To comply with the General Data Protection Regulation (GDPR), companies must have technical and organizational measures in place to protect personal data. In light of the recent decision of the Croatian Personal Data Protection Agency (AZOP) against a leading local security company, one measure that requires closer scrutiny is the prevention of data breaches by employees. What happens if, regardless of the security measures in place, a careless employee commits a data breach? Will the company be liable for a breach committed by its employee?
AZOP found that the security company committed a breach of personal data even though the breach arose from the actions of one of its employees. The employee recorded video surveillance footage on his/her phone and shared it with a third party; the recording was ultimately made available on social media and in the media. A data subject was thereby exposed to insults and ridicule by the public, and the data controller using the security company’s services reported the breach. The AZOP found that the security company as a data processor enabled the breach by not implementing adequate technical measures to safeguard personal data security, which would have eliminated or minimized the risk of such a breach.
Although it is yet to be seen whether the security company will successfully challenge AZOP’s decision in court, there are a few takeaways from this case even at this stage. First, this decision is a good reminder to employers that they can be liable for their employees’ data breaches. Similar conclusions have been reached in the past both by AZOP (e.g., case UP/I-041-02/18-01/36) and the administrative courts (e.g., case UsI 12/2019-9). This principle also accords with the general civil law rule on the vicarious liability of employers, which stipulates that the employer is liable for damage caused by an employee in the course of or in connection with employment. Second, the decision emphasizes that the employer bears responsibility if the breach occurred due to inadequate preventive measures. In other words, it is up to employers to ensure that work processes are designed to prevent the unauthorized processing of personal data. This principle seems especially relevant in the context of the modern workplace, including remote work, use of personal devices for business purposes, and so on.
What remains unknown is whether the employer would still have been liable for the data breach committed by the employee even if it had applied all the adequate processes and procedures. A literal interpretation of the rule on vicarious liability and the GDPR rules on controllers’ and processors’ obligations would suggest that the answer is no. However, this matter has not yet been expressly clarified by Croatian authorities (as it has in some other jurisdictions, such as the United Kingdom). Either way, it is in the employers’ best interests to apply adequate measures to prevent breaches – both to deter employees from committing them and to demonstrate to the regulators that they “did their part.”
What Measures to Apply?
What is appropriate in one situation may not be in another. Businesses should thus assess whether certain measures are indeed appropriate and sufficient for their specific situations. Evaluation after implementation is important as well.
In the decision described above, AZOP found that the company did not implement appropriate technical measures either before or after the breach. Applying appropriate technical measures is certainly important, but not sufficient on its own to ensure employee compliance. In many cases, the breach is caused by an employee’s careless behavior. Organizational measures aimed at building a culture of security awareness are very important in that regard, and it is the employer’s duty to ensure that employees understand their responsibilities concerning data privacy and that they abide by them.
To this end, it is likely that having internal guidance and policies in place would not, on its own, be sufficient. Companies will likely be in a better position, compliance-wise, if they can demonstrate that they actively make employees aware of data protection rules. A good practice is to set up internal employee training or other compliance programs for all employees dealing with personal data. Likewise, checking whether security measures are really being adhered to and investigating incidents should help companies reach and maintain a necessary level of protection.
By Marija Zrno Prosic, Partner, and Lucija Vranesevic, Attorney at Law, CMS Zagreb