What’s this about?
The EU General Data Protection Regulation (EU GDPR) mandates the appointment of a Data Protection Officer (DPO) by an organization in certain circumstances. EU GDPR also sets out the DPO’s core responsibilities and tasks and prescribes that a DPO must act independently and cannot be dismissed or penalised (by the data controller or data processor who they work for) for performing their tasks. In two recent cases the European Court of Justice (the European Court) gave an interpretative ruling on the issue of the dismissal of a DPO, and also looked at the issue of DPO “conflicts of interest”. This article looks briefly at the issues.
What’s the background?
This is about two cases, both occurring in Germany. Under German (federal) data protection law a DPO’s employment cannot be terminated unless there are facts that give “just cause” to terminate (without notice), and the German civil code allows an employment relationship to be terminated “with just cause”.
In one of the two cases in question, an individual was employed by a company where they were the chair of that company’s so-called Works Council (broadly speaking, a body that represents the interests of employees, which an employer must inform and consult on issues affecting their organization). The individual also held the role of vice-chair of the central Works Council, which was established for three undertakings in the group of companies to which the individual’s employer belonged, those undertakings being established in Germany. The individual was also appointed, by each undertaking separately, as the DPO of the company the individual worked for, its parent company and the other subsidiaries of the parent company established in Germany.
The individual was later dismissed with immediate effect from their duties as DPO, apparently on the basis of a conflict of interests. Consequently, the individual brought legal proceedings before the German courts seeking a declaration that they retain the position of DPO of the company they worked for. The company argued that there was a risk of a conflict of interests if the individual simultaneously performed the functions of DPO and chair of the Works Council, on the basis that those two posts are incompatible. There was, therefore, according to the company, a “just cause” justifying the individual’s dismissal as DPO.
The courts of first instance and of appeal upheld the individual’s action. The company sought to have that action dismissed and brought an appeal on a point of law before the German Federal Labour Court which then referred the case to the European Court for an interpretation of the provisions of EU GDPR concerning DPOs.
In the other case an individual was also appointed as a DPO but was then later dismissed from being DPO on the basis that there was a conflict of interests between their position of DPO and their other professional activities. The individual brought legal proceedings and the matter also came before the German Labour Court which also then referred the case to the European Court for an interpretation of the provisions of EU GDPR concerning DPOs.
The core issue before the European Court was whether the second sentence of Article 38(3) of EU GDPR (“[the DPO] shall not be dismissed or penalized by the controller or the processor for performing his tasks”) must be interpreted as precluding national legislation (like the German legislation in question) which provides that a controller or a processor may dismiss a DPO who is a member of staff of that data controller or data processor solely where there is “just cause”, even if the dismissal is not related to the performance of that DPO’s tasks.
In the first case there was an additional question before the European Court: in which circumstances might the existence of a “conflict of interests” within the meaning of Article 38(6) of EU GDPR be established (“The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests”). Specifically, the German court asked whether there is a conflict of interest if the DPO is also the chairman of the Works Council.
What did the court rule?
The European Court ruled that:
- Just Cause – the second sentence of Article 38(3) of EU GDPR must be interpreted as not precluding national legislation which provides that a data controller or a data processor may dismiss a DPO who is a member of staff of that controller or processor solely where there is “just cause”, even if the dismissal is not related to the performance of that DPO’s tasks, in so far as such legislation does not undermine the achievement of the objectives of EU GDPR;
- Conflicts of Interest – Article 38(6) of EU GDPR must be interpreted as meaning that a “conflict of interests” may exist where a DPO is entrusted with other tasks or duties, which would result in them determining the objectives and methods of processing personal data on the part of the data controller or its processor. The court said that this is a matter for a national EU country court to determine, case by case, on the basis of an assessment of all the relevant circumstances, in particular the organizational structure of the controller or its processor and in the light of all the applicable rules, including any policies of the controller or its processor.
What are the takeaways?
Organizations should consider doing the following:
- Review the terms of appointment of the business’ DPO to ensure that there are no conflicts of interest. Conflicting positions within the organization may include senior management positions (for example, chief executive officer, chief operating officer, chief financial officer, chief medical officer, head of the marketing department, head of HR or head of the IT department) and also other roles lower down in the organizational structure if these positions or roles lead to the determination of purposes and means of processing personal data. A conflict of interests may also arise if, for example, an external DPO is asked to represent the data controller or processor before the courts in cases involving data protection issues; and,
- Review the DPO’s terms of employment against national law and guidance; and,
- Update and/or revise the business’ DPO documentation accordingly where need be.
Conflicts of interest and DPOs can carry significant compliance risk. For example, the Berlin data protection regulator in Germany fined a retailer €525,000 because of a conflict of interest concerning the DPO’s employment status and decision-making responsibilities, in violation of Article 38(6) of EU GDPR (for more see here: https://gdprhub.eu/index.php?title=BlnBDI_(Berlin)__Berlin_DPO_Conflict_of_Interest).
We have written about DPOs including here https://www.corderycompliance.com/lux-fines-dpo-non-compliance/ and here https://www.corderycompliance.com/belgian-dpa-dpo-fine/ and here https://www.corderycompliance.com/wp-29-issues-guidance-on-dpos-one-stop-shop-lead-regulator-right-to-portability/.
We report about data protection and privacy issues here https://www.corderycompliance.com/category/data-protection-privacy/.
The European Court judgments can be found here (in French only, for now) https://curia.europa.eu/juris/document/document.jsf?text=&docid=270339&pageIndex=0&doclang=FR&mode=req&dir=&occ=first&part=1&cid=43379, and here https://curia.europa.eu/juris/document/document.jsf?text=&docid=270323&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=45769
For more information please contact André Bywater or Jonathan Armstrong who are commercial lawyers with Cordery in London where their focus is on compliance issues.
| Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH |
| Office: +44 (0)207 075 1784 | Office: +44 (0)207 075 1785 |