LAG Mecklenburg-Western Pomerania - 5 Sa 108/19

From GDPRhub
LAG Mecklenburg-Western Pomerania - 5 Sa 108/19
CourtsDE-MV.png
Court: LAG Mecklenburg-Western Pomerania (Category)
Jurisdiction: Germany
Relevant Law: Article 37 GDPR
Decided: 25. 2. 2020
Published:
Parties: Unknown
National Case Number/Name: 5 Sa 108/19
European Case Law Identifier:
Appeal from:
Appeal to:
Original Language(s): German
Original Source: landesrecht-mv.de (in German)
Initial Contributor: n/a

The State Labour Court Mecklenburg-Western Pomerania (Landesarbeitsgericht Mecklenburg-Vorpommern) ruled on a dismissal of a data protection officer. The Court argued that the position as an internal data protection officer cannot be completely separated from the underlying employment relationship. Therefore, a serious breach of general employment contract duties can mean that it is no longer possible to reliably exercise self-regulation under data protection law.

English Summary[edit | edit source]

Facts[edit | edit source]

The defendant revoked the plaintiff’s appointment as a group data protection officer due to the allegations that the plaintiff had illegally set up a pension commitment for the then commercial director in collusive cooperation and had likewise acted on his own pension promise without an effective legal basis.

Plaintiff[edit | edit source]

TThe plaintiff took the view that the revocations of the appointment as group or data protection officer were ineffective since there was no important reason. The plaintiff argued that he had not violated his obligations as data protection officer.

Defendant[edit | edit source]

The defendant argued that the plaintiff lacks the necessary reliability for the work of the data protection officer. In the defendant’s view, there was no entitlement to a company pension scheme and the plaintiff's legal opinion was not justifiable. Only the Supervisory Board was responsible for the promise of a pension. The plaintiff disregarded the objections expressed by the head of payroll accounting and two other employees. He also did not involve the defendant's supervisory board.

Dispute[edit | edit source]

The State Labour Court Mecklenburg-Western Pomerania had to decide, whether the plaintiff has violated any general obligations from the employment relationship that prevent further use in the role of data protection officer.

Holding[edit | edit source]

The Court stated that the data protection officer must not only have the necessary specialist knowledge, but also offer the guarantee that he will carry out his duties conscientiously and not against his obligations as a data protection officer, e.g. B. violates his duty of confidentiality. A serious violation of general employment contract obligations can also jeopardize reliability, e.g. theft, embezzlement, intentional damage to reputation, assault against other employees, etc. The reliability must be assessed taking into account the purpose of the appointment of a data protection officer. The data protection officer has the task of ensuring effective self-monitoring of the data protection regulations, in order to relieve public control bodies at the same time. The person appointed to the data protection officer must be able to guarantee effective self-control in addition to expertise. With an internal data protection officer, his position as a data protection officer cannot be completely separated from the underlying employment relationship. A serious breach of contractual obligations can mean that it is no longer possible to reliably exercise self-regulation under data protection law.

The court argued that the plaintiff has the necessary reliability for the work of the data protection officer. In the opinion of the court, the plaintiff has not violated any general obligations from the employment relationship that prevent further use in the role of data protection officer

Comment[edit | edit source]

Add your comment here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Dismissal of a data protection officer

    1. The law does not link the activity as data protection officer to a specific training or specified specialist knowledge. Which expertise is required for this depends in particular on the size of the organizational unit to be supervised, the scope of the data processing processes involved, the IT processes used, the type of data generated etc. Knowledge of data protection law, the technology of data processing and the operational requirements are regular Procedures required.

    2. The according to § 20 DSG M-V a. F. The required reliability of an internal data protection officer can not only be questioned if he violates the duties associated with this task, but also in the event of a serious violation of general employment contract duties. With an internal data protection officer, his position as a data protection officer cannot be completely separated from the underlying employment relationship. A serious breach of contractual obligations can mean that it is no longer possible to reliably exercise self-regulation under data protection law.


State Labor Court of Mecklenburg-Western Pomerania 5th Chamber of Appeals, judgment of 25.02.2020, 5 Sa 108/19

§ 18aF DSG MV, § 19aF DSG MV, § 20aF DSG MV, § 21aF DSG MV, § 22aF DSG MV, § 6 Abs 4 BDSG, § 37 EUV 2016/679, § 39 EUV 2016/679
tenor

    1. The defendant's appeal against the judgment of the Stralsund Labor Court of April 17, 2019 - 3 Ca 75/18 - will be rejected at their expense.

    2. The revision is not permitted.

Fact

1

    The parties argue about the effectiveness of the removal of the data protection officer.

2nd

    As a corporation under public law, the defendant operates a university hospital with more than 4,100 employees. The group of companies includes a further 11 companies with a total of around 900 employees. The plaintiff, born in November 1966, is an assessor of rights (ass. Jur.), That is, a fully qualified lawyer. On May 7, 2007, he concluded a special service contract with the defendant on employment as head of personnel from August 1, 2007. The employment contract stipulates a regular weekly working time of 46 hours and a fixed annual basic salary of € 82,000 gross, as well as performance and success-related payments and the provision of a privately usable company car. In addition, the usual company pension scheme is granted under the agreement currently concluded with the DUK pension scheme.

3rd

    A few months after his appointment, the plaintiff wrote a decision dated December 19, 2007, in which he came to the conclusion that Mr. G., the commercial board member in charge of him, is entitled to a company pension. As a reason, he referred to the reference clause in the service contract with Mr. G. dated October 24/30, 2006, according to which the applicable collective agreements apply, unless otherwise specified in the service contract. The plaintiff referred to the written assertion by Mr. G. dated December 18, 2007 and considered it necessary to set up a company pension scheme retrospectively within the exclusion period in accordance with the benefit plan of the DUK pension scheme. The defendant then set up such a company pension scheme for Mr. G.

4th

    In 2008, the plaintiff was appointed managing director of Personalservice Gesundheitswesen GmbH, a subsidiary of the defendant. On November 1, 2009, the plaintiff established an employment relationship with a minor subsidiary of the defendant, HKS Rettungsdienst A-Stadt GmbH.

5

    On October 23, 2014, the parties concluded an amendment agreement with effect from January 1, 2015, in which u. a. the reference clause, the remuneration scheme and the task have been redrafted. This also includes the plaintiff's appointment as data protection officer (insofar as matters of the HR department are not affected) and his appointment as 2nd waste officer. Mr. G. left the defendant on December 31, 2014 and was replaced by Mrs. L. with effect from January 1, 2015.
6

    In a letter dated July 10, 2015, the State Commissioner for Data Protection and Freedom of Information Mecklenburg-Western Pomerania informed the plaintiff when asked to classify the scope of work of the data protection officer at University Medicine as a full-time job. The parties concluded another amendment contract on September 18, 2015. Thereafter, the plaintiff will continue to work for 25% of his working time as a legal advisor and as a second waste officer from 17.09.2015. As a legal advisor, he is assigned to the area of the commercial board of directors without being entrusted with tasks related to human resources and / or data processing. In addition, the contract provides for 75% of his working hours to be released for the duties of the official data protection officer and the group data protection officer. Furthermore, the amendment agreement stipulates that the company pension scheme will be closed as of September 30, 2015 and that there will be no entitlement to future employer pension benefits. To compensate for this, the plaintiff receives an allowance.

7

    The plaintiff organized internal data protection conferences to which he invited the local data protection officers. As part of in-house training, he offered training on various data protection issues. He participated in various committees and working groups. The defendant and its subsidiaries incur more than 10,000 data processing operations every day. In the email dated February 17, 2017, the plaintiff asked the commercial board of directors to be reinstated in the department heads in order to be able to fulfill his duty to monitor and advise as data protection officer. The request was unsuccessful.

8th

    The plaintiff has been a member of the defendant's staff council since 2017.

9

    The former commercial director, Mr. G., received a one-time payment from the company pension scheme in 2017 in the amount of € 260,395.91.

10th

    On January 30, 2018, the defendant held a conversation with the plaintiff on the status of the implementation of the EU General Data Protection Regulation (GDPR), which came into force in May of the year, both in-house and at the subsidiaries. In a letter dated January 31, 2018, the plaintiff commented on this and reported on the ongoing legislative procedures in the state of Mecklenburg-Western Pomerania to adapt general and area-specific data protection law, in particular the data protection and state hospital law (DSG M-V, LKHG M-V). He also referred to an article he wrote about the GDPR in the magazine "f & w lead and manage in the hospital", issue 02/17. The penultimate sentence of the letter dated January 31, 2018 states:
11

    "Logically, the data protection officers can only implement the data protection laws of the country after the laws come into force."

12th

    With the essentially identical letters of February 19, 2018, the subsidiaries listed below revoked the defendant's subsidiaries with immediate effect from the plaintiff's appointment as group or data protection officer:

13

    - Service center A-Stadt GmbH,

    - Medical care center at the Universitätsmedizin A-Stadt GmbH,

    - Universitätsmedizin A-Stadt MVZ GmbH,

    - KID Krankenhaus Informatik und Dienstleistungen GmbH,

    - HKS Rettungsdienst A-Stadt GmbH,

    - Medical Service A-Stadt GmbH,

    - District Hospital W. gGmbH,

    - Palliativnetzwerk Vorpommern GmbH,

    - Health center A-Stadt GmbH and

    - Personalservice Gesundheitswesen GmbH.

14

    In a letter dated February 20, 2018, the defendant revoked the plaintiff's appointment as group data protection officer with immediate effect. All of the letters were received by the plaintiff on February 24, 2018.

15

    On February 27, 2018, the defendant held another interview with the plaintiff, prohibiting him from working as a data protection officer for the defendant and the subsidiaries mentioned. After the plaintiff had pointed out in the conversation that the defendant had not yet revoked his appointment as data protection officer, the defendant made up for this in a letter dated February 27, 2018, which the plaintiff received on March 1, 2018.

16

    By letter dated February 28, 2018, the defendant applied to the entire staff council for approval of an intended extraordinary notice of change by the plaintiff, provided with the change offer, then as a lawyer with the commercial board of directors and as a second waste officer with a regular weekly working time of 39 hours and that corresponding to the collective agreement Remuneration to continue working. The entire staff council did not agree to the extraordinary termination notice on March 8, 2018. Likewise, the staff council for non-scientific employees rejected such a notice of change on 13.03.2018. The defendant then appealed to the administrative court to have the consent replaced in court. A decision has not yet been made.

17th

    In a letter dated 8/13/2018, which the defendant received on 8/15/2018, the State Commissioner for Data Protection and Freedom of Information M-V complained about a violation of data protection regulations after the staff council for the non-scientific employees had submitted a complaint regarding the personal data visible in the TDA electronic roster system. The TDA roster system had been in operation for several years. There were a. Personnel numbers, hours worked, prohibitions of employment and sick leave are stored, which all employees of the station could see. In particular, the state commissioner considered the disclosure of health data ("sick") to all ward staff to be unnecessary and therefore inadmissible. He asked the defendant to submit the processing directory for the TDA, in particular he called for a rights and role concept and deadlines. Otherwise, he promised a fine. In his statement to the staff council on July 20, 2018, the newly appointed external data protection officer also assumed that the defendant had been informed on July 24, 2018.

18th

    As a precaution, the defendant revoked the plaintiff's appointment as Group and data protection officer by letter dated August 27, 2018. The 10 subsidiaries mentioned also declared the cancellation of the order again, also on August 27, 2018.
19th

    On 10.09.2018, the defendant held a personal interview with the plaintiff on the allegations that he had illegally set up a pension commitment for the then commercial director, Mr. G., in collusive cooperation and had likewise acted on his own pension promise without an effective legal basis. The defendant then irrevocably released him from work and banned him from the house. In a letter dated September 13, 2018, the defendant also applied to the staff council for the non-academic staff as well as to the general staff council for consent to the intended extraordinary termination of the plaintiff, or alternatively with an expiration period. As the staff councils refused to give their consent, the defendant contacted the VG Greifswald on September 23, 2018 (file number 7 A 1419/18). The subject of another legal dispute is the continuation of the employment relationship with HKS Rettungsdienst A-Stadt GmbH after pronouncement of an extraordinary, alternatively ordinary termination on September 21, 2018 (ArbG Stralsund, judgment of April 3, 2019, file number 3 Ca 239/18; LAG Mecklenburg-Vorpommern , Judgment of 16.10.2019, file number 4 Sa 104/19).

20th

    After the defendant initially exempted the plaintiff's activity as a member of the general staff council from the house ban, she now wrote in a letter dated November 9, 2018 to appeal for his membership in the general staff council to be suspended in accordance with section 22 (3) PersVG M-V. According to this provision, membership of the staff council is suspended as long as an employee is prohibited from conducting official business or an official is temporarily suspended due to a pending disciplinary or investigation procedure. The defendant also filed criminal charges against the plaintiff (StA Stralsund, file number 534 Js 23379/18).

21

    At first instance, the plaintiff took the view that the revocations of the appointment as group or data protection officer were ineffective. There was no important reason within the meaning of section 626 (1) BGB, section 20 DSG MV (old version). In addition, the exclusion period of Section 626 (2) BGB was not met. The plaintiff had not violated his obligations as data protection officer. The defendant combines the tasks of the data protection officer with those of the data protection officer. The task of the data protection officer is not the operational implementation of the legal requirements, but the control of the implementation. As the data protection officer, the plaintiff is an adviser to the employer and the employee. In no case was he idle. He had worked intensively on the new data protection regulations, as the article in f & w shows. He brought the data protection issues into the IT commission. He also played a key role in founding the Working Group on Data Protection at University Hospitals. He is a member of the data protection law working group of the Mecklenburg-Western Pomerania Hospital Society. He forwarded recommendations for action to the responsible authorities.

22

    The applicant had not treated the pension provision issue G. incorrectly. The legal basis for the pension commitment results from the employment contract concluded by the Supervisory Board. This does not contain any regulations on company pensions, so that the reference clause applies. Certain areas of the collective agreement were expressly excluded in the employment contract, such as working hours, categorization or remuneration. However, the collective bargaining provisions on pensions are not covered by this. Accordingly, § 25 TV-L was to be applied, according to which Mr. G. could have claimed a company pension scheme with his own contribution. A company pension scheme was also granted to other board members. a. Mr. B. and Mr. H .. Mr. G. had approached the plaintiff and had informed that originally a surcharge had been paid to the VBL (Federal and State Pension Fund), but not after the switch to the DUK pension scheme more happen. Mr G. had assumed an administrative oversight and asked the plaintiff for a legal check. Since the plaintiff was not aware of the background and did not want to disgrace himself during the trial period, he coordinated this with Mr. B. from the legal department. The employment contracts of board members B. and H. were also examined in the same way, also with a positive result. The folder with the documents on the company pension scheme for Mr. G. was not kept hidden, as the defendant claims, but was visible to all employees in the HR department.
23

    The pension scheme set up for the plaintiff complied with the contractual regulations. The premium adjustment was based on the annual salaries submitted by the defendant. Insofar as the DUK pension scheme initially set up another company pension scheme for the plaintiff in 2008, this was an accident on the part of the pension scheme, as the pension scheme confirmed in a letter dated September 17, 2018. According to the letter, the pension fund erroneously set up a second pension for the plaintiff for reasons that are no longer understandable. The defendant's contributions were therefore credited back in January 2019. The contribution rate is not uniform for all employees, but is determined individually according to age, pension entitlement, reinsurance periods, etc. According to the articles of association, his contribution rate was 9.65%; the average contribution rate of all employees at that time was 3.9%.

24th

    The plaintiff has applied at first instance, insofar as it is still relevant for the appeal process,

25th

    1. Determine that the revocation of the plaintiff's appointment as defendant's data protection officer and defendant's group data protection officer from 19/20/02/2018 and 27/02/2018 is ineffective, and

26

    2. Determine that the revocation of the plaintiff's appointment as defendant's data protection officer and defendant's group data protection officer is ineffective on August 27, 2018.

27

    The defendant applied to dismiss the action. It took the view that the revocations were justified. The plaintiff had completely failed to work towards implementing the provisions of the GDPR. The implementation of the GDPR and the additional provisions is associated with a considerable amount of time and content. First, an inventory of your own data processing should be made. Then the need for adjustment should be determined and specific measures derived and implemented. If the defendant does not comply with this, they can expect considerable sanctions, namely fines of up to 10 or even 20 million euros. The data protection officer should proactively accompany the implementation of the GDPR and make his own suggestions. In the letter of January 31, 2018, the plaintiff indicated that he was unwilling to meet his obligations. At no time did he point out the data protection problems of the duty roster system TDA, but rather contributed to it. Only the newly appointed external data protection officer had expressed concerns to the staff council.

28

    In addition, the plaintiff lacks the necessary reliability for the work of the data protection officer. The plaintiff approached the then commercial director, Mr. G., shortly after taking up employment and offered to include him in the company pension scheme. Mr. G.'s executive board employment contract refers to collective agreements. However, this only applies if nothing else arises from the contract. The systematic interpretation of the contract means that there is no entitlement to a company pension scheme. This shows the heading of § 4 "Disability / old age pension". Under § 4 there are only regulations on incapacity for work, which is why retirement benefits are therefore excluded. The plaintiff's legal opinion was not justifiable. Only the Supervisory Board was responsible for the promise of a pension. The plaintiff disregarded the objections expressed by Ms. K., head of payroll accounting, and Ms. T., payroll accountant, that Mr. G., as a member of the executive board, was not entitled to occupational pensions, by relying on his two employees Appointed position as supervisor. He also did not involve the defendant's supervisory board. He had filed the documents for retirement provision G. in a separate folder. He personally managed the major part of the correspondence with the provident fund. The current commercial director, who has been in charge since January 1, 2016, learned of these events for the first time on August 27, 2018.

29

    In addition, the plaintiff, with the approval of Mr. G., had his contributions increased from 3.9% of the eligible net income to 9.65%. As a result, the monthly contribution increased from € 275.68 to € 671.54. In doing so, the plaintiff is guilty of punitive infidelity.
30th

    The labor court upheld the complaint to the extent of the applications still relevant here. The revocation of the plaintiff's appointment as data protection officer and group data protection officer are ineffective. There are no reasons for this within the meaning of section 20 (2) sentence 2 DSG M-V a. F. in connection with § 626 BGB. In view of the independent position of the data protection officer, dismissal is only permitted for serious reasons. A permanent violation of the control obligations could result in a reason for the dismissal. However, the defendant has not set out any circumstances from which such a breach of duty can be derived. The plaintiff dealt with the GDPR in good time. Their actual implementation could only take place after it came into force. The same applies to the new version of the DSG M-V and the LKHG M-V, which had not yet been adopted. The plaintiff also participated in various committees and working groups. The plaintiff did not support the electronic duty roster system, since it had not been introduced during his time as data protection officer. Insofar as the defendant relies on irregularities in the setting up of pension commitments, there is no reference to the activities as data protection officer.

31

    The defendant opposes this with its timely and reasoned appeal. The labor court was wrong to assume that the revocation of the plaintiff's appointment as data protection officer was not effective. Despite the imminent entry into force of the GDPR, the plaintiff remained completely inactive. The defendant could have expected the plaintiff to actively participate in the preparations for the implementation of the GDPR. The plaintiff was obliged to get an overview of the systems relevant to data protection law. Instead, the plaintiff behaved in a purely passive and dilatory manner in order to conceal his lack of expertise and his unreliability. The applicant had not grasped the scope of his duties at all. In the interests of effective data protection, the defendant was forced to appoint a technically suitable successor for the plaintiff. In addition, the labor court failed to recognize that the plaintiff had seriously violated ancillary contractual obligations and was relevant under criminal law. The plaintiff lacks personal integrity. The participation he wished in the extended department head rounds had no connection with his duties as data protection officer. The board always kept him well informed.

32

    The defendant claims that

33

    to amend the judgment of the Stralsund Labor Court of April 17, 2019, file number 3 Ca 75/18, and dismiss the lawsuit.

34

    The applicant claims that

35

    dismiss the defendant's appeal.
36

    He defends the decision of the labor court. The plaintiff has always and fully complied with the duties of data protection officer. The plaintiff dealt with the GDPR and participated in various committees and working groups. He did not support the electronic duty roster system TDA. Rather, Ms. L., the chairperson of the personnel council for the non-scientific employees, asked him about the recording of the disease data in the TDA after a training course on data protection he had conducted. The plaintiff considered this to be inadmissible, but at the same time informed Ms L. about his dismissal as data protection officer and referred her to the new data protection officer. The latter then confirmed the plaintiff's legal opinion.

37

    For further details of the state of affairs and the dispute, reference is made to the parties' written pleadings and annexes, the minutes of the meetings and the contested labor court judgment.

Reasons for decision

38

    The defendant's appeal is admissible, but not justified. The labor court has rightfully upheld the claim, which is still pending here.

39

    The defendant did not effectively revoke or effectively revoke the plaintiff's appointment as official data protection officer and group data protection officer either by letter dated February 19/20/27, 2018 or by letter dated August 27, 2018.
40

    The effectiveness of the revocation depends on the applicable legal situation. The relevant assessment basis for the lawfulness of a revocation are, just like for a termination, the objective conditions at the time of receipt of the revocation declaration (see termination: BAG, judgment of December 5, 2019 - 2 AZR 223/19 - paragraph 39, juris = NZA 2020, 227). The general principles apply to the burden of proof and proof. Thereafter, the claimant bears the burden of proof and proof for the legal justification, the defendant bears it for the right-destroying, right-hindering and legal-inhibiting features (BAG, judgment of 28 February 2019 - 8 AZR 201/18 - paragraph 32, juris = NZA 2019, 1279).

41

    1. Revocations from 19/20/27 February 2018

42

    According to § 20 Para. 2 Clause 2 DSG MV in the version valid until May 24, 2018 (as amended), the appointment to the official data protection officer can be revoked in writing if a conflict of interest arises with his other official duties or another important reason corresponding application of § 626 BGB exists. Before the decision on the revocation, the official data protection officer must be heard (Section 20 (2) sentence 3 DSG M-V a. F.).

43

    A conflict of interest exists if the data protection officer primarily has to monitor his own activities (BAG, judgment of December 5, 2019 - 2 AZR 223/19 - paragraph 25, juris = NZA 2020, 227; BAG, judgment of March 23, 2011 - 10 AZR 562/09 - paragraph 24, juris = ZTR 2011, 561). Membership of the works council is generally compatible with the work of a data protection officer (BAG, judgment of March 23, 2011 - 10 AZR 562/09 - paragraph 25, juris = ZTR 2011, 561).

44

    An important reason in the corresponding application of § 626 BGB is given if there are facts on the basis of which the employer can no longer be expected to take on the employee's role as data protection officer, taking into account all circumstances of the individual case and considering the interests of both contracting parties . In particular, those that are related to the function and activity of the data protection officer and make it impossible to continue performing this activity or at least significantly endanger it, such as a betrayal of secrets or a permanent violation of the data protection control obligations (BAG, judgment of 23. March 2011 - 10 AZR 562/09 - Rn. 15, juris = ZTR 2011, 561; Greiner / Senk, NZA 2020, p. 206 f.). However, it is not enough that the employer now considers another person, be it another employee or an external service provider, to be more suitable. This is countered by the independence and freedom of instruction of the data protection officer. The data protection officer should be able to carry out his control activities in the interest of data protection without fear of dismissal (BAG, judgment of March 23, 2011 - 10 AZR 562/09 - paragraph 14, juris = ZTR 2011, 561).

45

    According to Section 20 Paragraph 1 Sentence 3 DSG M-V a. F. only be ordered if you have the expertise and reliability required to perform your task. If these prerequisites are no longer met, it is generally not reasonable for the employer to continue to leave the person concerned in the role of data protection officer, especially since this would cause him to behave unlawfully.

46

    The official data protection officer has pursuant to Section 20 Paragraph 3 DSG M-V a. F. the task of monitoring the data processing body in the implementation of this law and other regulations on data protection and giving advice on implementation. He can request information and inspect files and files insofar as this is necessary for the performance of his tasks. Professional and official secrets cannot be held against him. To assist him, he can contact the data protection officer at any time. The duties of the official data protection officer include in particular:
47

    1. work towards compliance with data protection regulations when introducing data processing measures,

48

    2. To make the persons involved in the processing of personal data familiar with the provisions of this law and the other provisions on data protection by taking suitable measures.

49

    3. to support the data processing body in the implementation of the measures required by Sections 18, 21 and 22,

50

    4. keep the directory according to § 18 and

51

    5. carry out the prior check according to § 19.

52

    According to § 18 Abs. 1 DSG M-V a. F. the data processing body is obliged to specify in a description for each method it uses and to transmit it to the official data protection officer to keep the directory:

53

    1. the name of the process and the processing body,

54

    2. the purpose and legal basis of the processing,

55

    3. the type of data stored,

56

    4. the group of those affected,

57

    5. the group of recipients to whom the data are communicated,

58

    6. Planned data transfers to third countries,

59

    7. a general description of the technical and organizational measures.

60

    The establishment or the essential change of an automated process for the processing of personal data requires the approval of the head of the data processing agency or a representative commissioned for it (§ 19 Paragraph 1 Clause 1 DSG M-V a. F.). The official data protection officer is responsible in accordance with Section 19 Paragraph 2 Sentence 1 DSG M-V a. F. give you the opportunity to check beforehand whether data processing is permitted and whether the measures envisaged in accordance with Sections 21, 22 DSG M-V a. F. are sufficient (prior check).

61

    In § 21 DSG M-V a. F. general measures for data security are listed. According to this, it must be ensured in particular that

62

    1. only authorized persons can take note of (confidentiality),

63

    2. Personal data remains intact, complete and up-to-date during processing (integrity),

64

    3. personal data are available in a timely manner and can be processed properly (availability),

65

    4. personal data can be assigned to its origin at any time (authenticity of the data),

66

    5. With the participation of the staff or employee representative, a logging procedure is determined by the data processing body, which allows the determination of who processed which personal data and in what manner (auditability) and

67

    6. The procedures for the processing of personal data can be fully and reasonably understood (transparency).

68

    § 22 DSG M-V a. F. describes the special measures for data security when using automated processes. According to this, automated procedures are to be designed in such a way that processing of personal data is only possible after the user's authorization has been determined (para. 1). Access with which changes to automated processes can be brought about should only be possible for those who are expressly authorized to do so. The access of these people must be logged and checked (Paragraph 2). If personal data is processed by the processing agency outside of its premises with the help of information technology devices, the data stocks are to be encrypted (Paragraph 3). If personal data is only to be stored automatically, it must be logged when, by whom and in what way the data was stored, which also applies to the change and transmission of the data (para. 4 sentences 1 and 2).

69

    The plaintiff has both the necessary expertise and the required reliability to perform the tasks incumbent on the official data protection officer.

70

    The law does not link the work of the data protection officer to a specific training or specified specialist knowledge. Which expertise is required for this depends in particular on the size of the organizational unit to be supervised, the scope of the data processing processes involved, the IT processes used, the type of data generated etc. Knowledge of data protection law, the technology of data processing and the operational requirements are regular Processes required (Döpfler, EU-GDPR and BDSG, 2nd edition 2020, GDPR Art. 37, para. 18; Gola DS-GVO / Klug, 2nd edition 2018, GDPR Art. 37, para. 18) . If the data protection officer only has his own qualification in a sub-area, it is sufficient if he can also rely on competent employees (Kühling / Buchner / Bergt, 2nd edition 2018, GDPR Art. 37, para. 34). Furthermore, further training on the new technical developments and changes in the law or developments in case law are essential (BeckOK Data Protection Regulation / Moos, 31st Ed., As of 01.11.2019, GDPR Art. 37, marginal no. 60).

71

    As a fully qualified lawyer, the plaintiff is easily able to familiarize himself with the relevant data protection law and to apply it in practice. Due to the previous many years of work as head of HR, he was already familiar with the essential principles of data protection. The plaintiff is familiar with the details of the new data protection law, as its publication in the magazine f & w shows. There he outlined the principles of data protection and the essential innovations of the GDPR. Furthermore, he had informed himself about the status of the state law. The plaintiff was able to obtain information on the technical questions of data processing from the deputy data protection officer, a computer scientist.

72      
    In addition, the plaintiff has the necessary reliability for the work of the data protection officer. The data protection officer must not only have the necessary specialist knowledge, but also offer the guarantee that he will carry out his duties conscientiously and not against his obligations as a data protection officer, e.g. B. violates his duty of confidentiality. A serious violation of general employment contract obligations can also jeopardize reliability, e.g. theft, embezzlement, intentional damage to reputation, assault against other employees, etc. The reliability must be assessed taking into account the purpose of the appointment of a data protection officer. The data protection officer has the task of ensuring effective self-monitoring of the data protection regulations, in order to relieve public control bodies at the same time (BeckOK DatenschutzR / Moos, 31st Ed., As of: 01.11.2019, GDPR Art. 37, para. 1; Döpfler , EU-GDPR and BDSG, 2nd edition 2020, GDPR Art. 37, marginal 1; Paal / Pauly, DS-GVO BDSG, 2nd ed. 2018, GDPR Art. 37, marginal 3). The person appointed to the data protection officer must be able to guarantee effective self-control in addition to expertise. With an internal data protection officer, his position as a data protection officer cannot be completely separated from the underlying employment relationship. A serious breach of contractual obligations can mean that it is no longer possible to reliably exercise self-regulation under data protection law. If the data protection officer no longer has the necessary trust due to such misconduct, it may be a. excluded from entrusting him with the information required for his work, including professional and official secrets (section 20 (3) sentence 3 DSG M-V a. F.).

73

    The plaintiff has neither seriously violated his duties as data protection officer nor his duties from the employment relationship. Effective self-monitoring of data protection issues is still ensured.
74

    The plaintiff did not neglect his duties as data protection officer, for whom he was available with a regular weekly working time of 34.5 hours. Given the size of the area to be supervised, it is imperative to set priorities. The defendant and its subsidiaries process thousands of particularly sensitive medical data every day. In addition, there are personnel data from a total of around 5000 employees. Various data processing programs are in use. According to Section 20 (3) sentence 5 DSG M-V a. F. worked towards compliance with data protection regulations. He has made the employees familiar with the regulations of data protection. He answered numerous inquiries from his own company and from subsidiaries. He has participated in various committees and working groups.

75

    In his letter of January 31, 2018, the plaintiff did not declare that he did not want to meet his obligations. Compliance with the current data protection law, taking into account the relevant case law, is initially the responsibility of the defendant as operator of the clinics. The plaintiff as the data protection officer is the supervisory body. He has to support the defendant in the implementation of the necessary measures (Section 20 Paragraph 3 Clause 5 No. 3 DSG M-V a. F.). However, the implementation itself remains the responsibility of the defendant and its subsidiaries. The defendant was familiar with the GDPR as well as the plaintiff and was concerned with examining the need for adjustment. The penultimate sentence in the letter dated January 31, 2018 only refers to the "concrete" implementation of the data protection laws of the State of Mecklenburg-Western Pomerania, which at the time were only available as drafts. On the other hand, the data protection officers are addressed there. In addition, the letter only contains information on the status of the legislation. The plaintiff had already prepared for the anticipated legal changes by dealing with the GDPR and following the legislative process for state law.

76

    Until his release from the duties of the data protection officer, the plaintiff did not raise any data protection objections to the electronic duty roster system TDA. However, it does not follow from this that he neglected his duties as data protection officer. The multitude of tasks of a data protection officer often does not allow you to check all data processing processes on your own at short notice. The job made it necessary to set priorities, especially if this only made up part of the working time and at the same time other companies had to be looked after. Inquiries and complaints have to be dealt with, further training courses have to be carried out, information material has to be evaluated etc. The control duties are only neglected if the data protection officer does not exhaust the working hours available to him, even though the tasks have not yet been completed. That was not the case with the plaintiff. There were no indications of data protection problems of the TDA until the plaintiff was released from the duties of the data protection officer. The plaintiff did not classify the roster system as being compliant with data protection law. Rather, like the defendant, he saw no urgent reason for a more in-depth data protection review.

77

    The plaintiff has not violated any general obligations from the employment relationship that prevent further use in the role of data protection officer. The plaintiff did not purposefully damage or attempt to damage the defendant to the advantage of the then Commercial Director G. or for his own benefit. He did not deliberately ignore contractual, collective bargaining or legal regulations in order to illegally favor Mr. G. or himself. Confidence in the complainant's legally compliant conduct has not been destroyed.
78

    No conclusive assessment is required here of whether Mr. G. was entitled to a company pension scheme. In any event, the plaintiff's legal opinion in the decision of December 19, 2007 appears reasonable. The service contract with Mr. G. dated October 24/30, 2006 contains the term "old-age pension" in the heading to § 4. However, there is no regulation on old-age pension, neither positive nor negative. It is not clear why the contracting parties used the term pair "incapacity for work / retirement provision" there, especially since the two subjects of the regulation have no internal connection, but rather denote different life situations and benefits. In addition, § 4 of the employment contract contains no statements on pensions, despite the heading. Only legal consequences in the event of incapacity to work are specified there. Since the contract does not regulate or exclude a company pension scheme elsewhere, it is not far off to use the reference clause. In any case, the plaintiff did not clearly and unambiguously ignore the contract or other regulations in order to give Mr G. an advantage that is obviously not his. The plaintiff was not required to approach the supervisory board bypassing his superior. In the plaintiff's view, Mr. G.'s claim arose from the service contract that the Supervisory Board had concluded itself.

79

    The plaintiff did not procure too high a company pension in violation of the contract. Insofar as a contribution rate of 9.65% has been paid in his favor, a violation of contractual, collective bargaining or statutory provisions cannot be determined. Apart from this, the parties have reorganized the company pension scheme with the amendment agreement dated September 18, 2015 and closed it with effect from September 30, 2015. A correction for the past was not made at the time.

80

    2. Revocations from 08/27/2018

81

    Since May 25, 2018, the GDPR and the federal and state data protection laws coordinated with it have been applicable. According to section 6 (4) sentence 1 BDSG, the data protection officer may only be dismissed - as in the previous legal situation - only if section 626 BGB is applied accordingly. The comments on § 20 DSG M-V a. F. therefore apply accordingly under number 1.

82

    The data protection officer is appointed in accordance with Art. 37 Para. 5 GDPR on the basis of his professional qualifications and in particular the specialist knowledge he has in the field of data protection law and data protection practice, as well as on the basis of his ability to fulfill the tasks mentioned in Article 39 GDPR . The to § 20 DSG M-V a. F. mentioned standards are to be used accordingly. Personal reliability is no longer mentioned as a requirement. However, the data protection officer must have the ability to perform his tasks as specified in Article 39 GDPR. This results in similar requirements, so that reference can be made to the above explanations. A different assessment of the plaintiff's recall is not required based on the new data protection law. In addition, the plaintiff was no longer allowed to exercise his duties as data protection officer since the end of February 2018, so that he has not been able to violate his control obligations and other data protection tasks since then.

83

    The decision on costs follows from Section 97 (1) ZPO. There are no reasons for the approval of the revision. The legal dispute does not raise any relevant legal questions of fundamental importance.