On 9 February 2023, the Court of Justice of the EU (“CJEU”) issued a preliminary ruling in the case C-453/21, following two important questions submitted by a German Federal Labor Court, regarding:
- Whether Article 38(3) of the GDPR precludes national legislation from introducing certain requirements for the dismissal of the DPO?
- What circumstances constitute a ‘conflict of interest’ in the tasks and duties of a DPO under Article 38(6)?
The First Question: Dismissal of the DPO
The CJEU considered whether German national legislation, which provided that the DPO cannot be dismissed unless for just cause, was precluded by Article 38(3) of the GDPR. The requirement in German law stipulates that the employer must find a reason of just cause to dismiss a DPO, irrespective of whether such dismissal relates to the performance of his tasks.
This German provision introduces a stricter threshold for the dismissal of a DPO in comparison to the GDPR Article 38(3), which simply states that “he or she shall not be dismissed or penalized by the controller or the processor for performing his tasks”.
However, despite imposing stricter requirements than those laid down in EU law, the CJEU ruled that this provision in German law was in fact compatible and not precluded by Article 38(3) GDPR. The CJEU explained that Article 38(3) serves to solely protect the functional independence of the DPO and enhance the effectiveness of the GDPR. It does not aim to go further or govern the employment relationship between the controller/processor and his employees. Thus, if national legislation wishes to impose additional provisions to protect the DPO against the termination of his employment, they can do so, as this falls into the field of social policy – not data protection.
With this being said, whilst the CJEU ruled that this provision was compatible with the GDPR, Member States are not entitled to create excessive protection in their national legislation in a way that hinders the effectiveness of the DPO. In a previous case (C-534/20), which also addressed the scope for dismissal, the Court expressed that such provisions shall be prohibited if they prevent the “dismissal of a DPO who no longer possesses the professional qualities required to perform his or her tasks, or who does not fulfil those tasks in accordance with the provisions of the GDPR”. This example highlights the boundaries placed on national legislation, to ensure that national thresholds against dismissal do not go so far as to interrupt the intention and effectiveness of the GDPR.
Therefore, it can be concluded from the judgment of the CJEU, that Article 38(3) of the GDPR must be interpreted as not precluding national legislation, to the extent that such legislation does not undermine the achievement of the objectives of the GDPR.
The Second Question: Conflicts of interest for the DPO
The CJEU also considered Article 38(6) of the GDPR, as the German Labor Court brought forward a request for clarity as to what constitutes a “conflict of interest” for the DPO.
Article 38(6) allows for the data protection officer to fulfill other tasks and duties, in so far that the controller or processor ensures that any such tasks and duties do not result in a conflict of interest. In this case, the individual also had a position as chairman of the works Council at the same company for which he was a DPO. This raised doubt as to whether such a scenario could amount to a ‘conflict of interest’ under Article 38(6).
The CJEU highlighted that the overall objective of Article 38(6) is to guarantee the DPO’s functional independence. In the judgment, the CJEU thus clarified that, to achieve this objective, the DPO cannot be entrusted with tasks which would result in him “determining the objectives and methods of processing personal data”. This means that an individual cannot take on a role that would involve them influencing the very objectives and methods that they are required to independently review in their capacity as a DPO.
Overall, the impact of this judgment does not set out clear grounds as to the particular tasks that would be compatible and the ones which would not, and so these parameters will likely unfold on a case-by-case basis over time. However, this judgment does emphasize the importance for controllers and processors to consider whether additional assignments can infringe upon their data protection officer’s ability to review of the objectives and methods of processing personal data effectively and independently.
Find the preliminary ruling here.
Please contact Jose Saras if you have any questions regarding the above.
The material in this article is only for general review of the topics covered and does not constitute legal advice. No legal or business decision should be based on its content.
This article is written in English language. Preiskel & Co LLP is not responsible for any translation of all or part of its content into any language.