The General Data Protection Regulation (hereinafter – GDPR), which entered into force last year, has brought innovation not only to business organization, but also to employment relations. GDPR obliges companies to ensure that personal data protection requirements are enforced, while the failure to comply with their obligations entails the risk of not only receiving substantial fines (please see our previous message on https://leinonen.eu/lt-en/news/fine-of-eur-61-500-was-issued-in-lithuania-for-the-gdpr-breaches), but also an additional requirement for the compensation to the injured party.
Taking into consideration that personal data processing in companies is usually carried out by employees, there is a noticeable tendency to place the responsibility for the processing of personal data on the employees in charge and to inform them not only about the possible penalties indicated in the GDPR, but also about the possibility of terminating their employment contracts due to breaches of GDPR requirements. In such cases the processing of personal data in violation of the requirements of GDPR falls under the category of breaches of obligations arising from
The question arises whether the actions described above are an appropriate means of managing the risk of personal data breaches.
It should be noted that while data protection related processes (such as breach risk management, data subject requests, response to inquiries, etc.) are implemented in companies by responsible employees, Part 2 of Article 82 of GDPR establishes that the data controller, i.e. the company (the employer), is liable for any damage resulting from the unlawful processing of personal data. According to the recommendations of the State Data Protection Inspectorate, the company's employees are not considered data controllers. Therefore, the company, not its employees, will be directly liable for the damage caused by unlawful data processing.
Proper management of employer risks
In order to prevent breaches of personal data processing and to ensure smooth processing of personal data, we recommend taking the following steps:
· Establish internal company policies that set standards for the processing and protection of personal data and familiarize the employees with them;
· Inform the employees of their obligations with regard to the processing of personal data;
· Instruct the employees on ways and means to ensure the protection of personal data in the company;
· Undertake the technical protection measures (e.g. restrict access to personal data).
Proper implementation of all the above-mentioned processes not only reduces the risk of breaches and damages, but also creates a basis for claiming damages from the employee for his/her culpable actions.
Liability of the employees
- Material liability of the employees
In cases when, despite the company complying with the GDPR requirements and applying organizational and technical measures to protect personal data, breaches still occur due to the fault of the employee, the company acquires the right to claim compensation from the employee. However, the scope of the employee's liability is limited according to the provisions of the Labor Code of the Republic of Lithuania (hereinafter – Labor Code):
· the employee may be required to pay compensation of up to 3 of his/her monthly average salaries;
· if the breach occurs due to gross negligence of the employee, not more than 6 monthly average salaries;
· in cases of intentional damage, the above-mentioned limitations shall not apply. In order to prove intentional actions of the employee, the company would have to prove that the employee could have acted to prevent the breach, but deliberately did not.
- Termination of employment contract
The Labor Code establishes the possibility of terminating the employment contract with an employee who commits a breach of obligations under labor law or the employment contract (Article 58 of the Labor Code). In cases when an employee's duties involve the processing of personal data, this process must also be performed in accordance with legal requirements and the company's internal rules and procedures. Therefore, an employee's breach of duties in relation to the processing of personal data may entitle the employer to initiate termination of the employment contract under Article 58 of the Labor Code. However, it is very important to ensure that the termination of the employment contract is a proportionate measure in relation to the infringement, i.e. assess the degree and consequences of the breach, the circumstances, the fault of the
We kindly inform you that Leinonen Legal Advisors, who apply the provisions of GDPR widely in practice, may assist you in the preparation of documentation related to the implementation of the GDPR requirements and provide related exhaustive and comprehensive legal consultations.
Information above was prepared by Leinonen Lithuania Legal Team.