Liability of a board member of a commercial company for breach of the GDPR
As of May 25, 2018, the General Data Protection Regulation (Regulation (EU) 2016/679, hereinafter the GDPR or the Regulation) becomes enforceable.
It applies if the data controller (data collector) or processor, or the data subject (a natural person), is EU-based.
The GDPR establishes wide corrective powers for supervisory authorities (the Data State Inspectorate in Latvia), including the power to impose on the controller or processor, in the event of infringement, an administrative fine of up to EUR 20 000 000, or 4% of its total worldwide annual turnover in the preceding financial year.
Leaving aside the conditions for imposing an administrative fine for infringement of the Regulation (for more details see the Article 29 Working Group Guidelines), this article analyzes the liability of members of the board of directors of commercial companies for infringements of the Regulation.
If a commercial company (hereinafter also the company) has committed a significant infringement of the Regulation and the supervisory authority has imposed a penalty, the institution of management board liability, which protects the interests of the shareholders and creditors of a commercial company, may come into question.
In accordance with the first and second paragraphs of Article 169 of the Commercial Law, the members of the management board must act as thorough and diligent owners, and they are jointly and severally liable for the damage inflicted on the company by their actions.
The management board must ensure that the company complies with the requirements of the regulatory enactments. A board member is also liable to the company for unlawful actions taken in the company's own interest.
The obligation to comply with regulatory enactments in the activities of a commercial company obliges the members of the board to keep up to date with all changes made to the various regulatory enactments that affect the activities of the company. If a member of the board, in performing the company management duties entrusted to him, acts contrary to the requirements of the regulatory enactments, there is no basis for regarding such an action as meeting the standard of a thorough and diligent owner. In addition, Article 169 of the Commercial Code does not impose an obligation on the company to prove the guilt of the board member.
Thus, as regards observance of the regulatory enactments, including the Regulation, in the activities of a commercial company, a member of the management board must act with the utmost care, since: 1) observance of the regulatory enactments in the activities of a commercial company is one of his basic obligations; 2) the Commercial Law, in derogation from the general civil procedure principle of the burden of proof, establishes a presumption of guilt of members of the board and places the burden of proof on the member of the board. Where a member of the board cannot prove that he acted as a thorough and diligent owner would, his fault is presumed. The fact that the action of a member of the board does not constitute an intentional violation has no legal significance, since he is liable for any negligence, including slight negligence. Consequently, it can be concluded that liability does not arise only if the member of the management board proves that he acted as a thorough and diligent owner, that is, without even slight negligence.
At the same time, it should be taken into account that when filing a claim against a member of the board, the shareholders or the insolvency administrator must prove: first, the fact and amount of the losses suffered by the company; second, the causal relationship between the losses and the actions of the board member; third, how these losses have reduced the equity value or the possibility of satisfying creditor claims in insolvency proceedings. A member of the board may be released from civil liability by proving that his actions meet the criteria of a thorough and diligent owner.
The lawyers of the Triniti Latvian team have gained practical experience in the field of personal data protection, providing recommendations in the field and representing clients in disputes with the supervisory authority.
The lawyers of the Triniti Baltic team participated in the development of the General Data Protection Regulation and have provided training on data protection rights. Triniti is able to provide deep and highly valued expertise in the Baltic region to address issues of compliance with the Regulation that require professional legal assessment.