a data protection officer offers valuable advice and support, the ultimate responsibility for compliance with data protection regulations rests solely with the company. Consequently, businesses must invest strategically.

This includes:

It is crucial for companies to be proactive, conduct regular reviews, and stay up-to-date with the latest data protection regulations. This approach ensures correct implementation of the GDPR and other relevant regulations, thereby minimizing potential legal risks.

Conclusion

The ruling by the Heilbronn Labor Court sends a clear signal to all companies. It unequivocally states that the responsibility for GDPR compliance rests with the company itself, not with the data protection officer.

Therefore, it is imperative for businesses to review their current data protection practices. Ensuring they meet all GDPR requirements is crucial to avoid potential penalties and legal disputes, particularly concerning data protection liabilities.