• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
easy GDPR - we make compliance with GDPR easy

easyGDPR

We make implementing General Data Protection Regulation Easy

  • Home
  • Services
    • Software
      • easyGDPR Quickcheck
      • (DEP) easyGDPR lite
      • (DEP) easyGDPR Standard
      • Data Subject Requests
      • Sophos
    • IT Security
    • network checkup
    • SME digitization funding
    • Data protection consulting
      • Data protection
      • Cybersecurity
    • Training
      • Data protection
      • Cybersecurity
  • Partner
    • Resellerprogramm
    • Affiliate programm
  • GDPR
    • GDPR News
    • FAQ
    • GDPR Decisions
    • GDPR penalties
    • GDPR legal text
  • Shop
  • Contact
    • Contact
    • Newsletter registration
  • Login
    • Shop / Affiliate Program
    • easyGDPR Software
  • German
  • English

New regulation for data protection officers in Germany as of December 2019

03/12/2019 by Maria Steindl-Schindler

The GDPR stipulates in Article 37 that companies that carry out extensive monitoring or extensive processing of personal data need a data protection officer. The German Bundesrat (upper house of parliament ) has tightened this regulation in § 38 BDSG and required all companies with at least 10 employees who work with personal data to have a data protection officer.

After the Bundesrat gave its approval to the 2nd Data Protection Adaptation and Implementation Act EU (2nd DSAnpUG -EU) on 20.09.2019, the final version of the law was published in the Federal Law Gazette. The amendments made herein to the Federal Data Protection Act and numerous other laws thus entered into force on November 26, 2019. It includes not only adjustments to employee data protection, for example, but also a fundamental adjustment to the obligation to appoint a data protection officer.

Data protection officers in Germany

The German legislator has made use of the opening clause of the Art. 37 par. 4 P. 1 DSGVO made use of. § Section 38 of the German Federal Data Protection Act (BDSG ) previously required German data controllers to appoint a data protection officer if “as a rule, at least 10 persons are permanently involved in the automated processing of personal data”. The current amendment increased this limit to 20 people. This eliminates the obligation for many smaller companies to appoint a data protection officer.

For small businesses, this means a cost savings.

But how can data protection officers who have already been appointed be recalled?

Each data protection officer shall, pursuant to. Article 38 GDPR independently and freely perform its duties. This applies in particular to internal data protection officers. External data protection officers are essentially bound by the service contract they have concluded, which ends, for example, at the end of the agreed contract term. Unscheduled termination is therefore generally only possible if there is good cause.

The increase in the statutory upper limit for the obligation to appoint a data protection officer constitutes such an important reason.

It is more difficult to remove internal company data protection officers in Germany.

The internal company data protection officer generally enjoys protection against dismissal. Once appointed, he or she may be dismissed only for good cause. This follows from § 6 para. 4 S. 1 i.V.m. § 38 para. 2 BDSG as well as a corresponding application of § 626 BGB. Good cause can be seen in particular in a neglect of duties as a data protection officer, serious failures to provide advice or glaring deficiencies in expertise.

A disagreement with the employer is not a reason to dismiss the data protection officer. The GDPR prohibits the dismissal of the data protection officer on the basis of his proper performance of his duties. The data protection officer may not be dismissed if he or she performs his or her duties and thus becomes a “nuisance”.

Special protection against dismissal

The internal company data protection officer additionally enjoys a special right of termination from § 6 para. 4 S. 2 i.V.m. § 38 para. 2 BDSG. According to this, employees who have been appointed as internal company data protection officers can only be dismissed if the conditions for extraordinary (immediate) termination are met. This protection against dismissal shall furthermore continue for one year after the end of the activity as internal data protection officer. This is intended to ensure that disagreeable company data protection officers cannot simply be removed and that employees also do not have to expect immediate reprisals after the end of their activities.

Category iconNews Tag iconGermany

Primary Sidebar

IT-Security Whitepaper Downloaden
  • German
  • English
  • Data Protection Statement
  • Terms and Conditions
  • Imprint
  • Licence terms for easyGDPR
  • GDPR terms
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking "Accept", you consent to the use of ALL the cookies.
SettingsAccept All
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled

Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.

Non Necessary

Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.

functionality

Diese Art von Cookies erhöht die Benutzerfreundlichkeit unserer Website. Beispielsweise wird darin die von Ihnen ausgewählte Sprache gespeichert. Auch die Verfügbarkeit von Videostreams und sonstigem Inhalt kann von diesen Cookies abhängig sein. Wenn Sie diese Cookies ablehnen, ist die Benutzerfreundlichkeit eingeschränkt.

Save & Accept