In a recent ruling, the Higher Regional Court of Stuttgart (HRC) has set an interesting precedent in the realm of data protection and privacy law. On February 25, 2025, the court fined a police officer EUR 1,500 for the intentional and unlawful processing of personal data. The judgment highlighted the stringent enforcement of the General Data Protection Regulation (GDPR) and, in particular, the conditions under which employees can be held responsible for data protection violations.
A. Case Background
The incident dates back to March 2, 2021, when the officer, using his service computer at the police station, accessed personal data about a colleague who was in custody. The officer had no official reason for this query. The court found that the officer knowingly accessed the data without any legitimate purpose, thus breaching GDPR provisions. The Stuttgart District Court had already convicted the officer in 2023 for the intentional administrative offense of unlawful processing of personal data and imposed a fine according to Art. 83 (1), (2), (5) lit. a) of the GDPR. The police officer had then filed a complaint ("Rechtsbeschwerde") against this decision.
B. Police Officer Acted as a Controller
The officer's complaint against the fine was deemed admissible but ultimately unfounded. The HRC upheld the initial ruling, emphasizing that the officer acted as a Controller according to Art. 4 (7) GDPR and that the mentioned database query constituted unlawful processing.
Key Legal Findings
- Controller Classification: The court confirmed that the officer acted as a "controller" under Article 4 (7) of the GDPR. This classification is crucial as it determines liability for administrative fines.
- General Principles: Initially, the court explained the general principles of the controller concept, noting that some argue that employees do not have decision-making power over the purposes and means of data processing and thus cannot be considered controllers (see Dieterle, ZD 2020, 135).
- Ultimately, the court referred to a statement by the European Data Protection Board (EDPB). Referring to paragraph 88 of the Guidelines 07/2020 on the concept of controller and processor in the GDPR, the court held that the data protection violation in question was deliberate and for non-official reasons. It was further established that the employee was not acting contrary to instructions but was not operating in a business-related capacity at all. In this context, the employee evaded supervision and thereby established their own decision-making authority.
- Data Query as Processing: Additionally, the court noted that even the mere querying of data falls under the concept of processing.
Implications for Data Protection
The ruling reinforces the importance of adequate data protection compliance and, in particular, sufficient supervision and training activities by the employer. It serves as a warning to employees about the severe consequences of misusing personal data. The decision also clarifies the legal responsibilities of individuals in handling personal data, ensuring that the GDPR's objective of effective penalties is met. Companies can rely on the arguments of the EDPB and the HRC in these typical "employee excess" cases as a defense strategy in fine proceedings.
C. Conclusion
The Higher Regional Court of Stuttgart's ruling is a pivotal decision in tech litigation, emphasizing the accountability of individuals under GDPR. It underscores the necessity for employees to adhere strictly to data protection regulations, ensuring that personal data is processed lawfully and responsibly. This case serves as a critical reminder of the personal and professional repercussions of data misuse and the importance of robust data protection practices.
At Reed Smith's Emerging Technologies Group, we are dedicated to guiding you through the complexities of data and digital-related challenges.