Search
Contact
11.03.2021 | KPMG Law Insights

MV Regional Labor Court: Conditions for the Dismissal of a Data Protection Officer

MV Regional Labor Court: Conditions for the Dismissal of a Data Protection Officer

In a nutshell

Universities and research institutions (which have more than 20 employees) are also required to appoint a data protection officer. In this decision (LAG M-V AZ: 5 Sa 108/19), the court dealt with the requirements to be met by the professional qualifications of a data protection officer and the conditions under which dismissal is possible. The court ruled that the plaintiff, who opposed his dismissal, was sufficiently qualified as a fully qualified lawyer who had apparently studied the requirements of data protection law. In addition, even after a data protection officer has been appointed, the organization continues to be the addressee of the obligations under data protection laws (data protection officer). The data privacy officer acts largely independently as an internal control body and primarily provides assistance in implementing data privacy requirements. An erroneous decision from 2007, is not sufficient to establish unreliability as a data protection officer.

Background

The defendant university hospital employed the plaintiff as data protection officer. At the beginning of 2018, the defendant university hospital and the plaintiff argued about whether he, as data protection officer, should already have done more for the implementation of the GDPR that followed in May 2018. The data protection officer drew attention to the fact that only with the implementation of state law and the regulation of area-specific requirements for data protection could the implementation be complete. Since the basic regulations have been clear since the adoption of the GDPR, the university hospital also doubted the suitability of the data protection officer because of these statements. The latter had indeed dealt with the requirements of the GDPR, as suggested by an article on the requirements published in a trade journal in 2017. However, he had no special qualifications (beyond being a fully qualified lawyer) to adequately fulfill the role of data protection officer.

The data protection officer had participated in the establishment of committees on data protection and organized training sessions for the hospital’s employees. In his understanding, the role of the data protection officer is that of a supervisory body. In no way was he himself – with around 10,000 data processing operations per day – responsible for implementing the requirements of the GDPR in detail. In addition, he had professionally excellent employees.

The university hospital dismissed the man as data protection officer in February, citing a lack of implementation efforts to date and an incorrect assessment in 2007 that had cost the university hospital several hundred thousand euros and raised the question of whether he was reliable at all. In August 2018, after the introduction of the GDPR, the hospital was reprimanded by the State Data Protection Commissioner for an organizational program that had been used internally for several years. The plaintiff had not drawn attention to the problems during his time as data protection officer.

The parties disputed what qualifications a data protection officer must have and whether the man’s conduct was sufficient for dismissal.

Decision

The court essentially upheld the plaintiff. The dismissal was invalid. The evaluation standards for this decision are similar before and after the introduction of the GDPR in May 2018, even if they were based on different legal bases.

  1. Professional qualification of a data protection officer

Prior to May 2018, the state law required that the data protection officer had the necessary expertise and reliability to perform his or her duties (Section 20 (1) sentence 3 DSG M-V old version). According to Art. 37 GDPR, he must have sufficient professional qualification and expertise in data protection law. No specific training or qualification is required. Specifically, the requirements must be based on the size of the organization and the scope and sensitivity of the data processing operations. The plaintiff, as a fully qualified lawyer who, as evidenced by the technical essay, has in any case dealt with the subject matter, is in principle appropriately qualified. In addition, he can rely on professionally qualified employees.

  1. Dismissal due to lack of measures for implementation

A data protection officer is to be distinguished from the data protection officer (of the organization). The data protection officer must verify compliance with the requirements and, according to the conception of the laws, holds an independent position. Under both the old (Section 20 (2) DSG M-V old version) and the new (Section 6 (4) sentence 1 BDSG) legal situation, dismissal requires serious misconduct with corresponding application of Section 626 BGB. In any case, the measures taken by the plaintiff to monitor the introduction were not so faulty that he seriously breached his duties. It is not sufficient for such a breach of duty that the plaintiff did not point out the data protection problems of an internal organizational program that he had not introduced himself. Finally, the data protection officer cannot oversee every data processing operation.

  1. Dismissal due to lack of reliability

An employee’s conduct prior to his or her appointment as a DPO has an impact on the employee’s reliability assessment. However, the defendant did not provide sufficiently concrete evidence that such a serious doubt of reliability could be identified in the erroneous assessment of a situation in 2007, which in retrospect turned out to be disadvantageous for the university hospital. Suspicion of intentional injury is not enough unless it is properly substantiated.

What can readers take away?

  1. A data protection officer does not have to have any particular professional qualifications. In detail, he can also rely on his employees.
  2. The prerequisite for dismissal is serious misconduct due to the independent position of the data protection officer as a supervisory body (analogous to 626 BGB).
  3. Reliability may also be due to misconduct prior to commencing work as a data protection officer.

Explore #more

17.07.2026 | KPMG Law Insights

Action Plan Against Tax Crime: Voluntary Disclosure Allowing for Immunity from Prosecution to Be Abolished

Tax and financial crime will be prosecuted more rigorously in Germany going forward. On July 16, 2026, Federal Minister of Finance Lars Klingbeil and Federal…

15.07.2026 | In the media

KPMG Law Guest Post on the DVNW Procurement Blog: Section 97a of the German Act Against Restraints of Competition (GWB): Slight Relief for Lump-Sum Contracts

On July 1, 2026, the Act on Accelerating the Award of Public Contracts—the Public Procurement Acceleration Act, for short—entered into force. A key change is…

15.07.2026 | In the media

KPMG Law Statement on “tagesschau”: Recycled Building Materials Rarely Used Despite Shortages

Gravel, sand, and crushed stone are becoming scarce and more expensive. Recycled construction materials could help. But despite advanced technology, there are major hurdles, especially…

15.07.2026 | In the media

KPMG Law Statement in *Private Banking* Magazine: How the ECB Plans to Launch the Digital Euro

The banking industry is awaiting the ECB’s decision on which institutions will be selected for the digital euro pilot project. From Germany, Deutsche Bank, Helaba,…

10.07.2026 | KPMG Law Insights

New Packaging Implementation Act tightens obligations for companies

  Co-author: Séverine Sieprath, Director of Audit, KPMG AG Wirtschaftsprüfungsgesellschaft   The Packaging Implementation Act (VerpackDG),…

09.07.2026 | In the media

Op-Ed in *Versicherungsmagazin*: D&O Insurance—A Legal Safety Net in Turbulent Times

Liability risks for executives are increasing significantly: New regulatory requirements such as NIS-2, CSRD, and the Supply Chain Act are expanding the responsibilities of managing

02.07.2026 | KPMG Law Insights

Registered mail with return receipt no longer provides proof of delivery—here are some alternatives

Registered mail with return receipt, when used as part of electronic documentation, no longer constitutes prima facie evidence of a…

02.07.2026 | Deal Notifications

KPMG Law advises the Prinzhorn Group on the acquisition of Stora Enso’s German facilities

KPMG Law has advised Mosburger GmbH, a subsidiary of Dunapack Packaging and part of the Austrian Prinzhorn Group, on the acquisition of Stora Enso’s German…

02.07.2026 | In the media

KPMG Law Interview in Focus Business: EmpCo Is Coming: Sustainability Marketing Becomes a Top Priority

Stricter EU rules set clearer boundaries for climate pledges and social claims. KPMG Law expert Manuela Meyer explains which claims must be verified and how…

29.06.2026 | KPMG Law Insights

Embedding Digital Sovereignty in the Enterprise – Legal Requirements for IT Systems

Digital sovereignty is an important strategic success factor, and many measures are also required by law. Through legislation such as the Data Act, NIS-2, the…

Contact

Julia Hornbostel

Senior Associate

Fuhlentwiete 5
20355 Hamburg

Tel.: +49 40 3609945162
jhornbostel@kpmg-law.com

© 2026 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit https://home.kpmg/governance.

KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.

Scroll