Update Data Protection No. 134
ECJ Strengthens Position of Data Protection Officers
On February 9, 2023, the European Court of Justice determined that the German regulations for the dismissal of data protection officers may be stricter than the GDPR stipulates. The ECJ thereby strengthened data protection officers’ position. The following article explains the case’s background and which effects the decision has on companies.
What was it about?
The German Federal Labor Court [Bundesarbeitsgericht] submitted several questions to the ECJ, which were intended to clarify the lawful dismissal of company data protection officers. In particular, clarification was required for the extent to which conflicts of interest can justify the dismissal of data protection officers.
One case (C-453/21) concerned a data protection officer of a semiconductor manufacturer who was also the chairman of the company’s works council. The employer saw both activities as incompatible and for this reason complained about a conflict of interest, which was intended to justify the dismissal.
In the other case (C-560/21), a public employer considered that the function of a data protection officer conflicted with the data protection officer’s other professional duties. The employer justified its decision with the implementation of the Saxony’s data protection authority. The employee, on the other hand, was of the opinion that there was no good cause to justify such a dismissal.
Tasks of a data protection officer
Data protection officers enjoy special protection under the provisions of the GDPR. They have a certain special status and are free from instructions from the employer, even if the data protection officer is in an employment relationship with it.
This special status is necessary because the appointed persons are responsible for compliance with data protection as internal control bodies. Their duties include:
- informing and advising the controller and the employees;
- monitoring compliance with the GDPR, other Union or Member State data protection legislation, and the controller’s or processor’s personal data protection policies;
- advice in connection with the data protection impact assessment and monitoring of its implementation in accordance with Art. 35 GDPR;
- cooperation with the supervisory authorities;
- acting as a contact point for the supervisory authorities.
Additional tasks can also be delegated to data protection officers.
What the ECJ decided
Conflicts of interest may arise if additional tasks are assigned. According to Art. 38 (3) Sentence 2 GDPR, a data protection officer may not be dismissed or penalized by the controller or the processor for performing their tasks. The German Federal Data Protection Act [Bundesdatenschutzgesetz, BDSG] is stricter in this regard and only allows a dismissal if there is a compelling reason. The law refers to the provisions of the German Civil Code [Bürgerliches Gesetzbuch, BGB] on the termination of employment relationships for a compelling reason.
The ECJ has now ruled that a “conflict of interest” could exist if a data protection officer is given tasks or duties that would give them the occasion to determine the purposes and means of the processing of personal data by the controller or its processors. The ECJ did not specify when this would be the case. This should be decided by the national courts.
It should be noted, however, that the office of the data protection officer is, in principle, compatible with that of the works council chairman, from the point of view of the ECJ.
Impact on business
Now that the ECJ has answered the questions put to it, the proceedings are again with the German Federal Labor Court. Until a decision is made, companies must assess for themselves whether there is a conflict of interest or not.
Until then, the lower-instance decisions of the labor courts, which see no conflict of interest in the simultaneous activity as data protection officer and chairman of the works council, can be used.
In the first case in particular, the court of first instance (Labor Court of Dresden, judgment of June 27, 2018 – 10 Ca 234/18) stated that there was no conflict of interest because the data protection officer – who may be a member of the works council or chairman of the works council – is obligated to work towards compliance with data protection and to maintain confidentiality. The second instance (Regional Labor Court of Saxony, judgment of August 19, 2019 – 9 Sa 268/18) was essentially based on the decision of the first instance and also sees no conflict of interest that would constitute a compelling reason.
However, it should be noted that the exercise of multiple offices or tasks could lead to the pursuit of opposing goals, so a conflict of interest cannot be completely ruled out. For this reason, companies are advised to only appoint data protection officers whose other offices have no duties that thwart data protection. In the past, the German supervisory authorities did not consider persons with managerial functions in the areas of human resources, IT or internal audit to be suitable as data protection officers.