The GDPR protects Data Protection Officers against dismissal. Does this mean that an employer cannot fire the appointed DPO? And does this mean that someone who merely wants maximum job security, should become a DPO?
In many countries, there are certain circumstances in which employees are legally protected against dismissal, for example if the employee is sick or pregnant, or a member of a works council. And now, with the advent of the General Data Protection Regulation (GDPR), also if the employee is a Data Protection Officer (DPO).
What does a DPO do, and why is a DPO protected?
Each organisation who has appointed a DPO, must involve the DPO in all issues which relate to the protection of personal data. The GDPR explicitly provides the tasks of the DPO, which are to inform and advise the organisation about privacy-related matters, monitor compliance with privacy-laws, cooperate with the supervisory authority, and act as a contact point, both for supervisory authorities, as well as data subjects.
The DPO must be somewhat independent of the organisation, because he or she must be able to balance the interests of the organisation with the interests of the people whose data may be processed by the organisation. In this respect, the DPO’s role is somewhat comparable to a works council, which represents the interests of employees.
A DPO or a works council member cannot be expected to be able to represent the interests of any party other than the organisation’s interests, if he could be fired for it. Likewise, the employer may not provide any instructions to the DPO on how to perform its tasks, as that would equally impair the DPO’s independence.
Do I actually need to appoint a DPO?
Organisations are required by the GDPR to appoint a DPO if the organisation: (a) is a public body, (b) engages in regular and systemic monitoring of people’s activities on a large scale, as a part of the organisation’s core activities, or (c) processes sensitive personal data (such as medical records) on a large scale. The DPO can be appointed either internally or externally, for example one of Legal ICT’s (virtual) privacy officers.
The DPO’s protection against dismissal
For reasons as described above, the GDPR holds that the DPO “shall not be dismissed or penalised by the controller or the processor for performing his tasks”. For example, if a DPO concludes that a particular processing of personal data is high risk and requires a data protection impact assessment, whereas the organisation disagrees, the DPO cannot be fired for giving this advice.
This protection against dismissal applies to fixed term contracts, as well as temporary contracts. The protection of DPO’s is not limited to employees, it also applies to external DPO’s. Although an organisation may decide not to extend or renew a temporary contract, a DPO may be able to challenge this decision with the argument that it was merely for performing his tasks.
When can a DPO be fired?
The protection against dismissal only extends to the DPO’s performance of the DPO’s tasks, as assigned under the GDPR. This protection will not apply in other circumstances, such as the following:
- Criminal acts or gross misconduct, such as theft, or physical, psychological or sexual abuse;
- Bankruptcy of the organisation, or a part of it;
- Reaching the age of mandatory retirement (if applicable);
To answer the question in the first paragraph, it is certainly not impossible to fire a DPO. And attempting to become a DPO merely for reasons of job security is not advisable, as the protection applies for performing the DPO’s tasks, which may be complex and challenging, and not for not performing them, or other grounds for dismissal.
Deciding whether you want to hire a DPO? Make sure you evaluate the potential DPO’s qualifications and skills. Also make sure you have a plan to keep the DPO competent. Still not sure? Consider hiring a DPO of another company, such as Legal ICT.