Suche
Contact
11.03.2021 | KPMG Law Insights

MV Regional Labor Court: Conditions for the Dismissal of a Data Protection Officer

MV Regional Labor Court: Conditions for the Dismissal of a Data Protection Officer

In a nutshell

Universities and research institutions (which have more than 20 employees) are also required to appoint a data protection officer. In this decision (LAG M-V AZ: 5 Sa 108/19), the court dealt with the requirements to be met by the professional qualifications of a data protection officer and the conditions under which dismissal is possible. The court ruled that the plaintiff, who opposed his dismissal, was sufficiently qualified as a fully qualified lawyer who had apparently studied the requirements of data protection law. In addition, even after a data protection officer has been appointed, the organization continues to be the addressee of the obligations under data protection laws (data protection officer). The data privacy officer acts largely independently as an internal control body and primarily provides assistance in implementing data privacy requirements. An erroneous decision from 2007, is not sufficient to establish unreliability as a data protection officer.

Background

The defendant university hospital employed the plaintiff as data protection officer. At the beginning of 2018, the defendant university hospital and the plaintiff argued about whether he, as data protection officer, should already have done more for the implementation of the GDPR that followed in May 2018. The data protection officer drew attention to the fact that only with the implementation of state law and the regulation of area-specific requirements for data protection could the implementation be complete. Since the basic regulations have been clear since the adoption of the GDPR, the university hospital also doubted the suitability of the data protection officer because of these statements. The latter had indeed dealt with the requirements of the GDPR, as suggested by an article on the requirements published in a trade journal in 2017. However, he had no special qualifications (beyond being a fully qualified lawyer) to adequately fulfill the role of data protection officer.

The data protection officer had participated in the establishment of committees on data protection and organized training sessions for the hospital’s employees. In his understanding, the role of the data protection officer is that of a supervisory body. In no way was he himself – with around 10,000 data processing operations per day – responsible for implementing the requirements of the GDPR in detail. In addition, he had professionally excellent employees.

The university hospital dismissed the man as data protection officer in February, citing a lack of implementation efforts to date and an incorrect assessment in 2007 that had cost the university hospital several hundred thousand euros and raised the question of whether he was reliable at all. In August 2018, after the introduction of the GDPR, the hospital was reprimanded by the State Data Protection Commissioner for an organizational program that had been used internally for several years. The plaintiff had not drawn attention to the problems during his time as data protection officer.

The parties disputed what qualifications a data protection officer must have and whether the man’s conduct was sufficient for dismissal.

Decision

The court essentially upheld the plaintiff. The dismissal was invalid. The evaluation standards for this decision are similar before and after the introduction of the GDPR in May 2018, even if they were based on different legal bases.

  1. Professional qualification of a data protection officer

Prior to May 2018, the state law required that the data protection officer had the necessary expertise and reliability to perform his or her duties (Section 20 (1) sentence 3 DSG M-V old version). According to Art. 37 GDPR, he must have sufficient professional qualification and expertise in data protection law. No specific training or qualification is required. Specifically, the requirements must be based on the size of the organization and the scope and sensitivity of the data processing operations. The plaintiff, as a fully qualified lawyer who, as evidenced by the technical essay, has in any case dealt with the subject matter, is in principle appropriately qualified. In addition, he can rely on professionally qualified employees.

  1. Dismissal due to lack of measures for implementation

A data protection officer is to be distinguished from the data protection officer (of the organization). The data protection officer must verify compliance with the requirements and, according to the conception of the laws, holds an independent position. Under both the old (Section 20 (2) DSG M-V old version) and the new (Section 6 (4) sentence 1 BDSG) legal situation, dismissal requires serious misconduct with corresponding application of Section 626 BGB. In any case, the measures taken by the plaintiff to monitor the introduction were not so faulty that he seriously breached his duties. It is not sufficient for such a breach of duty that the plaintiff did not point out the data protection problems of an internal organizational program that he had not introduced himself. Finally, the data protection officer cannot oversee every data processing operation.

  1. Dismissal due to lack of reliability

An employee’s conduct prior to his or her appointment as a DPO has an impact on the employee’s reliability assessment. However, the defendant did not provide sufficiently concrete evidence that such a serious doubt of reliability could be identified in the erroneous assessment of a situation in 2007, which in retrospect turned out to be disadvantageous for the university hospital. Suspicion of intentional injury is not enough unless it is properly substantiated.

What can readers take away?

  1. A data protection officer does not have to have any particular professional qualifications. In detail, he can also rely on his employees.
  2. The prerequisite for dismissal is serious misconduct due to the independent position of the data protection officer as a supervisory body (analogous to 626 BGB).
  3. Reliability may also be due to misconduct prior to commencing work as a data protection officer.

Explore #more

12.07.2024 | Business Performance & Resilience, In the media

Guest article in the IPE Dach: Necessary contract adjustments for DORA implementation

Deadline January 17, 2025: Financial companies and other service providers should start implementing the rules of the “Digital Operational Resilience Act” today, because the preparations,…

08.07.2024 | In the media

Article in In-house Counsel with KPMG Law Statement: Have software modules delivered, assemble, fine-tune, done

The article from 05.07.2024 contains an article with a statement by KPMG Law expert Kai Kubsch. IT applications for the legal department programmed by…

05.07.2024 | In the media

Guest article in Deutscher AnwaltsSpiegel: Transformation in legal departments

The KPMG Legal Department Report, now in its tenth edition (see here), has established itself as the standard work for general counsel since 2005…

03.07.2024 | KPMG Law Insights

BImSchG amendment to speed up approval procedures

On 17.05.2024, the traffic light parliamentary groups agreed on the amendment to the Federal Immission Control Act (BImSchG). The law is intended to create faster…

01.07.2024 | In the media

Guest article in Business Punk: Startup insolvency – bargain for investors or incalculable risk?

The issue of June 25, 2024 contains a guest article by KPMG Law experts Stefan Kimmel and Gunars Urdze. The Covid-19 pandemic and the…

01.07.2024 | In the media

Guest article in IT-Zoom: The path to safe and ethical AI

The June 25, 2024 issue of IT-Zoom contains a guest article by KPMG Law expert Francois Maartens Heynike and KPMG Law expert Kerstin Ohrem.…

28.06.2024 | KPMG Law Insights

Podcast series “KPMG Law on air”: ESG and employment law

Sustainable corporate governance is increasingly becoming a legal obligation. The HR department is also affected. Because “sustainable” also includes social aspects. Accordingly, companies have numerous…

25.06.2024 | In the media

Guest article in the ESGZ: Is antitrust law becoming “greener”? – An update

The June issue of ESGZ contains a guest article by KPMG Law expert Jacqueline Unkelbach. Sustainability goals and criteria – in a broader sense…

19.06.2024 | In the media

Guest article in the Börsenzeitung: Tackling succession planning for family businesses early on

Experience shows that less is better than nothing – even individual measures can have a major impact. KPMG Law expert Mark Uwe Pawlytta knows which…

13.06.2024 | In the media

Commentary on the Whistleblower Protection Act (HinSchG) published with contributions from KPMG Law

After years of wrangling, the Bundestag and Bundesrat transposed the EU Whistleblowing Directive into national law in 2023: The Whistleblower Protection Act (HinSchG), which has…

Contact

Julia Hornbostel

Senior Associate

Fuhlentwiete 5
20355 Hamburg

tel: +49 40 3609945162
jhornbostel@kpmg-law.com

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit https://home.kpmg/governance.

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.

Scroll