ArbG Heilbronn - 8 Ca 135/22

From GDPRhub
Revision as of 09:52, 23 November 2022 by Fz (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
ArbG Heilbronn - 8 Ca 135/22
Courts logo1.png
Court: ArbG Heilbronn (Germany)
Jurisdiction: Germany
Relevant Law: Article 38(3) GDPR
§ 38(2) BDSG
§ 6(4) BDSG
§ 626 BGB
Decided: 29.09.2022
Published:
Parties:
National Case Number/Name: 8 Ca 135/22
European Case Law Identifier:
Appeal from:
Appeal to: Unknown
Original Language(s): German
Original Source: LRBW (in German)
Initial Contributor: Carla von Lueder

The Labour Court of Heilbronn declared a termination of a DPO's employment contract without notice to be invalid due to the protections granted by the German data protection law and the lack of evidence of a concrete breach of duty.

English Summary

Facts

A German employer attempted to terminate their DPO’s employment contract without notice. The reason was that the employer claims that the DPO did not perform their duties adequately over a period of several years. The DPO contested the validity of this termination under § 6(4) BDSG, which only allows employers to terminate the employment of their DPOs for "important reasons".

A month prior, an auditing company had issued an expert opinion on a lack of data protection measures and associated risks within the company where the DPO is appointed. Implementing such data protection measures would have taken up considerable additional working time of the DPO. However, they did not notify their employer that they could not undertake such tasks. The DPO argued that these tasks were of a structural nature and therefore not their responsibility, but that of the management board.

Holding

The Labour Court of Heilbronn held the termination of the employment contract is invalid.

DPOs enjoy special protection in the context of termination of employment under § 38(2) BDSG and § 6(4) BDSG in conjunction with § 626 BGB in Germany. The special protection of DPOs, which is in addition to that awarded under Article 38(3) GDPR, is permitted under EU law.

As aforementioned, the BDSG only allows terminations of DPOs for "important reason". On the other hand, pursuant to § 626 BGB, the employment relationship may be terminated without observing a notice period if, considering all circumstances, there are facts on the basis of which the DPO cannot reasonably be expected to continue the employment relationship even until the expiry of the notice period.

However, the court declared the dismissal of the DPO to be invalid, as no reasonable grounds to warrant such a termination were found. The justification of termination was based exclusively on the failure of the DPO to complete their responsibilities as opposed to evidence of a concrete breach of duty, which is not a valid ground for termination without notice under the 38(2) BDSG and § 6(4) BDSG.

The expert opinion by the auditing company did not prescribe responsibility to the DPO in their duties of implementing the GDPR, but only revealed data protection deficiencies within the company, which is the responsibility of the employer to implement on an organizational level.

The court further iterated that the employer could have revoked the DPO’s appointment should they have concretely breached their duties, as opposed to terminating their employment from the company.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

The lawsuit is admissible and justified to the extent provided for decision. The action is admissible, in particular sufficiently specific within the meaning of § 253 Para. The plaintiff is attacking a precisely defined termination with the selective application for protection of existing rights according to § 4 sentence 1 KSchG. The need for legal protection for the declaratory action follows from the effects of § 7 KSchG. The action is also justified because the defendant's termination is ineffective and the employment relationship between the parties has not ended. The chamber is of the opinion that termination of the employment relationship is ruled out if only official duties as a data protection officer are violated (hereinafter 1.). Even if one would like to see this differently, there is no explanation of an important reason for giving notice of termination without notice (below 2.). Reinterpretation as ordinary termination is not possible (3.).1. The notice of termination given by the defendant is invalid because it is solely based on the breach of official duties by the plaintiff in his position as data protection officer. In such a case, it is not possible to give notice of termination of the employment relationship. a) At the time of the termination, the plaintiff enjoyed special protection against dismissal for data protection officers under Sections 38 (2), 6 (4) sentence 2 BDSG, since he was in the company of the defendant has been appointed data protection officer from December 1, 2018. Due to the possible conflicts of interest of a data protection officer, Section 6 (4) BDSG provides special protection for public officials against dismissal and termination of their employment. According to S. 1 of the provision, the recall of the data protection officer is only permissible in the corresponding application of § 626 BGB. The internal data protection officer also enjoys special protection against dismissal with regard to his employment relationship: Section 6 (4) sentence 2 BDSG stipulates that termination of the employment relationship is inadmissible unless there are facts that lead the employer to terminate the contract for good cause without observing a period of notice. This national standard, which occurs alongside Art. 38 (3) GDPR, also conforms to European law, because within the scope of their competence to regulate substantive labor law, the Member States are authorized to provide special protection against dismissal for data protection officers (ECJ June 22, 2022 - C -534/20 following LAG Nuremberg February 19, 2020 - 2 Sa 147/19; Kühling/Buchner DS-GVO BDSG 3rd edition 2020 Art In the opinion of the chamber, the data protection officer suggests that - just as with other officials such as members of the works council (constant case law of the BAG, for example BAG September 9, 2015 - 7 ABR 13 - para. 41; BAG January 26, 1994 - 7 AZR 640/ 92) - a distinction must always be made between the violation of contractual obligations and those that only concern the conduct of office. In the case of breaches of official duties that do not also represent a breach of the duties arising from the employment relationship, a contractual sanction such as a warning or termination is not an option, but the sanction provided for by law for breaches of official duties. In the case of a works council member, this is the application for the exclusion of a member from the works council in accordance with Section 23 (1) BetrVG. It is true that the Federal Labor Court also assumes in consistent case law that the transfer of the office of internal data protection officer to an employee should generally become part of the contractually owed service by way of the implied agreement (BAG March 23, 2011 - 10 AZR 562/09 - 29; Federal Labor Court of September 29, 2010 - 10 AZR 588/09 - marginal number 15; Federal Labor Court of March 13, 2007 - 9 AZR 612/05). This could indicate that, in the event of a breach of official duties, a contractual sanction with regard to the underlying employment contract is also possible. c) From the point of view of the Chamber, however, the systematics as well as the meaning and purpose of the regulation in Section 6 (4) BDSG in conjunction with Article 38 speak in favor Para. 3 DS-GVO against such an understanding. Section 6 (4) makes a clear distinction in sentences 1 and 2 between protection against dismissal and protection against dismissal of the data protection officer: While reasons for dismissal must be determined in accordance with Section 626 BGB (according to the case law of the Federal Labor Court, important reasons are particularly important if are related to the function and activity of the data protection officer and make it impossible to continue to exercise this activity or at least significantly endanger it, BAG March 23, 2011 - 10 AZR 562/09 mwN), the termination of the employment relationship is generally inadmissible, unless it is given grounds for termination without notice. If the legislature had wanted a synchronism in such a way that a breach of official duty justifies the termination of the employment relationship without notice and, conversely, a breach of duty in the employment relationship justifies dismissal, there would have been no need for statutory differentiation. This point of view also corresponds to the legislative purpose of § 6 Para. 4 BDSG: With regard to his office, the commissioner should be protected against dismissal without reason in favor of free exercise of his office. At the same time, the possible conflicts in the employment relationship that flow from the office are taken into account by granting him special protection against dismissal. In the opinion of the Chamber, this double protection of the status quo excludes the termination of the employment relationship due to breaches of official duties in cases such as the present one. The development of the case law of the BAG with regard to a necessary partial termination in the event of the dismissal of the data protection officer also supports this view: During the BAG in its decision of March 13, 2007 - 9 AZR 612/05 for the effective dismissal of the beneficiary additionally demanded a partial termination of the employment relationship (with the argument of the implementation of the duties as a data protection officer in the duties of the employment contract), it disagreed with this view in more recent decisions (BAG September 29, 2010 - 10 AZR 588/09 - Rn. 15; BAG March 13, 2007 - 9 AZR 612/05). in the breach of duties as a data protection officer, because di e In such a case of pure breach of official duty, dismissal will always represent the milder means compared to ending the entire employment relationship by way of termination. there is also no constellation in which there is also a breach of duty under the employment contract. The termination is therefore ineffective.2. Even if, in the event of a breach of official duties by a data protection officer, the notice of termination of the employment relationship on which the appointment is based is not considered to be excluded, the termination fails because the defendant did not demonstrate a specific breach of duty by the plaintiff. a) According to Section 626 Paragraph 1 of the German Civil Code, the employment relationship can be terminated for good cause without observing a period of notice if there are facts that make it unreasonable for the terminating party to continue the employment relationship even until the end of the period of notice, taking into account all the circumstances of the individual case and weighing the interests of both parties to the contract can be. It must first be checked whether the facts without their special circumstances "in themselves" and are therefore typically suitable as an important reason. A further examination is then required as to whether the continuation of the employment relationship is reasonable for the person giving notice, taking into account the specific circumstances of the case and weighing the interests of both parties to the contract - at least until the end of the period of notice - or not (BAG October 20, 2016 - 6 AZR 471 /15 - paragraph 14; Federal Labor Court of March 17, 2016 - 2 AZR 110/15 - paragraph 17). an explanation of specific breaches of duty by the plaintiff. The duties of the data protection officer are not subject to instructions, but rather statutory tasks in which the official is not subject to instructions, Art. 38 Para. 3 DS-GVO. According to Art. 39 DS-GVO, he is primarily responsible for information, advice and monitoring tasks. According to Art. 4 No. 7 DS-GVO, on the other hand, responsible for the implementation of the requirements of the GDPR and the BDSG, which specifies and supplements them, is “the natural or legal person, authority, institution or other body that alone or together with others decides the purposes and means of processing personal data”, in this case the defendant. The data protection problems put forward by the defendant from P.'s report only show certain deficiencies as a result of an incomplete implementation of data protection regulations, e.g. a missing data protection management system. No statement is made on the question of responsibility. Rather, from the point of view of the Chamber, the defendant, as the responsible body within the meaning of Art. 4 No. 7 DS-GVO, is organizationally obliged to implement it, whether by using external help or by instructing its own employees to implement it . This precludes the employer from claiming that the data protection officer is responsible for establishing a proper level of data protection. In addition, this should not be possible even at first glance: At the time of his appointment as the defendant's data protection officer in 2018, the plaintiff was head of the legal department with a contractual working time of "at least 40 hours". The task of data protection officer was also assigned to him. If the defendant's case was correct, the plaintiff would have had to work an additional 20 hours a week, which would ignore essential working time provisions. For the acceptance of a corresponding contractual will, aimed at such an agreement, clear indications are required. The Chamber is unable to identify such. It follows from this that the plaintiff, when he was appointed data protection officer, was not at the same time responsible for ensuring that all data protection regulations were complied with in the defendant's company. Concrete violations of the typical duties of the data protection officer in the area of control and advice the defendant did not set out. The question as to the extent to which numerous data protection law processes had already been initiated after P.'s report and the activities listed by the plaintiff in Annex K6 are therefore no longer relevant. c) Even if an employment contract breach of duty by the If the plaintiff would like to see that he had not pointed out the insufficient level of data protection to the defendant with sufficient clarity, a relevant warning would have been necessary before a dismissal could be issued, especially since the defendant states that she has been working for years ung of the plaintiff was dissatisfied. The simultaneous issuing of three warnings in 2021, which also does not affect the plaintiff's data protection tasks, but other performance deficiencies such as the incomplete implementation of the contents of a workshop, the non-consideration of the results of a risk analysis by a consulting company when concluding a contract and those from the defendant's point of view incorrect assertion by the plaintiff about a high degree of goal achievement during a discussion about the goals he had achieved cannot justify the prognosis that the plaintiff would not have changed his behavior if a further warning was issued with regard to the fulfillment of data protection obligations. The defendant is also free to do so , to revoke the plaintiff's appointment as data protection officer as a milder means compared to termination without notice and to commission another employee with this, provided that actual breaches of duty in the area of official performance as Da Tenant protection officer present.Since the defendant's pleading of December 27, 2022 does not result in any new and significant factual submissions, the plaintiff was not to be granted a pleading discount.3. The reinterpretation of the ineffective termination without notice as an ordinary termination is not possible. At the time of the termination, the plaintiff enjoyed the special protection against dismissal for data protection officers according to §§ 38 Para. 2, 6 Para. 4 Sentence 2 BDSG. According to Section 6 (4) sentence 2 BDSG, the termination of the employment relationship of a data protection officer is not permitted unless there are facts that entitle the public body or the employer to terminate the contract for good cause without observing a notice period Termination of the employment relationship of a data protection officer excluded. The cost decision follows from §§ 91 paragraph 1, 92 paragraph 1, 269 paragraph 3 sentence 2 ZPO. It follows the subject conditions. The determination of the amount in dispute results from Section 61 (1) ArbGG in conjunction with Sections 3 et seq given. Nevertheless, the appeal is permissible for the defendant according to Section 64 (2) (c) ArbGG.