What personal liability for CEOs in case of noncompliance with the GDPR?

Published on 22 March 2019

Since the GDPR came into force on 25 May 2018, the penalties imposed by the CNIL (the French supervisory authority) for non-compliance have been accumulating one after the other, whether for insufficient security, lack of transparency, inadequate information or even lack of valid consent. UBER, BOUYGUES TELECOM and GOOGLE LLC are but a few examples of recently sanctioned companies.

In practice, formal notices or sanctions issued by the CNIL for non-compliance only concern the legal entity, the only “person” affected by administrative sanctions. In most cases, the CEO (chief executive officer), in his/her capacity as representative, is only notified of the CNIL’s decision. However, s/he will be responsible for remedying the deficiencies identified by the supervisory authority.

CEOs often tend to neglect their personal responsibility. However, Article 24 of the GDPR provides for the possibility of engaging the controller’s liability.


Thus, in terms of sanctions, the CEO of the organisation is not always spared from risk. Indeed, in the event of his/her company's non-compliance with the GDPR, s/he is personally exposed to the risk of personal liability.


  • The absence of impunity for the CEO


The criminal liability of the CEO


As the representative of the data controller, the CEO is responsible for ensuring that his/her company complies with the requirements of the GDPR (compliance with the principles of lawful processing, guaranteeing data security and integrity, ensuring the rights of data subjects, etc.).


As such, s/he ensures that appropriate technical and organisational measures are put in place within the organisation to minimise the risk of sanctions for the company. There is no need to recall the risk of administrative fines of up to 4% of worldwide annual turnover or €20 million.


However, in addition to the sanctions for the legal entity, the CEO may be held personally liable. Indeed, if s/he fails to exercise due diligence in monitoring the implementation of these measures by employees, s/he may be held accountable.


The articulation of the GDPR with French legislation


It goes without saying that the liability of a legal entity does not necessarily shield the CEO in the event of a conviction. If the CNIL finds breaches during an inspection, it has the right to refer the matter to the Public Prosecutor for criminal proceedings against the CEO.


Thus, as soon as the CEO has personal knowledge of the breaches reported by the supervisory authority, s/he is required to do everything possible to comply with the requirements of the GDPR. In the case of negligence in achieving compliance, the following may be held against him/her:

  • Personal misconduct of the CEO who committed the alleged acts of complicity, breach of trust, concealment or violation of business secrecy;
  • The fault of employees, in the event of an employee’s unintentional fault. In this case, the CEO will be presumed to have neglected his/her duty to inform or supervise employees.


Articles 226-16 et seq. of the French Penal Code provide for a penalty of 5 years’ imprisonment and a fine of €300,000 for a CEO who fails to meet his/her compliance obligations (collecting data by fraudulent or unlawful means, processing data despite the objection of the person concerned, retaining data beyond the legal retention period provided for, etc.).


More frequently, alternative sanctions provided for in Article 131-6 of the Penal Code, which remain equally binding, may be imposed, namely:

  • The prohibition to issue payments on behalf of the company for a period of up to 5 years;
  • The prohibition to exercise a professional, social, commercial or industrial activity for up to 5 years;
  • The prohibition to directly or indirectly direct, administer, manage or control a company.


  • The application of sanctions against CEOs


Case study


In 2013, the IKEA brand was prosecuted during an investigation concerning the “habitual concealment” of offences. Among these offences, IKEA is accused of “unlawful espionage of its employees”, in particular by unofficially checking their criminal records. At the heart of this offence is the protection of personal data, although the CNIL did not initiate this procedure.


IKEA’s CEOs were placed under judicial supervision as representatives for “complicity in the collection of personal data contained in a file by fraudulent, unfair or unlawful means” and “complicity in the violation of professional secrecy”.


To date, the case is still not closed. In 2018, the public prosecutor’s office of the Tribunal de Grande Instance de Versailles (regional court) requested the case to be referred back to the criminal court.


Possible exemptions


The CEO could possibly be exempted if s/he has delegated his/her powers to another employee, for example to the HR director with regard to processing operations relating to employees. The burden of proving the existence of this delegation of power lies with the CEO and may be discharged by any means.


As a result, the delegatee may be held liable for breaches of the law, provided that the delegation meets the following conditions:

  • The delegatee shall be provided with the authority, competence and means necessary for carrying out the processing entrusted to him/her;
  • The delegation covers the management of personal data processing.

A delegation of authority to the DPO is inadvisable.


However, the CEO cannot entirely release himself/herself from his/her responsibilities, and delegations must be limited both in their purpose and in their scope.


To conclude: it is essential for the company’s CEO to be aware of the risks s/he faces in the event of negligence in bringing data processing operations into compliance with the GDPR. In addition to heavy administrative and criminal sanctions, the company’s reputation will likely be damaged, which can lead to a certain mistrust on the part of customers, partners and investors.


In order to reduce the risk of personal criminal proceedings, the CEO must therefore exercise due diligence in supervising the “GDPR” compliance scheme. This is done through:

  • Developing a record of processing activities and keeping it up to date;
  • Keeping evidence of compliance (information provided to data subjects, record of requests processed, etc.);
  • Monitoring internal data security (physical security of the premises, logical security of systems, etc.);
  • Supervising the implementation of the GDPR project;
  • Appointing a data protection officer and meeting regularly with him/her to ensure the company’s ongoing compliance and to provide him/her with the necessary support in any difficulties encountered. If you do not wish to appoint a DPO internally, consider outsourcing the function with DPO Consulting.


Marie de Asis-Trem