Managing directors and board members are legally obliged to organize their company in such a way that it complies with all applicable laws. This is known as the duty of legality. This results in a general compliance obligation, which has been increasingly tightened by case law in recent years.
One well-known example is the Siemens-Neubürger case, in which the member of the Executive Board responsible for compliance was held personally liable for a case of corruption at Siemens, which had tragic consequences.
Even under the Data Protection Directive before the General Data Protection Regulation (GDPR) came into force, there was an implicit duty of legality, meaning that there was an obligation to comply with data protection laws. Nevertheless, there were many data protection violations in practice, as specialist departments and employees in particular caused legal violations in their day-to-day business.
To remedy this problem, the GDPR tightened the organizational obligations of companies. In principle, the company itself - and not the data protection officer - is responsible for taking all necessary measures to comply with the legal requirements of the GDPR.
These measures must not only be implemented, but also verifiably documented (so-called accountability). If a data protection authority audits a company, the company must be able to prove that the organizational data protection measures have actually been implemented. If this proof cannot be provided, this already constitutes a data protection breach.
The fact that they can also be held personally liable for data protection breaches is particularly explosive for managers. Managers are therefore well advised to take the issue of data protection seriously and to organize data protection effectively within their company.
Legal starting position
According to the initial legal position, the company, i.e. the so-called controller, is responsible for implementing data protection measures and ensuring compliance. This legal obligation applies in particular to the managing director or the board of directors as the company's management bodies.
The measures and activities that serve to implement the data protection regulations are referred to as a data protection management system (DMS). Every company within the scope of the GDPR must set up such a DMS. However, the scope and design of such a system can vary greatly. A large, data-critical company such as Facebook must take much more extensive and differentiated data protection precautions than a craft business with 30 employees.
If the company has appointed a data protection officer, this person also plays a role and has legally assigned duties. These include training employees, advising the management and monitoring compliance with data protection regulations. However, according to the initial legal situation, the data protection officer is not obliged to implement the necessary measures. The legal obligation to create and maintain a record of processing activities, to conclude data processing agreements with processors, to implement appropriate data security measures and to provide documentation lies with the company.
When appointing an external data protection officer, it should therefore be precisely defined which tasks the data protection officer will take on. Insofar as he or she remains responsible for performing the minimum statutory tasks, the obligation to set up and implement a data protection management system remains with the company.
Delegation of data protection duties
It is legally permissible and often sensible for the company to delegate the implementation of data protection obligations. Tasks can be delegated to the data protection officer as well as to other employees.
However, the delegation of data protection tasks is only effective if the company provides the persons entrusted with the data protection tasks with the appropriate financial and time resources. A sensible and proven organization of data protection in practice provides for the appointment of a responsible managing director, an internal person responsible for implementation, the so-called data protection coordinator, and the statutory role of the data protection officer.
The data protection officer usually has the legal and practical expertise in data protection law and imparts the necessary knowledge for implementation to the data protection coordinator, who takes over the implementation within the company.
Management's duty of legality
The management is legally obliged to create a suitable organizational structure to ensure compliance with data protection requirements. The role of the managing director shifts from an operational to a supervisory role. If data protection violations occur in business operations, the managing director can exculpate himself from personal liability, i.e. defend himself against liability, by proving that he has fulfilled his statutory duties by delegating operational tasks, providing an appropriate budget and ensuring compliance.
The managing director must be able to prove all of this. Monitoring can be carried out, for example, through regular exchanges with the data protection officer or by setting up a reporting system in which data protection reports are prepared at regular intervals, deviations are identified and, if necessary, improvement measures are implemented.
Organizational obligations under data protection law
The GDPR tightens the obligations for the organization of data protection. The company must ensure that all organizational measures required to comply with the GDPR are taken and documented. The management remains responsible for creating an effective data protection organization and providing sufficient resources.
Personal liability of the management bodies
Managers may be personally liable for data protection violations. However, they can exonerate themselves from liability by proving that they have taken all necessary organizational and legal measures. This also includes the clear delegation of tasks and the provision of resources for the implementation of data protection.
Liability of the parent company for subsidiaries
The parent company can also be held liable for data protection breaches by its subsidiaries if it cannot prove that it has adequately monitored and supported the subsidiaries. Monitoring can be carried out by means of a group-wide data protection management system, which also includes the delegation and monitoring of data protection obligations.
Legal consequences of delegation
The role of the managing director changes from an operational to a supervisory role through such an organization. If data protection violations then occur in business operations, the managing director can exculpate himself with regard to personal liability by demonstrating that he has fulfilled his statutory duties: the operational tasks have been delegated, an appropriate budget and resources have been provided and compliance has been monitored.
Practical implementation and reporting
To ensure that all organizational measures are complied with, an effective reporting system must be established. Regular data protection reports, which identify deviations and implement improvement measures where necessary, help to document and monitor compliance.
Conclusion
A clear organization, a clear assignment of roles and responsibilities and the delegation of operational data protection activities, all of which the company management must ensure, reduce the management's liability on the one hand and relieve it of operational data protection work on the other.
However, it is not possible to delegate the management's statutory task of providing an appropriate budget and ensuring compliance with data protection regulations. It is advisable to set out this allocation of roles in writing and make it known within the company.
This should be documented in a data protection guideline based on recognized standards for management systems. The data protection guideline is therefore the central strategic document for setting up an appropriate data protection organization.