Employee excess: when the employee becomes the (GDPR) controller

Employee excess not only has consequences under labor law: the employee must also expect a fine for the resulting GDPR violation.

Is a police officer who runs a database query without any official reason to be regarded as a data controller within the meaning of the General Data Protection Regulation (GDPR)? The Stuttgart Higher Regional Court (OLG Stuttgart) examined this question in detail and came to a clear conclusion. Why employee excess can be really expensive.

Police officer uses police information system for private purposes

The police officer concerned had access to the police information system "POLAS" at the police station. This is used to store and retrieve personal data on suspects, accused persons and other relevant persons as part of police investigations.

On March 2, 2021 at around 1:41 a.m., the officer used his work computer to retrieve information about a colleague who was in custody at the time. He was not acting for official reasons but out of private interest, and he was aware of this. According to the findings of the Stuttgart Local Court, the officer had specifically searched for personal and criminally relevant data on his colleague without any official reason.

The incident was uncovered by internal control mechanisms, whereupon the responsible department opened an investigation. As a result, the Stuttgart Local Court fined the officer 1,500 euros for intentional and unlawful processing of personal data pursuant to Art. 83(1), (2) and (5)(a) GDPR (Art. 83(5)(a) covers infringements of the basic processing principles of Art. 5, 6, 7 and 9 GDPR). The police officer lodged an appeal against this decision.


Employee excess: employees as the responsible party

The Higher Regional Court of Stuttgart dealt in detail with the question of whether a police officer who requests data on his own authority can be considered a controller within the meaning of the GDPR.

The court first established that the officer had knowingly and intentionally carried out a database query that was not part of his official duties. The OLG emphasized that in doing so he had exceeded his official powers and acted outside his professional role, and therefore outside official control. His query was consequently not attributable to the police's official area of responsibility.

The Senate (the deciding panel of the OLG) based its decision on the so-called "employee excess theory". Under this theory, employees who process personal data on their own authority and without instructions are independent controllers within the meaning of Art. 4 No. 7 GDPR. The court emphasized that this independent responsibility arises because the employee alone decides on the purposes and means of the processing.

The Higher Regional Court of Stuttgart followed the guidelines of the European Data Protection Board (EDPB). These state that employees are considered data controllers if they process personal data for private purposes and without official instructions.

The judges rejected the view that employee excesses require a special statutory provision and pointed out that responsibility for such actions arises directly from the GDPR. The police officer could not rely on any privileged exemption either, as his actions were neither attributable to the employer nor covered by official instructions.

The OLG considered the fine of 1,500 euros to be appropriate and dissuasive, in particular because the officer had acted with intent and in deliberate disregard of his duties. In conclusion, the court emphasized the importance of consistent sanctions for data protection violations in order to achieve the deterrent effect required by Art. 83(1) GDPR.

Fine after employee excess

The decision of the Higher Regional Court of Stuttgart makes it clear that data protection violations do not have to be attributed exclusively to an institution or a company. They can also give rise to individual responsibility on the part of employees. In particular, employees who access personal data on their own authority and without official cause are, in the opinion of the court, acting on their own responsibility and can be held directly accountable.

In its decision, the court expressly confirmed the so-called "employee excess theory". According to this interpretation, an employee who knowingly and deliberately acts outside their official duties is no longer acting on the employer's instructions and becomes a data controller in their own right under Art. 4 No. 7 GDPR. As a result of this classification, employees must expect not only disciplinary or labor law consequences for violations, but fines as well.

The decision of the Higher Regional Court of Stuttgart thus clarifies the question of responsibility for data protection violations by individuals and shows that data protection violations are not solely the responsibility of the organization as the responsible body. For companies and authorities, this means that they must train and sensitize their employees even more intensively in the area of data protection, as the attribution of misconduct to individuals can have considerable financial and legal consequences.

The fine of 1,500 euros also highlights the deterrent effect that sanctions for data protection violations are meant to have on individual controllers, not only on organizations. This consistently implements the GDPR's intention of sanctioning data protection violations effectively and achieving a deterrent effect.

Recommendations for practice

With this in mind, organizations should consider the following measures:

  1. Training and sensitization: Regular employee training on data protection law and the consequences of unlawful data processing is essential.
  2. Technical and organizational measures: Access to sensitive databases should be strictly regulated and documented. Technical precautions such as logging mechanisms and access controls can help to prevent unauthorized data queries.
  3. Internal guidelines and control mechanisms: Clear internal guidelines on data processing and effective monitoring of compliance with these guidelines are essential.
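The second recommendation turns on logging and access controls that make a query like the one in this case detectable. The following is an added example, not code from the article or from any real police information system: it assumes a hypothetical lookup system that writes one audit line per query in the constructed format shown, and a hypothetical case-assignment table stating which officers are working which case. A query with no case reference, or by a user who is not assigned to the referenced case, is flagged; night-time queries are only noted as an aggravating circumstance, since a genuine night shift would otherwise drown the review in noise.

```python
"""Audit-log review for unauthorised record lookups (added example).

Assumptions (hypothetical, not from the article or any real system):
  - the lookup system writes one line per query:
        timestamp | user | subject record | case reference or '-' | terminal
  - a case-assignment table says which users may query records for a case.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample audit log. The first line mirrors the pattern in the
# case discussed above: a night-time query with no case reference.
SAMPLE_LOG = """\
2021-03-02T01:41:00 | officer_a | person/48211 | - | ws-07
2021-03-01T14:05:12 | officer_b | person/11402 | CASE-2021-0087 | ws-03
2021-03-01T14:07:40 | officer_b | person/11403 | CASE-2021-0087 | ws-03
2021-03-02T09:15:03 | officer_c | person/48211 | CASE-2021-0102 | ws-11
2021-03-02T22:30:51 | officer_a | person/11402 | CASE-2021-0087 | ws-07
"""

# Hypothetical assignment table: case reference -> users authorised to work it.
CASE_ASSIGNMENTS: Dict[str, Set[str]] = {
    "CASE-2021-0087": {"officer_b"},
    "CASE-2021-0102": {"officer_c"},
}


@dataclass(frozen=True)
class Query:
    ts: datetime
    user: str
    subject: str
    case_ref: Optional[str]
    terminal: str


def parse_log(text: str) -> List[Query]:
    """Parse the constructed pipe-separated audit format into Query records."""
    queries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, subject, case_ref, terminal = [f.strip() for f in line.split("|")]
        queries.append(Query(
            ts=datetime.fromisoformat(ts),
            user=user,
            subject=subject,
            case_ref=None if case_ref == "-" else case_ref,
            terminal=terminal,
        ))
    return queries


def authorisation_gap(q: Query, assignments: Dict[str, Set[str]]) -> Optional[str]:
    """Return why the query lacks an official basis, or None if it has one."""
    if q.case_ref is None:
        return "no case reference"
    if q.case_ref not in assignments:
        return f"unknown case {q.case_ref}"
    if q.user not in assignments[q.case_ref]:
        return f"user not assigned to {q.case_ref}"
    return None


def is_night(ts: datetime, night_start: int = 22, night_end: int = 6) -> bool:
    """Night window wraps midnight: [night_start, 24) or [0, night_end)."""
    return ts.hour >= night_start or ts.hour < night_end


def review(queries: List[Query],
           assignments: Dict[str, Set[str]]) -> List[Tuple[Query, str]]:
    """Flag every query without an official basis; annotate night-time ones."""
    findings = []
    for q in queries:
        gap = authorisation_gap(q, assignments)
        if gap is None:
            continue  # legitimate case work is not a finding, whatever the hour
        note = gap + (" (night-time query)" if is_night(q.ts) else "")
        findings.append((q, note))
    return findings


if __name__ == "__main__":
    for q, note in review(parse_log(SAMPLE_LOG), CASE_ASSIGNMENTS):
        print(f"{q.ts.isoformat()} {q.user} -> {q.subject} [{q.terminal}]: {note}")
```

Run against the constructed log, the review flags exactly the two queries by officer_a: the 01:41 lookup with no case reference, and the 22:30 lookup against a case the officer is not assigned to. The point of the assignment table is that a bare "query exists" log is not enough; the review needs a record of who had an official reason to look at which data, otherwise the query in this case would have looked like any other.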

The decision of the Higher Regional Court of Stuttgart underlines the need for consistent sanctions for data protection violations in order to implement the requirement for "effective, proportionate and dissuasive" sanctions enshrined in Art. 83 (1) GDPR.

Source: Decision of the Higher Regional Court of Stuttgart of 25.02.2025 (2 ORbs 16 Ss 336/24)

