1. Requirements for revoking the appointment of a data protection officer
A data protection officer appointment can be revoked for two reasons:
- for “good cause” within the meaning of § 626 of the German Civil Code (BGB), or
- upon request by the supervisory authority for positions in private companies.
a) “Upon request by the supervisory authority”
In practice, the revocation of an appointment “upon request by the supervisory authority” is of minor significance, as such a request by the supervisory authority is preceded by a time-consuming administrative procedure, including a hearing procedure. In addition, the supervisory authority will, at its due discretion, only request an appointment to be revoked if serious reasons similar to “good cause” pursuant to § 626 BGB are present.
b) Revocation for “good cause”, § 626 BGB
The requirements of § 626 BGB must therefore always be met if a data protection officer appointment is to be revoked. Good cause, which would make it unreasonable for a data protection officer to continue with their activity, can include, for instance, betrayal of secrets, continuously neglecting core data protection officer duties, persistent refusal to meet consultation and training obligations or unreliability of the data protection officer that was not identified at the start or which arose subsequently. Personal unreliability is, in particular, the case if the other professional duties of the data protection officer result in conflicts of interest with the role of the data protection officer. This is primarily assumed for board members, managing directors and other persons entrusted with the management of the company. For other managing employees, it depends on the respective individual case. A conflict of interest is assumed for the head of the IT department (German Labor Court, BAG, decision dated March 22, 1994 – 1 ABR 51/93) and may also be assumed for the heads of the legal, human resources and sales departments. However, a conflict of interest with the specific activities of the respective employee may also arise for other employees in the IT, human resources, legal or sales departments (BAG, decision dated March 22, 1994 – 1 ABR 51/93). The first obligation of a lawyer in the legal department under his/her employment contract is to represent the interests of the employer and to advise the employer under data protection law in this regard, a function that is not compatible with the necessary independence of a data protection officer. Furthermore, the time period arising from § 626 (2) BGB must be observed. The employer must terminate the appointment within two weeks after becoming aware of the good cause.
A data protection officer’s unreliability (identified subsequently) is, however, a continuous violation of the employment contract and the two-week notice period does not apply here.
c) Valid termination of employment as a reason for revocation?
Besides the reasons provided for in the statute, a valid termination of employment is also sufficient reason for revoking the appointment (BAG, judgment dated March 23, 2011 – 562/09). However, with its judgment dated January 23, 2014 (2 AZR 372/13), the German Federal Labor Court has to date expressly left open the question of whether the special protection against dismissal extended to data protection officers pursuant to § 4 f (3) BDSG permits extraordinary termination for urgent operational requirements, whether a notional notice period or the end of the one-year period after revocation of the appointment is to be considered when reviewing “good cause” within the meaning of § 626 BGB, and whether the regulations of § 15 (4) and (5) of the German Protection Against Dismissal Act (KSchG) applicable to works councils for company or divisional closures apply analogously to internal data protection officers. All this is debated and controversial in the literature. As the intention of the legislator was to align data protection officers’ protection against dismissal with “Protection against dismissal for other roles, such as works council members” and not provide for “lifelong” protection against dismissal, the better arguments are for an analogous application of § 15 (4) and (5) KSchG (Dzida/Kröpelin, BB 2010, p. 1026).
2. Co-determination rights of the works council?
The selection, appointment and recall of data protection officers is not subject to co-determination by the works council. However, § 99 of the German Works Constitution Act (BetrVG) must be observed for internal data protection officers (e.g. for staff transfers).
3. What does this mean in practice?
- Internal data protection officers should, in all cases, be appointed for a fixed term. Terminating the employment of a data protection officer is, in principle, only possible if the appointment of a data protection officer can be revoked for “good cause”. Only then can an employer terminate the employment contract after one year. It is still unclear whether § 15 (4) and (5) KSchG is analogously applicable to data protection officers. Therefore, it cannot be ruled out that a permanent appointment results in lifelong protection against dismissal.
- However, the fixed term must be for a minimum of four years according to Art. 35 VII DS-GVO (EU General Data Protection Regulation).
- In any case, employers should also consider appointing an external data protection officer and compare the associated costs with the disadvantages under labor law associated with the appointment of an internal data protection officer. After all, terminating a contract with an external data protection officer does not require “good cause”.