GDPR responsibility lies with the company, not the data protection officer

Introduction

The GDPR (General Data Protection Regulation) has caused plenty of discussion in companies in recent years. Many were unsure who bears primary responsibility for compliance with the GDPR. However, a recent ruling by the Heilbronn Labor Court has provided clarity on this issue.

Background of the case

The plaintiff, 60 years old, had been employed by the defendant since October 1, 2002, most recently in the responsible position of attorney and head of the legal department. In this role, he was instrumental in the legal direction of the company and contributed to the resolution of complex legal challenges. Due to his expertise and commitment to data protection, he was appointed as the company’s data protection officer on December 1, 2018. In this role, he was responsible for monitoring compliance with the GDPR and other data protection regulations. Despite his many years of service and commitment to the company, disagreements arose between him and the defendant’s CEO. These differences led to tensions that eventually formed the background for the legal disputes.

Key points of the ruling

In its ruling of 29.9.2022 under case number 8 Ca 135/22, the court made important clarifications regarding the role and responsibility of data protection officers. It was clearly emphasized that termination without notice of a data protection officer based solely on mere breaches of official duties is considered invalid. If a data protection officer violates his/her duties, this can generally only serve as grounds for his/her dismissal, but not for termination without notice. Furthermore, the court emphasized that the main responsibility for implementing and complying with the GDPR lies with the company itself and not with the data protection officer. This underscores the central role that companies play with regard to data protection and the need to actively address the requirements of the GDPR.

Importance for companies

This ruling forcefully emphasizes how important it is for companies to deal intensively and continuously with the requirements of the GDPR. It is a common misconception that the mere appointment of a data protection officer is sufficient to meet all data protection requirements. While a data protection officer can provide advice and support, the actual responsibility for compliance with data protection regulations lies with the company itself. This means that companies must invest not only in employee education and training, but also in technologies and processes that ensure data protection. It is critical that they are proactive, conduct regular reviews, and stay up-to-date with the latest data protection regulations. This is the only way they can ensure that they correctly implement not only the GDPR but also other relevant data protection regulations and minimize potential legal risks.

Conclusion

The ruling of the Heilbronn Labor Court is a clear signal to all companies. It emphasizes that the responsibility for compliance with the GDPR lies with the company itself and not with the data protection officer. It is time for companies to review their data protection practices and ensure that they meet the requirements of the GDPR.

Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.