The ECJ ruled today on various questions referred by the German Federal Labour Court [Bundesarbeitsgericht, BAG] concerning company data protection officers. The decision has been eagerly awaited, as the referred questions concern the fact that a data protection officer was also a member of the works council and the company had justified the dismissal from office due to a conflict of interest. We explain the decision and its implications below.
Background of the decisions
In 2021, the BAG had to rule on two similar cases (9 AZR 383/19 and 9 AZR 621/19):
The plaintiff was the chairman of the works council formed at the defendant, for which he was partially released from his work duties. At the same time, he was also appointed as the company data protection officer at the defendant and three other group companies. The defendant (and the three other group companies) had dismissed the plaintiff from his office as data protection officer because of the risk of a conflict of interest through his exercise of both offices. Accordingly, in accordance with Sec. 38 (2) in conjunction with Sec. 6 (4) sentence 1 of the German Data Protection Act [Bundesdatenschutzgesetz, BDSG], this constituted a "good cause" [wichtiger Grund] within the meaning of Sec. 626 of the German Civil Code [Bundesgesetzbuch, BGB] for dismissing the plaintiff from office.
The lower courts upheld the claim. The Ninth Senate of the BAG, however, turned to the ECJ on 27 April 2021 with a view to having the ECJ establish whether the possibility of dismissal from office for good cause is reconcilable with Art. 38 (3) sentence 2 GDPR, according to which the data protection officer may not be dismissed or disadvantaged on grounds of the performance of his duties. In addition, the ECJ was to clarify the question of whether a conflict of interest exists within the meaning of Art. 38 (6) sentence 2 GDPR if the data protection officer also holds the office of chairperson of the works council formed at the controller, and whether a special assignment of tasks within the works council would be required to assume such a conflict of interest.
The ECJ's decisions
Today, the ECJ gave its opinion on the questions referred to it by the BAG (C-453/21 and C-560/21).
Firstly, the ECJ determined that the provision of Sec. 38 (2) in conjunction with Sec. 6 (4) sentence 1 BDSG, which allows a dismissal from office only for good cause within the meaning of Sec. 626 BGB, does not fundamentally conflict with the Union law provision of Art. 38 (3) sentence 2 GDPR. This is also the case if the dismissal from office is not related to the data protection officer's performance of his duties.
However, it must be ensured that the regulation of the member state does not hinder the achievement of the objectives of the GDPR, which essentially concern ensuring a high level of data protection for natural persons within the Union (Recital 10 of the GDPR).
In addition, a further objective is to ensure the independence of the data protection officer. Each member state is therefore free to provide for stricter rules on the dismissal of a data protection officer from office, provided that these are compatible with Union law and especially with the GDPR. In particular, dismissal from office must be possible in cases where the data protection officer no longer has the required professional qualifications or does not perform his duties in accordance with the GDPR.
On the topic of a possible conflict of interest within the meaning of Art. 38 (6) GDPR, the ECJ established that it is fundamentally permissible for a data protection officer to also perform other tasks and duties. However, the data protection officer's functional independence still has to be guaranteed. It follows from this that a data protection officer may not be assigned tasks or duties that would require him to determine the purposes and means of the processing of personal data at the controller. This is due to the fact that the data protection officer must carry out the monitoring of these purposes and means independently.
Whether a conflict of interest exists therefore has to be determined on a case-by-case basis, taking into account all relevant circumstances, in particular the controller's organisational structure, and in consideration of all applicable legal provisions and internal regulations of the controller.
Fortunately, the ECJ has clarified the matter by stating that the national provisions of Sec. 38 (2) in conjunction with Sec. 6 (4) sentence 1 BDSG are fundamentally reconcilable with Union law and specifically with the GDPR. However, companies must examine in each individual case whether the dismissal of the data protection officer from office jeopardises the achievement of the objectives of the GDPR. However, in cases of a conflict of interest, the dismissal from office should be permissible.
Not entirely clear is whether a works council member can actually assume the position of data protection officer in person, as this is a question to be determined in the individual case. What is clear is that the purposes and means of data processing are basically determined by the employer as the controller within the meaning of the GDPR.
However, one must bear in mind the works council's general right of co-determination regarding data processing pursuant to Sec. 87 (1) No. 6 German Shop Constitution Act [Betriebsverfassungsgesetz, BetrVG], which also covers the specific means of data processing. For this reason, one could indeed assume a conflict of interest here. The BAG's decision in the two pending cases is thus eagerly anticipated.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.