The Court of Justice of the European Union (“CJEU”) issued a judgment on the 9th of February 2023 (docket no. C-453/21), which addresses the question of the dismissal of a Data Protection Officer (“DPO”) and the interpretation of Article 38 of the EU GDPR.

Facts

FC was an employee, chair of the works council, and the DPO of X-FAB Dresden GmbH & Co. KG. (“X-FAB”) and several of its group companies. At the request of the state officer for data protection and freedom of information of Thüringen, X-FAB and its group companies dismissed FC as DPO with immediate effect.  

FC brought proceedings before the German courts seeking a declaration that the dismissal had been ineffective and that he remains the DPO. X-FAB argued that there was a risk of a conflict of interest between FC’s role as chair of the works council and his former role as DPO and that this conflict was just cause for FC’s dismissal as DPO.

Questions before the CJEU:

The Bundesarbeitsgericht (Federal Labour Court, Germany) referred four questions to the CJEU, of which the CJEU responded to the following:

1. Whether Article 38(3) GDPR precluded member states from setting out further grounds for the dismissal of a DPO, beyond those laid out in the GDPR.  […]

4. Whether FC’s positions as chair of the works council and DPO would give rise to a conflict of interests within the meaning of the second sentence of Article 38(6) of the GDPR.

Question 1 – Member states retain competence over other grounds for DPO dismissal

The second sentence of Article 38(3) GDPR states that a DPO “shall not be dismissed or penalised by the controller or the processor for performing his tasks”.

Under German law, section 6(4) of the Bundesdatenschutzgesetz (German Federal Law on data protection) sets out further conditions which make it more difficult for a processor or controller to dismiss a DPO, namely that there must be just cause for the dismissal.

The CJEU was asked to consider whether Article 38(3) was exhaustive or whether member states could set out further conditions before a DPO may be dismissed. The CJEU noted the GDPR's objective of ensuring a high level of protection in the processing of personal data, and its relation to Article 38 GDPR, which aims to ensure the functional independence of the DPO from the controller or processor.

The CJEU held that member states retain delegated authority to impose more stringent grounds for the dismissal of a DPO, provided that such grounds are not incompatible with GDPR objectives or other objectives of EU law. Notwithstanding the finding, the CJEU returned the specific question on compatibility of sections 38(1) and (2) GDPR in conjunction with section 6(4) of the Bundesdatenschutzgesetz to the referring court.

Question 4 – What amounts to a conflict of interest?

The CJEU held that a case-by-case assessment is needed to determine whether a conflict of interest arises between the role of DPO and that person’s other role(s), task(s), or duties, and did not clarify whether the facts in the present case would always give rise to a conflict of interest.

The CJEU determined that, as a guiding principle, a DPO cannot be entrusted with a role which would result in the DPO determining the objectives and methods of processing of personal data on the part of the controller or its processor. The independence of the DPO must be preserved so that a proper review of the compliance of those objectives and methods in light of the GDPR and EU law can be carried out.

Implications

The judgment confirms that DPOs do have the ability to carry out roles in addition to the DPO function, so long as doing so does not result in a conflict of interest. Organizations must ensure that any of those additional duties, tasks, or roles carried out by the DPO remain free of any conflicts so that the DPO can independently assess GDPR compliance.

DPOs should also carefully evaluate which additional tasks they take on to ensure that they retain independence in line with the CJEU’s guiding principle when carrying out their DPO role.