Can an internal data protection officer (the generic masculine is used for reasons of simplicity) be dismissed and terminated if his position is no longer economically viable and an external service provider renders the same service more efficiently?
No! In its decision at the end of August 2022, the Federal Labor Court (BAG) emphasized that the termination of a data protection officer for organizational, financial or personnel policy reasons was ineffective and rebuffed any personnel restructuring to that effect.
Specifically, the defendant properly terminated the employment relationship and referred to a restructuring measure for the effectiveness of the termination, which led to the plaintiff no longer needing to work.
The Federal Labor Court declared this dismissal to be invalid, even though only the result of the meeting was known to date (2 AZR 225/20 – the Federal Labor Court). As a result, the BAG followed the decision of the lower courts, according to which the ordinary termination is already ineffective because the plaintiff as data protection officer according to § 38 paragraph 2 in conjunction with § 6 paragraph 4 sentence 2 of the Federal Data Protection Act (BDSG) only extraordinarily for important reasons reason can be terminated. In addition, the lower courts already stated: The restructuring measure described by the defendant does not generally represent an important reason for an extraordinary termination.
With the decision, the BAG deals with two questions that are relevant in practice. On the one hand, the BAG decision incorporates this year’s judgment of the Court of Justice of the European Union (ECJ judgment of June 22, 2022 – C 534/20). The ECJ recognized the German regulation, which links the dismissal and dismissal of an internal data protection officer to an important reason, as permissible.
A violation of European law does not result from the fact that the German regulation exceeds the requirements of the General Data Protection Regulation (GDPR), although this is already directly binding in the member states as a European regulation. The legal purpose of the GDPR results in an – unwritten – competence to set stricter requirements for the dismissal and termination of data protection officers.
On the other hand, the judgment of the BAG forms a further mosaic in answering the question of when there is an important reason for the dismissal or termination of a data protection officer. The decision of the BAG should be taken as an opportunity to answer some relevant questions about the data protection officer from corporate practice:
1. Why is protection against dismissal and dismissal important?
The answer to this question essentially results from Art. 38 Para. 1 GDPR. The data protection officer is not only responsible for informing and advising the person responsible (employer) and the employees with regard to data protection. He also monitors compliance with any data protection regulations, works with the supervisory authority and is their contact point for questions. In short: the data protection officer protects personal data. This includes all information that relates to an identifiable natural person (hereinafter: data subject).
This makes it clear that the interests in connection with data protection are different compared to information security or IT security. Information security is used for the general protection of internal company information, while IT security is used to protect the IT infrastructure. So while information security and IT security correlate with the employer’s interest in taking precautions against external influences, this does not have to be the case with data protection. This becomes particularly clear in the appendix of the following example.
As of 10/30/2020
It goes without saying that we handle your personal data responsibly. If we collect personal data from you, we process it in compliance with the applicable data protection regulations. You can find detailed information in our data protection declaration.
Consent to the use of data for advertising purposes
I agree that Vogel IT-Medien GmbH, Max-Josef-Metzger-Straße 21, 86157 Augsburg, including all companies affiliated with it within the meaning of Sections 15 et seq. AktG (hereinafter: Vogel Communications Group) my E e-mail address for sending editorial newsletters. Lists of the respective associated companies can be accessed here.
The content of the newsletter extends to the products and services of all the companies mentioned above, including, for example, trade journals and specialist books, events and trade fairs as well as event-related products and services, print and digital media offers and services such as other (editorial) newsletters, competitions, lead campaigns, Market research in the online and offline area, subject-specific web portals and e-learning offers. If my personal telephone number was also collected, it may be used for submitting offers for the aforementioned products and services from the aforementioned companies and for market research.
If I call up protected content on the Vogel Communications Group portals, including its affiliated companies within the meaning of §§ 15 ff. AktG, I have to register with additional data for access to this content. In return for this free access to editorial content, my data may be used in accordance with this consent for the purposes stated here.
right of revocation
I am aware that I can revoke this consent at any time for the future. My revocation does not affect the legality of the processing carried out on the basis of my consent up to the time of revocation. In order to declare my revocation, I can use the contact form available at as one option. If I no longer wish to receive individual newsletters to which I have subscribed, I can also click on the unsubscribe link at the end of a newsletter. I can find more information about my right of withdrawal and how to exercise it, as well as the consequences of my withdrawal, in the data protection declaration, section Editorial newsletters.
In practice, employers may have an increased actual interest in installing total surveillance by means of a “keylogger” on their employees in order to monitor their work performance as efficiently as possible. However, this is contrary to the interests of the employee and does not correspond to it.
This mixed situation makes the position of the data protection officer – similar to the works council – a position prone to conflict. In order to be able to exercise his function freely and independently, the data protection officer must be adequately protected from sanctions through dismissal and dismissal – as did the LAG Nuremberg in its decision of February 19, 2020 (Az.: 2 Sa 274/19, para. 72). will.
2. When do I appoint an internal or external data protection officer?
As an employer organized under private law, there is an obligation to appoint a data protection officer, in particular if at least 20 people are usually constantly busy with the automated processing of personal data, with regular employment being decisive (§ 38 Para. 1 Sentence 1 BDSG).
3. When can I terminate or dismiss an internal data protection officer?
As already stated, the internal data protection officer in Germany enjoys extensive protection against dismissal and dismissal. According to § 6 paragraph 4 sentence 1, paragraph 4 sentence 2 BDSG, the dismissal and termination of the internal data protection officer is only permissible if there is an important reason for termination that justifies termination without notice. Simple operational reasons are not enough.
This includes, in particular, serious breaches of duty towards the employer, which make further cooperation seem simply unreasonable and which cannot be remedied by more lenient measures. Experience has shown that case law places very high demands on this. Examples include criminal offenses related to the employment relationship, a reasonable suspicion of such or other serious breaches of duty (usually, only after a warning). Furthermore, the amicable conclusion of a termination agreement remains a viable way to part with a data protection officer.
4. Does the strict protection against dismissal and dismissal apply to every internal data protection officer?
No! Section 38 (2) BDSG stipulates that protection against dismissal for the internal data protection officer only applies if the appointment of a data protection officer is mandatory. If the data protection officer is appointed voluntarily, according to Art. 38 Para. 3 GDPR, he is “only” independent of instructions and may not be dismissed because of the fulfillment of his tasks.
5. Does some kind of protection also exist for external data protection officers?
The external data protection officer is not in an employment relationship with the person responsible and is therefore not employed as a dependent. He is therefore not entitled to any employee rights, in particular no far-reaching protection against dismissal. However, according to Art. 38 Para. 3 Sentence 2 GDPR, there is also an important restriction for the external data protection officer (cf. question 4).
The protection of a data protection officer against termination and dismissal is very high in Germany, at least in the case of a mandatory appointment. For this reason, those responsible and decision-makers are well advised not to assign the position to the person who is just “pulling the shortest match”. Rather, the position of the data protection officer should be seen by companies as one that, as a qualified decision-making aid, proactively and constructively influences the processing of personal data within the company. This can only succeed with qualified personnel.