The unloved Data Pro­tec­tion Offi­cer (DPO)

Ter­mi­na­ti­on and dis­mis­sal of data pro­tec­tion officers

Data pro­tec­tion offi­cers are employees or exter­nal ser­vice pro­vi­ders. The Gene­ral Data Pro­tec­tion Regu­la­ti­on (GDPR) endows them with a spe­cial legal sta­tus. In par­ti­cu­lar, data pro­tec­tion offi­cers are not sub­ject to any ins­truc­tions in the per­for­mance of their duties. In addi­ti­on, the Ger­man Fede­ral Data Pro­tec­tion Act (BDSG) gives them spe­cial pro­tec­tion against dis­mis­sal. Howe­ver, this by no means indi­ca­tes that com­pa­nies are power­less vis-à-vis their data pro­tec­tion offi­cers. We pro­vi­de an over­view of the legal action to be taken in the event of brea­ches of duty.

How do I get rid of him or her? 

The con­ceiva­ble con­stel­la­ti­ons are mani­fold: In prin­ci­ple, the data pro­tec­tion offi­cer can vio­la­te his or her duties to his or her employ­er in many con­texts. If the con­flicts can­not be resol­ved by other means, the ques­ti­on may ari­se as to whe­ther the data pro­tec­tion offi­cer can be ter­mi­na­ted or remo­ved. A distinc­tion must be made here: If the data pro­tec­tion offi­cer vio­la­tes duties that stem pre­cis­e­ly from his or her office as data pro­tec­tion offi­cer, ter­mi­na­ti­on is ruled out. In such cases, only a dis­mis­sal can be con­side­red, as recent­ly ruled by the Labour Court of Heil­bronn. Pur­su­ant to § 6(4), Sen­tence 1 of the Ger­man Fede­ral Data Pro­tec­tion Act (BDSG), dis­mis­sal is only per­mis­si­ble by app­ly­ing the pro­vi­si­ons on extra­or­di­na­ry ter­mi­na­ti­on accor­din­gly. In this respect, the­re are high hurd­les. The data pro­tec­tion offi­cer is pre­cis­e­ly not sup­po­sed to fear that he or she will be punis­hed by dis­mis­sal for con­sis­t­ent­ly per­forming his or her duties. Dis­mis­sal is pos­si­ble in par­ti­cu­lar in the event of serious brea­ches of pri­ma­ry and secon­da­ry duties, such as far-reaching negle­ct of his or her duties to pro­vi­de infor­ma­ti­on and advice or per­ma­nent­ly igno­ring moni­to­ring duties.

Who is lia­ble for whom?

In the event of data pro­tec­tion vio­la­ti­ons, com­pa­nies can be threa­ten­ed with finan­cial hard­ship from various direc­tions. Accor­ding to Artic­le 82 GDPR, natu­ral per­sons may cla­im dama­ges for mate­ri­al or imma­te­ri­al dama­ge. In addi­ti­on, data pro­tec­tion super­vi­so­ry aut­ho­ri­ties can impo­se signi­fi­cant fines. The data pro­tec­tion offi­cer him- or hers­elf is not direct­ly expo­sed to the­se claims. Howe­ver, if the­se claims against com­pa­nies are based on brea­ches of duty by the data pro­tec­tion offi­cer, the ques­ti­on of recour­se ari­ses. Such recour­se can exist in prin­ci­ple accor­ding to gene­ral con­trac­tu­al prin­ci­ples. In the case of inter­nal data pro­tec­tion offi­cers, the spe­ci­fics of labour law must be obser­ved. Accor­ding to the prin­ci­ples of intra-company com­pen­sa­ti­on, the employee is only 100% lia­ble in the event of gross negli­gence. Fur­ther­mo­re, pur­su­ant to § 619a of the Ger­man Civil Code (BGB), the employ­er must pro­ve that the data pro­tec­tion offi­cer is respon­si­ble for the breach of duty. In par­ti­cu­lar, if the data pro­tec­tion offi­cer does not ful­fill his or her moni­to­ring duties at all, wit­hout any par­ti­cu­lar reasons being appa­rent, claims to full recour­se may also be con­side­red. In the case of exter­nal data pro­tec­tion offi­cers, the­se rest­ric­tions do not app­ly; full lia­bi­li­ty may the­r­e­fo­re alre­a­dy exist in the case of slight negligence.

Sum­ma­ry

The­re are good reasons for the legis­la­ti­ve decis­i­on to grant data pro­tec­tion offi­cers spe­cial pro­tec­tion and inde­pen­dence within com­pa­nies. Nevert­hel­ess, com­pa­nies are not power­less: In the event of serious brea­ches of duty, dis­mis­sal or ter­mi­na­ti­on wit­hout noti­ce may be con­side­red. If com­pa­nies are expo­sed to fines or dama­ge com­pen­sa­ti­on claims due to brea­ches of duty by the data pro­tec­tion offi­cer, cor­re­spon­ding recour­se claims may exist.