CJEU - C-534/20 - Leistritz: Difference between revisions

From GDPRhub
(Added Summary, Facts and Holding. Shifted questions from holding to Facts.)
 
(9 intermediate revisions by 3 users not shown)
Line 35: Line 35:
}}
}}


The CJEU held that Article 38(3) GDPR does not preclude national legislation mandating that a controller can terminate employment of a DPO only with “just cause”, as long as the legislation does not undermine objectives of the GDPR.
The CJEU held that [[Article 38 GDPR#3|Article 38(3) GDPR]] allows member states to subject the termination of a data protection officer's employment contract to stricter regulations than provided for by EU law so long as those regulations do not undermine the objectives of the GDPR.


==English Summary==
==English Summary==
Line 42: Line 42:
Leistritz is a private company (the Company) based in Germany that is required under German law to have a Data Protection Officer (DPO). LH was the ‘Head of Legal Affairs’ in the Company, and subsequently, also became its Data Protection Officer from 1 February 2018.
Leistritz is a private company (the Company) based in Germany that is required under German law to have a Data Protection Officer (DPO). LH was the ‘Head of Legal Affairs’ in the Company, and subsequently, also became its Data Protection Officer from 1 February 2018.


On 13 July 2018, the Company issued a letter by which it terminated LH’s employment with the Company with effect from 15 August 2018. In the letter, the Company relied on internal restructuring measures, as per which the “activity of internal legal adviser and the data protection service were to be outsourced.”
On 13 July 2018, the Company issued a letter by which it terminated LH’s employment with the Company, effective 15 August 2018. In the letter, the Company relied on internal restructuring measures, as per which the “activity of internal legal adviser and the data protection service were to be outsourced.”


LH challenged the validity of termination of her employment and claimed that the same was invalid as per Article 38(2) GDPR and Section 6(4) BDSG, as the employment could be terminated only if there was a “just cause”. The Court decided in favour of LH saying that there was no “just cause” to terminate LH’s employment. However, the Company appealed against this decision on the point of law (revision).
LH challenged the validity of termination of her employment and claimed that the same was invalid as per [[Article 38 GDPR#2|Article 38(2) GDPR]] and Section 6(4) BDSG, as the employment could be terminated only in case of a “just cause”. The Court agreed with the plaintiff and declared LH's termination unlawful since no “just cause” was to be found in the present case. The Company filed an appeal against the decision. The issue raised was whether [[Article 38 GDPR#3|Article 38(3) GDPR]] allows a Member State to make laws that impose stricter conditions for the termination of a DPO.  


The issue raised was whether Article 38(3) of the GDPR allows a Member State to make laws that impose stricter conditions for termination of employment of a DPO. The Federal Labour Court took note of the diverging opinions in German jurisprudence. There existed a majority view that said that the special protection for employment of a DPO was a “substantive rule of employment law”, in which the European Union could not legislative. At the same time, there existed a minority view which said that the protection given to DPO conflicts with EU law, and gives rise to economic pressures to retain a person as a DPO, once they have been designated.
Noting a divergence in German jurisprudence, the Federal Labour Court stayed the proceedings and referred the following questions to the CJEU for a preliminary ruling:
 
Accordingly, the Federal Labour Court stayed the proceedings and referred the following questions to the CJEU for a preliminary ruling -


'''1.''' Is the second sentence of Article 38(3) GDPR to be interpreted as precluding a provision in national law, such as Paragraph 38(1) and (2) in conjunction with the second sentence of Paragraph 6(4) of the Bundesdatenschutzgesetz (Federal Law on data protection), which declares ordinary termination of the employment contract of the data protection officer by the data controller, who is his employer, to be impermissible, irrespective of whether his contract is terminated for performing his tasks?
'''1.''' Is the second sentence of Article 38(3) GDPR to be interpreted as precluding a provision in national law, such as Paragraph 38(1) and (2) in conjunction with the second sentence of Paragraph 6(4) of the Bundesdatenschutzgesetz (Federal Law on data protection), which declares ordinary termination of the employment contract of the data protection officer by the data controller, who is his employer, to be impermissible, irrespective of whether his contract is terminated for performing his tasks?
Line 60: Line 58:
'''3.''' Is the second sentence of [[Article 38 GDPR#3|Article 38(3) GDPR]] based on a sufficient enabling clause, in particular in so far as this covers data protection officers that are party to an employment contract with the data controller?
'''3.''' Is the second sentence of [[Article 38 GDPR#3|Article 38(3) GDPR]] based on a sufficient enabling clause, in particular in so far as this covers data protection officers that are party to an employment contract with the data controller?
=== Holding ===
=== Holding ===
Answering the first question, the CJEU held that there are certain words within Article 38(3) GDPR that are otherwise not defined within the GDPR. To interpret these provisions, their ordinary meaning in everyday language and also the context in which they appear in GDPR needs to be looked into. The CJEU concurred with AG’s opinion which said that a DPO must be protected against any decision terminating their employment because of the nature of their work, as is also mentioned in Recital 97. The CJEU also said that Article 38(3) GDPR applies to both in-house DPO and external DPO.
Answering the first question, the CJEU held that there are certain words within [[Article 38 GDPR#3|Article 38(3) GDPR]] that are otherwise not defined within the GDPR. To interpret these provisions requires reference to their ordinary meaning in everyday language as well as the context in which they appear in GDPR. The CJEU concluded that [[Article 38 GDPR#3|Article 38(3) GDPR]] is intended only to ensure a DPO's functional independence, not to govern the overall employment relationship between a controller or a processor; it applies irrespective of the nature of the DPO's employment relationship with the controller or processor.


The CJEU said that the measures for protecting DPO’s employment are present to ensure “functional independence” of the DPO. Relying upon the aspect of “social policy” under the TFEU, and also the opinion of the AG in support of the same, the CJEU held that Article 38(3) GDPR does not preclude “national legislation which provides that a controller or a processor may terminate the employment contract of a data protection officer, who is a member of his or her staff, only with just cause, even if the contractual termination is not related to the performance of that officer’s tasks, in so far as such legislation does not undermine the achievement of the objectives of the GDPR.”
Because the EU is to support and complement the efforts of member states in the field of worker protections, the CJEU held that [[Article 38 GDPR#3|Article 38(3) GDPR]] does not preclude “national legislation which provides that a controller or a processor may terminate the employment contract of a data protection officer, who is a member of his or her staff, only with just cause, even if the contractual termination is not related to the performance of that officer’s tasks, in so far as such legislation does not undermine the achievement of the objectives of the GDPR.” As the first question was answered in the negative, the CJEU did not answer the remaining two questions.


As the first question was answered in the negative, the CJEU did not have the need to answer the remaining two questions.
== Comment ==


== Comment ==
* Contemplating employment protections that might undermine the purposes of the GDPR, the CJEU offered the example of a law that prohibits the termination of a DPO who no longer possesses the professional qualities required to perform their tasks, or who does not fulfil those tasks in accordance with the GDPR.
''Share your comments here!''


== Further Resources ==
== Further Resources ==
''Share blogs or news articles here!''
''Share blogs or news articles here!''

Latest revision as of 13:30, 11 August 2022

CJEU - Case C-534/20 Leistritz
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 37(1) GDPR
Article 38(3) GDPR
Decided:
Parties: Leistritz AG
LH
Case Number/Name: Case C-534/20 Leistritz
European Case Law Identifier:
Reference from: BAG (Germany)
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: n/a


The CJEU held that Article 38(3) GDPR allows member states to subject the termination of a data protection officer's employment contract to stricter regulations than provided for by EU law so long as those regulations do not undermine the objectives of the GDPR.

English Summary

Facts

Leistritz is a private company (the Company) based in Germany that is required under German law to have a Data Protection Officer (DPO). LH was the ‘Head of Legal Affairs’ in the Company, and subsequently, also became its Data Protection Officer from 1 February 2018.

On 13 July 2018, the Company issued a letter by which it terminated LH’s employment with the Company, effective 15 August 2018. In the letter, the Company relied on internal restructuring measures, as per which the “activity of internal legal adviser and the data protection service were to be outsourced.”

LH challenged the validity of termination of her employment and claimed that the same was invalid as per Article 38(2) GDPR and Section 6(4) BDSG, as the employment could be terminated only in case of a “just cause”. The Court agreed with the plaintiff and declared LH's termination unlawful since no “just cause” was to be found in the present case. The Company filed an appeal against the decision. The issue raised was whether Article 38(3) GDPR allows a Member State to make laws that impose stricter conditions for the termination of a DPO.

Noting a divergence in German jurisprudence, the Federal Labour Court stayed the proceedings and referred the following questions to the CJEU for a preliminary ruling:

1. Is the second sentence of Article 38(3) GDPR to be interpreted as precluding a provision in national law, such as Paragraph 38(1) and (2) in conjunction with the second sentence of Paragraph 6(4) of the Bundesdatenschutzgesetz (Federal Law on data protection), which declares ordinary termination of the employment contract of the data protection officer by the data controller, who is his employer, to be impermissible, irrespective of whether his contract is terminated for performing his tasks?

If the first question is answered in the affirmative:

2. Does the second sentence of Article 38(3) GDPR also preclude such a provision in national law if the designation of the data protection officer is not mandatory in accordance with Article 37(1) GDPR, but is mandatory only in accordance with the law of the Member State?

If the first question is answered in the affirmative:

3. Is the second sentence of Article 38(3) GDPR based on a sufficient enabling clause, in particular in so far as this covers data protection officers that are party to an employment contract with the data controller?

Holding

Answering the first question, the CJEU held that there are certain words within Article 38(3) GDPR that are otherwise not defined within the GDPR. To interpret these provisions requires reference to their ordinary meaning in everyday language as well as the context in which they appear in GDPR. The CJEU concluded that Article 38(3) GDPR is intended only to ensure a DPO's functional independence, not to govern the overall employment relationship between a controller or a processor; it applies irrespective of the nature of the DPO's employment relationship with the controller or processor.

Because the EU is to support and complement the efforts of member states in the field of worker protections, the CJEU held that Article 38(3) GDPR does not preclude “national legislation which provides that a controller or a processor may terminate the employment contract of a data protection officer, who is a member of his or her staff, only with just cause, even if the contractual termination is not related to the performance of that officer’s tasks, in so far as such legislation does not undermine the achievement of the objectives of the GDPR.” As the first question was answered in the negative, the CJEU did not answer the remaining two questions.

Comment

  • Contemplating employment protections that might undermine the purposes of the GDPR, the CJEU offered the example of a law that prohibits the termination of a DPO who no longer possesses the professional qualities required to perform their tasks, or who does not fulfil those tasks in accordance with the GDPR.

Further Resources

Share blogs or news articles here!