D: Payment of damages under data protection laws and tax evader CD
Category: News
By: R. Olschewski - 2B Advice GmbH - the privacy benchmark
Imagine the following fictitious case: German federal offices purchase a CD with the personal data of actual and/or alleged tax evaders.
The seller is (for example) a bank employee who, without permission, saved personal bank data from the bank's systems and then offered this data pool for sale to the tax authorities. On the basis of this data, criminal tax proceedings are subsequently initiated, and back tax payments are assessed.
Under data protection law, the starting point is that the collection, processing and use of personal data is permissible only within the framework of a narrowly defined purpose (§ 28 of the Federal Data Protection Act (Bundesdatenschutzgesetz - "BDSG")).
The transmission and use of such data for another purpose are generally also permissible for the prosecution of criminal offenses. However, a criminal prosecution is tied to a formal procedure. As such, a formal preliminary investigation is typically opened upon a corresponding initial suspicion.
This was not the case for the persons affected by the data pool. Therefore, the purchase of the data did not take place within the framework of a specific preliminary investigation, and the transmission and use of the data would not be permitted.
However, the impermissible collection and use of personal data make the responsible office liable to pay damages (§ 7 BDSG). That is, all financial disadvantages that the party concerned - in this case, the banking customer - has suffered as a consequence of the impermissible data collection, processing or use are damages eligible for compensation. If two or more offices (such as, for example, the bank or bank employees) have acted illegally, they are jointly and severally liable.
In this respect, the question arises of whether the tax evaders concerned can hold (for example) the tax authorities liable for damages as the purchaser of the data CD, because fiscal interests are not a reason under § 28, para. 3 BDSG to override the strict purpose limitation on the collected bank data.
In addition to any procedural costs and civil penalties, possible compensation for pain and suffering might also have to be examined as an item of damages, as this is provided for by various state data protection laws.
Parties concerned and advisers should not disregard aspects of data protection law when defending against claims and/or justifying recourse. Companies promptly secure themselves against data piracy through suitable measures, and are aware of the risk of data misuse by employees. Some companies manage databases that could be of interest to third parties and whose sale could be a great temptation for employees. Moreover, in the case of data theft, a company must anticipate claims from the parties concerned if security measures against this were not taken.
