CJEU - C-534/20 - Leistritz: Difference between revisions
Gauravpathak (talk | contribs) (Added Summary, Facts and Holding. Shifted questions from holding to Facts.) |
m (→Facts) |
||
Line 44: | Line 44: | ||
On 13 July 2018, the Company issued a letter by which it terminated LH’s employment with the Company with effect from 15 August 2018. In the letter, the Company relied on internal restructuring measures, as per which the “activity of internal legal adviser and the data protection service were to be outsourced.” | On 13 July 2018, the Company issued a letter by which it terminated LH’s employment with the Company with effect from 15 August 2018. In the letter, the Company relied on internal restructuring measures, as per which the “activity of internal legal adviser and the data protection service were to be outsourced.” | ||
LH challenged the validity of termination of her employment and claimed that the same was invalid as per Article 38(2) GDPR and Section 6(4) BDSG, as the employment could be terminated only if there | LH challenged the validity of termination of her employment and claimed that the same was invalid as per [[Article 38 GDPR#2|Article 38(2) GDPR]] and Section 6(4) BDSG, as the employment could be terminated only if there were “just cause”. The Court decided in favour of LH saying that there was no “just cause” to terminate LH’s employment. However, the Company appealed against this decision on the point of law (revision). | ||
The issue raised was whether Article 38(3) | The issue raised was whether [[Article 38 GDPR#3|Article 38(3) GDPR]] allows a Member State to make laws that impose stricter conditions for termination of a DPO. The Federal Labour Court took note of the diverging opinions in German jurisprudence. There existed a majority view that said that the special protection for employment of a DPO was a “substantive rule of employment law” in which the European Union could not legislate. At the same time, there existed a minority view which said that the protection given to the DPO conflicts with EU law and gives rise to economic pressures to retain a DPO once they have been designated. | ||
Accordingly, the Federal Labour Court stayed the proceedings and referred the following questions to the CJEU for a preliminary ruling - | Accordingly, the Federal Labour Court stayed the proceedings and referred the following questions to the CJEU for a preliminary ruling - | ||
Line 60: | Line 60: | ||
'''3.''' Is the second sentence of [[Article 38 GDPR#3|Article 38(3) GDPR]] based on a sufficient enabling clause, in particular in so far as this covers data protection officers that are party to an employment contract with the data controller? | '''3.''' Is the second sentence of [[Article 38 GDPR#3|Article 38(3) GDPR]] based on a sufficient enabling clause, in particular in so far as this covers data protection officers that are party to an employment contract with the data controller? | ||
=== Holding === | === Holding === | ||
Answering the first question, the CJEU held that there are certain words within Article 38(3) GDPR that are otherwise not defined within the GDPR. To interpret these provisions | Answering the first question, the CJEU held that there are certain words within [[Article 38 GDPR#3|Article 38(3) GDPR]] that are otherwise not defined within the GDPR. To interpret these provisions requires reference to their ordinary meaning in everyday language as well as the context in which they appear in GDPR. The CJEU concurred with AG’s opinion which said that a DPO must be protected against any decision terminating their employment because of the nature of their work, as is also mentioned in Recital 97. The CJEU also said that [[Article 38 GDPR#3|Article 38(3) GDPR]] applies to both an in-house DPO and an external DPO. | ||
The CJEU said that the measures for protecting | The CJEU said that the measures for protecting DPOs' employment are to ensure “functional independence” of the DPO. Relying upon the aspect of “social policy” under the TFEU, and also the opinion of the AG in support of the same, the CJEU held that [[Article 38 GDPR#3|Article 38(3) GDPR]] does not preclude “national legislation which provides that a controller or a processor may terminate the employment contract of a data protection officer, who is a member of his or her staff, only with just cause, even if the contractual termination is not related to the performance of that officer’s tasks, in so far as such legislation does not undermine the achievement of the objectives of the GDPR.” | ||
As the first question was answered in the negative, the CJEU did not | As the first question was answered in the negative, the CJEU did not answer the remaining two questions. | ||
== Comment == | == Comment == |
Revision as of 12:02, 29 June 2022
CJEU - Case C-534/20 Leistritz | |
---|---|
Court: | CJEU |
Jurisdiction: | European Union |
Relevant Law: | Article 37(1) GDPR Article 38(3) GDPR |
Decided: | |
Parties: | Leistritz AG LH |
Case Number/Name: | Case C-534/20 Leistritz |
European Case Law Identifier: | |
Reference from: | BAG (Germany) |
Language: | 24 EU Languages |
Original Source: | Judgement |
Initial Contributor: | n/a |
The CJEU held that Article 38(3) GDPR does not preclude national legislation mandating that a controller can terminate employment of a DPO only with “just cause”, as long as the legislation does not undermine objectives of the GDPR.
English Summary
Facts
Leistritz is a private company (the Company) based in Germany that is required under German law to have a Data Protection Officer (DPO). LH was the ‘Head of Legal Affairs’ in the Company, and subsequently, also became its Data Protection Officer from 1 February 2018.
On 13 July 2018, the Company issued a letter by which it terminated LH’s employment with the Company with effect from 15 August 2018. In the letter, the Company relied on internal restructuring measures, as per which the “activity of internal legal adviser and the data protection service were to be outsourced.”
LH challenged the validity of termination of her employment and claimed that the same was invalid as per Article 38(2) GDPR and Section 6(4) BDSG, as the employment could be terminated only if there were “just cause”. The Court decided in favour of LH saying that there was no “just cause” to terminate LH’s employment. However, the Company appealed against this decision on the point of law (revision).
The issue raised was whether Article 38(3) GDPR allows a Member State to make laws that impose stricter conditions for termination of a DPO. The Federal Labour Court took note of the diverging opinions in German jurisprudence. There existed a majority view that said that the special protection for employment of a DPO was a “substantive rule of employment law” in which the European Union could not legislate. At the same time, there existed a minority view which said that the protection given to the DPO conflicts with EU law and gives rise to economic pressures to retain a DPO once they have been designated.
Accordingly, the Federal Labour Court stayed the proceedings and referred the following questions to the CJEU for a preliminary ruling -
1. Is the second sentence of Article 38(3) GDPR to be interpreted as precluding a provision in national law, such as Paragraph 38(1) and (2) in conjunction with the second sentence of Paragraph 6(4) of the Bundesdatenschutzgesetz (Federal Law on data protection), which declares ordinary termination of the employment contract of the data protection officer by the data controller, who is his employer, to be impermissible, irrespective of whether his contract is terminated for performing his tasks?
If the first question is answered in the affirmative:
2. Does the second sentence of Article 38(3) GDPR also preclude such a provision in national law if the designation of the data protection officer is not mandatory in accordance with Article 37(1) GDPR, but is mandatory only in accordance with the law of the Member State?
If the first question is answered in the affirmative:
3. Is the second sentence of Article 38(3) GDPR based on a sufficient enabling clause, in particular in so far as this covers data protection officers that are party to an employment contract with the data controller?
Holding
Answering the first question, the CJEU held that there are certain words within Article 38(3) GDPR that are otherwise not defined within the GDPR. To interpret these provisions requires reference to their ordinary meaning in everyday language as well as the context in which they appear in GDPR. The CJEU concurred with AG’s opinion which said that a DPO must be protected against any decision terminating their employment because of the nature of their work, as is also mentioned in Recital 97. The CJEU also said that Article 38(3) GDPR applies to both an in-house DPO and an external DPO.
The CJEU said that the measures for protecting DPOs' employment are to ensure “functional independence” of the DPO. Relying upon the aspect of “social policy” under the TFEU, and also the opinion of the AG in support of the same, the CJEU held that Article 38(3) GDPR does not preclude “national legislation which provides that a controller or a processor may terminate the employment contract of a data protection officer, who is a member of his or her staff, only with just cause, even if the contractual termination is not related to the performance of that officer’s tasks, in so far as such legislation does not undermine the achievement of the objectives of the GDPR.”
As the first question was answered in the negative, the CJEU did not answer the remaining two questions.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!