Offences committed by an employee against data privacy and information systems security can entail criminal liability for the company for which the employee works, if such company has not adopted the necessary measures to prevent such behavior.
The most recent reform of the Spanish Criminal Code incorporated two new offences that establish corporate criminal liability for the following data privacy related conduct:
- Unauthorised access to a system, even if there is no access to the data it contains; and
- Unauthorised interception of communications.
Any failure to adopt the necessary prevention measures (or negligence in implementing them), usually in the form of a privacy compliance programme, may result in the company being convicted if an employee commits any of the above offences. Therefore, particular emphasis must be placed on prevention and response measures in any compliance plan, and on their connection with the requirements introduced by the GDPR.
Failing to adopt the protection measures required under the GDPR can be considered a very serious infringement, which can lead to the imposition of a sanction that can reach 20 million euros or 4 percent of the company's annual turnover.