The GDPR stipulates in Article 37 that companies that carry out extensive monitoring or extensive processing of personal data need a data protection officer. The German Bundesrat (upper house of parliament) has tightened this regulation in § 38 BDSG and required all companies with at least 10 employees who work with personal data to have a data protection officer.
After the Bundesrat gave its approval to the 2nd Data Protection Adaptation and Implementation Act EU (2nd DSAnpUG-EU) on 20.09.2019, the final version of the law was published in the Federal Law Gazette. The amendments it makes to the Federal Data Protection Act and numerous other laws thus entered into force on November 26, 2019. The act includes not only adjustments to employee data protection, for example, but also a fundamental adjustment to the obligation to appoint a data protection officer.
Data protection officers in Germany
The German legislator has made use of the opening clause in Art. 37 para. 4 sentence 1 GDPR. Section 38 of the German Federal Data Protection Act (BDSG) previously required German data controllers to appoint a data protection officer if “as a rule, at least 10 persons are permanently involved in the automated processing of personal data”. The current amendment increased this limit to 20 people. This eliminates the obligation for many smaller companies to appoint a data protection officer.
For small businesses, this means cost savings.
But how can data protection officers who have already been appointed be recalled?
Pursuant to Article 38 GDPR, each data protection officer shall perform his or her duties independently and freely. This applies in particular to internal data protection officers. External data protection officers are essentially bound by the service contract they have concluded, which ends, for example, at the end of the agreed contract term. Unscheduled termination is therefore generally only possible if there is good cause.
The increase in the statutory threshold for the obligation to appoint a data protection officer constitutes such good cause.
It is more difficult to remove internal company data protection officers in Germany.
The internal company data protection officer generally enjoys protection against dismissal. Once appointed, he or she may be dismissed only for good cause. This follows from § 6 para. 4 sentence 1 in conjunction with § 38 para. 2 BDSG as well as a corresponding application of § 626 BGB. Good cause can be seen in particular in a neglect of duties as a data protection officer, serious failures to provide advice or glaring deficiencies in expertise.
A disagreement with the employer is not a reason to dismiss the data protection officer. The GDPR prohibits the dismissal of the data protection officer on the basis of his proper performance of his duties. The data protection officer may not be dismissed if he or she performs his or her duties and thus becomes a “nuisance”.
Special protection against dismissal
The internal company data protection officer additionally enjoys special protection against termination under § 6 para. 4 sentence 2 in conjunction with § 38 para. 2 BDSG. According to this, employees who have been appointed as internal company data protection officers can only be dismissed if the conditions for extraordinary (immediate) termination are met. This protection against dismissal also continues for one year after the end of the activity as internal data protection officer. This is intended to ensure that disagreeable company data protection officers cannot simply be removed and that employees do not have to expect immediate reprisals after the end of their activities.