In a recent judgment, the Court of Justice of the European Union (the CJEU) has confirmed that Data Protection Officers (DPOs) can maintain other tasks and duties within their role, provided they do not result in a conflict of interest. The CJEU also held that the GDPR allows for EU member states to legislate to give greater protection to DPOs against dismissal than those set out in the GDPR.
Background to Ruling
In October 2020, the Federal Labour Court of Germany, the Bundesarbeitsgericht, requested a preliminary ruling from the CJEU relating to proceedings between X-FAB Dresden GmbH & Co. KG (X-FAB) and its former DPO (“FC”) to clarify under what circumstances an organisation may lawfully dismiss its appointed DPO. FC had been DPO for X-FAB and several related companies within its group and had held the roles of chair of the works council and vice-chair of the central works council for a few group companies, alongside the DPO position for those companies. FC had been dismissed by X-FAB in December 2017 at the request of the state officer for data protection and freedom of information of Thüringen, Germany. Subsequently, on the coming into force of the GDPR in May 2018, X-FAB had repeated this dismissal as a precautionary measure. FC sought a declaration by the German courts that he retained the DPO position. X-FAB argued that FC’s dismissal was justified, citing “a risk of a conflict of interests” in performing both functions, i.e., as both DPO and chair/vice-chair of the works council, on the grounds of incompatibility between the roles. The courts at both first instance and on appeal upheld FC’s claim.
CJEU Ruling
The referral to the CJEU sought clarification of EU law on a few distinct points, mainly relating to the interpretation of Article 38(3) of the GDPR. This states that a DPO “shall not be dismissed or penalised by the controller or the processor for performing his [or her] tasks”. The initial question before the CJEU was whether this article precluded a provision in national law that goes beyond the requirements of the GDPR, such as that in German law, which only allows for termination of a DPO’s employment for an important reason, irrespective of whether this relates to the performance of the DPO’s tasks.
With respect to this first question, the court held that, whilst Member States are free under the GDPR to legislate in order to increase protection for DPOs from dismissal, any provisions introduced must be compatible with EU law. In particular, it must remain possible for a controller or processor to dismiss a DPO who is no longer able to perform the duties of the DPO in accordance with the requirements set out in the GDPR, either due to lack of qualification or a conflict of interest. The court further held that Article 38(3) does not preclude Member States from legislating such that a controller or processor may dismiss an employee acting as DPO provided that there is just cause and the aims of the GDPR are not undermined, even if this dismissal is entirely unrelated to that individual’s performance as DPO.
Secondly, the CJEU considered the circumstances in which a “conflict of interest” may arise such as to contravene the requirement under Article 38(6) of the GDPR that any other (non-DPO) activities undertaken by the DPO do not result in a conflict of interest. The court took this in a fairly literal sense, reasoning that the DPO must not be put into the position of being required to perform other tasks or duties that would impair his or her ability to perform the required functions of the DPO. To illustrate the point, the CJEU gave the example of a DPO entrusted with tasks that meant he or she would be making decisions about the objectives and methods of processing personal data on behalf of the controller or its processor. Since the review of such objectives and methods must be carried out independently by the DPO, this is a clear example of a conflict of interest. The CJEU held that, when determining whether there is a conflict, a national court would have to assess on a case-by-case basis, taking all relevant circumstances into account, including the organisational structure, rules and policies of the controller or processor in question.
Significance of the Ruling and Takeaways
There has been limited judicial or regulatory scrutiny focusing on the DPO role since the GDPR came into force, but this ruling comes ahead of the European Data Protection Board’s (EDPB) recently announced coordinated enforcement action on the designation and position of DPO. This will involve focused action by national Data Protection Authorities and the EDPB over the next year and could result in further decisions and guidance that impact the role of DPOs and their appointment.
The EDPB’s existing DPO guidance already provides that “a DPO could still be dismissed legitimately for reasons other than for performing their tasks as a DPO”. The CJEU’s ruling therefore does not come as a shock, but it highlights that preserving what it terms the “functional independence” of the DPO is central to the rules on protection for a DPO against dismissal by a controller or processor.
The ruling also makes clear that there is the possibility for divergence between EU member states on this issue, both because national legislation to afford greater protection to DPOs is permitted, and because it is up to national courts to determine on a case-by-case basis whether a conflict arises such that a DPO may be lawfully dismissed.
Finally, the CJEU reiterated the importance of the second sentence of Article 38(6), which requires that the controller or processor ensures that the tasks and duties undertaken by the DPO do not put him or her in a conflict of interest. It is not for the DPO to avoid such conflicts, but for their organisation (as controller or processor) to prevent them from being put in a position where they risk a conflict of interest. Many organisations that are required to appoint a DPO are not realistically in a position to employ a full-time DPO, and often instead opt to split the role. This ruling emphasises that whoever takes on the DPO role within an organisation must not be placed in a position where, on account of any other role they hold, they are the one deciding how personal data is processed, because this could give rise to a conflict of interest which prevents them from properly exercising their function as DPO. Questions have been raised by some as to whether this presents an unrealistic challenge for any employee whose role is split between DPO and some other function in an organisation, even if the CJEU has confirmed that such an arrangement is possible in theory. Examples of jobs where adding the DPO as a split function could conceivably risk a conflict (but which are still fairly common in practice) include a company’s sole in-house Legal Counsel, Chief Information Security Officer, or CEO. Where truly independent oversight from a DPO is sought, engaging an external organisation to provide this function could prove to be the least risky option from the perspective of independence of function, although it does present other practical risks, such as a lack of deep knowledge of, and engagement with, the business, and the preservation of confidentiality. It is likely that further analysis of the options available to organisations will follow from the EDPB’s coordinated enforcement action on the role of the DPO.
The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.