High Protection Against Dismissal for Internal Employees
Hence, employers must plan for an internal data protection officer to enjoy a high level of protection against dismissal. The national German regulations on protection against dismissal of a data protection officer are even stricter than those of the GDPR. But the national regulations are compatible with the General Data Protection Regulation, the Regional Labor Court (Landesarbeitsgericht, LAG) Nuremberg has now decided in a ruling on February 19, 2020 (Ref.: 2 Sa 274/19).
Termination Only For Good Cause
According to Art. 38 para. 3 of the GDPR, the data protection officer may not be dismissed or put at a disadvantage because of the performance of his duties. The protection in Germany goes even further: According to Art. 6 para. 4 Federal Data Protection Act, the dismissal of the data protection officer is only permissible for good cause. This means that the national regulation is stricter than the European requirements of the GDPR. Nevertheless, the German regulation is compatible with European law, the LAG Nuremberg decided.
The Case
In the concrete case of the LAG Nuremberg, the plaintiff was employed by the defending employer. Furthermore, she was appointed as company data protection officer. Only a few months later she received notice of termination of her employment relationship. This was also intended to terminate her position as data protection officer or, alternatively, to revoke it for good cause.
The plaintiff opposed this. She applied for a ruling that the employment relationship would not be terminated by the notice of termination but would remain unchanged. Her position as data protection officer should not be ended by revocation. She was successful. Like the Labor Court at first instance, the Regional Labor Court Nuremberg also decided that the employment relationship was not ended by the dismissal. Likewise, the plaintiff’s legal position as data protection officer had not been terminated by revocation.
The Reasoning
The Regional Labor Court argued that at the time of the dismissal, the plaintiff had enjoyed the special protection against dismissal for data protection officers pursuant to Articles 38 (2), 6 (4) sentence 2 Federal Data Protection Act. According to this, termination is only permissible for good cause without observing a notice period. This shall remain in force for a further year after the effective dismissal as data protection officer.
This strict national regulation does not violate the GDPR. According to the Regional Labor Court, specific national regulations are permissible if they do not fall short of the protection of the GDPR. The EU member states were not prevented from taking stricter protective measures in the field of labour law than those provided for in the European regulations.
The Regional Labor Court stated there had been no solid ground for the dismissal of the plaintiff as data protection officer. In particular, the solid ground was not the replacement of an internal data protection officer by an external data protection officer for organizational, financial or personnel management reasons.
Conclusion
With this in mind, employers must carefully consider whether an internal or external data protection officer is more appropriate for the company. appointment of a data protection officer can cost the company dear. It is also important to know that a data protection officer (internal or external) is generally only appointed in the private sector if the number of employees involved in the automated processing of personal data (internal or external) amount to 20 or more.