Under the European Union’s General Data Protection Regulation, a Data Protection Officer (DPO) cannot be dismissed or penalised for performing their duties. Although Belgian law and the GDPR do not provide for specific protection compensation for DPOs, the court still awarded compensation equivalent to three months’ salary. However, the DPO’s additional compensation claim for unfair dismissal was denied. 

The appointment of a Data Protection Officer (DPO) is mandatory for certain organisations under the GDPR. This is particularly true for public authorities; organisations that engage in large-scale, regular, and systematic monitoring of individuals; and organisations that process sensitive personal data on a large scale.  

The DPO can be either an employee or an independent service provider. Generally, the DPO is tasked with informing and advising on data protection, monitoring compliance with the GDPR, and acting as a contact point for data subjects and the Data Protection Authority. 

An important aspect of the DPO’s role is that they cannot be dismissed or penalised for reasons related to the performance of their duties. This is one of the safeguards provided to ensure the DPO’s independence. 

The employee was hired under an indefinite-term employment contract for the position of Chief Information Security Officer and Data Protection Officer. After nearly four years of employment, the employee received a dismissal proposal by letter due to dissatisfaction with the work performed. A few weeks later, the employer proceeded with the dismissal of the employee, with the payment of statutory severance compensation but no further compensation for dismissal. 

The employee challenged the dismissal on the grounds that it was related to the performance of his duties as a DPO. He claimed compensation for dismissal of a ‘protected employee’ (which he calculated at three months’ salary) and an additional claim for compensation of 17 weeks’ salary for unfair dismissal.  

The court stated that the employer bore the burden of proof to demonstrate that the dismissal of the employee was unrelated to the performance of his duties as a DPO.  

The employer asserted that the dismissal had nothing to do with the essence of the employee’s tasks as a DPO but was related to a lack of clear communication and mutual understanding. In particular, the employer claimed that the DPO was too theoretical and rigid, making him unable to propose concrete action plans regarding the practical implementation of his recommendations. 

However, the court held that the employer had acknowledged that it placed a priority on the employee’s performance of the Information Security role and therefore showed minimal interest in how the employee fulfilled his duties as DPO. The court ruled that the two roles were in fact intertwined, and that the employer could not demonstrate that the reason for the dismissal was solely related to the performance of the Information Security role. 

Neither Belgian law nor the GDPR provides for compensation in case of the dismissal of a DPO for reasons related to their role. The employee requested compensation of three months’ salary. Referring to case law of the Court of Justice, the court ruled that the Belgian legislation was inadequate in this respect and referred in its assessment to various other legal mechanisms regarding dismissal protection. The court ultimately awarded the three months’ salary requested, but also suggested that it could have awarded a higher amount if the employee had requested it. 

This is one of the first published cases in Belgium where such compensation was awarded following the dismissal of a DPO. 

Regarding the claim for compensation for unfair dismissal, the court stated that it was up to the employee to provide proof. The employer pointed out several issues with the employee’s work. For instance, the employee had only provided ten pieces of advice over four years, the register of processing activities (data register) was not updated after 2019, and the employee failed to inform the employer about the existence of a register of personal data breaches (data breach register) and did not properly maintain this register. 

The court consequently concluded that any prudent and reasonable employer faced with such a situation would have considered dismissal. Consequently, the court found that there was no unfair dismissal and denied recovery on that claim. 

It is essential to clearly distinguish between the different tasks of an employee when they, in addition to their role as DPO, also perform other functions within the same organisation. It is up to the employer to demonstrate that the dismissal is unrelated to the performance of the DPO’s duties. If this is not the case, there is a risk of a claim for damages.