05/03/25

Compensation in case of dismissal of Data Protection Officer

A hospital decided to proceed with the dismissal of an employee who combined the roles of Chief Information Security Officer and Data Protection Officer. According to the hospital, this employee did not perform his duties properly. The employee challenged his dismissal before the French-speaking labour court in Brussels. Under the GDPR, a DPO cannot be dismissed or penalised for performing their duties. Although Belgian law and the GDPR do not provide for specific protection compensation for DPOs, the court still awarded compensation equivalent to three months’ salary. The compensation claim for unfair dismissal was dismissed.

What is a DPO?

The appointment of a Data Protection Officer (DPO) is mandatory for certain organisations under the GDPR. This is particularly true for public authorities, organisations that engage in large-scale, regular, and systematic monitoring of individuals, and organisations that process sensitive personal data on a large scale. Apart from these general obligations, there are sometimes specific legal requirements to appoint a DPO. This is, for example, the case for companies and internal services involved in private investigation.

The DPO can be either an employee or an independent service provider. Generally, the DPO is tasked with informing and advising on data protection, monitoring compliance with the GDPR, and acting as a contact point for data subjects and the Data Protection Authority.

An important aspect of the DPO’s role is that they cannot be dismissed or penalised for reasons related to the performance of their duties. This is one of the safeguards provided to ensure the DPO’s independence.

Factual background

The employee was hired under an indefinite employment contract for the position of ‘specialised advisor (Chief Information Security Officer/Data Privacy Officer)’ at a public sector hospital. Although the job title does not explicitly match the title in the GDPR (i.e., Data Protection Officer), it is undisputed in this case that the employee effectively acted as a DPO within the meaning of the GDPR. After nearly four years of employment, the employee received a dismissal proposal by letter due to dissatisfaction with the work performed.

The employee refused to accept this, stating that his dismissal was related to the performance of his duties as a DPO.

A few weeks later, the employer proceeded with the dismissal of the employee, with the payment of a severance compensation equivalent to 13 weeks’ salary.

The employee subsequently initiated proceedings before the French-speaking labour court in Brussels. On the one hand, he filed a claim for compensation for the dismissal of a ‘protected employee’, which he calculated ex aequo et bono at 3 months’ salary, and on the other hand, an additional claim for compensation of 17 weeks’ salary for unfair dismissal. At the time of the procedure, a ‘manifestly unreasonable dismissal’ did not yet exist in the public sector, but the court referred to a judgment of the Supreme Court (101/2016) which stated that the court can be guided by the principles in CBA No. 109 in dealing with this claim. The court clarified in the judgment that the claim related to an unfair dismissal. 

Compensation for dismissal of DPO

The court stated that the employer bore the burden of proof to demonstrate that the dismissal of the employee was unrelated to the performance of his duties as a DPO. 

In the present case, the employer asserted that the dismissal had nothing to do with the essence of the employee’s tasks as a DPO but was related to a lack of clear communication and mutual understanding. In particular, the employer claimed that the DPO was too theoretical and rigid, making him unable to propose concrete action plans regarding the practical implementation of his recommendations.

However, the court held that the employer had acknowledged that it placed a priority on the performance of the CISO role and therefore showed minimal interest in how the employee fulfilled his duties as DPO. According to the court’s interpretation, it was precisely due to the inadequate execution of his duties as DPO that the employee was unable to properly perform his CISO role.

The court consequently ruled that the roles of CISO and DPO were in fact intertwined, and that the employer could not demonstrate that the reason for the dismissal was solely related to the performance of the CISO role.

Neither Belgian law nor the GDPR provides for compensation in case of the dismissal of a DPO for reasons related to their role. The employee therefore calculated this compensation ex aequo et bono at 3 months’ salary. Referring to case law of the Court of Justice, the court ruled that the Belgian legislation was inadequate in this respect and referred in its assessment to various other legal mechanisms regarding dismissal protection. The court ultimately awarded compensation equivalent to 3 months’ salary but also specified that it had to respect the employee’s claim. In other words, the court suggested that it could have awarded a higher amount if the employee had requested it.

This is one of the first published cases in Belgium where such compensation was awarded following the dismissal of a DPO.

No unfair dismissal

Regarding the claim for compensation for unfair dismissal, the court stated that it was up to the employee to provide proof. The employer pointed out several issues with the employee’s work. For instance, the employee had only provided ten pieces of advice over four years, the register of processing activities (data register) was not updated after 2019, and the employee failed to inform the employer about the existence of a register of personal data breaches (data breach register) and did not properly maintain this register.

The court concluded that any prudent and reasonable employer faced with such a situation would have considered dismissal. Consequently, the court found that there was no unfair dismissal and dismissed this claim.

Point of attention

It is essential to clearly distinguish between the different tasks of an employee when they, in addition to their role as DPO, also perform other functions within the same organisation. It is up to the employer to demonstrate that the dismissal is unrelated to the performance of the DPO’s duties. If the employer cannot demonstrate this, there is a risk of a claim for damages.

Feel free to contact our Data & Privacy Team if you have any questions about this.
