Update: Scope of protection against dismissal and removal of the data protection officer - incompatibility with chairpersonship of the works council

The interplay of European law and national law with regard to the legal position of the data protection officer ("DPO") has repeatedly occupied both the German Federal Labour Court (“BAG”) and the European Court of Justice (“ECJ”) in recent years. After the ECJ ruled on 22 June 2022 (Ref.: C-534/20; available here) that the protection against dismissal under sec. 38 para. 2 in conjunction with sec. 6 para 4 sentence 2 German Data Protection Act (German: “Bundesdatenschutzgesetz”, short form: “BDSG”) is compatible with the European requirements of Art. 38 para. 3 sentence 2 General Data Protection Regulation (“GDPR”) (German: “Datenschutz-Grundverordnung”, short form: “DSGVO”), the BAG followed this ruling in its decision of 25 August 2022 (Ref.: 2 AZR 225/20) and declared that the objectives of the GDPR are not affected by the protection against dismissal in this respect. Finally, the ECJ and the BAG had to clarify whether the strict requirements for the dismissal of a DPO according to sec. 6 para. 4 sentence 1 BDSG are in conformity with European law.

Furthermore, the BAG ruled that the position as chairperson of the works council is incompatible with the role of the DPO, thus a removal due to conflict of interest is lawful.

I. Reminder: BAG decision on the (in)effectiveness of an ordinary dismissal of the DPO

In the context of its decision on the ordinary dismissal of a DPO by a company organised under private law as employer, the BAG was first faced with the question of whether the national special protection against dismissal under the BDSG is compatible with EU law. Pursuant to sec. 38 para. 2 in conjunction with sec. 6 para. 4 sentence 2 BDSG, the DPO is entitled to special rights of protection against dismissal under German law, according to which he or she can only be dismissed for good cause (and therefore not ordinarily). The conformity with EU law could be doubted in this respect, as under these national special rights of protection against dismissal, stricter conditions are applied to the dismissal of a DPO than under the data protection law provision on protection against dismissal in Art. 38 para. 3 sentence 2 GDPR. The ECJ concluded that Art. 38 para. 3 sentence 2 GDPR does not conflict a national regulation according to which a DPO employed by a controller or a processor can only be dismissed for cause, even if the dismissal is not related to the performance of his or her task, provided that this regulation does not interfere with the achievement of the objectives of the GDPR.

The ECJ also defined the limit when such an impairment by the national protective regulations exists in the case of a termination by the employer. This is when the protection against dismissal:

"prohibits any dismissal of a data protection officer who no longer possesses the professional qualities required for the performance of his or her tasks or who does not perform his or her tasks in accordance with the GDPR by a controller or processor".

This result is justified by the objective of the GDPR regulation: It is to ensure the functional independence of the DPO as well as the effectiveness of the regulations of the GDPR and therefore a high level of data protection. In contrast, the national regulations on the DPO's protection against dismissal primarily serve social policy.

However, according to the decision of the BAG, the regulation in the BDSG is within these limits in that "only" the threshold of significance of a "good cause" must be reached. Thus, the ordinary termination of a DPO remains excluded due to the special rights of protection against dismissal.

With regard to the German regulation, however, it was still not clearly clarified whether and when a termination may be justified on data protection grounds. By referring to the fact that the removal of the DPO is regularly sufficient to ensure the objectives of the GDPR and that a termination is then not necessary, the BAG indicates that the impairment of the GDPR purpses alone would not be enough for a termination. Thereby the BAG states that a removal of the DPO from his role, which under German law also requires the existence of good cause, can be declared below the threshold of extraordinary termination. Whether and, if so, in which cases it considers a dismissal in the interest of data protection - as required by the ECJ - to be possible remains open.

Therefore, in the future, the labour courts will have to deal in particular with the question of when the lack of qualification of a DPO or the non-fulfilment of his or her official duties justifies the existence of an important reason entitling to dismissal. In this regard, the Heilbronn Labour Court (ArbG Heilbronn) has already decided in its decision of 29 September 2022 (Ref.: 8 Ca 135/22) that conduct of the DPO that is purely contrary to his duties can only lead to sanctions under labour law if the breach of duty correlates with misconduct in the employment relationship. Further decisions remain to be seen.

In this context, it is important to note that according to the LAG Saxony (decision of 17 March 2023, Ref.: 4 Sa 133/22), the deputy DPO is also subject to the special rights of protection against dismissal under the BDSG.

II. Further development of case law leads to clarity regarding the removal of a DPO

The question of the conformity of German law with the GDPR also occurred to the BAG with regard to the removal of the DPO according to sec. 6 para. 4 sentence 1 BDSG, since here, too, the national regulation has stricter requirements than EU law. In this case, the DPO was removed on the argument that there was a conflict of interest if the DPO was also the chairperson of the works council. The BAG also suspended the proceedings in this case and referred0 the following question to the ECJ for a preliminary ruling:

"Is Art. 38 sec. 3 sentence 2 of the GDPR to be interpreted as precluding a provision of national law, such as, in this case, sec. 38 para. 1 and 2 in conjunction with sec. 6 para 4 sentence 1 of the BDSG, which makes the removal of the data protection officer by the controller, who is his employer, dependent on the conditions set out therein, irrespective of whether it takes place in the context of the performance of his duties?"

The ECJ concluded on 9 February 2023 (Ref.: C-560/21; available here) (again) that Art. 38 GDPR does not preclude a national rule under which a DPO employed by a controller or processor may be removed only for cause, even if the removal is not related to the performance of his or her duties, provided that such rule does not prejudice the achievement of the objectives of the GDPR.

In this respect, one can speak of a continuation of the case law on special rights of protection against dismissal. This is also shown the fact that the wording of the ECJ rulings is almost completely identical. In addition, the justification is also based on the objectives of the GDPR to preserve the functional independence of the DPO and to ensure the effectiveness of the provisions of the GDPR. The similarity to the decision of 22 June 2022 is also evident with regard to the defined limits, so that stricter national protection would not be permissible here either if any removal by a controller or processor of a DPO who no longer has the professional qualities required for the performance of his or her duties or who does not perform his or her duties in accordance with the GDPR were prohibited.

III. The BAG's decision: No impairment of the objectives of the GDPR by the removal regulation

As expected, the BAG followed this decision of the ECJ in its judgment of 6 June 2023 (Ref.: 9 AZR 621/19) and stated that there was no impairment of the achievement of the objectives of the GDPR. The conditions under which the DPO can be removed with legal effect would be raised to the threshold of "good cause", but not made completely impossible or unreasonably difficult. To underline that a DPO is not protected from any loss of his or her legal position, the BAG cites the possibility of a request for removal by the responsible authorities of the federal under sec. 40 para. 6 sentence 2 BDSG. In this context, the BAG also states that the termination of the employment relationship of a DPO is regularly not necessary in addition to his or her dismissal.

Furthermore, the BAG gives examples of "important reasons":

• These include reasons that are related to the function and activity of the DPO and make a further fulfilment of this function impossible or at least endanger it considerably (e.g. betrayal of secrets or a permanent violation of the supervisory duties as DPO).
• Also, the termination of the underlying employment relationship can be understood as good cause.
• In addition, good cause can be assumed if the DPO does not have the necessary expertise or reliability to perform the duties. The BAG specifically uses this group of cases to establish conformity with the GDPR, because when examining whether the DPO lacks the necessary expertise and reliability, it is important to determine whether the continued employment of the DPO threatens to result in a (further) violation of data protection provisions and thus an impairment of the objectives pursued by the GDPR.

In the specific case, the BAG decided that a conflict of interest in particular may call into question the reliability of the DPO. Following the decision of the ECJ, the BAG stated that a conflict of interest relevant to removal regularly exists if the DPO also holds a position that has as its object the determination of the objectives and means of processing personal data. This, in turn, has to be examined in the context of a case-by-case assessment, taking into account the organisational structure and the internal regulations of the respective institution. The specific case of the BAG has therefore been referred back to the LAG Saxony in order to determine in particular the information necessary for the assessment of the individual case. In this respect, the jurisdiction is to be further observed.

IV. Conflict of interest if DPO is also chairperson of the works council

In another decision from 6 June 2023 (Ref.: 9 AZR 383/19), the BAG dealt with a case in which the chairperson of the works council was also appointed as DPO in addition to his honorary office. Following a letter from the Thuringian State Commissioner for Data Protection and Freedom of Information, the chairperson of the works council was removed as DPO due to a conflict of interest. The BAG had to clarify to what extent a conflict of interest actually existed. In principle, the DPO can also perform additional tasks and duties. A limit is crossed if the DPO holds positions in which the determination of the objectives and means of processing personal data (also) belongs to the scope of duties.

This was the case here. By decision of the works council, within the framework of various participation and co-determination rights, e.g. according to sec. 87 para. 1 no 6 of the Works Council Constitution Act (German: “Betriebsverfassungsgesetz”, short form: “BetrVG”), it is decided under which specific circumstances the works council requests personal data from the employer and in which way these data are subsequently processed. In contrast, the task of the DPO includes the control of the employer's data processing and therefore also of any data transfers to the works council. In this respect, the DPO would be obliged in the specific case, for example, to check the works council's protection concept for compliance with data protection law requirements with regard to data transfers by the employer, which he himself would have initiated as chairperson of the works council. In the opinion of the BAG, this and other activities in which a chairperson of the works council decides on the objectives and means of processing personal data result in an irresolvable conflict of interests, so that the functional independence of the DPO is no longer maintained and there is a reason for removal.

However, the BAG does not clarify whether this can also be applied to the individual works council member.

V. Consequences for practice

The strict German law on protection against dismissal and removal once again stands up to European review. The special protection against removal and termination is (still) compatible with the European regulations. Thus, companies in Germany that are obliged to appoint a DPO and have appointed an internal DPO for this objective cannot in any case terminate the employment relationship ordinarily and even in the case of removal, the employer must show good cause within the meaning of sec. 626 of the German Civil Code (German: “Bürgerliches Gesetzbuch”, short form: “BGB”) which does not necessarily have to be related to the performance of the DPO's duties. However, apart from the few examples mentioned, when exactly such good cause can be assumed remains (still) vague.

In particular, companies must weigh up whether the removal of the DPO - which the BAG considers to have priority over the termination - is (still) reasonable for them while maintaining the employment relationship.

Since the legal obstacles with regard to both the extraordinary termination and the removal of the DPO are relatively high and, in addition, the ambiguities described above still exist, in practice the fixed-term appointment of a DPO or the use of an external DPO are likely to remain the most legally secure instruments for employers to maintain the necessary flexibility in the appointment of the DPO.