The German Federal Court of Labor ruled on 23 March 2011 that an internal data protection officer’s appointment may not be validly terminated because the employer wants to transfer this function to a service provider as external data protection officer. Internal and external data protection officers are widely used in Germany, partly because their appointment is mandatory due to the number of employees processing personal data, partly because their appointment frees the company from filing registrations with local data protection authorities. The use of service providers as external service providers has become more popular after September 2009, when the amendments to the German Federal Data Protection Act provided stronger protection for employees acting as internal data protection officers against termination or withdrawal of their function. This ruling strengthens the position of the employee exercising this function and limits any German employer’s ability to outsource this function to an external service provider.
The data protection officer’s function includes the right to contact local data protection authorities if in doubt, and the officer mandatorily reports directly to the company’s management.
In the case at hand, the plaintiff had been appointed as data protection officer at the defending company in 1992. She spent 30 % of her working time to fulfil her tasks as data protection officer. The defending company decided to appoint an external data protection officer for its group of companies and, therefore, withdrew the appointment of the plaintiff. The plaintiff’s claim against this withdrawal was successful. Under German law, internal data protection officers (if their appointment is mandatory) may only be terminated for cause. The German Federal Court of Labor argued that the appointment of an external data protection officer was no such cause. (The plaintiff was also a member of the works council since 1994. This did neither justify the termination of her function as data protection officer for cause.)
Inhouse data protection officers are used not only in Germany, but also in other EU countries like France or Sweden. Part of the EU program on its legislation for 2011 is the more widespread use of data protection officers. The EU Commission is currently contemplating to make the appointment of an independent data protection officer mandatory and to harmonise the rules related to their tasks and competences, while reflecting on the appropriate threshold to avoid undue administrative burdens, particularly on small and micro-enterprises (see the EU Commission’s communication " A comprehensive approach on personal data protection in the European Union", COM(2010) 609).
German data protection authorities are cautious about the switch to external service providers. In a resolution published by the German State data protection authorities of 24/25 November 2010 for external DPOs, it is accepted to stipulate a term of 1-2 years as a trial or testing period, and subsequently a minimum period of 4 years (without the company’s right to terminate earlier for convenience). The long contract term should enable the external service provider to exercise his function as independently and as free from the fear of termination as an internal data protection officer.
Link to the (German language) press release of the German Federal Court of Labor.