GDPR responsibility lies with the company, not the data protection officer
The GDPR (General Data Protection Regulation) has caused plenty of discussion in companies in recent years. Many were unsure who bears primary responsibility for compliance with the GDPR. However, a recent ruling by the Heilbronn Labor Court has provided clarity on this issue.
Background of the case
The plaintiff, 60 years old, had been employed by the defendant since October 1, 2002, most recently in the responsible position of attorney and head of the legal department. In this role, he was instrumental in the legal direction of the company and contributed to the resolution of complex legal challenges. Due to his expertise and commitment to data protection, he was appointed as the company’s data protection officer on December 1, 2018. In this role, he was responsible for monitoring compliance with the GDPR and other data protection regulations. Despite his many years of service and commitment to the company, disagreements arose between him and the defendant’s CEO. These differences led to tensions that eventually formed the background for the legal disputes.
Key points of the ruling
In its ruling of 29.9.2022 under case number 8 Ca 135/22, the court made important clarifications regarding the role and responsibility of data protection officers. It was clearly emphasized that termination without notice of a data protection officer based solely on mere breaches of official duties is considered invalid. If a data protection officer violates his/her duties, this can generally only serve as grounds for his/her dismissal, but not for termination without notice. Furthermore, the court emphasized that the main responsibility for implementing and complying with the GDPR lies with the company itself and not with the data protection officer. This underscores the central role that companies play with regard to data protection and the need to actively address the requirements of the GDPR.
Importance for companies
This ruling forcefully emphasizes how important it is for companies to deal intensively and continuously with the requirements of the GDPR. It is a common misconception that the mere appointment of a data protection officer is sufficient to meet all data protection requirements. While a data protection officer can provide advice and support, the actual responsibility for compliance with data protection regulations lies with the company itself. This means that companies must invest not only in employee education and training, but also in technologies and processes that ensure data protection. It is critical that they are proactive, conduct regular reviews, and stay up-to-date with the latest data protection regulations. This is the only way they can ensure that they correctly implement not only the GDPR but also other relevant data protection regulations and minimize potential legal risks.
Conclusion
The ruling of the Heilbronn Labor Court is a clear signal to all companies. It emphasizes that the responsibility for compliance with the GDPR lies with the company itself and not with the data protection officer. It is time for companies to review their data protection practices and ensure that they meet the requirements of the GDPR.
Marian Härtel is a lawyer and entrepreneur specializing in copyright law, competition law and IT/IP law, with a focus on games, esports, media and blockchain.