February 6, 2023
Employment
Decision of the Federal Labor Court (BAG) on special protection against dismissal for company data protection officers
In its ruling of August 25, 2022, the Federal Labor Court (BAG, Urt. v. 25.8.2022, Az. 2 AZR 225/20) clarified that employers can only terminate compulsorily appointed company data protection officers for good cause within the meaning of Section 626 (1) of the German Civil Code (BGB). They thus enjoy a similar level of special protection against termination as works council members (for whom the bar is even higher due to the required consent of the works council body). The special protection against dismissal for compulsorily appointed data protection officers results from the German Federal Data Protection Act (BDSG) (Section 38 (1) sentence 1, (2) in conjunction with Section 6 (4) sentence 2 BDSG). But why is this worth reporting at all? Well, once because of the interface of labor and data protection law, of course, but also because of this:
Background of the decision
The ruling of the BAG is based on a legal dispute concerning the validity of an ordinary termination of a company data protection officer (declared by the employer before the German protection against dismissal came into effect, namely during the so-called six-month waiting period (in principle there are no restrictions on dismissal during this period)). When terminating the employment relationship, the employer referred to a restructuring measure which had resulted in the data protection officer no longer having to be employed. The function of the company data protection officer was to be outsourced and performed by an external data protection officer.
In the course of these proceedings, the BAG expressed doubts as to whether the (far-reaching) special protection against dismissal for internal, compulsorily appointed data protection officers was compatible with European Union law and therefore initiated a preliminary ruling procedure pursuant to Section 267 TFEU (Treaty on the Functioning of the European Union) at the European Court of Justice (ECJ). The reason for the doubts was that the European standard of Article 38 (3) sentence 2 of the General Data Protection Regulation (GDPR) only provides for a prohibition of dismissal and discrimination of the data protection officer “because of the performance of his/her duties”. The BAG therefore asked whether the German special protection against dismissal (inadmissibly) goes beyond the European level of protection and violates the requirement of full harmonization.
The ECJ has denied this and stated (ECJ, Judgment of 22.6.2022, Case No. C-534/20) that European law does not preclude special protection against dismissal granted under national law, provided that the values of the GDPR are not impaired. Rather, the member states are in principle free to enact more employee-friendly regulations that go beyond EU law in the area of protection against dismissal. Against this background, the following decision is not surprising, but it does contain important “guidelines”.
Key statements of the BAG ruling
- The special protection against dismissal granted under German law does not violate the valuations of the GDPR. Data protection is not impaired by the granting of the additional protection against termination.
- The special protection against dismissal is also compatible with national constitutional law. In particular, there is no infringement of the employers’ freedom to exercise their profession pursuant to Article 12 (1) of the German constitution. Although there is an encroachment on this fundamental right, this can be justified by the intended guarantee of effective data protection. This is because the special protection against dismissal ensures that the data protection officer can perform his or her duties effectively and independently.
- Consequently, there is special protection against termination in favor of the compulsorily appointed in-house data privacy officers, which excludes the ordinary termination of their employment relationship. This even applies during an agreed probationary period and the waiting period pursuant to Section 1 (1) of the German Dismissal Protection Act.
What employers must now consider
It is important to note that the special protection against dismissal only applies to compulsorily appointed internal data protection officers. Pursuant to Section 38 (2) BDSG, voluntarily appointed data protection officers are not protected against removal and do not enjoy special protection against termination pursuant to Section 6 (4) BDSG. There is only an obligation to appoint a data protection officer in companies that employ at least 20 persons who are involved in the processing of personal data.
Employers should think carefully about whether to go down the path of an internal data protection officer (instead of external assignment), because this is basically irreversible. Employers thus create another group of non-terminable employees, because:
In principle, extraordinary termination fails in practice. The high hurdles can hardly be overcome realistically. However, extraordinary termination for operational reasons is not completely ruled out, even in the case of internal data protection officers who have been mandatorily appointed. For example, extraordinary termination for operational reasons can be effective if there is no possibility of ordinary termination and this would mean that the employer would have to continue to pay the employee for years without any corresponding work performance due to the discontinuation of the employment opportunity. Such a special situation is admittedly extremely rare.
A fixed-term appointment as a “work-around” is only possible under very limited conditions for internal data protection officers who have been appointed on a mandatory basis. The time limit on the appointment must be designed in such a way that the independence and impartiality of the data protection officer is not impaired. The Federal Commissioner for Data Protection and Freedom of Information therefore recommends that the time limit may not be less than a substantial duration and must generally be at least 4 years. In addition, it is not clear whether there must be an objective reason for a time limit and what the requirements for such an objective reason are. Various opinions are held on the question of whether a fixed term for the purpose of testing the data protection officer constitutes a sufficient objective reason. There is no case law or clear official recommendation on this. In contrast, the employment relationship of an external data protection officer can be terminated without further notice or limited in time. Accordingly, termination of the cooperation with external data protection officers is possible in a flexible manner.
The company data privacy officer can be relieved of his/her duties as data privacy officer without being dismissed at the same time. However, this also requires good cause within the meaning of Section 626 (1) BGB.
Outside of restructuring measures at company level (mergers) or (partial) transfers of businesses and the resulting automatic elimination of the data protection officer, the termination of the appointment and employment relationship of an internal company data protection officer is therefore de facto hardly possible.
| If you have any questions concerning the material discussed in this client alert, please contact the following members of our Employment practice: Walter Born +49 69 768063 382 wborn@cov.com Nadine Kramer +49 69 768063 351 nkramer@cov.com |
Covington & Burling LLP, an international law firm, provides corporate, litigation and regulatory expertise to enable clients to achieve their goals. This communication is intended to bring relevant developments to our clients and other interested colleagues. Please send an email to unsubscribe@cov.com if you do not wish to receive future emails or electronic alerts.