Is the DPO Solely Responsible for Compliance?

The Heilbronn Labor Court's decision from September 29, 2022, addressed the legality of the employer's termination of the internal Data Protection Officer's (DPO) employment contract. The business claimed that for a number of years, the DPO did not carry out any of his responsibilities as an internal DPO. This was also the outcome of an auditing firm's expert opinion.

It's crucial to remember that internally nominated DPOs in Germany are given particular protection (the ECJ found the provision to be compliant with EU legislation in C-534/20 on 22.6.2022). First, the internal DPO may only be removed from his position as DPO if there are very relevant reasons, in accordance with Sections 38 (2) and 6 (4) of the German Federal Data Protection Act (BDSG). Second, as an employee, the internal DPO has further protection against being fired under the terms of his employment contract.

In this instance, the labor court determined that the controller (employer) had not proven a specific duty violation on the part of the DPO.

Rather, as stated in Art. 4 No. 7 GDPR, the controller is responsible for carrying out the provisions of the GDPR and of the BDSG, which specifies and supplements it.

The court also reasoned that "this precludes the employer from relying on the fact that the data protection officer is responsible for establishing a proper level of data protection."

Instead, in the eyes of the Court, the employer, as the responsible body under Art. 4 No. 7 GDPR, is organizationally obliged to carry this out, whether through the use of outside assistance or by training its own staff.
