Termination and dismissal of data protection officers
Data protection officers are employees or external service providers. The General Data Protection Regulation (GDPR) endows them with a special legal status. In particular, data protection officers are not subject to any instructions in the performance of their duties. In addition, the German Federal Data Protection Act (BDSG) gives them special protection against dismissal. However, this by no means indicates that companies are powerless vis-à-vis their data protection officers. We provide an overview of the legal action to be taken in the event of breaches of duty.
How do I get rid of him or her?
The conceivable scenarios are manifold: in principle, the data protection officer can violate his or her duties to his or her employer in many contexts. If the conflicts cannot be resolved by other means, the question may arise as to whether the data protection officer can be terminated or removed. A distinction must be made here: If the data protection officer violates duties that stem precisely from his or her office as data protection officer, termination is ruled out. In such cases, only a dismissal can be considered, as recently ruled by the Labour Court of Heilbronn. Pursuant to § 6(4), Sentence 1 of the German Federal Data Protection Act (BDSG), dismissal is only permissible by applying the provisions on extraordinary termination accordingly. The hurdles in this respect are high. The point is that the data protection officer should not have to fear being punished by dismissal for consistently performing his or her duties. Dismissal is possible in particular in the event of serious breaches of primary and secondary duties, such as far-reaching neglect of his or her duties to provide information and advice or permanently ignoring monitoring duties.
Who is liable for whom?
In the event of data protection violations, companies can be threatened with financial hardship from various directions. According to Article 82 GDPR, natural persons may claim damages for material or immaterial damage. In addition, data protection supervisory authorities can impose significant fines. The data protection officer him- or herself is not directly exposed to these claims. However, if these claims against companies are based on breaches of duty by the data protection officer, the question of recourse arises. Such recourse can exist in principle according to general contractual principles. In the case of internal data protection officers, the specifics of labour law must be observed. According to the principles of intra-company compensation, the employee is only 100% liable in the event of gross negligence. Furthermore, pursuant to § 619a of the German Civil Code (BGB), the employer must prove that the data protection officer is responsible for the breach of duty. In particular, if the data protection officer does not fulfill his or her monitoring duties at all, without any particular reasons being apparent, claims to full recourse may also be considered. In the case of external data protection officers, these restrictions do not apply; full liability may therefore already exist in the case of slight negligence.
There are good reasons for the legislative decision to grant data protection officers special protection and independence within companies. Nevertheless, companies are not powerless: In the event of serious breaches of duty, dismissal or termination without notice may be considered. If companies are exposed to fines or damage compensation claims due to breaches of duty by the data protection officer, corresponding recourse claims may exist.