Dismissal of a company data protection officer: Requirements under current case law

30 January 2024 2 min read

At a glance

In two recent rulings, the Federal Labour Court (BAG) dealt with the termination of in-house data protection officers.
The BAG stated that data protection officers can only be dismissed if there is good cause for doing so. The BAG found that if the company data protection officer is also the chairperson of the works council, there is a conflict of interest which provides good cause for termination.
Further, the BAG confirmed that the dismissal of the company data protection officer does not necessarily require a partial termination of the employment relationship.

According to the Federal Data Protection Act (BDSG), in-house data protection officers can only be dismissed if there is good cause for doing so (Section 6 para. 4 sentence 1, Section 38 para. 2 BDSG in conjunction with Section 626 para. 1 German Civil Code). The BAG has declared this termination requirement to be compliant with European data protection law (judgment of 6 June 2023 – case no. 9 AZR 621/19).

The BAG's decision on Section 6 para. 4 sentence 1 BDSG makes it clear that the data protection provisions of the BDSG can also have consequences under employment law. Employers must therefore carefully examine whether the dismissal can take place due to the existence of good cause (Section 626 para. 1 German Civil Code) - which is required for extraordinary dismissal.

In the same decision, the BAG confirmed that the dismissal of the company data protection officer does not necessarily require a partial termination of the employment relationship. Rather, the specific terms of the agreement concluded between the parties will be decisive in this respect.

When appointing an employee as data protection officer, it is generally assumed that the employment contract is merely amended and extended for the duration of the assignment. This assumption also applies if no express agreement has been made on this point.

Conflict of interest in the case of simultaneous activity as works council chairperson and as data protection officer

In a further judgment, the BAG found that if the company data protection officer is also the chairperson of the works council, they may be dismissed from their position as data protection officer (judgment of 6 June 2023 – case no. 9 AZR 383/19).

In the opinion of the BAG, there is an irreconcilable conflict of interest in the case of someone simultaneously acting as works council chairperson and as data protection officer, which allows the dismissal of the data protection officer for good cause (Section 6 para. 4 sentence 1 of the German Federal Data Protection Act in conjunction with Section 626 para. 1 German Civil Code).

The conflict of interest arises from the fact that the works council also processes personal data in the exercise of its duties and rights under the German Works Constitution Act. In some cases, the works council also decides which data is to be processed and how, ie it determines the purpose and means of data processing. The chair of the works council is responsible for representing the works council, meaning that they would need to monitor themself as the data protection officer.