MV Regional Labor Court: Conditions for the Dismissal of a Data Protection Officer
Universities and research institutions (which have more than 20 employees) are also required to appoint a data protection officer. In this decision (LAG M-V AZ: 5 Sa 108/19), the court dealt with the requirements to be met by the professional qualifications of a data protection officer and the conditions under which dismissal is possible. The court ruled that the plaintiff, who opposed his dismissal, was sufficiently qualified as a fully qualified lawyer who had apparently studied the requirements of data protection law. In addition, even after a data protection officer has been appointed, the organization continues to be the addressee of the obligations under data protection laws (data protection officer). The data privacy officer acts largely independently as an internal control body and primarily provides assistance in implementing data privacy requirements. An erroneous decision from 2007, is not sufficient to establish unreliability as a data protection officer.
The defendant university hospital employed the plaintiff as data protection officer. At the beginning of 2018, the defendant university hospital and the plaintiff argued about whether he, as data protection officer, should already have done more for the implementation of the GDPR that followed in May 2018. The data protection officer drew attention to the fact that only with the implementation of state law and the regulation of area-specific requirements for data protection could the implementation be complete. Since the basic regulations have been clear since the adoption of the GDPR, the university hospital also doubted the suitability of the data protection officer because of these statements. The latter had indeed dealt with the requirements of the GDPR, as suggested by an article on the requirements published in a trade journal in 2017. However, he had no special qualifications (beyond being a fully qualified lawyer) to adequately fulfill the role of data protection officer.
The data protection officer had participated in the establishment of committees on data protection and organized training sessions for the hospital’s employees. In his understanding, the role of the data protection officer is that of a supervisory body. In no way was he himself – with around 10,000 data processing operations per day – responsible for implementing the requirements of the GDPR in detail. In addition, he had professionally excellent employees.
The university hospital dismissed the man as data protection officer in February, citing a lack of implementation efforts to date and an incorrect assessment in 2007 that had cost the university hospital several hundred thousand euros and raised the question of whether he was reliable at all. In August 2018, after the introduction of the GDPR, the hospital was reprimanded by the State Data Protection Commissioner for an organizational program that had been used internally for several years. The plaintiff had not drawn attention to the problems during his time as data protection officer.
The parties disputed what qualifications a data protection officer must have and whether the man’s conduct was sufficient for dismissal.
The court essentially upheld the plaintiff. The dismissal was invalid. The evaluation standards for this decision are similar before and after the introduction of the GDPR in May 2018, even if they were based on different legal bases.
Prior to May 2018, the state law required that the data protection officer had the necessary expertise and reliability to perform his or her duties (Section 20 (1) sentence 3 DSG M-V old version). According to Art. 37 GDPR, he must have sufficient professional qualification and expertise in data protection law. No specific training or qualification is required. Specifically, the requirements must be based on the size of the organization and the scope and sensitivity of the data processing operations. The plaintiff, as a fully qualified lawyer who, as evidenced by the technical essay, has in any case dealt with the subject matter, is in principle appropriately qualified. In addition, he can rely on professionally qualified employees.
A data protection officer is to be distinguished from the data protection officer (of the organization). The data protection officer must verify compliance with the requirements and, according to the conception of the laws, holds an independent position. Under both the old (Section 20 (2) DSG M-V old version) and the new (Section 6 (4) sentence 1 BDSG) legal situation, dismissal requires serious misconduct with corresponding application of Section 626 BGB. In any case, the measures taken by the plaintiff to monitor the introduction were not so faulty that he seriously breached his duties. It is not sufficient for such a breach of duty that the plaintiff did not point out the data protection problems of an internal organizational program that he had not introduced himself. Finally, the data protection officer cannot oversee every data processing operation.
An employee’s conduct prior to his or her appointment as a DPO has an impact on the employee’s reliability assessment. However, the defendant did not provide sufficiently concrete evidence that such a serious doubt of reliability could be identified in the erroneous assessment of a situation in 2007, which in retrospect turned out to be disadvantageous for the university hospital. Suspicion of intentional injury is not enough unless it is properly substantiated.
© 2024 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit https://home.kpmg/governance.
KPMG International does not provide services to clients. No member firm is authorised to bind or contract KPMG International or any other member firm to any third party, just as KPMG International is not authorised to bind or contract any other member firm.