It is impossible to imagine today’s world without the use of information technology systems. And yet, while the use of IT systems seems to facilitate everyday and professional life, it also harbors risks and dangers for the population. As a result of digitization in the business environment and the increased use of IT systems, vast amounts of personal data are being collected, including the confidential data of employees in a company. In the working world, this has led to increasing sensitivity regarding the handling of the collected personal data.
Constitutionally, this sensitivity is anchored in Article 2(I) in conjunction with Article 1(I) German Basic Law (Grundgesetz). The right to informational self-determination includes the right of individuals to decide for themselves on the disclosure and use of the collected data. In order to take sufficient account of this protection and to implement it in the company, there is a need for an independent “monitoring body.” This has been recognized by the legislator, stipulating a fundamental obligation to appoint a data protection officer, Section 4f Federal Data Protection Act (Bundesdatenschutzgesetz). The data protection officer’s main task is to ensure compliance with the Federal Data Protection Act and other relevant privacy laws (e.g., Telecommunications Act, Telemedia Act, etc.) in the company and to monitor and verify the proper use of data processing programs by the employer (Section 4g Federal Data Protection Act).
This constant monitoring of the employer may affect the relationship between the parties and frequently leads to conflicts. If the data protection officer is also an employee, these conflicts may ultimately endanger the existing employment relationship and the continued contractual collaboration. The German legislation recognized this risk in 2009. By amending the Federal Data Protection Act on August 14, 2009 the legislation introduced an appropriate “protection provision”: Section 4f(III) Federal Data Protection Act. The statutory provision now mitigates the risk of disadvantages for the data protection officer while strengthening the position at the same time. In order to be able to meet the obligations in full, the data protection officer is exempt from any instructions by the employer and is additionally subject to special protection.
In terms of content, these protective provisions establish a non-discrimination and non-disadvantage clause for the data protection officer. The data protection officer may only be removed from office by duly applying Section 626 German Civil Code (dismissal without notice for good cause), at non-public entities also at the request of the supervisory authority. In addition, the appointee enjoys subsequent special protection against dismissal; cf. Section 4f(III) sentences 5 and 6 Federal Data Protection Act. Accordingly, dismissal within one year of the termination of the data protection officer appointment is generally inadmissible, unless the employer is entitled to dismissal without notice for good cause.
But why is subsequent protection of the data protection officer necessary as well? Is it not enough to keep data protection officers free from discrimination and disadvantage by the employer only during their term of office? Apparently not. If this special protection against dismissal were no longer in place, the data controller could recall an “annoying” data protection officer and then pronounce dismissal in order to finally “get rid of” that particular data protection officer. This would make it possible for the data controller to exert indirect pressure on the data protection officer; it would mean that freedom of instruction and independence, and thus the protection of personal employee data, would be an empty exercise. Additional statutory provisions to strengthen the data protection officer’s position include the obligation to maintain confidentiality (cf. Section 4f(IV) Federal Data Protection Act) and the existence of a right to refuse to testify (Section 4f(IVa) Federal Data Protection Act). The data protection officer is also not liable to pay fines, cf. Section 43 Federal Data Protection Act. The aforementioned provisions will not be subject to any significant changes with the entry into force of the General Data Protection Regulation.
Against this backdrop, it is therefore advisable that data protection officers, whether internal or external, be carefully selected. Their tasks and functions require that communication with the employer is essential.
In addition, it should be taken into account in practice that an appointed representative of the data protection officer also enjoys the protection of Section 4f(III) Federal Data Protection Act. If this person has been appointed by the data controller and has actually and not only temporarily acted as data protection officer in the company, the provisions of Section 4f Federal Data Protection Act – and in particular the special protection against subsequent termination under Section 4f(III) sentences 5 and 6 Federal Data Protection Act – also apply (cf. Federal Labor Court, July 27, 2017 – Case: 2 AZR 812/16). Conclusion: The most recent decision once again highlights the essential role of the data protection officer and the associated protection of the collected and processed employee data. Despite the digitization of the working world, which is ultimately intended to achieve greater flexibility, the essential rights – such as the right to informational self-determination as a result of general freedom of action – must not be overlooked. While the continuing technological progress is intended to optimize work, this may not lead to the current standards of protection and the essential elements of Work 4.0 no longer being applied.
The statutory provisions on non-discrimination and the data protection officer’s freedom to issue directives under Section 4f Federal Data Protection Act succeed in combining the balancing act between this technological progress and the associated increase in the effectiveness of the working world on the one hand, and the protection of the right to informational self-determination of individuals in their everyday professional life, on the other hand.