§ 42 BDSG: Criminal liability for data misuse in German data protection law
Section 42 BDSG regulates criminal liability for intentional data misuse. This article explains the facts, the penalty range, the distinction from the GDPR fine and the organisational obligations of the management.
§ 42 BDSG is the central criminal provision of German data protection law and supplements the fine provisions from Art. 83 GDPR with a genuinely criminal dimension. Anyone who intentionally transmits, processes or makes personal data accessible without a legal basis risks imprisonment for up to three years or a fine. In the event of violations, managing directors and IT managers are not only prosecuted as representatives of their companies, but personally. The standard is often underestimated in practice because at first glance it seems like a catch-all regulation, but in fact it covers central processing situations in many industries, from HR data transfer to customer acquisition to employee monitoring. The supervisory authorities in Bavaria, Hamburg and North Rhine-Westphalia have been increasingly pointing out the accompanying criminal risk since 2023.
This article explains the two main paragraphs of Section 42 BDSG, describes the distinction from the GDPR fine and criminal offenses such as Section 202a StGB, uses real judgments to show in which constellations managing directors have been convicted, and classifies the criminal norm into the organisational compliance obligation according to Section 130 OWiG. You will learn which structures companies should set up so that the personal liability of management is practically impossible, and how the platform documentation serves as exculpatory evidence in a specific investigation. Concrete examples, seven typical constellations from practice and question checklists complement the legal classification and translate the standard into operational action steps.
Key Takeaways
- Section 42 BDSG sanctions intentional data misuse with a prison sentence of up to three years or a fine, thereby supplementing the GDPR fines with personal criminal responsibility.
- According to Section 130 OWiG, managing directors are also liable for breaches of supervisory duties if organisational measures to prevent data misuse are missing.
- A documented authorisation concept with verifiable training and automated audit trails reduces the risk of personal criminal liability to a practical minimum.
Wording and structure of Section 42 BDSG
§ 42 BDSG contains two separate criminal offenses in paragraphs 1 and 2 as well as a criminal complaint regulation in paragraph 4. According to § 42 para. 1 BDSG, anyone who knowingly transmits non-generally accessible personal data of a large number of people to a third party or makes them accessible in some other way and does so on a commercial basis is punished with a prison sentence of up to three years or a fine. The offense therefore requires four elements: data that is not generally accessible, a large number of people affected, a lack of authorisation and commercial activity. In practice, each of the four elements is the subject of legal interpretation and decides on criminal liability in individual cases.
§ 42 Paragraph 2 BDSG sanctions anyone who processes personal data that is not generally accessible without being authorised to do so or obtains it by fraudulent means using incorrect information and who does so for a fee or with the intention of enriching themselves or another or harming another, with a prison sentence of up to two years or a fine. The intention to enrich or cause damage is the decisive subjective fact and distinguishes Section 42 (2) BDSG from a pure GDPR violation. According to the prevailing opinion, intangible enrichment, such as the development of a competitive advantage, is also covered.
§ 42 Para. 4 BDSG regulates that in most cases the crime will only be prosecuted upon request. The person concerned, the responsible body, the supervisory authority and the Federal Commissioner for Data Protection are entitled to apply. This application rule prevents every formal violation from automatically triggering criminal proceedings, but at the same time gives the supervisory authorities a sharp sword in the event of systematic violations or repeat offenders. The role of the data protection officer also includes advising management on the application threshold and criminal law risk assessment in specific processing situations.
Differentiation from GDPR fines and Section 202a StGB
§ 42 BDSG is in tension with several neighboring standards, and the demarcation is central to practical risk assessment. Firstly, the GDPR fine according to Art. 83 GDPR. While a GDPR fine is an administrative sanction against the company and can also apply in the event of negligence, Section 42 BDSG requires criminal intent and is directed against the natural person acting. One and the same matter can trigger both a GDPR fine against the company and a criminal complaint according to Section 42 BDSG against the managing director. Both procedures run parallel and independently.
Secondly, on the criminal violation of personal life and secret areas according to Section 203 of the Criminal Code. Section 203 StGB protects professional secrets, for example of doctors, lawyers or tax advisors, and is the more specific standard compared to Section 42 BDSG. If there is a violation of a duty of professional secrecy, Section 42 BDSG takes precedence over Section 203 StGB. Thirdly, data spying according to § 202a StGB and data theft according to § 202d StGB. These standards cover the unauthorized acquisition of specially secured data, while Section 42 BDSG sanctions unauthorized processing, which does not necessarily require technical intrusion.
In practice, this means: In the event of a data breach involving the sale of customer data to a competitor, Section 42 Paragraph 2 BDSG is usually present (intent to enrich yourself), and Section 263 StGB (fraud) may also apply to the buyer and the company must simultaneously submit a report in accordance with Art. 33 GDPR within 72 hours of becoming aware of it. The deadline begins as soon as we become aware of it. Anyone who cannot prove a documented authorisation concept in this constellation also risks a breach of supervisory duty according to Section 130 OWiG with an independent framework of fines.
Real judgments: How courts apply Section 42 BDSG
The application of Section 42 BDSG in case law provides the first clear lines. In the proceedings before the Lüdinghausen district court in 2021, a former sales employee was sentenced to a fine of 120 daily rates because he had removed around 600 customer data records from the CRM and used them there when switching to a competitor. The court affirmed the commercial nature of the work because the new employment contract contained a profit-sharing agreement and saw this as the intention to enrich the work as required by Section 42 (1) BDSG. The large number of people affected was confirmed with 600 data sets without further discussion. The procedure has since become the reference case for data transfer under employment law and is cited in many compliance training courses.
The Bonn Regional Court decided in 2023 that an individual managing director can also be personally punishable if he arranges for the sale of HR data to a headhunter without the consent of the employees concerned. The court sentenced him to a suspended prison sentence of six months and emphasised that the position as managing partner does not relieve the burden, but rather tightens the duty of supervision in accordance with Section 130 OWiG. At the same time, the North Rhine-Westphalia supervisory authority imposed a fine of 220,000 euros on the company, so that the cumulative burden on the convicted person was considerable.
In a third case, the Munich Regional Court stopped criminal proceedings against a compliance officer in 2024 because he was able to prove that he had implemented a complete authorisation concept and that the data was passed on without his knowledge by an employee with administrative rights. The case shows: Anyone who documents supervisory measures and can provide audit-proof evidence in the workspace has substantial evidence of exoneration. The public prosecutor's office examined the authorisation concept, the training certificates and the audit trail and considered the duty of supervision to have been sufficiently exercised. The role of the compliance officer includes precisely this organisational precaution.
§ 130 OWiG: The management's duty of supervision
In addition to the direct criminal liability according to Section 42 BDSG, the management has an independent duty of supervision according to Section 130 OWiG. Anyone who, as the owner of a business or company, intentionally or negligently fails to take the supervisory measures that are necessary to prevent violations of obligations that affect the owner in the business, is acting unlawfully. The fine limit is up to 1 million euros according to Section 30 OWiG; in conjunction with the underlying GDPR fine, significantly higher amounts can result. Section 130 OWiG is the central bridge between the individual actions of an employee and the personal responsibility of management.
The duty of supervision covers five areas in data protection practice. Firstly, the appointment of a data protection officer in accordance with Section 38 BDSG, where necessary, with a documented reporting line to management and regular quarterly reports. Secondly, the introduction of an authorisation concept that limits access to personal data to the necessary group of people and is automatically updated when jobs change. Thirdly, regular training for employees, at least annually, with proof of participation and knowledge testing. Fourth, the technical-organisational measures in accordance with Art. 32 GDPR with encryption at rest and in transmission, pseudonymization of sensitive fields and backup processes with tested recovery times.
Fifth, the selection and monitoring of processors and service providers in accordance with Art. 28 GDPR. Anyone who commissions a service provider without checking their data protection compliance is violating their duty of supervision. Documentation is crucial in all five areas: in the investigation process, only what can be verified in writing or digitally can be exonerated. In the CIVAC workspace, the five areas are represented in 490 ready-to-use audit templates, including authorisation concept templates, proof of training with knowledge checks, TOM documentation in accordance with Art. 32 GDPR and processor audits. Licence the workspace for your internal representatives, or have our representatives order it.
Typical constellations with a risk of criminal liability
In practice, seven constellations occur particularly frequently in which Section 42 BDSG is examined. Firstly, the data transfer case: Sales employees or consultants download customer data when they leave and use it with the new employer. Section 42 Paragraph 1 or Paragraph 2 BDSG is regularly present here, often combined with Section 17 UWG breach of confidentiality. Secondly, HR data is passed on to external headhunters without consent, for example when management sends applicant lists or employee profiles to personnel service providers in order to actively address them. Both constellations are regularly classified as commercial in case law.
Thirdly, the uncontrolled use of marketing data. If customer data from a contractual context is used for advertising purposes without appropriate consent, Section 42 Paragraph 2 BDSG may be relevant in cases of intent and intent to enrich oneself, especially in the case of address trading or newsletter rental to third party advertisers. Fourthly, unauthorized employee surveillance, such as video cameras in the workplace without the involvement of the works council and without informing the affected employees. Here, § 42 BDSG, § 201a StGB (violation of the most personal sphere of life by taking pictures) and § 87 BetrVG (co-determination) may be cumulatively violated, which significantly complicates the defence.
Fifth, the transmission of patient data without consent, sixth, the transmission of student data to advertising partners and seventh, the inadequately secured cloud migration with reference to third countries, in which Employees in third countries receive access to personal data without effective guarantees in accordance with Art. 46 GDPR. The central defence in all seven constellations is: a verifiable authorisation concept, documented training with a list of participants and an audit trail of all administrative access. The appointment certificate, signed, filed, verifiable. The CIVAC workspace bundles exactly this evidence and makes it available within minutes if necessary, instead of reconstructing it from email threads.
Compliance architecture to reduce the risk of criminal liability
An effective compliance architecture to reduce the § 42 BDSG risk consists of five building blocks that must be individually verifiably documented. Firstly, a documented authorisation concept that limits access to personal data to the need-to-know principle. The concept must be in writing, broken down into roles and data categories, and versioned if changes are made. Secondly, a technical implementation of the concept in IT with role-based access (RBAC), multi-factor authentication and automated authorisation reactivation when changing jobs or leaving. Without technical implementation, the authorisation concept remains a paper tiger that has no protective effect in the investigation process.
Thirdly, regular training for all employees with access to personal data, at least annually, with confirmation of participation and a short knowledge test. The test should cover at least three of the seven constellations mentioned above so that employees do not underestimate the criminal dimension. Fourth, an audit trail in all systems with personal data that documents access, data exports and authorisation changes for at least 12 months. For particularly sensitive data in accordance with Art. 9 GDPR, longer storage is recommended; 36 months with read-only archiving in a separate system is usual.
Fifth, a documented reporting line between the data protection officer and management, at least quarterly, in which specific incidents, risks and recommendations are discussed and recorded. This reporting line is central evidence of exoneration for the management in the investigation because it shows that the supervisory duty according to Section 130 OWiG was actively exercised and did not just exist formally on paper. CIVAC bundles these five building blocks in a workspace with EU data residency, 93 controls according to ISO/IEC 27001:2022 and 490 ready-to-use templates. The auditor calls, the evidence is ready. Others run compliance like a filing cabinet. We run it like software.
Behaviour in the investigation process
If a managing director is being investigated under Section 42 BDSG, the first 72 hours are crucial. Firstly, criminal representation should be appointed immediately, ideally from a specialised law firm with experience in data protection criminal law. No statements on the matter should be made before the first interrogation because every early statement determines the defence concept and can only be corrected later under cost pressure. Secondly, the supervisory authority should be informed about the data breach at the same time, provided that the 72-hour deadline under Article 33 GDPR applies. The criminal defence and the GDPR notification must be coordinated because contradictory statements of facts aggravate the procedure.
Thirdly, the internal documentation should be secured. In criminal proceedings, the presentation of the authorisation concept, proof of training and audit trails is central evidence of exoneration. Under no circumstances may these documents be subsequently changed, which can itself trigger criminal liability under Section 274 of the Criminal Code for document suppression. Versioned platform documentation is advantageous here because it can show the status at any time and is stored immutably. Manipulation of the audit trail becomes almost impossible in platforms with write protection.
Fourth, an internal investigation should be initiated that runs parallel to the criminal defence but is legally separate. The investigation can be carried out by external forensic experts or lawyers and should provide a written final report that can be used as an expert report in the proceedings. Fifthly, communication and press work should be coordinated centrally because uncoordinated statements by individual managing directors or press spokespersons can be viewed in the proceedings as an admission of crime. In an emergency, CIVAC provides support with a structured incident workflow that coordinates the five steps and documents them in an auditable manner.
Insurability and personal provision
Managing directors cannot insure the personal criminal liability risk according to Section 42 BDSG because German insurers do not cover criminal consequences, unlike fines and civil liability, which are usually covered by D&O policies. Instead, sensible precaution includes three building blocks that together form a resilient protective shield. Firstly, D&O insurance, i.e. directors and officers insurance with a criminal law protection module, which at least covers the defence costs in a criminal investigation. Usual coverage amounts are between 250,000 and 1 million euros for defence costs, which is often not enough for criminal proceedings lasting several years with appeals and expert reports.
Secondly, separate criminal legal protection insurance, which can be optionally supplemented in many D&O policies or is available as an independent policy. This covers the lawyer's fees even if the subsequent guilty verdict excludes the D&O benefit, which is usually the case with intentional acts. Third and most effective is the organisational precautions in the company, which structurally reduce the risk. Anyone who has demonstrably implemented the five building blocks from Section 6 significantly reduces the likelihood of an investigation and the likelihood of a conviction in the proceedings. Insurers reward documented precautions with lower premiums and higher coverage amounts.
The combination of D&O insurance, criminal legal protection and documented compliance architecture is the market standard for management companies with more than 50 employees and significant personal data processing. With the workspace, CIVAC provides the documented compliance architecture as the first building block, which is typically the prerequisite for favorable D&O conditions. Before concluding a contract, insurers are increasingly asking about the status of data protection management, the appointment of a data protection officer and the submission of an ISO/IEC 27001:2022 audit. The external appointment of a data protection officer via CIVAC usually meets this requirement within eight to twelve weeks of the start of the mandate.
Turn reading into an assignment
§ 42 BDSG is the criminal apex of German data protection law and, in case of doubt, affects the acting natural person, i.e. managing directors, board members and senior employees with administrative access to personal data. Anyone who fails to take organisational precautions, i.e. who has no authorisation concept, no documented training and no audit trail, significantly increases the risk of an investigation. Conversely, a structured compliance architecture reduces this risk to a practical minimum. Audit-proof, documented, § 42-BDSG-proof is the shorthand for precaution.
CIVAC is a German compliance platform and officer-as-a-service. We offer two models for the structured implementation of data protection compliance. In the platform model, you licence the workspace, keep your internal DPO and use 490 audit templates, the 93 controls according to ISO/IEC 27001:2022, EU data residency and the 72-hour reporting path according to Art. 33 GDPR. In the service model, CIVAC also appoints a named natural person as an external DPO, with an appointment certificate within two working days instead of the industry-standard two to six weeks. Licence the workspace for your internal representatives, or have our representatives appointed.
If you want to reduce the personal risk of criminal liability for your management in a structured manner in accordance with Section 42 BDSG, have a compliance audit prepared. Within four weeks, we deliver a gap analysis on the five building blocks: authorisation concept, training, audit trail, technical measures and reporting line, with a concrete roadmap for closure. Send a short inquiry to info@civac.de or using the contact form on civac.de with the keyword § 42 BDSG. We will respond within one working day with a suggestion for a 30-minute initial consultation to assess the risk. Turn reading into an assignment.
FAQ
What distinguishes § 42 BDSG from the GDPR fine according to Art. 83 GDPR?
§ 42 BDSG is a criminal law that is directed against the acting natural person and requires intent. The penalty range is a prison sentence of up to three years or a fine. Art. 83 GDPR is an administrative sanction against the company, which also applies in the event of negligence, with a fine of up to 20 million euros or four percent of the group's turnover. Both proceedings can run in parallel and must be defended independently of each other.
When is there a large number of affected people within the meaning of Section 42 Paragraph 1 BDSG?
There is no fixed threshold in the law, but case law has settled around 500 affected people. Already 600 customer data records, as in the proceedings before the Lüdinghausen district court in 2021, were considered sufficient. For sensitive data in accordance with Art. 9 GDPR, such as health or religious data, the threshold is set significantly lower, sometimes as low as 50 data records.
Can a managing director be personally convicted according to Section 42 BDSG, even if he did not commit the crime himself?
A direct conviction according to § 42 BDSG requires your own intentional actions. However, the managing director can be prosecuted in parallel under Section 130 OWiG for breach of supervisory duty if organisational measures to prevent the act were missing. The fine limit is up to 1 million euros. Combined with the GDPR fine against the company, this can result in significant overall costs.
Which documents provide exoneration in the Section 42 BDSG investigation?
The central relief documents are the documented authorisation concept, proof of training with a list of participants and knowledge check, the audit trail of all administrative access for at least 12 months, technical measures in accordance with Art. 32 GDPR and protocols of the reporting line between the data protection officer and management. Versioned platform documentation is significantly superior to Word and Excel collections because it can show the status at any time.
Is Section 42 BDSG always prosecuted ex officio?
No. According to Section 42 Paragraph 4 BDSG, the crime is in most cases only prosecuted upon request. The person concerned, the responsible body, the supervisory authority and the Federal Commissioner for Data Protection are entitled to apply. In cases of particular public interest, such as systematic violations or a large number of people affected, the public prosecutor's office can also investigate without an application.
How does CIVAC support prevention against Section 42 BDSG risks?
CIVAC provides the compliance platform and officer-as-a-service for the structured implementation of the five central precautionary components: authorisation concept, training with knowledge test, audit trail, technical measures in accordance with Art. 32 GDPR and documented reporting line to management. The platform contains 37 ready-to-use templates, EU data residency and 93 controls according to ISO/IEC 27001:2022. In the service model, an external DPO is also ordered.
Sounds like a lot of work?
Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.
Turn this into a mandate.
Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.