In its judgment of 22 June 2022 (Case C-534/20; available here), the ECJ ruled on the question whether the GDPR allows for the applicability of the German provisions governing the termination of a data protection officer’s (DPO) employment pursuant to Paragraph 38 (2) and Paragraph 6 (4) sentence 2 Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG). According to the ECJ, the German provisions, under which a DPO’s employment may only be terminated for just cause, even if the termination is not related to the performance of his or her duties, in principle do not conflict with EU law. However, the realisation of the objectives of the GDPR must not be compromised by the interpretation of the regulations, i.e., the DPO must continue to be sufficiently competent for his or her activities. The German Federal Labour Court (Bundesarbeitsgericht, BAG) followed the ECJ in its ruling of 25 August 2022 (Case 2 AZR 225/20 – available here) and denied that the achievement of GDPR objectives is undermined by the German provisions. Although the BAG did not completely resolve the conflict between German employment protection law and the GDPR in its ruling, it indicates that it does not want to tamper with the strict, traditionally employee-friendly application of employment protection law in favour of data protection.
The BAG had to decide on the lawfulness of a DPO’s employment termination by her employer. The employer, a company governed by private law, which is obliged under German law to appoint a DPO, had terminated the DPO's employment with due notice because of a restructuring measure (i.e., the planned outsourcing of data protection tasks to an external data protection officer). The courts of lower instance held that the termination was invalid because the provisions governing the termination of a DPO’s employment pursuant to Paragraph 38 (2) and Paragraph 6 (4) sentence 2 BDSG were applicable and for this reason the employment relationship could only have been terminated for just cause.
Paragraph 6 (4) BDSG, which also applies to mandatorily appointed DPOs of non-public bodies pursuant to Paragraph 38 (2) BDSG, reads as follows:
"The dismissal of the data protection officer shall be permitted only by applying Paragraph 626 of the German Civil Code accordingly. The data protection officer’s employment shall not be terminated unless there are facts that give the public body just cause to…
Dec 06 2023