Germany: Passion Is Short, Repentance Long – How To Avoid Legal Pitfalls When Appointing A Data Protection Officer

Higher Regional Labor Court of Saxony, February 14, 2014, 3 Sa 485/13

Most companies in some way or another process personal data. Due to the strict regulations of the German Data Protection Act ("Bundesdatenschutzgesetz" – BDSG) companies who reach specific thresholds are obliged to appoint a Data Protection Officer. Most companies are not aware, however, that the Data Protection Officer is protected against dismissal due to statutory law. Therefore, a potential later dismissal of the employee appointed as Data Protection Officer is nearly impossible. Emerging companies are often not aware of these risks and commit costly errors which could have been avoided. A recent court ruling of the Higher Regional Labor Court of Saxony (February 14, 2014, 3 Sa 485/13) clearly shows these potential risks for employers.

What had happened? The employer hired the later claimant as a "consultant" and the employment contract regulated that the employee was to carry out "the tasks of a data protection officer". The contract also stated that the formal appointment as Data Protection Officer would be carried out at a later stage. But things turned out differently: The Company dismissed the consultant before the end of the six month probationary period. The formal appointment as Data Protection Officer was never carried out. The employee did not accept the dismissal and filed a claim for unlawful dismissal. According to the employee, the dismissal was invalid due to his position as Data Protection Officer. Sec. 4 f para.1 sentence 1 BDSG stipulates that the dismissal or revocation from office of a Data Protection Officer requires an important reason. The employee claimed that this regulation applied in his case although a formal appointment had not been carried out. He considered the agreement to appoint him at a later stage as invalid claiming that a postponed appointment would unlawfully compromise the Officer's independence and circumvent the statutory protection of Data Protection Officers against dismissal. Furthermore, the employee claimed that he did carry out tasks which are typical for a Data Protection Officer. As a result, according to the employee, although the probationary period had not ended, a dismissal was not possible due to his condition as Data Protection Officer.

The Higher Regional Labor Court, however, dismissed the employee's claim and denied that he was appointed as Data Protection Officer. According to the court, employer and employee can validly agree that the appointment as Data Protection Officer shall be carried out at a later stage of employment. In such a case, the statutory protection against dismissal is not triggered immediately but only after the formal appointment has taken place.

The court decision is convincing and positive for employers. However, the court explicitly admitted an appeal to the Federal Labor Court (BAG) due to the fundamental significance of the legal problems dealt with in the court ruling. The BAG will have to decide whether it is possible to agree that the appointment as Data Protection Officer shall take place at a later stage of employment. It remains to be seen how the BAG evaluates this legal question.

Please note: This court decision gives occasion to address the often unknown legal risks connected with the appointment of a Data Protection Officer. Pursuant to Section 4 f BDSG companies are obliged to appoint a Data Protection Officer if at least 10 employees carry out tasks related to personal data which is processed automatically or if at least 20 employees are processing personal data manually.

If a company is legally obliged to appoint a Data Protection Officer in order to safeguard his independence, the revocation or dismissal of the Data Protection Officer shall only be possible if an important reason exists, Section 4 f para. 3 BDSG. As a result, the Data Protection Officer is protected against dismissal, e.g. in case of a reduction in force, and can only be dismissed in case of a significant breach of contract. The protection against dismissal shall even continue to apply during a period of one year after the end of his appointment.

Employers should therefore carefully review who is appointed as Data Protection Officer as a later dismissal or revocation from office is nearly impossible. The appointment of a newly hired employee is therefore not recommendable as the protection against dismissal would start immediately and make a dismissal during the probationary period impossible. Picking the wrong person can turn out to be very expensive as a later dismissal of the Data Protection Officer would most probably require a considerable severance payment. Companies can avoid such problems and appoint an experienced external Data Protection Officer who is not an employee. If the company, however, decides to appoint an employee, the appointment should be limited in time (e.g. for a period of two years) in order to avoid a protection against dismissal for an unlimited time. However, the labor courts still have to decide if such an appointment for a limited time is legally possible. As there are good legal arguments in favor of a limited appointment, companies should use this opportunity to mitigate risks.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.