Skip to content

In Germany, the ordinary termination of an internal data protection officer is not possible.

special protection

Special protection against dismissal for data protection officers

In Germany, data protection officers enjoy special protection against dismissal. Whilst this topic is not relevant for everyone who has to deal with GDPR compliance, it illustrates how national law makers have used opening clauses in the GDPR and that you need to monitor new developments on those as well at the national level as we do.

In Germany, data protection officers enjoy special protection against dismissal. Whilst this topic is not relevant for everyone who has to deal with GDPR compliance, it illustrates how national law makers have used opening clauses in the GDPR and that you need to monitor new developments on those as well at the national level as we do.

Introduction 

Data privacy officers have an exposed role with potential for conflict. Therefore, German law provides that internal data protection officers of public and non-public bodies may only be dismissed without notice for good cause (Sections 6(4), 38(2) BDSG). In the case of non-public bodies, termination is also possible at the request of the supervisory authority (cf. Section 40 (6) sentence 2 BDSG).

The regulation ensures that public authority and company data protection officers can perform their duties independently and free from fear of reprisals. However, the national regulation in the BDSG goes beyond the level of protection of the European GDPR. Article 38 (3) sentence 2 GDPR merely states that data protection officers may not be dismissed or penalised for performing his tasks. The termination with notice of a data protection officer for other reasons is thus not fundamentally excluded under the GDPR. 

The BAG had to deal with the question of the compatibility of both regulations and also reached out to the ECJ for clarification. In the underlying case, an employee who had been appointed as a data protection officer, among other things, had sued her employer because she was terminated with notice during the probation period in the first six months after the start of the employment relationship. 

No conflict with European law 

In the preliminary ruling proceedings brought by the BAG, the ECJ ruled that divergent national regulations on the protection of data protection officers against dismissal are compatible with the GDPR, as long as they do not impair the achievement of the objectives of the GDPR (ECJ, ruling of June 22, 2022 – C-534/20). This would be the case if the dismissal of a data protection officer by the controller not acting in accordance with the GDPR would be prevented or made unreasonably difficult.

Apart from that, the EU Member States are free to extend the protection against dismissal. After all, they have the legislative competence in the area of employment law. The purpose of the GDPR is precisely not to regulate the employment relationship, but to protect personal data. The BAG based its decision on this and consequently found the regulation in the BDSG to be permissible. 

No unjustified interference with the employer’s fundamental rights 

According to the court, the fundamental rights of employers would not be significantly affected by the special protection against dismissal standardized in the BDSG. So, the BAG saw an encroachment on the freedom of occupation (Art. 12 GG). However, the regulation would in fact be necessary to ensure that the data protection officer does not have to fear any disadvantages due to the independent exercise of his activity. The employer would also be free to decide whether to appoint an employee protected by the provision or an external person as data protection officer. As described below, external persons do not fall within the scope of protection of the discussed provision. 

What needs to be considered with regard to the dismissability of data protection officers? 

The special protection against dismissal for data protection officers of public and non-public bodies exists for those who are in an employment relationship with the controller/processor, i. e. internal employees.  

The special protection against termination exists… 

… whether the termination is related to the performance of the data protection duties or not. 

… even when the activity as a data protection officer is only one part of the employee’s job.  

… also immediately in the case of newly hired employees – not after the probation period for example. 

… continues for one year after the end of the activity as data protection officer (Section 6 (4) sentence 3 BDSG). 

The special protection against dismissal does not extend to external data protection officers. They are in a service relationship with the controller and therefore do not require the same level of protection. Regarding their dismissal, however, the European law Article 38 (3) sentence 2 DS-GVO continues to apply.

This means that even in their case, the ordinary or extraordinary termination may not take place solely because the data protection officer fulfils his/her duties pursuant to Article 39 (1) of the GDPR. Although the Member States are free to grant special protection against dismissal, which Germany has also made use of with regard to internal data protection officers, the level of protection of the GDPR for the dismissability of data protection officers may not be undercut in any case.    

If you have any more questions or concerns in connection with the appointment, dismissal or termination of data protection officers, we will be happy to assist you. 

NOCH FRAGEN?

Wir freuen uns auf Ihre Anfrage zu diesem und weiteren Themen!