Who is legally responsible when a data-protection error happens in your company—the individual employee or the company as a whole? In an important ruling on October 7, 2025 (Case No. VI ZR 297/24), the German Federal Court of Justice (BGH) provided clarity. The decision strengthens corporate responsibility and redefines the role of employees in data-protection law.
The legal background on responsibility
Article 4(7) GDPR defines who the “controller” of a data processing activity is. It’s the person or entity that decides alone or jointly on the purposes and means of processing. The controller bears full legal responsibility, is liable for violations, and is the main target for fines and compensation claims. In practice, it wasn’t always clear whether an employee who makes a mistake could be considered a controller themselves.
The BGH’s decision in detail
The BGH has now made it clear that employees generally cannot be considered “controllers” under the GDPR. The judges followed the prevailing legal opinion and the case law of the European Court of Justice (ECJ).
The court’s core reasoning:
- Employees are “persons under the authority” of the controller (the employer) as per Article 29 GDPR.
- They act under instructions and the authority of their employer.
- They don’t decide on the fundamental purposes and means of processing—the “why” and “how.” They simply carry out assigned tasks.
So the employer remains the sole controller and must ensure GDPR compliance.
What this means for your company
Responsibility sits clearly with management
The ruling cements that data-protection compliance is a management duty. Leadership can’t shift responsibility onto individual employees, even if they made the operational mistake.
Instructions and training matter more than ever
If the company carries full responsibility, it must enable employees to act in a compliant way. Clear work instructions, understandable data-protection policies, and regular training aren’t optional—they’re necessary.
Employees aren’t off the hook
The ruling isn’t a free pass for careless behavior. While employees don’t face GDPR fines from authorities or claims from external parties, they remain accountable internally. In cases of gross negligence or intent, the employer can seek compensation from them under labor law.
The focus moves from individuals to systems
The decision pushes companies to stop looking for individual “culprits” and instead build a solid data-protection management system. Good technical and organizational measures (TOMs) are the best protection against violations.
FAQ on employee liability under GDPR
So an employee is never personally liable for a GDPR breach?
Not toward external parties or authorities, at least not with a GDPR fine. But internally, they can be held liable for damages they caused (for example, a paid fine), if they acted culpably.
What if an employee deliberately steals or misuses data?
Then they act outside their authority and can face criminal charges and full personal liability. The protection given to instructed employees no longer applies.
Who is responsible for data in a home-office setup?
The company is still the controller. But it must provide clear rules and technical requirements (like IT-security guidelines) so employees can meet their obligations.
How can a company best fulfill its responsibilities?
By implementing a solid data-protection management system, appointing a data-protection officer, offering regular training, and establishing clear internal rules.
Where can I get professional help with assigning data-protection roles?
A clear structure is key to reducing liability. The experts at sofortdatenschutz.de can help you set up your organization in a compliant way. You can contact them at sofortdatenschutz.de/kontakt/.