Are companies always responsible if their employees cause a data breach under the General Data Protection Regulation (GDPR)? According to a recent decision by the Belgian Data Protection Authority (DPA), the answer appears to be yes, or at least in most cases.
The Case
In this case, a manager at a hospital accessed an employee’s files outside of working hours. The manager wanted to see how the employee might react to being dismissed. By doing this, the manager made an independent decision about how the data would be used, something that was outside their role and authority.
Normally, employees handle personal data on behalf of their employer. The employer is considered the controller (the one who decides how and why data is processed). But there are exceptions. Here, the DPA said that because the manager acted beyond their powers and independently decided how to use the data, the manager was personally responsible and became a controller under the GDPR.
The Key Question
Even though the DPA considered the manager a controller, did the hospital still have to report the data breach under Article 33 of the GDPR (which requires notifying the DPA about breaches)?
The DPA said yes. Even if the hospital was not directly responsible for the manager’s actions, it was still the main data handler. That meant the hospital was in the best position to notice the breach and report it quickly.
Why This Matters
At first, this might seem like a result-driven outcome. But when you look at the chain of data handling, the outcome also seems justified. At the time of the breach, the data was still under the hospital’s control. Whether the breach is caused by an external hacker or an internal rogue employee, the hospital’s duty to notify remains the same under the GDPR.