Q&As

If an employer dismisses a data protection officer with less than two years’ service on the grounds that they were insufficiently expert and/or capable to do the job, what individual rights of redress would that officer have in respect of that dismissal? What enforcement action might the ICO take? How would a data protection officer dismissed in contravention of the GDPR bring a claim for compensation for that dismissal under the GDPR? Does the reference in Article 79(2) of the GDPR to ‘data subject’ in any way affect or limit the right to bring a claim for compensation under Article 82(1) of the GDPR?

read titleRead full title
Published on LexisPSL on 20/12/2019

The following Employment Q&A provides comprehensive and up to date legal information covering:

  • If an employer dismisses a data protection officer with less than two years’ service on the grounds that they were insufficiently expert and/or capable to do the job, what individual rights of redress would that officer have in respect of that dismissal? What enforcement action might the ICO take? How would a data protection officer dismissed in contravention of the GDPR bring a claim for compensation for that dismissal under the GDPR? Does the reference in Article 79(2) of the GDPR to ‘data subject’ in any way affect or limit the right to bring a claim for compensation under Article 82(1) of the GDPR?
  • Does a breach of Article 38(3) of the GDPR give rise to circumstances in which the Information Commissioner is empowered under section 149(2)(c) of the DPA 2018 to issue an enforcement notice, and could the ICO later follow up with a penalty?
  • What is the remedy for a breach of section 70(3)(c) of the DPA 2018?
  • How would a data protection officer dismissed in contravention of Article 38(3) of the GDPR bring a claim for compensation for that dismissal under Article 82(1) of the GDPR?
  • Does the reference in Article 79(2) of the GDPR to ‘data subject’ in any way affect or limit the right to bring a claim for compensation under Article 82(1) of the GDPR?

Regulation (EU) 2016/679, General Data Protection Regulation (GDPR) itself describes issues pertaining to data protection officers (DPOs) at Articles 37 to 39.

Specifically, at Article 38(3), the Regulation provides the following protection to a DPO:

‘[The data protection officer] shall not be dismissed or penalised by the controller or the processor for performing his tasks.

This protection is mentioned in Practice Note: Data protection officer (see under the heading Protected status of DPO).

This general protection for DPOs is not however reproduced in the Data Protection Act 2018 (DPA 2018). There is apparently very similar protection at DPA 2018, s 70(3)(c), but that section is in fact part of DPA 2018, Pt 3 and therefore relates to ‘Law Enforcement Processing’ only and is not of general application. It follows that the remedies open to a DPO outside the scope of ‘Law Enforcement Processing’ are not to be found in the DPA 2018 but in the GDPR itself.

As regards individual rights of redress, under the GDPR itself:

  1. at Article 82(1), the Regulation states as follows:

    ‘Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.’

  2. at Article 82(6), the Regulation explains that ‘Court proceedings for exercising the right to receive compensation shall be brought before the

Popular documents