Appointment of a Data Protection Officer in Germany: You Wanna Avoid Trouble? Then Make Sure You Appoint the Right Person!

more+
less-

Data protection law is on the rise. Courts as well as local authorities become increasingly sensitive to the misuse of any individual’s personal data that applicable statutory provisions in Germany, such as the Federal Data Protection Act (Bundesdatenschutzgesetz, “BDSG”), intend to prevent.

Among the requirements that have to be met by German employers is the compulsory requirement of an appointment of a data protection officer (Datenschutzbeauftragter, “DSB”) for all companies that employ more than nine employees who are permanently engaged in automated data processing or at least 20 persons who are engaged in non-automated data processing. For the assumption of “automated processing”, it is already deemed sufficient that the respective nine employees render their contractual services by using a company computer. Thus, in practice, German law requires from most employers to appoint a data protection officer. A breach of this requirement can lead to significant fines imposed by German authorities.

It is up to the employer to decide whether it wants to appoint an employee of the company as internal DSB or to appoint an external third party. However, it is not yet known to most employers that employees who were appointed as DSB immediately enjoy special protection against dismissals. Following the appointment, their employment may only be terminated for “important reasons” for as long as the appointment lasts and 12 months thereafter. Considering the fact that the assumption of an “important reason” requires a very severe breach of contractual duties, such as a criminal offence, and, as a consequence, is affirmed only very rarely by the courts, the termination of an employee’s employment appointed as DSB is virtually impossible. With regard to these huge legal impact, employers that intend to appoint one of their employees as DSB should consider very carefully their selection.

This risk has once more become obvious by a recent court ruling of the Higher Regional Labor Court of the state of Saxony from February 14, 2014 (3 Sa 485/13):

The employer—an entity engaged in the provision of IT services—hired the claimant as a “system engineer and consultant” on the basis of an employment agreement, which determined, inter alia, that the employee was to carry out “the tasks of a data protection officer.” According to the agreement, however, the necessary official appointment as DSB would be carried out “at a later stage.”

But things turned out differently: The Company dismissed the employee for low performance within the six month probation period and, in particular, before the official appointment took place. Until termination date the employee undisputedly performed the tasks typically assigned to a DSB.

This gave rise to a claim for unlawful dismissal filed by the employee who argued that such dismissal was invalid due to his factual activity as DSB. According to the employee, he could not be treated any different solely because of the lack of an official appointment; after all, he performed contractual services just like an appointed DSB. The refusal of legal protection would unlawfully compromise the required independence of a DSB which is explicitly and strongly protected by the BDSG, and would lead to a circumvention of the rigid protection against dismissal granted to the DSB by German statutory law. If his claim would be denied, it would be in the employer’s sole discretion to postpone the beginning of such protection and to weaken the DSB’s position and the fulfilment of his duties. As a result, according to the employee, although his probation had not ended by the time notice was rendered, the performance of the tasks of a DSB would make the dismissal unlawful.

The Higher Regional Labor Court of Saxony, however, dismissed the employee’s claim and denied him the requested legal protection against dismissals of a DSB. According to the court, the performance of the tasks of a DSB is not an equivalent to the appointment of an employee as DSB; the latter would require the execution of a written document signed by both parties pursuant to Sec. 4 of the BDSG. The court did not show any concern that employer and employee can validly agree to carry out the appointment as DSB at a later stage of employment. If the parties decide to take this approach, the statutory protection against dismissal will not be triggered immediately, but only upon official appointment as DSB.

The court has chosen a very formal, but clear standpoint that allows employers in particular, to agree with an employee that his appointment as DSB shall be conditional upon the survival of the six-month-probation period. Due to the fundamental significance of the legal problems dealt with in the court ruling, the court, however, explicitly admitted an appeal to the Federal Labor Court (BAG). It will be now up to the BAG to further develop their case-law in the field of data protection law which continues to have a growing effect on German employment law.

 

Topics:  Cybersecurity, Data Protection, EU, Popular

Published In: Civil Procedure Updates, Labor & Employment Updates, Privacy Updates, Science, Computers & Technology Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Orrick - Global Employment Law Group | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »