Preiskel & CoPreiskel & Co
Preiskel & Co
  • Home
  • About Us
    • Diversity, Social Responsibility, and Pro Bono
  • Services
    • Corporate
    • Commercial
    • Regulatory
    • Competition & Antitrust
    • Data Protection, Privacy, and Retention
    • Intellectual Property
    • Dispute Resolution
    • Employment
  • Sectors
    • Telecommunications
    • IT, Technology, & Internet
    • Media and Broadcasting
    • Websites, Blogging, & Social Media
    • Film & Television
    • Gambling & Online Gaming
    • Leisure & Retail
    • Energy & Minerals
    • Cryptocurrency & Blockchain
    • Creative Industries
  • People
    • Daniel Preiskel
    • Ronnie Preiskel
    • Tim Cowen
    • Jose Saras
    • Robert Dougans
    • Karthyaeni Vittala
    • Tina Cowen
    • D A T Green
    • Richard Stewart
    • Mor Swiel
    • Ilanit Appelfeld
    • Stephen Dnes
    • Daniel Oakland
    • Robert Harvey
    • Martina Raciti
    • Joanna Coombs-Huang
    • Xavier Prida
    • Stewart White
    • Alison MacFarlane
    • Hannah Leader
    • Peter Dally
    • Antony Corel
    • Sue Warwick
    • Tony Curzon-Price
    • Shardi Shameli
    • Stephen Hornsby
    • Ewelina James
    • Maria Constantin
    • Sophia Yakhno
    • Rachael Machado
  • International
  • Blog
  • News
    • Publications
  • Contact
Menu back  

DPO’s Dismissal & Conflicts of Interest Under The EU GDPR – CJEU Ruling

February 14, 2023By Preiskel & Co

On 9 February 2023, the Court of Justice of the EU (“CJEU”) issued a preliminary ruling in the case C-453/21, following two important questions submitted by a German Federal Labor Court, regarding:

  • Whether Article 38(3) of the GDPR precludes national legislation from introducing certain requirements for the dismissal of the DPO?
  • What circumstances constitute a ‘conflict of interest’ in the tasks and duties of a DPO under Article 38(6)?

The First Question: Dismissal of the DPO

The CJEU considered whether German national legislation, which provided that the DPO cannot be dismissed unless for just cause, was precluded by Article 38(3) of the GDPR. The requirement in German law stipulates that the employer must find a reason of just cause to dismiss a DPO, irrespective of whether such dismissal relates to the performance of his tasks.

This German provision introduces a stricter threshold for the dismissal of a DPO in comparison to the GDPR Article 38(3), which simply states that “he or she shall not be dismissed or penalized by the controller or the processor for performing his tasks”.

However, despite imposing stricter requirements than those laid down in EU law, the CJEU ruled that this provision in German law was in fact compatible and not precluded by Article 38(3) GDPR. The CJEU explained that Article 38(3) serves to solely protect the functional independence of the DPO and enhance the effectiveness of the GDPR. It does not aim to go further or govern the employment relationship between the controller/processor and his employees. Thus, if national legislation wishes to impose additional provisions to protect the DPO against the termination of his employment, they can do so, as this falls into the field of social policy – not data protection.

With this being said, whilst the CJEU ruled that this provision was compatible with the GDPR, Member States are not entitled to create excessive protection in their national legislation in a way that hinders the effectiveness of the DPO. In a previous case (C-534/20), which also addressed the scope for dismissal, the Court expressed that such provisions shall be prohibited if they prevent the “dismissal of a DPO who no longer possesses the professional qualities required to perform his or her tasks, or who does not fulfil those tasks in accordance with the provisions of the GDPR”. This example highlights the boundaries placed on national legislation, to ensure that national thresholds against dismissal do not go so far as to interrupt the intention and effectiveness of the GDPR.

Therefore, it can be concluded from the judgment of the CJEU, that Article 38(3) of the GDPR must be interpreted as not precluding national legislation, to the extent that such legislation does not undermine the achievement of the objectives of the GDPR.

The Second Question: Conflicts of interest for the DPO

The CJEU also considered Article 38(6) of the GDPR, as the German Labor Court brought forward a request for clarity as to what constitutes a “conflict of interest” for the DPO.

Article 38(6) allows for the data protection officer to fulfill other tasks and duties, in so far that the controller or processor ensures that any such tasks and duties do not result in a conflict of interest. In this case, the individual also had a position as chairman of the works Council at the same company for which he was a DPO. This raised doubt as to whether such a scenario could amount to a ‘conflict of interest’ under Article 38(6).

The CJEU highlighted that the overall objective of Article 38(6) is to guarantee the DPO’s functional independence. In the judgment, the CJEU thus clarified that, to achieve this objective, the DPO cannot be entrusted with tasks which would result in him “determining the objectives and methods of processing personal data”. This means that an individual cannot take on a role that would involve them influencing the very objectives and methods that they are required to independently review in their capacity as a DPO.

Overall, the impact of this judgment does not set out clear grounds as to the particular tasks that would be compatible and the ones which would not, and so these parameters will likely unfold on a case-by-case basis over time. However, this judgment does emphasize the importance for controllers and processors to consider whether additional assignments can infringe upon their data protection officer’s ability to review of the objectives and methods of processing personal data effectively and independently.

Find the preliminary ruling here.

 

Please contact Jose Saras if you have any questions regarding the above.

The material in this article is only for general review of the topics covered and does not constitute legal advice. No legal or business decision should be based on its content.

This article is written in English language. Preiskel & Co LLP is not responsible for any translation of all or part of its content into any language.

Leave Comment

Cancel reply

Your email address will not be published. Required fields are marked *

clear formSubmit

Latest Preiskel & Co blog posts
  • Advocate General Opinion on Automated Credit-Scoring & Retention of Insolvency Data
    March 28, 2023
  • White House’s Economic Report of the President sets out a roadmap to improve competition in digital markets
    March 22, 2023
  • Brussels Conference brings in industry leaders to discuss the international antitrust landscape
    March 22, 2023
  • Issues in the UK’s forthcoming Digital Markets, Competition and Consumer Bill
    March 17, 2023
  • Stormy weather for cloud computing in the EU
    March 16, 2023
  • Inmarsat Takeover Provisionally Cleared for Take-Off
    March 10, 2023
  • EDPB’s Feedback on the New EU-U.S. Data Privacy Framework
    March 6, 2023
  • UK Data Reform Bill to return to the House of Commons
    March 3, 2023
  • DCMS Publishes New Security and Privacy Principles for App Store Operators and Developers
    February 16, 2023
  • DPO’s Dismissal & Conflicts of Interest Under The EU GDPR – CJEU Ruling
    February 14, 2023
  • ICO – Change of Deadline for Reporting Breach Notifications for Communication Service Providers
    February 6, 2023
  • General EU Requirements for Cookie Banners – EDPB Task Force Report
    January 27, 2023

The Preiskel Blog

  • Advocate General Opinion on Automated Credit-Scoring & Retention of Insolvency Data 28 Mar 2023
  • White House’s Economic Report of the President sets out a roadmap to improve competition in digital markets 22 Mar 2023
  • Brussels Conference brings in industry leaders to discuss the international antitrust landscape 22 Mar 2023
  • Issues in the UK’s forthcoming Digital Markets, Competition and Consumer Bill 17 Mar 2023

Preiskel news

  • Senior Partner, Danny Preiskel, quoted by IT Pro on the costs incurred by MNOs
  • Senior Partner, Danny Preiskel, will be a panellist at GCCM Carrier Community 2023 on IOT
  • Jose Saras and Xavier Prida Awarded First Place as Data Protection Thought Leaders in the UK
  • Ronnie Preiskel chosen to judge 24 May 2023 The Tech Capital Global Awards
Preiskel tweets
  • Advocate General Opinion on Automated Credit-Scoring & Retention of Insolvency Data. Find out more here: https://t.co/bJkvPBvj6F12 hours ago
  • Issues in the UK’s forthcoming Digital Markets, Competition and Consumer Bill. Find out more: https://t.co/3BHP1xq69Y5 days ago
  • White House’s Economic Report of the President sets out a roadmap to improve competition in digital markets. Find o… https://t.co/S7J7sX3kfs6 days ago
Preiskel & Co LLP
4 King's Bench Walk,
Temple,
London
EC4Y 7DL
United Kingdom

Tel: +44 20 7332 5640
Email: info@preiskel.com

Find us on:

TwitterLinkedinMail
© Preiskel & Co LLP 2023 | Site map | Legal notices | Cookie Policy | Privacy