Anyone who works in a company usually has access to customers' data. Everyone knows that this data must not be used for private purposes. But what are the consequences if it happens anyway? Very few people would expect to be fined.

Let’s just assume …

Suppose someone still owes you money. Unfortunately, your debtor has moved in the meantime, and you don't know where to. You suspect that he might be one of your employer's customers, and indeed, a glance at the customer database confirms it. With a click of the mouse, you have found his new address. Even though you would certainly never do that, let's assume you use his new address to contact him about the money. What legal consequences could that have?

The principle of purpose limitation is violated

It is obvious that the principle of purpose limitation has been violated here. The customer gave his data to the company so that the company can use it, for example to process and deliver orders. The customer would never expect an employee to "divert" this data for a private purpose; that is not what it was provided for. The customer may therefore well complain to the data protection supervisory authority.

The data protection supervisory authority may impose fines

The data protection supervisory authority will take up the case. Since the GDPR came into force, the supervisory authority has far more powers than before. Among other things, it can impose fines, and in individual cases this can be really expensive: several hundred euros are reached very quickly. This also applies, of course, if someone misuses the employer's data for private purposes.

Who should expect a fine?

The interesting question here is who has to answer for this misuse of data. Is it the employed person who misused the data? Or is it the employer for whom he or she works? Opinions on this differ among regulators.

An „employee excess“ is an ugly matter

Most regulators refer to such a case as "employee excess." According to a common definition, this refers to "actions by employees that, when reasonably assessed, cannot be attributed to the scope of the respective entrepreneurial activity." That sounds a bit legalistic. But it's actually pretty clear what is meant by it.

Constant monitoring is not expected

No employer can stand behind every employee all the time, nor is he expected to. Therefore, the employer cannot be held responsible for everything an employee does at the workplace. If the employee attends to purely private matters there, that is not the employer's concern; the employee himself must answer for it. This also applies if the employee abuses his or her ability to access official data.

The employee must pay the fine for this

When data is misused for private purposes, this has considerable consequences for the "perpetrator". Through the misuse, he himself becomes the body responsible for handling the data, and consequently he himself is liable for it. The data protection supervisory authority can initiate fine proceedings against him personally and impose a fine. A fine of 200 or 300 euros is the lower limit in such cases; it can also be more expensive.

A fine for the employer is not a nice alternative

Ultimately, it becomes even more unpleasant for the employee if a supervisory authority does not treat the incident as "employee excess." Even then, of course, there are legal consequences; they are simply directed against the company. After all, someone has to take responsibility for the violation, and if it's not the employee, it's the company. In such cases, the principle applies: companies are liable for the misconduct of their employees. The responsible data protection authority will therefore impose a fine on the company.

The employer will draw consequences

Of course, the company will not simply shrug its shoulders and take note of this. Rather, it will investigate the misconduct internally, with consequences under employment law. Therefore: don't use company data for private purposes! This also applies to seemingly banal data such as an address. Here, too, the consequences are not worth it.