Location Amsterdam
Jollemanshof 12
1019 GW Amsterdam
020 663 1941
Location Groningen
Leonard Springerlaan 35
9727 KB Groningen
050 209 34 99
Location Brussel
Avenue Louise 65
1000 Brussel
+32 (0)2 535 77 55.
BE 0696.909.465
Back to home

Can I fire my Data Protection Officer?

The GDPR protects Data Protection Officers against dismissal. Does this mean that an employer cannot fire the appointed DPO? And does this mean that someone who merely wants maximum job security, should become a DPO?

In many countries, there are certain circumstances in which employees are legally protected against dismissal, for example if the employee is sick or pregnant, or a member of a works council. And now, with the advent of the General Data Protection Regulation (GDPR), also if the employee is a Data Protection Officer (DPO).

What does a DPO do, and why is a DPO protected?

Each organisation who has appointed a DPO, must involve the DPO in all issues which relate to the protection of personal data. The GDPR explicitly provides the tasks of the DPO, which are to inform and advise the organisation about privacy-related matters, monitor compliance with privacy-laws, cooperate with the supervisory authority, and act as a contact point, both for supervisory authorities, as well as data subjects.

The DPO must be somewhat independent of the organisation, because he or she must be able to balance the interests of the organisation with the interests of the people whose data may be processed by the organisation. In this respect, the DPO’s role is somewhat comparable to a works council, which represents the interests of employees.

A DPO or a works council member cannot be expected to be able to represent the interests of any party other than the organisation’s interests, if he could be fired for it. Likewise, the employer may not provide any instructions to the DPO on how to perform its tasks, as that would equally impair the DPO’s independence.

Do I actually need to appoint a DPO?

Organisations are required by the GDPR to appoint a DPO if the organisation: (a) is a public body, (b) engages in regular and systemic monitoring of people’s activities on a large scale, as a part of the organisation’s core activities, or (c) processes sensitive personal data (such as medical records) on a large scale. The DPO can be appointed either internally or externally, for example one of Legal ICT’s (virtual) privacy officers.

The DPO’s protection against dismissal

For reasons as described above, the GDPR holds that the DPO “shall not be dismissed or penalised by the controller or the processor for performing his tasks”. For example, if a DPO concludes that a particular processing of personal data is high risk and requires a data protection impact assessment, whereas the organisation disagrees, the DPO cannot be fired for giving this advice.

This protection against dismissal applies to fixed term contracts, as well as temporary contracts. The protection of DPO’s is not limited to employees, it also applies to external DPO’s. Although an organisation may decide not to extend or renew a temporary contract, a DPO may be able to challenge this decision with the argument that it was merely for performing his tasks.

When can a DPO be fired?

The protection against dismissal only extends to the DPO’s performance of the DPO’s tasks, as assigned under the GDPR. This protection will not apply in other circumstances, such as the following:

  • Criminal acts or gross misconduct, such as theft, or physical, psychological or sexual abuse;
  • Bankruptcy of the organisation, or a part of it;
  • Reaching the age of mandatory retirement (if applicable);

To answer the question in the first paragraph, it is certainly not impossible to fire a DPO. And attempting to become a DPO merely for reasons of job security is not advisable, as the protection applies for performing the DPO’s tasks, which may be complex and challenging, and not for not performing them, or other grounds for dismissal.  

Deciding whether you want to hire a DPO? Make sure you evaluate the potential DPO’s qualifications and skills. Also make sure you have a plan to keep the DPO competent. Still not sure? Consider hiring a DPO of another company, such as Legal ICT.

Matthijs van Bergen

Managing director Legal ICT
Matthijs manages Legal ICT’s Brussels office and advises clients mostly in matters concerning EU and international law. Matthijs has extensive experience in drafting and negotiating (international) ICT contracts and has substantial knowledge about intellectual property, privacy, information security, Internet, freedom of speech, net neutrality, and broadband in rural areas.

There are no comments yet

Leave a Reply

Your email address will not be published. Required fields are marked *

Your personal information will only be used to publish and process your response. Please read the privacy statement for more information