Removal of a data protection officer only for cause?
In order to clarify the question whether the German Federal Data Protection Act’s (“BDSG”) requirements for the removal of a data protection officer are in accordance with the European General Data Protection Regulation (“GDPR”), the German Federal Labor Court (“BAG”) on April 27, 2021 filed a reference for a preliminary ruling with the European Court of Justice (“ECJ”).
In the underlying case, the plaintive employee is the chairman of the works council who is partially released from work. With effect from June 1, 2015, he was also appointed as the defendant employer’s and – in parallel – three further group companies’ data protection officer.
By letter dated December 1, 2017 and – after the GDPR came into effect – by another letter dated May 25, 2018, the employer removed the plaintiff (as did the three further group companies) as data protection officer. In his complaint, the plaintiff claimed his legal position as data protection officer would still continue to exist. The defendant held the position there were impending conflicts of interest if the plaintiff served as data protection officer and chairman of the works council at the same time. This would result in a conflict between both offices which constituted a compelling reason for the plaintiff’s removal.
The lower courts upheld the action. The decision as to whether the employer effectively removed the employee from his office as the company’s data protection officer depends on the interpretation of Union law, which is reserved for the ECJ. In Art. 38 Sec. 2 in conjunction with Art. 6 Sec. 4 sentence 1 BDSG, German data protection law provides for high hurdles for a removal. Accordingly, the removal of a company’s data protection officer must be based upon a compelling reason pursuant to Art. 626 BGB (German Civil Code). As such, the dismissal of a data protection officer is subject to stricter requirements than under EU law, according to which, under Art. 38 Sec. 3 sentence 2 GDPR, a removal is not permitted only if it is executed due to the performance of the data protection officer's duties. European law does not require an important reason for removal.
On the basis of previous case law, the BAG does not see a compelling reason for removal in the present case. Therefore, it has addressed the ECJ with the question of whether, in addition to the provision pursuant to Art. 38 Sec. 3 sentence 2 GDPR, (stricter) provisions of the Member States are applicable, which – such as Art. 38 Sec. 2 in conjunction with Art. 6 Sec. 4 sentence 1 BDSG –restrict the possibility of removing a data protection officer compared to the provisions pursuant to EU law.
Should the ECJ consider the BDSG’s requirements for a removal to be in compliance with EU law and as such effective, the BAG also considers it necessary to clarify whether the offices of the chairman of the works council and data protection officer in a company may be held by the same person or whether this leads to a conflict of interest pursuant to Art. 38 Sec. 6 sentence 2 GDPR.
Practical tip
Not many employers will appoint a works council member as data protection officer. Nevertheless, it is important to know whether these offices are compatible. Regardless of the legal dispute’s outcome, one should ensure that works council members are not appointed as company data protection officers due to the existing conflict of interest.
Much more relevant, however, is the question to what extent an employed data protection officer is protected against removal and dismissal. Although the data protection officer is independent in the performance of his or her duties, as an employee he or she is still subject to the employer’s instructions and could be dismissed. The decision of the ECJ remains to be seen.
