Dismissal only for cause? ECJ decision: Special protection for data protection officers

by Jan

Special protection for data privacy officers

The function of data protection officers as advisors to a data processing entity can only be adequately fulfilled if the data protection officer can act completely independently. For this reason, his or her position in the company is particularly protected under the General Data Protection Regulation. In particular, Art. 38 GDPR states that a data protection officer may not be dismissed or disadvantaged for performing his or her duties. This is intended to ensure that a data protection officer can perform his or her auditing and advisory duties in a truly independent manner and does not assess data protection issues in a biased manner for fear of professional consequences.

The provisions of Section 38 (1) and (2) BDSG in conjunction with Section 6 (4) BDSG go even further and stipulate that there must also be good cause within the meaning of Section 626 BGB for the dismissal. The good cause must be so serious that the person responsible can no longer reasonably be expected to observe at least the statutory notice period.

Is this regulation in conformity with European law?

The content of this special German provision is the same as that already in force under the old Federal Data Protection Act. Since the introduction of the General Data Protection Regulation, it has been a matter of legal dispute whether this provision is valid at all or whether it violates European law.

The background to this is that the General Data Protection Regulation created uniform European law. The member states may enact additional data protection law if the subject matter to be regulated falls under one of the so-called opening clauses, i.e., covers an area that the European Union has deliberately left to the member states for regulation.

The best example of this interaction between European and national law is the opening clause of Art. 88 GDPR for the area of employee data protection, which Germany has used by creating Section 26 BDSG.

However, the GDPR does not provide for an opening clause regarding the position of the data protection officer.

Consequently, enhanced national protection for data protection officers can only be effective if this area does not fall under the subject matter regulated by the General Data Protection Regulation and thus is not subject to the primacy of European law. For the provision in the Federal Data Protection Act, the question under discussion is therefore whether it is actually a provision of labor law and thus falls under the independent regulatory competence of the member states.

Judicial proceedings

The Federal Labor Court (BAG) has now been confronted with this issue. The case concerned the dismissal of the plaintiff from his appointment as internal data protection officer. In addition to his office as data protection officer, the plaintiff had been elected chairman of the works council. This caused his employer, prompted by the competent data protection supervisory authority, to doubt that he could perform his duties independently and to dismiss him from his position as data protection officer. However, the defendant did not present any good cause pursuant to Section 626 of the German Civil Code (BGB) that would have justified the dismissal of the plaintiff in accordance with Section 38 (1) and (2) of the Federal Data Protection Act (BDSG) in conjunction with Section 6 (4) BDSG.

Consequently, the first step for the BAG is to determine whether, in addition to Art. 38 GDPR, Section 38 (1) and (2) BDSG in conjunction with Section 6 (4) BDSG must also be complied with in the case of dismissal, or whether dismissal is also permissible without the existence of good cause.

Since this legal question touches on European law and its primacy of application and thus falls within the decision-making competence of the ECJ, the BAG has referred the question to the ECJ under Art. 267 TFEU. In the meantime, the proceedings before the BAG have been stayed and will be continued after the ECJ's decision.


Three years after the entry into force of the General Data Protection Regulation, there is an increasing number of decisions by the highest courts and ECJ rulings on data protection issues. In addition to specific questions of interpretation, the relationship between the European General Data Protection Regulation and national law is often put to the test, as in this case. It is therefore to be hoped that the ECJ’s decision will also set fundamental milestones for the relationship between the General Data Protection Regulation and national law.




Jan has worked as a Business Development Manager at aigner business solutions since successfully completing his training. He applies his creativity, talent for image editing and passion for video editing in our marketing department and also supports the sales process in its day-to-day tasks. Last but not least, our customers and followers can always look forward to new and interesting content on our social media channels and in our newsletters.