Marcus Belke
CEO of 2B Advice GmbH, driving innovation in privacy compliance and risk management and leading the development of Ailance, the next-generation compliance platform.
In Germany, internal data protection officers enjoy particularly far-reaching special protection against dismissal under employment law. This regulation is of considerable practical importance for companies. After all, appointing an employee as a data protection officer is not only an organizational compliance decision, but also a personnel law decision with long-term consequences. What this means for the data protection organization of companies.
Special protection against dismissal of the DPO according to BDSG
Section 38 BDSG is the central point of reference for companies. According to this, companies must appoint a data protection officer if they generally have at least 20 people permanently involved in automated data processing. Processing of personal data.
For internal data protection officers, the law refers to Section 6 (4) BDSG. This provision establishes special protection under labor law.
The consequences are far-reaching:
- Ordinary termination of the employment relationship is generally excluded.
- As a rule, termination can only be considered as extraordinary termination for good cause (Section 626 BGB).
- Even after termination of employment, protection against dismissal remains in effect for one year.
The legislator is thus pursuing a clear objective: data protection officers should be able to perform their duties independently without having to fear pressure under labor law.
Case law: High hurdles for DPO termination
Labor court rulings have repeatedly confirmed and specified this protection.
A decision by the Federal Labor Court (BAG, judgment of April 27, 2021 - 2 AZR 225/20). The court clarified that an ordinary dismissal of a data protection officer who has been appointed on a mandatory basis is inadmissible and may even be null and void.
It is also worth noting that, in the opinion of the BAG, this protection also applies if the dismissal is given during the probationary period or the waiting period under the Dismissal Protection Act. The BDSG does not contain any restrictions in this respect.
This makes it clear that special protection against dismissal is not just a theoretical instrument, but can also have a practical impact on personnel decisions.
Classification under European law
The question of the scope of protection against dismissal was also clarified at European level.
The European Court of Justice (ECJ) has ruled that national regulations that only permit the dismissal or termination of a data protection officer for good cause are generally compatible with the GDPR are compatible.
The prerequisite, however, is that such regulations are in line with the objectives of the GDPR, in particular the effective performance of the DPO's duties.
This means for companies: The German special protection against dismissal is within the framework permitted under European law.
Conflicts of interest as grounds for dismissal
Another key point concerns potential conflicts of interest.
Pursuant to Art. 38 (6) GDPR a data protection officer may not perform any tasks that lead to a conflict of interest with his or her supervisory function. Such a conflict exists in particular if the person concerned decides on the purposes and means of data processing.
The ECJ and BAG have substantiated these principles in several decisions.
This became particularly clear in the case of a works council chairman who was also appointed as a data protection officer. The BAG found that the two functions may be incompatible. In such a constellation, there may be a conflict of interests that justifies the dismissal of the data protection officer.
This has an important consequence for companies: they should check for potential conflicts of interest before appointing an employee.
Mandatory or voluntary appointment of the DPO?
A key issue that is often underestimated in practice concerns the legal basis for the appointment of a data protection officer. This is because the special protection against dismissal under employment law pursuant to Section 6 (4) BDSG generally presupposes that the appointment is legally binding.
However, companies are not always obliged to appoint a data protection officer. The relevant requirements are set out in Art. 37 GDPR and from Section 38 BDSG, which provides for additional designation obligations for Germany.
Pursuant to Section 38 (1) BDSG, there is a duty of designation in particular if at least 20 people in a company are generally permanently involved with automated data processing. Processing of personal data are employed. In addition, an appointment may also be necessary if the core activity of the company consists of extensive Processing sensitive data or systematic surveillance of individuals.
The practical difficulty, however, is that companies often appoint a data protection officer even if they are not legally obliged to do so. This happens, for example, for reasons of Compliance, organizational clarity or on the recommendation of consultants.
This voluntary appointment may make sense from an organizational point of view, but has other consequences under employment law.
According to the wording of the law, the special protection against dismissal under Section 6 (4) BDSG only applies if the appointment was made on the basis of a legal obligation. The standard is applicable in the corporate sector via Section 38 BDSG. In the absence of such an obligation, the situation under employment law may be different.
In several decisions, labor courts have emphasized that the special protection against dismissal does not automatically apply if a data protection officer has only been appointed voluntarily. For example, the Hamm Regional Labor Court (18 Sa 271/22) ruled that the special protection against dismissal under the BDSG presupposes that there was a statutory duty of appointment. Otherwise, the data protection officer can in principle be treated like any other employee under employment law.
This raises an important governance question for companies: Was the appointment of a data protection officer actually mandatory or was it voluntary?
Risks for companies
Special protection against dismissal can entail several risks for companies.
Labor law risks
An unlawful termination can lead to the invalidity or nullity of the termination. The employment relationship then continues. In addition, compensation claims may arise, for example in the form of default of acceptance.
Organizational risks
The strong ties under employment law can lead to companies remaining bound to an organizational structure over a longer period of time that no longer fits their governance.
Reputational risks
Conflicts with data protection officers are often reputation-sensitive. Data protection officers are regarded as independent supervisory bodies and are often in contact with supervisory authorities.
Labor law disputes can therefore also be handled outside the company.
Practical consequences and alternative organizational models
The special protection against dismissal means that the appointment of an internal data protection officer should not be regarded as a purely operational decision.
Rather, it is a strategic personnel decision with a long-term binding effect.
In practice, conflicts often arise in the following situations:
- Reorganizations
- international group structures
- Changes to the compliance organization
- Growing regulatory requirements
If the organizational framework changes, it can be difficult to restructure or terminate the role of the data protection officer.
In practice, this often leads to labor law disputes.
Against this background, many companies are examining alternative models for their data protection organization. The most common options include
External data protection officer
An external service provider takes on the role of data protection officer. As a result, there is no longer any obligation under employment law, while professional competence and independence are retained.
Group Data Protection Officer
In groups of companies, a joint data protection officer can be appointed, provided that he or she can be contacted by all the companies concerned.
Hybrid models
In many organizations, a combination of internal and external Data protection team and external data protection officer.
Such models can combine operational proximity with organizational flexibility.
Rethinking data protection organization with Ailance DSB
The internal data protection officer is a central element of the data protection organization in companies. At the same time, the role is exceptionally well protected under labor law.
Anyone who appoints an employee as data protection officer should be aware of these consequences. The decision not only affects Compliance, but also personnel strategy and governance.
Companies are therefore well advised to carefully examine the organizational framework before making an internal appointment.
With Ailance DSB 2B Advice offers a solution that helps companies to set up their data protection organization professionally and flexibly at the same time. The model combines:
Experienced external data protection officers
Scalable data protection processes
digital compliance platform
and Direct access to legal and technical expertise
As a result, companies benefit from a clearly structured data protection organization without the binding effects of an internal appointment under employment law.
An external data protection officer can be a strategically sensible alternative, especially for growing companies, international organizations or complex compliance structures.
Marcus Belke is CEO of 2B Advice and a lawyer and IT expert for Data protection and digital Compliance. He writes regularly about AI governance, GDPR compliance and risk management. You can find out more about him on his Author profile page.
German 
English 
Italian 
French