High Employment Protection for Data Protection Officers is GDPR-Compliant.

 Dismissal of the internal data protection officer is only permissible for good cause.

Hoher Kündigungsschutz für Datenschutzbeauftragte ist DSGVO-konform.

Data protection officers have to ensure that the rules of the GDPR are observed in companies. The intention is to prevent violations from occurring. These GDPR rules are severely sanctioned and can therefore harm the company. Companies can choose whether to appoint an internal or an external data protection officer. If an internal data protection officer is appointed, he or she enjoys a high level of protection against dismissal.

High Protection Against Dismissal for Internal Employees

Hence, employers must plan for an internal data protection officer to enjoy a high level of protection against dismissal. The national German regulations on protection against dismissal of a data protection officer are even stricter than those of the GDPR. But the national regulations are compatible with the General Data Protection Regulation, the Regional Labor Court (Landesarbeitsgericht, LAG) Nuremberg has now decided in a ruling on February 19, 2020 (Ref.: 2 Sa 274/19).

Termination Only For Good Cause 

According to Art. 38 para. 3 of the GDPR, the data protection officer may not be dismissed or put at a disadvantage because of the performance of his duties. The protection in Germany goes even further: According to Art. 6 para. 4 Federal Data Protection Act, the dismissal of the data protection officer is only permissible for good cause. This means that the national regulation is stricter than the European requirements of the GDPR. Nevertheless, the German regulation is compatible with European law, the LAG Nuremberg decided.

The Case

In the concrete case of the LAG Nuremberg, the plaintiff was employed by the defending employer. Furthermore, she was appointed as company data protection officer. Only a few months later she received notice of termination of her employment relationship. This was also intended to terminate her position as data protection officer or, alternatively, to revoke it for good cause.

The plaintiff opposed this. She applied for a ruling that the employment relationship would not be terminated by the notice of termination but would remain unchanged. Her position as data protection officer should not be ended by revocation. She was successful. Like the Labor Court at first instance, the Regional Labor Court Nuremberg also decided that the employment relationship was not ended by the dismissal. Likewise, the plaintiff’s legal position as data protection officer had not been terminated by revocation.

The Reasoning

The Regional Labor Court argued that at the time of the dismissal, the plaintiff had enjoyed the special protection against dismissal for data protection officers pursuant to Articles 38 (2), 6 (4) sentence 2 Federal Data Protection Act. According to this, termination is only permissible for good cause without observing a notice period. This shall remain in force for a further year after the effective dismissal as data protection officer. 

This strict national regulation does not violate the GDPR. According to the Regional Labor Court, specific national regulations are permissible if they do not fall short of the protection of the GDPR. The EU member states were not prevented from taking stricter protective measures in the field of labour law than those provided for in the European regulations.

The Regional Labor Court stated there had been no solid ground for the dismissal of the plaintiff as data protection officer. In particular, the solid ground was not the replacement of an internal data protection officer by an external data protection officer for organizational, financial or personnel management reasons.

Conclusion

With this in mind, employers must carefully consider whether an internal or external data protection officer is more appropriate for the company. appointment of a data protection officer can cost the company dear. It is also important to know that a data protection officer (internal or external) is generally only appointed in the private sector if the number of employees involved in the automated processing of personal data (internal or external) amount to 20 or more.