
Special protection for German data protection officers: European Court to rule

Written by
Kliemt.HR Lawyers, the first port of call in employment law for top-class and future-proof advice.
Authors
Jessica Jacobi
Partner - Germany
Kliemt.HR Lawyers
Germany
16.09.21
In Germany, Data Protection Officers enjoy enhanced protection from dismissal or removal from their functions compared to the position under the GDPR. The European Court of Justice is set to consider two questions from the German Federal Labour Court on whether this conflicts with EU law.

German law gives Data Protection Officers (DPO) a higher level of protection than the GDPR. Under German law, a DPO may only be dismissed or have their role as DPO revoked if there is a so-called ‘good cause’ such as grave misconduct. Under European law, on the other hand, a data protection officer may be dismissed or removed from their role for any reason unless it is because of the performance of their duties as DPO.

In two decisions of 30 July 2020 and of 27 April 2021, the German Federal Labour Court (Bundesarbeitsgericht, BAG) has asked the European Court of Justice for a ruling as to whether this special level of protection for internal data protection officers complies with EU law. Both decisions were preliminary requests for clarification under Article 267 of the Treaty on the Functioning of the European Union.

The two cases

The first case, which was submitted to the European Court of Justice on 30 July 2020, was about an in-house lawyer who had joined the company on 15 January 2018 and had been appointed as DPO in February 2018. His dismissal was declared on 13 July 2018. This meant having been appointed DPO gave the plaintiff special protection against dismissal at a time when the normal protection would not have been available due to a seniority of less than 6 months. In addition, the special protection for DPOs requires a severe cause, not merely a socially justified reason as required by general German protection against dismissal.

In the second case, submitted to the European Court of Justice on 27 April 2021, the plaintiff, who had been employed by his employer since 1993, had been Chairman of the Works Council for years. In 2015, he had been appointed DPO. In December 2017 and then again in May 2018, his role as DPO was revoked but he remained employed. Under German law, both the role as DPO and the role of a works council member grant special protection against dismissal from the employment contract, and German law grants special protection against removal from the DPO role. The employer argued that a conflict of interest arose from the plaintiff's role as Chairman of the Works Council, meaning there was good cause for his removal as DPO.

The German Federal Labour Court has therefore asked the European Court of Justice whether the stricter requirements of German law are contrary to EU law. In a second question, it has asked if this special German law protection is not compliant with EU law even in those cases where a DPO appointment is mandatory only under German law but not under EU law. By way of explanation, under German law, the requirement for a DPO applies to all organisations with 20 or more employees processing data (having a computer will suffice), under s38 (1) of the Federal Data Protection Act (as well as to organisations with certain data-intensive activities). Under EU law, on the other hand, it only depends on the activity of the organisation or authority and how data intensive its activities are (Article 37 (1) GDPR).

As part of the second decision, the German Federal Labour Court has asked whether a dual role as works council chairperson and DPO constitutes an inadmissible conflict of interest and is therefore a good cause for removal. Previous German case law has held that at least the role of a regular member of the works council (not chair) does not per se create a conflict.

The outcome of the two European Court of Justice cases will be extremely relevant to legal practice. The German legislator’s approach of strengthening the independence of the internal DPO by providing special protection against both dismissal from employment and removal from the DPO role is understandable, but in many cases, it leads to legal disputes. Similarly, the question of whether there is a potential conflict of interest in exercising dual roles as DPO and works council chairperson is significant. In the past, some employers figured that since the works council chairperson already enjoys special protection anyway, it would be a wise idea to appoint them as DPO as well so that special protection is not being granted to two employees.

What to do in the meantime?

Both cases are now pending before the European Court of Justice (C-524/20 Leistritz for the dismissal protection question; there is no file number available yet for the removal protection case). As of the time of writing, no hearing has been scheduled for either of the two.

Appointing an external DPO is a solution for German organisations that want to work around the special protection provisions that apply in the current legal situation. A large range of service providers offer their services as external DPOs. While some have a legal background, the majority have a technical background. The monthly or annual fees vary, obviously, depending on their degree of expertise and involvement. The external DPO is not protected against dismissal from their role; employees will merely have to observe the contractual notice period. Another advantage is that they generally have a higher level of expertise and experience in questions of data privacy and data safety than an internal DPO, who must first acquire this expertise, usually by participating in online or live training.

Yet another alternative is the appointment of an existing employee as DPO only for a limited time period. A fixed-term appointment will expire at the end of the term; no protection is applicable. There is no statutory minimum period for such an appointment. Obviously, if the fixed term is too short, this might interfere with the independence which should be part of the DPO role. But so far, in practice, a fixed term of two or three years has been deemed acceptable. The downside is that each newly appointed employee DPO needs to acquire knowledge, meaning it might seem like a good idea to extend a fixed-term DPO appointment several times to avoid having to train a new internal DPO. But that would involve a high risk of creating an unlimited appointment based on German case law regarding fixed-term employment contracts: a series of fixed-term contracts with the same person is subjected to a more critical review the more extensions there are.