Liability of Employees for Breaches of Personal Data Protection

The General Data Protection Regulation (hereinafter – GDPR), which entered into force last year, has brought changes not only to business organization, but also to employment relations. The GDPR obliges companies to ensure that personal data protection requirements are enforced, and failure to comply with these obligations entails the risk not only of substantial fines, but also of an additional obligation to compensate the injured party.

Since the processing of personal data in companies is usually carried out by employees, there is a noticeable tendency to place responsibility for the processing of personal data on the employees in charge and to inform them not only of the possible penalties indicated in the GDPR, but also of the possibility of terminating their employment contracts for breaches of GDPR requirements. In such cases, processing personal data in violation of GDPR requirements is treated as a breach of obligations arising from the employment contract.

The question arises whether the actions described above are an appropriate means of managing the risk of personal data breaches.

It should be noted that while data protection related processes (such as breach risk management, data subject requests, response to inquiries, etc.) are implemented in companies by the responsible employees, Part 2 of Article 82 of the GDPR establishes that the data controller, i.e. the company (the employer), is liable for any damage resulting from the unlawful processing of personal data. According to the recommendations of the State Data Protection Inspectorate, the company's employees are not considered data controllers. Therefore, the company, not its employees, will be directly liable for the damage caused by unlawful data processing.

Proper management of employer risks

In order to prevent breaches of personal data processing and to ensure smooth processing of personal data, we recommend taking the following steps:

· Establish internal company policies that set standards for the processing and protection of personal data and familiarize the employees with them;

· Inform the employees of their obligations with regard to the processing of personal data;

· Instruct the employees on ways and means to ensure the protection of personal data in the company;

· Implement technical protection measures (e.g. restrict access to personal data).

Proper implementation of all the above-mentioned processes not only reduces the risk of breaches and damages, but also creates a basis for claiming damages from the employee for his/her culpable actions.

Liability of the employees

Material liability of the employees

In cases where, despite the company complying with the GDPR requirements and applying organizational and technical measures to protect personal data, breaches still occur due to the fault of the employee, the company acquires the right to claim compensation from the employee. However, the scope of the employee's liability is limited by the provisions of the Labor Code of the Republic of Lithuania (hereinafter – Labor Code):

· the employee may be required to pay compensation of up to 3 of his/her average monthly salaries;

· if the breach occurs due to gross negligence of the employee – not more than 6 average monthly salaries;

· in cases of intentional damage, the above-mentioned limitations shall not apply. In order to prove intentional actions of the employee, the company would have to prove that the employee could have acted to prevent the breach, but deliberately did not.

Termination of employment contract

The Labor Code establishes the possibility of terminating the employment contract with an employee who commits a breach of obligations under labor law or the employment contract (Article 58 of the Labor Code). Where an employee's duties involve the processing of personal data, this processing must also be performed in accordance with legal requirements and the company's internal rules and procedures. Therefore, an employee's breach of duties in relation to the processing of personal data may entitle the employer to initiate termination of the employment contract under Article 58 of the Labor Code. However, it is very important to ensure that termination of the employment contract is a proportionate response to the infringement, i.e. to assess the degree and consequences of the breach, the circumstances, the fault of the employee, etc.

We kindly inform you that Leinonen Legal Advisors, who apply the provisions of GDPR widely in practice, may assist you in the preparation of documentation related to the implementation of the GDPR requirements and provide related exhaustive and comprehensive legal consultations.

Information above was prepared by Leinonen Lithuania Legal Team.
