Data subject awarded damages for unauthorized criminal background check

Summary

The data subject sought membership in an association, and the association's managing director instructed a background check to be carried out on the individual. The investigation uncovered information on the individual's past criminal convictions, which was then relayed to the association's executive board. Subsequently, the association rejected the individual's membership application. The data subject argued that the controller had breached GDPR, Article 10, since the processing of their personal data related to criminal convictions did not occur under official supervision. Consequently, they demanded compensation for pain and suffering.

The Decision of the Higher Regional Court of Dresden

The Higher Regional Court upheld the decision of the Regional Court of Dresden, awarding the data subject damages in the amount of 5,000 EUR for the following violations:

• The processing was deemed unnecessary because the controller could have used less intrusive alternatives like self-disclosure or police clearance certificates.

• In terms of liability, the Court found that the managing director was to be considered a controller alongside the company (GDPR, Article 4(7)).

• When assessing the non-material damages under GDPR, Article 82, the Court considered the nature, gravity, duration, degree of fault and measures taken to mitigate harm, previous breaches, and categories of personal data. In this instance, the Court found that the breach exceeded the de minimis threshold despite it being a one-time event. The sensitive nature of the personal data collected and disclosed affected the interests of the data subject, which was why the damages already awarded in the amount of 5,000 EUR were deemed appropriate.

Our remarks

• Personal liability can apply to managing directors. The case shows that managing directors can be held personally liable for breaches of GDPR if they are found to have acted intentionally or negligently in violation of the GDPR.

• Personal data relating to criminal convictions must be processed under official supervision. Collection must happen under official supervision, as required by GDPR, Article 10. This supervision may be provided by a public authority or by a person or body authorized by EU or Member State law.

Published: 30-11-2022
Journal number: N/A
Tags: 07 Compensation for non-material damages

Complycloud EU GDPR Report