Q&As

If an employer dismisses a data protection officer with less than two years’ service on the grounds that they were insufficiently expert and/or capable to do the job, what individual rights of redress would that officer have in respect of that dismissal? What enforcement action might the ICO take? How would a data protection officer dismissed in contravention of the GDPR bring a claim for compensation for that dismissal under the GDPR? Does the reference in Article 79(2) of the GDPR to ‘data subject’ in any way affect or limit the right to bring a claim for compensation under Article 82(1) of the GDPR?

read titleRead full title
Published on LexisPSL on 20/12/2019

The following Employment Q&A provides comprehensive and up to date legal information covering:

  • If an employer dismisses a data protection officer with less than two years’ service on the grounds that they were insufficiently expert and/or capable to do the job, what individual rights of redress would that officer have in respect of that dismissal? What enforcement action might the ICO take? How would a data protection officer dismissed in contravention of the GDPR bring a claim for compensation for that dismissal under the GDPR? Does the reference in Article 79(2) of the GDPR to ‘data subject’ in any way affect or limit the right to bring a claim for compensation under Article 82(1) of the GDPR?
  • Does a breach of Article 38(3) of the GDPR give rise to circumstances in which the Information Commissioner is empowered under section 149(2)(c) of the DPA 2018 to issue an enforcement notice, and could the ICO later follow up with a penalty?
  • What is the remedy for a breach of section 70(3)(c) of the DPA 2018?
  • How would a data protection officer dismissed in contravention of Article 38(3) of the GDPR bring a claim for compensation for that dismissal under Article 82(1) of the GDPR?
  • Does the reference in Article 79(2) of the GDPR to ‘data subject’ in any way affect or limit the right to bring a claim for compensation under Article 82(1) of the GDPR?

If an employer dismisses a data protection officer with less than two years’ service on the grounds that they were insufficiently expert and/or capable to do the job, what individual rights of redress would that officer have in respect of that dismissal? What enforcement action might the ICO take? How would a data protection officer dismissed in contravention of the GDPR bring a claim for compensation for that dismissal under the GDPR? Does the reference in Article 79(2) of the GDPR to ‘data subject’ in any way affect or limit the right to bring a claim for compensation under Article 82(1) of the GDPR?

Regulation (EU) 2016/679, General Data Protection Regulation (GDPR) itself describes issues pertaining to data protection officers (DPOs) at Articles 37 to 39.

Specifically, at Article 38(3), the Regulation provides the following protection to a DPO:

‘[The data protection officer] shall not be dismissed or penalised by the controller or the processor for performing his tasks.

This protection is mentioned in Practice Note: Data protection officer (see under the heading Protected status of DPO).

This general protection for DPOs is not however reproduced in the Data Protection Act 2018 (DPA 2018). There is apparently very similar protection at DPA 2018, s 70(3)(c), but that section is in fact part of DPA 2018, Pt 3 and therefore relates to ‘Law Enforcement Processing’ only and is not of

Popular documents