When an employee misappropriates customer data for personal purposes, the question arises: does the company bear liability for this under the GDPR? In March 2026, the Higher Regional Court (Oberlandesgericht) of Brandenburg issued a landmark ruling on this point, reaffirming a position of immediate relevance to all companies and processors with access to customer data.
Facts of the Case
The proceedings (OLG Brandenburg, judgment of 02.03.2026, 1 U 1/24) concerned a data protection incident that occurred in 2020 at a manufacturer of hardware wallets for cryptocurrencies. Two separate and independent incidents had taken place. First, an employee of the engaged e-commerce service provider gained unauthorised access to the customer database and exported records for personal purposes. Second, unknown hackers exploited a misconfigured API to access customer data, which was subsequently published on the internet. The data affected comprised names, addresses, telephone numbers, and email addresses. An aggrieved customer brought a claim for EUR 1,500 in damages pursuant to Art. 82 GDPR.
The Decision: Exemption from Liability under Art. 82(3) GDPR
The OLG Brandenburg dismissed the claim in its entirety. The Senate did acknowledge, in principle, a breach of the GDPR in the form of unauthorised access to personal data within the meaning of Art. 4(12) GDPR. However, it held that the defendant company was exempt from liability under Art. 82(3) GDPR, since it bore no responsibility whatsoever for either of the incidents.
With regard to the employee excess, the court found that the engaged e-commerce service provider had thoroughly vetted its support staff, examining professional qualifications, employment history, and criminal records certificates. A more extensive “four-eyes principle” for support access was held to be disproportionate. The Senate’s core holding reads as follows:
“The case of the so-called employee excess, in which an employee misuses or misappropriates data for personal purposes, does not therefore – provided the employees have been carefully selected as in the present case – give rise to liability on the part of the controller under the GDPR or of its processor. It is rather established that, through this form of data processing, the employee themselves becomes the controller within the meaning of Art. 4(7) GDPR and is consequently directly liable to the data subjects affected by the breach.”
Regarding the hacker attack via the misconfigured API, the court reached the same conclusion: the company had engaged a specialist service provider recommended by the market leader in the field. Nothing further was required; in particular, there was no obligation to obtain security certifications.
Relationship to Other Decisions
The OLG Brandenburg expressly grounds its approach in the decision of the OLG Stuttgart of 25.02.2025 (Ref. 2 ORbs 16 Ss 336/24). In that case, a police officer had accessed data concerning a colleague through the police information system “POLAS” without any official justification. The OLG Stuttgart classified the officer himself as the data protection controller within the meaning of Art. 4(7) GDPR and upheld a fine of EUR 1,500. Any person who processes personal data entirely outside the scope of their official duties and for personal purposes makes an autonomous decision as to the purposes and means of processing and is personally liable for that decision.
It should be noted, however, that there are comparable fact patterns in which courts have reached a different conclusion. The OLG Hamm, in a decision dated 24.07.2024 (Ref. 11 U 69/23), expressly rejected an exculpation based on Section 831 of the German Civil Code (BGB) in the GDPR context, holding that the careful selection and supervision of employees was insufficient to extinguish liability under Art. 82 GDPR. This does not, however, give rise to a direct conflict with the OLG Brandenburg ruling. In the OLG Hamm case, there was no genuine employee excess: an employee of a vaccination centre had inadvertently sent the data of approximately 13,000 individuals as an unprotected Excel attachment. In doing so, she acted within the scope of her official duties, albeit negligently. This distinction is decisive:
- Negligent error in the course of employment (OLG Hamm): the employee acts on behalf of the company but does so defectively. Exculpation pursuant to Section 831 BGB is unavailable, and the company’s liability under Art. 82 GDPR subsists.
- Intentional data misuse for personal purposes (OLG Brandenburg): the employee acts entirely outside the scope of their employment duties. The employee themselves becomes the controller within the meaning of Art. 4(7) GDPR, while the company may exculpate itself under Art. 82(3) GDPR provided it can demonstrate careful personnel selection.
The line of demarcation thus turns not on the distinction between “employee” and “supervisor” but on whether the harmful conduct still falls within the employer’s sphere of activity or steps entirely outside it.
Conclusion and Practical Guidance
The OLG Brandenburg ruling establishes an important line of defence, but it presupposes that companies are in a position to substantiate it when called upon to do so. Companies should document their personnel selection procedures (qualification checks, criminal records enquiries, etc.), record their selection criteria for external service providers in writing, and ensure that data processing agreements and the technical and organisational measures required under Art. 32 GDPR are kept up to date and can be demonstrated at any time. Failing this, an exculpation under Art. 82(3) GDPR will frequently prove unavailing in litigation.
Contact:
Jens Borchardt