CJEU’s ruling on the dismissal of a data protection officer and the conflict of interests requirements relating to this office

On 9 February 2023, the Court of Justice of the European Union (the “CJEU”), in delivering a preliminary ruling in X-FAB Dresden GmbH & Co. KG v. FC, clarified the interpretation of two specific articles of the General Data Protection Regulation (“GDPR”) which deal with the grounds for dismissal of a data protection officer and the conflict of interests requirements relating to such officers. The CJEU explained that national legislation may lay down more protective specific provisions on the dismissal of a data protection officer, in so far as those provisions are compatible with EU law and, in particular, with the provisions of the GDPR. It also spelled out the instances where a conflict of interest, as mentioned under Article 38(6) of the GDPR, may arise in cases where a data protection officer is entrusted with other tasks or duties which could impair the execution of the functions performed by such officer.

Facts of the Case

FC was employed by X-FAB, and he used to perform the duties of chair of the works council, vice-chair of the central works council which was established for three undertakings in the group of companies to which X-FAB belongs, and data protection officer of X-FAB, its parent company and other subsidiaries of the parent company established in Germany. At the request of the German state officer for data protection and freedom of information, X-FAB and the undertakings mentioned above dismissed FC with immediate effect from his duties as data protection officer.

FC brought proceedings before the German courts seeking a declaration that he should retain his position as data protection officer of X-FAB. X-FAB argued that there was a risk of conflict of interest between FC’s roles as data protection officer and chair of the works council, and that this was a just cause for FC’s dismissal as data protection officer.

The courts of first instance and of appeal upheld FC’s action. X-FAB appealed on a point of law before the German Federal Labour Court, which is the referring court, seeking to have that action dismissed. The German referring court held that the outcome of that appeal depended on the interpretation of EU law, and it referred, inter alia, the following two main questions to the CJEU:

  1. whether Article 38(3) of the GDPR precluded member states from setting further grounds for the dismissal of a data protection officer, beyond those laid out in the GDPR; and
  2. whether FC’s positions as chair of the works council and data protection officer would give rise to a conflict of interests within the meaning of the second sentence of Article 38(6) of the GDPR.

CJEU Considerations

(1) Grounds for dismissal of a Data Protection Officer

According to Article 38(3) of the GDPR, “the controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of [his/her] tasks. The data protection officer shall not be dismissed or penalised by the controller or the processor for performing his/her tasks [and s/he] shall directly report to the highest management level of the controller or processor.” At the time when this case was considered by the German courts, German law permitted the dismissal of a data protection officer with just cause without notice where facts were present on the basis of which the terminating party could not be reasonably expected to continue the employment relationship, taking into account the circumstances of the individual case, and weighing the interests of both parties to the contract. Termination can only take place, under German law, upon the expiry of a period of two weeks from when the terminating party becomes aware of the facts serving as the basis for termination.

By its first question, the German referring court asked the CJEU to confirm whether the second sentence of Article 38(3), quoted above, must be interpreted as precluding national legislation which provides that a controller or a processor may dismiss a data protection officer who is a member of staff of that controller or processor solely where there is just cause, even if the dismissal is not related to the performance of that officer’s tasks.

In answering this question and interpreting the above-mentioned specific provision of the GDPR, the CJEU considered not only the wording of the relevant article but also the context in which the provision occurs, and the objectives pursued by the rules of which it is part, as one will notice from the CJEU’s considerations and explanations expanded upon below.

Firstly, the CJEU explained that the prohibition of dismissal of a data protection officer or of the imposition of a penalty on him/her means that such officer must be protected against any decision terminating his/her duties, by which s/he would be placed at a disadvantage, or which would constitute a penalty.

Secondly, the CJEU also stated that Article 38(3) of the GDPR applies without distinction both to the data protection officer who is a member of the staff of the controller or processor and to the person who fulfils the tasks on the basis of a service contract concluded with the latter.

Thirdly, the mentioned GDPR provision imposes a limit which consists in prohibiting the dismissal of a data protection officer on a ground relating to the performance of his/her tasks. The objective pursued by this provision is that data protection officers, whether or not they are employees of the controller or processor, should be in a position to perform their duties and tasks in an independent manner. This independence allows them to carry out their tasks in accordance with the objectives of the GDPR, which seeks to, inter alia, ensure a high level of protection of natural persons within the EU and to ensure a consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of such natural persons regarding the processing of personal data throughout the EU.

The CJEU concluded that the laying down of rules on protection against the dismissal of a data protection officer employed by a controller or a processor falls within the scope of the protections which the GDPR aims at safeguarding, since such rules are intended to preserve the functional independence of the data protection officer. It therefore follows that each member state is free, in the exercise of its retained competence, to lay down additional protective specific provisions on the dismissal of data protection officers, subject to these provisions being compatible with EU law, the provisions of the GDPR and its objectives. An increased national law protection cannot undermine the achievement of the objectives of the GDPR. The CJEU held that it is for national courts to ensure that specific national provisions are compatible with EU law and with the provisions of the GDPR.

(2) When do other roles performed by a Data Protection Officer constitute a conflict of interest?

With respect to the second question referred to the CJEU, in essence, the referring court asked in which circumstances the existence of a conflict of interests, within the meaning of Article 38(6) of the GDPR, may be established. Article 38(6) of the GDPR allows a data protection officer to fulfil other tasks and duties if such other tasks and duties do not result in a conflict of interest.

The CJEU held that it follows from the wording of the above-mentioned article that there is no fundamental incompatibility between the performance of the data protection officer’s duties and the performance of other duties within the controller or processor. Yet, the controller or processor must ensure that those tasks and duties do not give rise to a ‘conflict of interest.’ The CJEU continued by saying that, considering the meaning of the term ‘conflict of interest’ in everyday language and the GDPR objectives, the data protection officer cannot be entrusted with performing tasks or duties which could impair the execution of the functions performed by that officer. Article 38(6) of the GDPR is effectively intended to preserve the functional independence of the officer and to ensure the effectiveness of the provisions of the GDPR. The CJEU concluded that a data protection officer cannot be entrusted with tasks or duties which would result in him/her determining the objectives and methods of processing personal data on the part of the controller or its processor. Under EU law, or the law of the relevant member state on data protection, the review of those objectives and methods must be carried out independently by the data protection officer. Whether this circumstance exists should be determined by the national courts on a case-by-case basis, based on an assessment of all the relevant circumstances, in particular, the organisational structure of the controller or its processor and all applicable rules, including any policies of the controller or its processor.

The article was first published in The Malta Independent (8 March 2023).