The unloved Data Pro­tec­tion Offi­cer (DPO)

Ter­mi­na­ti­on and dis­mis­sal of data pro­tec­tion officers

Data pro­tec­tion offi­cers are employees or exter­nal ser­vice pro­vi­ders. The Gene­ral Data Pro­tec­tion Regu­la­ti­on (GDPR) endows them with a spe­cial legal sta­tus. In par­ti­cu­lar, data pro­tec­tion offi­cers are not sub­ject to any ins­truc­tions in the per­for­mance of their duties. In addi­ti­on, the Ger­man Fede­ral Data Pro­tec­tion Act (BDSG) gives them spe­cial pro­tec­tion against dis­mis­sal. Howe­ver, this by no means indi­ca­tes that com­pa­nies are power­less vis-à-vis their data pro­tec­tion offi­cers. We pro­vi­de an over­view of the legal action to be taken in the event of brea­ches of duty.

How do I get rid of him or her? 

The con­ceiva­ble con­stel­la­ti­ons are mani­fold: In prin­ci­ple, the data pro­tec­tion offi­cer can vio­la­te his or her duties to his or her employ­er in many con­texts. If the con­flicts can­not be resol­ved by other means, the ques­ti­on may ari­se as to whe­ther the data pro­tec­tion offi­cer can be ter­mi­na­ted or remo­ved. A distinc­tion must be made here: If the data pro­tec­tion offi­cer vio­la­tes duties that stem pre­cis­e­ly from his or her office as data pro­tec­tion offi­cer, ter­mi­na­ti­on is ruled out. In such cases, only a dis­mis­sal can be con­side­red, as recent­ly ruled by the Labour Court of Heil­bronn. Pur­su­ant to § 6(4), Sen­tence 1 of the Ger­man Fede­ral Data Pro­tec­tion Act (BDSG), dis­mis­sal is only per­mis­si­ble by app­ly­ing the pro­vi­si­ons on extra­or­di­na­ry ter­mi­na­ti­on accor­din­gly. In this respect, the­re are high hurd­les. The data pro­tec­tion offi­cer is pre­cis­e­ly not sup­po­sed to fear that he or she will be punis­hed by dis­mis­sal for con­sis­t­ent­ly per­forming his or her duties. Dis­mis­sal is pos­si­ble in par­ti­cu­lar in the event of serious brea­ches of pri­ma­ry and secon­da­ry duties, such as far-reaching negle­ct of his or her duties to pro­vi­de infor­ma­ti­on and advice or per­ma­nent­ly igno­ring moni­to­ring duties.

Who is lia­ble for whom?

In the event of data pro­tec­tion vio­la­ti­ons, com­pa­nies can be threa­ten­ed with finan­cial hard­ship from various direc­tions. Accor­ding to Artic­le 82 GDPR, natu­ral per­sons may cla­im dama­ges for mate­ri­al or imma­te­ri­al dama­ge. In addi­ti­on, data pro­tec­tion super­vi­so­ry aut­ho­ri­ties can impo­se signi­fi­cant fines. The data pro­tec­tion offi­cer him- or hers­elf is not direct­ly expo­sed to the­se claims. Howe­ver, if the­se claims against com­pa­nies are based on brea­ches of duty by the data pro­tec­tion offi­cer, the ques­ti­on of recour­se ari­ses. Such recour­se can exist in prin­ci­ple accor­ding to gene­ral con­trac­tu­al prin­ci­ples. In the case of inter­nal data pro­tec­tion offi­cers, the spe­ci­fics of labour law must be obser­ved. Accor­ding to the prin­ci­ples of intra-company com­pen­sa­ti­on, the employee is only 100% lia­ble in the event of gross negli­gence. Fur­ther­mo­re, pur­su­ant to § 619a of the Ger­man Civil Code (BGB), the employ­er must pro­ve that the data pro­tec­tion offi­cer is respon­si­ble for the breach of duty. In par­ti­cu­lar, if the data pro­tec­tion offi­cer does not ful­fill his or her moni­to­ring duties at all, wit­hout any par­ti­cu­lar reasons being appa­rent, claims to full recour­se may also be con­side­red. In the case of exter­nal data pro­tec­tion offi­cers, the­se rest­ric­tions do not app­ly; full lia­bi­li­ty may the­r­e­fo­re alre­a­dy exist in the case of slight negligence.


The­re are good reasons for the legis­la­ti­ve decis­i­on to grant data pro­tec­tion offi­cers spe­cial pro­tec­tion and inde­pen­dence within com­pa­nies. Nevert­hel­ess, com­pa­nies are not power­less: In the event of serious brea­ches of duty, dis­mis­sal or ter­mi­na­ti­on wit­hout noti­ce may be con­side­red. If com­pa­nies are expo­sed to fines or dama­ge com­pen­sa­ti­on claims due to brea­ches of duty by the data pro­tec­tion offi­cer, cor­re­spon­ding recour­se claims may exist.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.