New CJEU ruling on the matter of DPOs and Conflicts of Interest
On February 9th, the Court of Justice of the European Union issued a ruling stating that Data Protection Officers are allowed to perform other tasks and duties as part of their role when employed by a data controller or processor, but only as long as this does not result in a conflict of interest.
This ruling comes after a request for a preliminary ruling submitted by the Bundesarbeitsgericht, the Federal Labour Court of Germany, in the case of X-Fab Dresden and their former DPO as well as chair of the works council, whom they dismissed from the role back in December 2017, citing a risk of a conflict of interests if the DPO simultaneously performed the functions of DPO and chair of the works council, on the ground that those two posts were incompatible, basing their argument on the GDPR’s Article 38(6), which mandates that “the data protection officer may fulfill other tasks and duties” but that the data controller or processor has to “ensure that any such tasks and duties do not result in a conflict of interests.”
According to Section 6 of Germany’s Federal Data Protection Act, the BDSG, a DPO’s employment may be terminated but only if there are “facts which give the public body just cause to terminate without notice” based on Section 626 of the Civil Code, where it is stated that an employment relationship may be terminated by either the employer (data controller/processor) or the employee (DPO) without notice and with just cause, only where “terminating party cannot reasonably be expected to continue the employment relationship to the end of the notice period or to the agreed end of the employment relationship, taking all circumstances of the individual case into account and weighing the interests of both parties to the contract.”
In the aforementioned case, the initial rulings supported the action of the former DPO against the employing company, but in light of the GDPR’s coming into effect, the latter party cited Article 38(3) to support their decision and to have the action dismissed.
Given all of the above, the CJEU reflected that the outcome would depend on how EU law is interpreted. As such, it has ruled as follows:
sentence 2 of Article 38(3) does not preclude national legislation which may establish further protective measures against DPO dismissals but only as long as these do not “undermine the achievement of the objectives” of the GDPR.
the concept of conflict of interest, mentioned by Article 38(6) must be interpreted as situations where the DPO is given additional duties or tasks “which would result in him or her determining the objectives and methods of processing personal data on the part of the controller or its processor,” which should be assessed by each national court, on a case by case basis.
This ruling is all the more relevant in light of the European Data Protection Board’s topic for the second coordinated enforcement action, which will focus on the designation and position of DPOs.
To find out more about the two laws, you can read a detailed overview by accessing our Regulations page.