Search
Contact
11.03.2021 | KPMG Law Insights

MV Regional Labor Court: Conditions for the Dismissal of a Data Protection Officer

MV Regional Labor Court: Conditions for the Dismissal of a Data Protection Officer

In a nutshell

Universities and research institutions (which have more than 20 employees) are also required to appoint a data protection officer. In this decision (LAG M-V AZ: 5 Sa 108/19), the court dealt with the requirements to be met by the professional qualifications of a data protection officer and the conditions under which dismissal is possible. The court ruled that the plaintiff, who opposed his dismissal, was sufficiently qualified as a fully qualified lawyer who had apparently studied the requirements of data protection law. In addition, even after a data protection officer has been appointed, the organization continues to be the addressee of the obligations under data protection laws (data protection officer). The data privacy officer acts largely independently as an internal control body and primarily provides assistance in implementing data privacy requirements. An erroneous decision from 2007, is not sufficient to establish unreliability as a data protection officer.

Background

The defendant university hospital employed the plaintiff as data protection officer. At the beginning of 2018, the defendant university hospital and the plaintiff argued about whether he, as data protection officer, should already have done more for the implementation of the GDPR that followed in May 2018. The data protection officer drew attention to the fact that only with the implementation of state law and the regulation of area-specific requirements for data protection could the implementation be complete. Since the basic regulations have been clear since the adoption of the GDPR, the university hospital also doubted the suitability of the data protection officer because of these statements. The latter had indeed dealt with the requirements of the GDPR, as suggested by an article on the requirements published in a trade journal in 2017. However, he had no special qualifications (beyond being a fully qualified lawyer) to adequately fulfill the role of data protection officer.

The data protection officer had participated in the establishment of committees on data protection and organized training sessions for the hospital’s employees. In his understanding, the role of the data protection officer is that of a supervisory body. In no way was he himself – with around 10,000 data processing operations per day – responsible for implementing the requirements of the GDPR in detail. In addition, he had professionally excellent employees.

The university hospital dismissed the man as data protection officer in February, citing a lack of implementation efforts to date and an incorrect assessment in 2007 that had cost the university hospital several hundred thousand euros and raised the question of whether he was reliable at all. In August 2018, after the introduction of the GDPR, the hospital was reprimanded by the State Data Protection Commissioner for an organizational program that had been used internally for several years. The plaintiff had not drawn attention to the problems during his time as data protection officer.

The parties disputed what qualifications a data protection officer must have and whether the man’s conduct was sufficient for dismissal.

Decision

The court essentially upheld the plaintiff. The dismissal was invalid. The evaluation standards for this decision are similar before and after the introduction of the GDPR in May 2018, even if they were based on different legal bases.

  1. Professional qualification of a data protection officer

Prior to May 2018, the state law required that the data protection officer had the necessary expertise and reliability to perform his or her duties (Section 20 (1) sentence 3 DSG M-V old version). According to Art. 37 GDPR, he must have sufficient professional qualification and expertise in data protection law. No specific training or qualification is required. Specifically, the requirements must be based on the size of the organization and the scope and sensitivity of the data processing operations. The plaintiff, as a fully qualified lawyer who, as evidenced by the technical essay, has in any case dealt with the subject matter, is in principle appropriately qualified. In addition, he can rely on professionally qualified employees.

  1. Dismissal due to lack of measures for implementation

A data protection officer is to be distinguished from the data protection officer (of the organization). The data protection officer must verify compliance with the requirements and, according to the conception of the laws, holds an independent position. Under both the old (Section 20 (2) DSG M-V old version) and the new (Section 6 (4) sentence 1 BDSG) legal situation, dismissal requires serious misconduct with corresponding application of Section 626 BGB. In any case, the measures taken by the plaintiff to monitor the introduction were not so faulty that he seriously breached his duties. It is not sufficient for such a breach of duty that the plaintiff did not point out the data protection problems of an internal organizational program that he had not introduced himself. Finally, the data protection officer cannot oversee every data processing operation.

  1. Dismissal due to lack of reliability

An employee’s conduct prior to his or her appointment as a DPO has an impact on the employee’s reliability assessment. However, the defendant did not provide sufficiently concrete evidence that such a serious doubt of reliability could be identified in the erroneous assessment of a situation in 2007, which in retrospect turned out to be disadvantageous for the university hospital. Suspicion of intentional injury is not enough unless it is properly substantiated.

What can readers take away?

  1. A data protection officer does not have to have any particular professional qualifications. In detail, he can also rely on his employees.
  2. The prerequisite for dismissal is serious misconduct due to the independent position of the data protection officer as a supervisory body (analogous to 626 BGB).
  3. Reliability may also be due to misconduct prior to commencing work as a data protection officer.

Explore #more

21.02.2024 | KPMG Law Insights, KPMG Law Insights

The Digital Services Act – what does it mean for companies?

The Digital Services Act (DSA) is a key component of the EU’s digital strategy and came into force on November 16, 2022. As a regulation,…

15.02.2024 | KPMG Law Insights

Data compliance management: How to implement it in practice

Part 3 of the article series “Professional tips for data compliance management”   The third part of this series of articles deals with data compliance

14.02.2024 | PR Publications

Guest article in ZURe: Monitoring the implementation of the LkSG

The current issue of ZURe (p. 20 ff.) contains a guest article by KPMG Law Partner Thomas Uhlig (Head of General Business and Commercial Law),…

14.02.2024 | KPMG Law Insights

The AI Act is coming: EU wants to get a grip on AI risks

For many people, artificial intelligence (AI) is the great hope for business, healthcare and science. But there are also plenty of critics who fear the…

09.02.2024 | KPMG Law Insights

Podcast series “KPMG Law on air”: The employment law function

In almost all German companies, the employment law function is located in the HR department and not in the legal department. One of the reasons…

02.02.2024 | KPMG Law Insights

CSDDD: Provisional agreement on the EU Supply Chain Directive

On December 14, 2023, the Council and the European Parliament reached a provisional political agreement on the EU Corporate Sustainability Due Diligence Directive (CSDDD). This…

01.02.2024 | KPMG Law Insights

Podcast series “KPMG Law on air”: Fair play in eSports

eSports is a billion-dollar market that is growing rapidly. This makes it all the more important for the economic players involved to comply with applicable…

24.01.2024 | KPMG Law Insights

How the new unitary patent works – ten facts

The new unitary patent can be applied for at the European Patent Office (EPO) from June 1, 2023. The Implementing Regulations and the Schedule of

22.01.2024 | PR Publications

Guest article in the Börsen-Zeitung on the subject of EU antitrust regulations

Agreements with competitors on sustainability efforts may violate antitrust law. Which legal interest should then take precedence? KPMG Law expert Jonas Brueckner discusses this question…

18.01.2024 | KPMG Law Insights

AI and copyright – what is permitted when using LLMs?

A few months ago, new players entered the legal scene and have since caused numerous legal discussions: Large Language Models (LLM), better known as…

Contact

Julia Hornbostel

Senior Associate

Fuhlentwiete 5
20355 Hamburg

tel: +49 40 3609945162
jhornbostel@kpmg-law.com

© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit https://home.kpmg/governance.

 KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.

Scroll