BAG - 9 AZR 383/19: Difference between revisions

From GDPRhub
(links to laws, reference to the CJEU case)
m (Co moved page - 9 AZR 383/19 to BAG - 9 AZR 383/19)
 
(4 intermediate revisions by 2 users not shown)
Line 72: Line 72:
}}
}}


The German Federal Labour Court implemented the CJEU decisoin in case ''[[CJEU - C-453/21 - X-Fab Dresden GmbH & Co. KG|C-453/21]]'' holding that the Chairman of the Workers Council of a subsidiary cannot be appointed as the DPO of the group of undertakings in accordance with § 4f(3) BDSG (a.F.) in conjunction with § 626(1) BGB.
The German Federal Labour Court implemented CJEU's decision ''[[CJEU - C-453/21 - X-Fab Dresden GmbH & Co. KG|C-453/21]]'', holding that the chairman of the Works Council of a subsidiary was rightfully dismissed as the DPO of the group of undertakings for a conflict of interests between the two functions.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The Works Council Chairman of a subsidiary was appointed as the DPO of the mother company and its subsidiaries in Germany in 2015. With the parallel appointment of the same person as the DPO for the whole group of undertakings, the mother company, the controller, aimed to synchronize the privacy standards in group.  
The Works Council Chairman of a subsidiary was appointed as the DPO of the mother company and its German subsidiaries in 2015. With the parallel appointment of the same person as the DPO for the whole group of undertakings, the mother company, the controller, aimed to synchronize the privacy standards in the group.  


In 2017, the controller asked the DPA of Thüringen whether such an appointment was lawful, due to concerns of conflict of interests and lack of reliability as upon [https://www.gesetze-im-internet.de/bdsg_2018/index.html § 4f(2) of the German Federal Privacy Law (''Bundesdatenschutzgesetz - BDSG'')]. The DPA communicated in writing on 24 November 2017 that the requirements for a DPO appointment  were not fulfilled at that time since the DPO was also the Works Council Chairman, therefore the appointment was not effective for incompatibility. Hence, the DPA declared that the controller did not have a DPO from 2015 on and that it should appoint a new DPO by 8 January 2018 or it would risk a fine of €50,000.  
In 2017, the controller asked the DPA of Thüringen whether such an appointment was lawful, due to concerns of conflict of interests and lack of reliability as under [https://dejure.org/gesetze/BDSG_a.F. § 4f(2) of the German Federal Privacy Law (''Bundesdatenschutzgesetz - BDSG'')]in its old version ''(a.F.)''. The DPA communicated in writing on 24 November 2017 that the requirements for a DPO appointment  were not fulfilled at that time since the DPO was also the Works Council Chairman, therefore the appointment was null for incompatibility. Hence, the DPA declared that the controller did not have a DPO from 2015 on and that it should appoint a new DPO by 8 January 2018 or it would risk a fine of €50,000.  


As a consequence, the controllre informed the DPO that it would revoke his appointment as DPO from 2015 with immediate effect. Upon entry into force of the GDPR, the controller also sent him a separate revocation letter referring to the operational reasons under [[Article 38 GDPR#3|Article 38(3) GDPR]], second sentence.   
As a consequence, the controller informed the DPO that it would revoke his appointment of 2015 with immediate effect. Upon entry into force of the GDPR, the controller also sent him a separate revocation letter referring to the operational reasons under [[Article 38 GDPR#3|Article 38(3) GDPR]], second sentence.   


The DPO (hereinafter the plaintiff) therefore filed a lawsuit in front of the Labour Court to challenge his revocation. In its submissions, the controller (the defendant) requested that the appeal be dismissed since the incompatibility of offices constitutes an important reason within the meaning of [https://www.gesetze-im-internet.de/bdsg_2018/index.html § 4f(3) BDSG (a.F.)] and [https://www.gesetze-im-internet.de/bdsg_2018/index.html § 38(2) BDSG, § 6(4) BDSG] in conjunction with § 626 BGB.   
The DPO therefore filed a lawsuit in front of the Labour Court to challenge his revocation. In its submissions, the controller requested that the appeal be dismissed since the incompatibility of offices constitutes an important reason within the meaning of [https://dejure.org/gesetze/BDSG_a.F. § 4f(3) BDSG (a.F.)] and [https://www.gesetze-im-internet.de/bdsg_2018/index.html § 38(2) BDSG, § 6(4) BDSG] in conjunction with [https://www.gesetze-im-internet.de/bgb/ § 626 of the German Civil Code (''Bürgerliches Gesetzbuch -BGB'')].   


In the first instance, the Labor Court of Dresden upheld the claim of the plaintiff and the Regional Labor Court of Saxony also dismissed the defendant's appeal in its judgment of 19 August 2019. The defendant, however, continuted to pursue its motion to dismiss the plaintiff's claim before the German Federal Labour Court (''Bundesarbeitsgericht - BAG'').
In the first instance, the Labor Court of Dresden upheld the claim of the DPO and the Regional Labor Court of Saxony also dismissed the controller's appeal in its judgment of 19 August 2019. The controller, however, continuted to pursue its motion to dismiss the DPO's claim before the German Federal Labour Court (''Bundesarbeitsgericht - BAG'').


=== Holding ===
=== Holding ===
First of all, the BAG suspended proceedings in 2021 due to  
In 2021, the BAG suspended proceedings as it referred four questions to the CJEU asking whether German national law was compatible with [[Article 38 GDPR#3|Article 38(3) GDPR]], second sentence. In its judgment [[CJEU - C-453/21 - X-Fab Dresden GmbH & Co. KG|C-453/21 ''X-Fab Dresden GmbH & Co. KG'']], the CJEU held that Member states may lay down more specific rules on dismissals and that a conflict of interests can be given if the DPO carries out other functions within the company that determine the scope of processing on behalf of the controller. 


In its judgment of 6 June 2023, held that this assessment made by the ECJ regarding a conflict of interest pursuant to [[Article 38 GDPR#2|Article 38(2) GDPR]] has not only applied since the amendment of data protection law due to the GDPR, but already corresponded to the legal situation within the scope of the BDSG (a.F.).
The BAG held that this assessment made by the CJEU regarding a conflict of interest pursuant to [[Article 38 GDPR#2|Article 38(2) GDPR]] has not only applied since the amendment of the BDSG after entry into force of the GDPR, but already corresponded to the legal situation within the scope of the [https://dejure.org/gesetze/BDSG_a.F. BDSG (a.F.).


The BAG further held that the appointment itself was lawful, due to the fact that reliability is not a reason for an appointment to be invalid and null, but missing reliability can be a reason for a DPA to file for dismissal of a certain DPO upon § 38(5) BDSG (a.F.).
On 6 June 2023, the BAG issued its final judgment on the case.


The revocation of the appointment was justified for good cause in accordance with § 4f(3) BDSG (a.F.) in conjunction with § 626(1) BGB. Such a reason exists if the employee appointed as data protection officer does not (or no longer) have the necessary expertise or reliability within the meaning of § 4f(2) BDSG (a.F.). Reliability could be called into question if there is a risk of conflicts of interest. A conflict of interest relevant to dismissal is to be assumed, if the data protection officer holds a position within an institution that has the purpose of determining the purposes and means of processing personal data. Not every conflict of interest justifies the revocation of the appointment of the data protection officer.
First of all, it held that the initial appointment of the employee as DPO itself was lawful, due to the fact that reliability is not a reason for an appointment to be invalid and null, but lack thereof can be a reason for revoking the appointment of a DPO under [https://dejure.org/gesetze/BDSG_a.F. § 38(5) BDSG (a.F.).]


What is required is a degree that calls the independence of the data protection officer is called into question. According to the case law of the Court of Justice on [[Article 38 GDPR#6|Article 38(6) GDPR]], the employee appointed as data protection officer may not hold a position within the controller that would allow the determination of the purposes and means of the processing of personal data.
Secondly, the BAG held that the revocation of the appointment of the employee as DPO was justified for good cause in accordance with [https://dejure.org/gesetze/BDSG_a.F. § 4f(3) BDSG (a.F.)] in conjunction with [https://www.gesetze-im-internet.de/bgb/ § 626(1) BGB]. Such reasons exists if DPO's funciton is made impossible or are at risk as for instance if he does not (or no longer) have the necessary expertise or reliability within the meaning of [https://dejure.org/gesetze/BDSG_a.F. § 4f(2) BDSG (a.F.).] Reliability of the DPO could be called into question if there was a risk of conflicts of interest. The BAG held, making reference to the [[CJEU - C-453/21 - X-Fab Dresden GmbH & Co. KG|CJEU's preliminary ruling]] on [[Article 38 GDPR#6|Article 38(6) GDPR]], that such a conflict of interests can be given if the DPO holds a position within the controller's undertaking that would allow him to determine the purposes and means of processing of personal data. In the BAG's view, if the works council chairman also acted as DPO, a concrete risk of a conflict of interest was given which put the independence of the DPO's functions at risk. As a matter of fact, the works council chairman requests access to specific personal data of employees and decides which protective measures to adopt in that regard. At the same time, the DPO is called upon to assess in a neutral and independent way whether the actions taken by the works council are in line with data protection provisions. Due to these structural limitations, the DPO may struggle to ensure both neutrality and independence from the works council's resolutions, as he is the chairsperson thereof.  


If the works council also acts as the data protection officer, there is a risk of a conflict of interest. This is because, in assessing information requests and protective measures, the council must maintain a neutral and exclusive focus on data protection. However, due to structural limitations, it may struggle to ensure both neutrality and independence from the works council's resolutions. This conflict compromises the functional independence of the data protection officer, potentially undermining data protection regulations. As a result, the employer may have grounds to revoke the appointment.
For all these reasons, the BAG held that this conflict compromises the functional independence of the DPO, potentially undermining data protection provisions and as a result, the employer is justified to revoke the appointment of the employee in question as DPO.  


== Comment ==
== Comment ==

Latest revision as of 14:13, 28 November 2023

- 9 AZR 383/19
Courts logo1.png
Court: BAG (Germany)
Jurisdiction: Germany
Relevant Law: Article 38(3) GDPR
Article 38(6) GDPR
§ 38(2) BDSG
§ 4f(2) BDSG (a.F.)
§ 4f(3) BDSG (a.F.)
§ 6(4) BDSG
§ 626 BGB
Decided: 06.06.2023
Published: 09.06.2023
Parties:
National Case Number/Name: 9 AZR 383/19
European Case Law Identifier: ECLI:DE:BAG:2023:060623.U.9AZR383.19.0
Appeal from:
Appeal to:
Original Language(s): German
Original Source: BAG (in German)
Initial Contributor: Sara Horvat

The German Federal Labour Court implemented CJEU's decision C-453/21, holding that the chairman of the Works Council of a subsidiary was rightfully dismissed as the DPO of the group of undertakings for a conflict of interests between the two functions.

English Summary

Facts

The Works Council Chairman of a subsidiary was appointed as the DPO of the mother company and its German subsidiaries in 2015. With the parallel appointment of the same person as the DPO for the whole group of undertakings, the mother company, the controller, aimed to synchronize the privacy standards in the group.

In 2017, the controller asked the DPA of Thüringen whether such an appointment was lawful, due to concerns of conflict of interests and lack of reliability as under § 4f(2) of the German Federal Privacy Law (Bundesdatenschutzgesetz - BDSG)in its old version (a.F.). The DPA communicated in writing on 24 November 2017 that the requirements for a DPO appointment were not fulfilled at that time since the DPO was also the Works Council Chairman, therefore the appointment was null for incompatibility. Hence, the DPA declared that the controller did not have a DPO from 2015 on and that it should appoint a new DPO by 8 January 2018 or it would risk a fine of €50,000.

As a consequence, the controller informed the DPO that it would revoke his appointment of 2015 with immediate effect. Upon entry into force of the GDPR, the controller also sent him a separate revocation letter referring to the operational reasons under Article 38(3) GDPR, second sentence.

The DPO therefore filed a lawsuit in front of the Labour Court to challenge his revocation. In its submissions, the controller requested that the appeal be dismissed since the incompatibility of offices constitutes an important reason within the meaning of § 4f(3) BDSG (a.F.) and § 38(2) BDSG, § 6(4) BDSG in conjunction with § 626 of the German Civil Code (Bürgerliches Gesetzbuch -BGB).

In the first instance, the Labor Court of Dresden upheld the claim of the DPO and the Regional Labor Court of Saxony also dismissed the controller's appeal in its judgment of 19 August 2019. The controller, however, continuted to pursue its motion to dismiss the DPO's claim before the German Federal Labour Court (Bundesarbeitsgericht - BAG).

Holding

In 2021, the BAG suspended proceedings as it referred four questions to the CJEU asking whether German national law was compatible with Article 38(3) GDPR, second sentence. In its judgment C-453/21 X-Fab Dresden GmbH & Co. KG, the CJEU held that Member states may lay down more specific rules on dismissals and that a conflict of interests can be given if the DPO carries out other functions within the company that determine the scope of processing on behalf of the controller.

The BAG held that this assessment made by the CJEU regarding a conflict of interest pursuant to Article 38(2) GDPR has not only applied since the amendment of the BDSG after entry into force of the GDPR, but already corresponded to the legal situation within the scope of the BDSG (a.F.).

On 6 June 2023, the BAG issued its final judgment on the case.

First of all, it held that the initial appointment of the employee as DPO itself was lawful, due to the fact that reliability is not a reason for an appointment to be invalid and null, but lack thereof can be a reason for revoking the appointment of a DPO under § 38(5) BDSG (a.F.).

Secondly, the BAG held that the revocation of the appointment of the employee as DPO was justified for good cause in accordance with § 4f(3) BDSG (a.F.) in conjunction with § 626(1) BGB. Such reasons exists if DPO's funciton is made impossible or are at risk as for instance if he does not (or no longer) have the necessary expertise or reliability within the meaning of § 4f(2) BDSG (a.F.). Reliability of the DPO could be called into question if there was a risk of conflicts of interest. The BAG held, making reference to the CJEU's preliminary ruling on Article 38(6) GDPR, that such a conflict of interests can be given if the DPO holds a position within the controller's undertaking that would allow him to determine the purposes and means of processing of personal data. In the BAG's view, if the works council chairman also acted as DPO, a concrete risk of a conflict of interest was given which put the independence of the DPO's functions at risk. As a matter of fact, the works council chairman requests access to specific personal data of employees and decides which protective measures to adopt in that regard. At the same time, the DPO is called upon to assess in a neutral and independent way whether the actions taken by the works council are in line with data protection provisions. Due to these structural limitations, the DPO may struggle to ensure both neutrality and independence from the works council's resolutions, as he is the chairsperson thereof.

For all these reasons, the BAG held that this conflict compromises the functional independence of the DPO, potentially undermining data protection provisions and as a result, the employer is justified to revoke the appointment of the employee in question as DPO.

Comment

The preliminary ruling of the CJEU in case C-453/21 is also available on GDPRhub.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Federal Labor Court judgment of June 6, 2023
Ninth Senate - 9 AZR 383/19 -
                                            ECLI:DE:BAG:2023:060623.U.9AZR383.19.0

I. Dresden Labor Court judgment of June 27, 2018
                                            - 10 Ca 234/18 -


II. Saxon State Labor Court judgment of August 19, 2019
                                            - 9 Sat 268/18 -




Keyword for decision:

            Chairman of the works council as data protection officer

Guiding principle:

            The duties of a data protection officer are the same as those of an employee.
            Chairman of the works council cannot be agreed. The one with simultaneous truth
            Conflict of interest existing in the performance of both functions justifies
            the appointment of the works council chairman as data protection officer

            to revoke.

Note from the Senate:
            See the conformity with Union law of Section 6 Paragraph 4 Sentence 1 BDSG BAG June 6th

            2023 - 9 AZR 621/19 - FEDERAL LABOR COURT


9 AZR 383/19
9 Sat 268/18
Saxon
State Labor Court


                          In the name of the people!
Announced on
June 6, 2023
                                   VERDICT
Kleinert, clerk
the office



                                   In matters






       Defendant, appellant and appellant,






                                      pp.




       Plaintiff, respondent and defendant on appeal,








the Ninth Senate of the Federal Labor Court based on the oral arguments

act of June 6, 2023 by the presiding judge at the Federal Labor Court

court Prof. Dr. Kiel, the judges at the Federal Labor Court Zimmermann and
Dr. Suckow and the honorary judges Dr. Leitner and Stang for law

detected:




 ECLI:DE:BAG:2023:060623.U.9AZR383.19.0 - 2 - - 2 - 9 AZR 383/19



           1. The judgment of the defendant is based on the appeal
             Saxon State Labor Court dated August 19th
             2019 - 9 Sa 268/18 - repealed.

           2. On the defendant's appeal, the judgment of the Ar-
             Beitsgericht Dresden from June 27, 2018 - 10 approx
             234/18 - amended and the lawsuit dismissed.

           3. The plaintiff must bear the costs of the legal dispute.



                            By law!




                                 Facts of the case



        The parties dispute the validity of the plaintiff's appeal on January 1

the defendant's data protection officer and the revocation of the contract.

position and the dismissal of the plaintiff.

        The defendant, based in D, belongs to the X group. She is a 2

100% subsidiary of X GmbH, which was converted from an AG with its registered office
in E. The plaintiff is entitled to take into account periods of previous employment with the company.

has been in an employment relationship with the defendant since November 1, 1993.

He is chairman of the works council formed by this and is responsible for exercising responsibility
due to his duties as chairman, he was partially released from work.


        The plaintiff was terminated by the defendant with effect from June 1, 2015
parent company and its other subsidiaries based in Germany

companies X F GmbH and X I GmbH each have separate data protection regulations.

ordered ordered. With the parallel appointment of the plaintiff, the companies pursued

companies aim to establish a uniform data protection standard across the group.
ren.

        In a letter dated September 4, 2017 to the parent company of Be-4

complained, the then X AG, said the Thuringian state commissioner for data

protection and freedom of information with reference to Section 4f Paragraph 2 BDSG in the

The version valid until May 24, 2018 (BDSG aF) concerns that the plaintiff


 ECLI:DE:BAG:2023:060623.U.9AZR383.19.0
                                                                            - 3 - - 3 - 9 AZR 383/19



necessary to fulfill his duties as a company data protection officer.

have the required reliability. Because of his position as works council chairman
conflicts of interest could arise. In their statement dated

On September 27, 2017, X GmbH responded with reference to the decision

of the Federal Labor Court of March 23, 2011 (- 10 AZR 562/09 -), both radio

tions are compatible with each other.

        The Thuringian State Commissioner for Data Protection and Freedom of Information 5

In a letter dated November 24, 2017, heit stated that the plaintiff did not have the right
about the information required for the appointment as a company data protection officer.

technical reliability. Due to the incompatibility with the Office of the Operating

Chairman of the Council, the plaintiff is already not effective for operational data
protection officer has been appointed. The company has therefore had since then

June 1, 2015 no company data protection officer. The mother

The defendant's company was given the opportunity to comment until the 3rd January.

nuary 2018 with the note that a company data protection policy will be required after the deadline has expired.
a representative is appointed ex officio and the breach of duty, a

to appoint a data protection officer, with a fine of up to

50,000.00 euros could be punished.

        The defendant and the other group companies based in Germany- 6

The takers then informed the plaintiff in separate letters dated December 1st
December 2017 announced that an effective appointment as a company data protection officer

The commissioner had not done so and now to avoid a fine

a suitable data protection officer is appointed. In the alternative, they each revoked

because in a letter dated December 1, 2017, the plaintiff was appointed as
protection officer with immediate effect. As a precaution, they called the plaintiff

ger after the General Data Protection Regulation comes into force with separate writing

ben of May 25, 2018 in accordance with Art. 38 Para. 3 Sentence 2 GDPR with reference to
operational reasons as data protection officer.









 ECLI:DE:BAG:2023:060623.U.9AZR383.19.0
                                                                             - 4 - - 4 - 9 AZR 383/19



        The plaintiff was of the opinion that the defendant had him on the 7th

June 16, 2015 effective data protection officer for their operations in Germany.
provides. His dismissal by letters dated December 1, 2017 and dated

May 25, 2018 is not effective.

        The plaintiff requested 8

           1. determine that his legal status as a supervisor
                 The defendant is not responsible for data protection
                 The defendant's revocation of December 1, 2017 ended

                 has been det;
           2. determine that his legal status as a supervisor
                 nor does it have any bearing on the defendant’s data protection
                 by the defendant's revocation of May 25, 2018

                 has been ended.


        The defendant has requested dismissal of the action. She has lost her view- 9

due to an incompatibility with the office of works council chairman
The plaintiff is therefore not effectively the company's data protection officer

been ordered. In any case, the order is effective from December 1, 2017,

alternatively terminated on May 25, 2018. The office incompatibility represents a

an important reason within the meaning of Section 4f Paragraph 3 Sentence 4 BDSG old version or Section 38 Paragraph 2,
Section 6 Paragraph 4 Sentence 1 BDSG in conjunction with. § 626 BGB.

        The Labour Court has upheld the complaint. The State Labor Court 10

rejected the defendant's appeal. The revision pursues this

Defendant continued her motion to dismiss. The Senate has the legal dispute

suspended by order of April 27, 2021 and referred to the Court of Justice of the European Union
European Union requests a preliminary ruling as to whether the regulation in Section 6 Paragraph 4

Sentence 1 BDSG, according to which the dismissal of a data protection officer

There is an important reason in the sense of. § 626 BGB requires, with Art. 38

Paragraph 3 Sentence 2 GDPR is in accordance and whether there is a conflict of interest within the meaning of. Article 38
Paragraph 6 Sentence 2 GDPR applies if the data protection officer also does so

Office of the chairman of the works council formed in the responsible office

(BAG April 27, 2021 - 9 AZR 383/19 (A) - BAGE 174, 358). With judgment dated
On February 9, 2023, the Court ruled on the request for a preliminary ruling

(ECJ February 9, 2023 - C-453/21 - [X-FAB Dresden]).


 ECLI:DE:BAG:2023:060623.U.9AZR383.19.0
                                                                             - 5 - - 5 - 9 AZR 383/19





                          Reasons for the decision




        The revision is justified. The State Labor Court has appealed 11

of the defendant against the judgment in favor of the action was wrongly rejected.
The plaintiff was effectively appointed as the defendant's data protection officer.

provides. However, the defendant received the order in a letter dated December 1st

Effectively revoked in 2017. The application to be interpreted as a false auxiliary application
The Senate therefore did not have to decide on 2.


I. Contrary to the opinion of the appeal, the defendant has the plaintiff at 12

Letter dated June 16, 2015 in the form required by Section 4f Paragraph 1 Sentence 1 BDSG old version

Form (see BAG July 27, 2017 - 2 AZR 812/16 - Rn. 19, BAGE 160, 1) for the commissioning
ordered for data protection. For the effectiveness of the plaintiff’s appointment

gers, it is irrelevant whether the office of the data protection officer is the same as the office of

works council chairperson is compatible. Therefore, this question that the country
desarbeitsgericht with reference to the judgment of the Federal Labor Court of

March 23, 2011 (- 10 AZR 562/09 -) has denied, remain open at this point.


1. The reliability of a data protection officer can be determined in 13

Questions arise when there is a risk of conflicts of interest. An overlap of inter-
food spheres, the reliability required by Section 4f Paragraph 2 Sentence 1 BDSG old version can

impair safety (BAG December 5, 2019 - 2 AZR 223/19 - Rn. 25 mwN,

BAGE 169, 59). Due to the lack of reliability of a representative for
person appointed for data protection in the sense of. However, Section 4f Paragraph 2 Sentence 1 BDSG old version follows

According to the old version of the BDSG, this does not mean that the order is invalid. This legal consequence is in

The law is not provided for and would also contradict its system because other

Otherwise, the revocation of the order provided for in Section 4f Paragraph 3 Sentence 4 BDSG old
as well as the right of the supervisory authority to request dismissal due to lack of confidence

To demand negligence (Section 38 Para. 5 Sentence 3 BDSG old version) is essentially in vain

(BAG December 5, 2019 - 2 AZR 223/19 - Rn. 26 with further references, ibid).




 ECLI:DE:BAG:2023:060623.U.9AZR383.19.0
                                                                            - 6 - - 6 - 9 AZR 383/19



2. Whether something different can apply in exceptional cases if the order is a 14

nes data protection officer in a particularly serious situation
and obvious errors (see BAG December 5, 2019 - 2 AZR 223/19 -

Rn. 27, BAGE 169, 59), no decision is required at this point. Such a

This is not the case here.


II. The revocation of the plaintiff's appointment as representative for the Da-15
The defendant's protection from December 1, 2017 is effective because this is the case

important reason iSv. § 4f Para. 3 Sentence 4 BDSG old version in conjunction with. § 626 Paragraph 1 BGB

ben is. Contrary to the opinion of the State Labor Court, there is an unresolved
Resolvable conflict of interest if the data protection officer is also the company manager

is the chairman of the council of the responsible body. This makes it possible for the defendant to

It is reasonable to continue to employ the plaintiff as the company's data protection officer.

add.

1. The revocation of the appointment as data protection officer after 16

§ 4f Para. 3 Sentence 4 BDSG old version in conjunction with. § 626 Paragraph 1 BGB requires the existence of offenses

things that allow the person responsible to do so, taking into account the circumstances

circumstances of the individual case as well as weighing up the interests of both contractual parties
partner make it unreasonable to use the person in question as a company data

protection officer only until the end of the normal notice period

continue to use.

a) Important reasons are particularly those that occurred at the age of 17

related to the function and activities of the data protection officer and

make it impossible or at least impossible to carry out this activity any further

significantly endanger, for example a betrayal of secrets or a permanent
Violation of control obligations as a data protection officer (BAG March 23

2011 - 10 AZR 562/09 - Rn. 15 mwN). An important reason for the revocation is

even if the person appointed as data protection officer
Employees have the required specialist knowledge or reliability. § 4f paragraph 2

Sentence 1 BDSG aF for the fulfillment of the task no longer has.





 ECLI:DE:BAG:2023:060623.U.9AZR383.19.0
                                                                            - 7 - - 7 - 9 AZR 383/19



b) An overlap of spheres of interests can occur as per BDSG aF 18

contradict the required reliability (BAG March 23, 2011 - 10 AZR
562/09 - paragraph 24; March 22, 1994 - 1 ABR 51/93 - to B IV of the reasons, BAGE 76,

184). Not every conflict of interest justifies the revocation of the order

of the data protection officer. A degree of independence is required

of the data protection officer.

aa) Since the law requires the appointment of a company data protection officer - 19

ten permitted, who is employed as an employee by the responsible employer

is, not every touch of the different tasks can affect the reliability
question. The company data protection officer is responsible for ensuring compliance with the

Data protection regulations at the person responsible and thus the working environment

of the employee employed there. He has to do that in the end

As a consequence, also subject yourself to a check. Appropriate
applies to the function of the company data protection officer, as this does not apply

to only perform monitoring but also advisory functions and therefore

to reflect on the results of his own consultation.


bb) According to the case law of the Court of Justice of the European Union on the 20th
GDPR must ensure that a data protection officer is independent

whether he is an employee of the person responsible

or not, carry out his duties and tasks in complete independence
can practice (cf. ECJ February 9, 2023 - C-560/21 - [KISA] Rn. 20; June 22, 2022

- C-534/20 - [Leistritz] para. 26 f.). Only if this functional independence of the

data protection officer is safeguarded, the effectiveness of the data protection

legal provisions can be guaranteed (cf. ECJ February 9, 2023
- C-560/21 - [KISA] para. 22; June 22, 2022 - C-534/20 - [Leistritz] para. 28).


cc) This standard for an important reason does not only apply from the age of 21

The amendment to data protection law made by the entry into force of the GDPR,
but was already valid according to the old version of the BDSG. According to the will of the legislature

the replacement of Section 4f Paragraph 3 Sentence 4 BDSG old version by Section 6 Paragraph 4 BDSG

The standard by which a relevant conflict of interests is to be assessed,



 ECLI:DE:BAG:2023:060623.U.9AZR383.19.0
                                                                             - 8 - - 8 - 9 AZR 383/19



left touched (BT-Drs. 18/11325 p. 82: “Paragraph 4 corresponds to the previous one

Regulation of § 4f paragraph 3 sentences 4 to 6 BDSG old version).

c) A reason for the revocation of the role of the data protection officer 22

This is usually the case when the employee is in the fulfillment of his duties

further tasks and obligations have an influence on data processing

in the responsible position. In such a case, the independent
Fulfillment of the duties of a data protection officer may be at risk.


aa) According to the case law of the Court of Justice on Article 38 Paragraph 6 Sentence 2 23

GDPR, the employee appointed as data protection officer may do so within
of the responsible body do not hold a position that requires a determination of

Purposes and means of processing personal data for counter purposes

has stood (cf. ECJ February 9, 2023 - C-453/21 - [X-FAB Dresden] Rn. 44, 46;

previously Art. 29 Data Protection Group WP 243 rev. 01 p. 19). The right of
responsible person, the appointment of the data protection officer in the event of a

To revoke the right to exercise influence on data processing preserves this

functional independence and thus guarantees the effectiveness of the data

protective regulations. Whether these conditions are met is
in individual cases, taking into account all relevant circumstances, in particular

the organizational structure of the person responsible and in the light of all applicable

Legal provisions, including any internal regulations of the responsible
(cf. ECJ February 9, 2023 - C-453/21 - [X-FAB Dresden]

Rn. 45 f.).


2. The plaintiff's office as works council chairman is then 24

further performance of his duties as data protection officer.
The legal tasks of both functions cannot be carried out without interests

exercise conflict with regard to data protection, which is covered by Section 4f Paragraph 2 Sentence 1

BDSG aF abolishes the assumed functional reliability. This justifies
the revocation of the appointment as data protection officer.


a) In accordance with Section 4g Paragraph 1 Sentence 1, the data protection officer has 25

BDSG aF on compliance with the BDSG aF and other regulations on the


 ECLI:DE:BAG:2023:060623.U.9AZR383.19.0
                                                                             - 9 - - 9 - 9 AZR 383/19



to promote data protection. In particular, he must ensure the proper

Use of data processing programs with the help of which personal data is collected
Data to be processed should be monitored as well as during processing

people take appropriate measures to collect personal data

the regulations of the BDSG and other regulations on data protection

and familiar with the respective special requirements of data protection
(§ 4g para. 1 sentence 4 BDSG old version). These tasks coincide in general

essentially with the tasks of the data protection officer under Art. 39 GDPR.

The data protection officer is then responsible for providing information and advice
of the person responsible or the processor and the employees who

the processing with regard to its obligations under the GDPR and other data

Implement the protection regulations of the Union or the Member States. He has the

Compliance with the GDPR, other Union data protection regulations and/or the
member states as well as strategies of the controller or the processor

ters for the protection of personal data including the allocation of

responsibilities, sensitization and training of those involved in the processing

to check the employees involved in the processes. He is also available for advice
- upon request - in connection with the data protection impact assessment and

responsible for monitoring its implementation in accordance with Art. 35 GDPR.


b) The duties of a data protection officer are the same as those of a data protection officer
Chairman of the works council with regard to data protection regulations does not

to agree. Whether there is already a difference between the works council mandate and the office of the

protection officer there is an incompatibility that leads to a revocation

If there is a conflict of interest justifying the appointment, the Senate does not have to
divorce. In any case, there is a functional incompatibility with the tasks of the

Chairman of the works council, who, within the scope of his legal duties,

ben not only participates in the decision of the committee, but the body
represents externally within the framework of the decisions taken.


aa) The works council, as a body, determines the purposes and means of processing 27

personal data. He decides by decision, under

under what specific circumstances he will disclose which personal data


 ECLI:DE:BAG:2023:060623.U.9AZR383.19.0
                                                                          - 10 - - 10 - 9 AZR 383/19



exercise the tasks assigned to him by the Works Constitution Act

collects it and how it then processes it.

(1) The Works Constitution Act grants the works council certain 28

social, personnel and economic matters participation and

Rights of participation that go beyond mere hearing or information (e.g. Section 80

Paragraph 2 Sentence 1, Section 102 Paragraph 1 BetrVG, Section 17 Paragraph 2 Sentence 1 KSchG) on the consultation
(e.g. Section 90 Paragraph 2 Sentence 1, Section 92 Paragraph 1 Sentence 2 BetrVG, Section 17 Paragraph 2 Sentence 2

KSchG) up to the right to refuse consent (§ 99 BetrVG) and

finally extend to the right of co-determination, in which the employer has the positive
Active consent of the works council is required (e.g. Sections 87, 94, 112 Para. 4 BetrVG). In

To fulfill these tasks, the works council processes personal data.

He receives this in particular when exercising his works constitution

legal participation and co-determination rights from the employer on the one hand
and on the other hand by employees themselves, for example during consultation hours

(§ 39 BetrVG), a complaint (§ 85 para. 1 BetrVG), the right to make proposals

of employees (§ 86a BetrVG), the exchange of opinions within the framework of employment

company or departmental meetings (§ 43 para. 3 sentence 1, § 45 BetrVG) or
hearing an employee affected by a personnel measure

mers (Section 102 Paragraph 2 Sentence 4 BetrVG, cf. Lembke FS Schmidt 2021 pp. 277, 282).

Furthermore, the works council can enter into works agreements with the employer
with direct and mandatory effect for the company's employees

close the company (Section 77 Para. 4 BetrVG). Also regulations in company agreements

ments, such as technical monitoring devices in the sense of. § 87 Paragraph 1 No. 6

BetrVG (see Lang NZA 2023, 269, 272 f.), the processing can be personal.
extracted data.


(2) The purposes of data processing by the works council are defined by Section 29

Allocation of tasks in the Works Constitution Act to their external framework
according to predetermined. The works council can therefore communicate protected data

not demand it independently of its legal duties. employees

Data may only be used for purposes that are in accordance with the Works Constitution Act.

expressly provides for this and is intended to fulfill the provisions of works constitution law


 ECLI:DE:BAG:2023:060623.U.9AZR383.19.0
                                                                           - 11 - - 11 - 9 AZR 383/19



tasks are required. In this specific case, however, the works council intervenes

Execution of its legal tasks under its own responsibility, which
which employee-related information is requested and how the data transmitted

should actually be processed. This opens up for him in terms of

the use of the data provides considerable scope for decision-making (cf.

Maschmann FS Schmidt 2021 pp. 353, 356; Schulz ZESAR 2019, 323, 325;
Kurzböck/Weinbeck BB 2020, 500, 501).


(a) According to Section 80 Paragraph 2 Sentence 1 BetrVG, the employer has the works council on the 30th

To carry out his tasks in a timely and comprehensive manner. Vo-
The basis for the works council's right to information is, on the one hand, that

there is actually a task for the works council, and on the other hand, that

the requested information is required to carry out the task in individual cases

is (BAG April 9, 2019 - 1 ABR 51/17 - Rn. 12, BAGE 166, 269). Mirror image
In principle, the employer is also only allowed to provide employee data to the works council

for necessary works council tasks. When passing on

When sending sensitive data to the works council, special protective measures must be taken.

fen. Due to the independence of the works council as a structural principle of the
However, the employer does not have the power to provide appropriate work conditions

and specific protective measures or to give instructions to the works council about this.

gave to make. Regardless of whether the works council is part of the responsible
chen point (e.g. Bonanni/Niklas ArbRB 2018, 371 f.; Pötters in Gola DS-GVO

2nd ed. Art. 88 Rn. 38; on the data protection legal situation according to the BDSG old version see BAG

February 7, 2012 - 1 ABR 46/10 - Rn. 43 mwN, BAGE 140, 350) or even responsibility

more literally (e.g. Kurzböck/Weinbeck BB 2018, 1652, 1655; Kleinebrink
DB 2018, 2566 f.; Maschmann NZA 2020, 1207, 1209 ff.; Wybitul NZA 2017,

413 f.), this specific obligation to protect applies to him (BAG April 9, 2019

- 1 ABR 51/17 - Rn. 47, ibid).

(b) It can be left open as to whether the data protection officer will be appointed under the 31st

BDSG aF supervisory and control powers also vis-à-vis the authority

management council had to exercise (see Kleinebrink DB 2018, 2566, 2570 f.; Lücke

NZA 2019, 658, 667), or whether this is countered by the independence of the works council.


 ECLI:DE:BAG:2023:060623.U.9AZR383.19.0
                                                                           - 12 - - 12 - 9 AZR 383/19



subject matter (so BAG November 11, 1997 - 1 ABR 21/97 - to B III 2 c and c bb of the

Reasons, BAGE 87, 64). In any case, according to the law at the time, it was his responsibility
version, data protection compliance at the request of the works council

Personal data transmitted by the employer - if necessary

more sensitive - to check employee data. When transmitting sensitive data

Accordingly, he had to monitor on his own behalf whether the protective
The works council's policy complies with data protection requirements and

Employer may transmit the data to the works council.


(3) Subject of the data supervisory and control authority 32
The protection officer is also responsible for compliance with data protection regulations.

requirements when implementing company agreements, for example Section 87 Paragraph 1

No. 6 BetrVG, which he himself helped to bring about.


bb) The works council also determines the means of processing personal data. 33
n-related data. This includes the technical methods of processing

personal data and the manner in which a result or goal is achieved

is achieved (Art. 29 Data Protection Group WP 169 p. 17).


(1) The means to be determined primarily concern the processing of the 34
Data. The works council decides on the technical aspects of the organizational

sation of its processes and decides whether it has concrete data in analogue form

or digital form stores which software he specifically uses
User rights he grants and what storage periods he sets (Brink/Joos

NZA 2019, 1395, 1397; Kurzböck/Weinbeck BB 2020, 500, 501; Schultz

ZESAR 2019, 323, 325).


(2) This does not conflict with the fact that the works council is involved in data processing. 35
material resources, in particular an IT and communications infrastructure,

sets that the employer made available to him in accordance with Section 40 Paragraph 2 BetrVG

has. Regardless of the fact that it is not possible to decide on the means of processing
It depends on which IT system - provided by the employer -

It is the responsibility of the works council to use systems or hardware for data processing

Check whether material resources are required to carry out works council tasks


 ECLI:DE:BAG:2023:060623.U.9AZR383.19.0
                                                                           - 13 - - 13 - 9 AZR 383/19



and must be made available by the employer to the works council. He has at

his decision merely reflects the interests of the workforce in an appropriate
right exercise of the works council office and legitimate interests of the employee

donor, even insofar as it is aimed at limiting the obligation to bear costs

must be weighed against each other (BAG April 20, 2016 - 7 ABR 50/14 - Rn. 16

mwN, BAGE 155, 54).

c) A data protection officer involved as works council chairman who is 36

its monitoring task in the area of tension between its functional interests

and tasks must be fulfilled, does not have the necessary qualifications to guarantee the
Independence required by legal data protection. As a representative for the

Data protection, the chairman of the works council is obliged to check whether the

the decision of the works council represented by him externally with the provisions

is in line with data protection requirements.

aa) In his function under works constitution law, he is primarily responsible for 37

never a works council member like the other committee members. He practices the law

The works council's legally assigned powers and duties neither as an agent

more powerful or as a legal representative in his place (Fitting BetrVG
31st edition § 26 Rn. 21 f.). According to Section 26 Paragraph 2 Sentence 1 BetrVG, the operating

Chairman of the works council within the framework of the resolutions made by it.

It must also be handed over to the works council for receipt
Declarations entitled (Section 26 Paragraph 2 Sentence 2 BetrVG). So he doesn't act as a

Representative in the will, but as a representative in the declaration (BAG February 8, 2022

- 1 AZR 233/21 - Rn. 27; March 19, 2003 - 7 ABR 15/02 - to II 2 b of the reasons,

BAGE 105, 311).

bb) This task-related communication from the works council chairman 38

represents the functional independence as a data protection officer and thus the

Ensuring data protection is in question. By the works council chairman
within the framework and on the basis of the decisions of the works council by the employer

Transfer of personal employee data is required and, if necessary,

if the protective measures are presented that the works council is entitled to maintain -

has decided on the interests of the affected employees, he also represents

 ECLI:DE:BAG:2023:060623.U.9AZR383.19.0
                                                                            - 14 - - 14 - 9 AZR 383/19



the interests of the works council. While simultaneously perceiving the radio

He would have to appoint a data protection officer in the same matter
- neutral and solely committed to data protection - check whether requests for information

chen and adopted protective measures in accordance with data protection regulations

sufficient, and may advise the employer on data protection law. The

the necessary guarantee of neutrality and distance from the information request
For structural reasons, it does not have any influence on the works council because, on the one hand

bound by the decision of the works council and, on the other hand, subject to the mandatory

is committed to data protection. This conflict of interest affects the functional
functional independence of the data protection officer and endangers the effectiveness

compliance with data protection regulations, so that the employer can be held responsible

entitled to cancel the order.


III. The person against the dismissal as data protection officer on May 25, 39
The Senate's second lawsuit filed in 2018 is not subject to decision.

This is a false auxiliary request in the event that the previous

senior revocation of the appointment of data protection officer from December 1st

should be deemed ineffective in 2017.

IV. As the losing party, the plaintiff has to bear 40 of the costs of the legal dispute

carry (Section 91 Paragraph 1 ZPO).




              Kiel Suckow Zimmermann




                        Leitner Stang













 ECLI:DE:BAG:2023:060623.U.9AZR383.19.0