BAG - 9 AZR 383/19: Difference between revisions
(more references to the CJEU case) |
m (Co moved page - 9 AZR 383/19 to BAG - 9 AZR 383/19) |
||
(3 intermediate revisions by the same user not shown) | |||
Line 72: | Line 72: | ||
}} | }} | ||
The German Federal Labour Court implemented | The German Federal Labour Court implemented CJEU's decision ''[[CJEU - C-453/21 - X-Fab Dresden GmbH & Co. KG|C-453/21]]'', holding that the chairman of the Works Council of a subsidiary was rightfully dismissed as the DPO of the group of undertakings for a conflict of interests between the two functions. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The Works Council Chairman of a subsidiary was appointed as the DPO of the mother company and its subsidiaries | The Works Council Chairman of a subsidiary was appointed as the DPO of the mother company and its German subsidiaries in 2015. With the parallel appointment of the same person as the DPO for the whole group of undertakings, the mother company, the controller, aimed to synchronize the privacy standards in the group. | ||
In 2017, the controller asked the DPA of Thüringen whether such an appointment was lawful, due to concerns of conflict of interests and lack of reliability as | In 2017, the controller asked the DPA of Thüringen whether such an appointment was lawful, due to concerns of conflict of interests and lack of reliability as under [https://dejure.org/gesetze/BDSG_a.F. § 4f(2) of the German Federal Privacy Law (''Bundesdatenschutzgesetz - BDSG'')]in its old version ''(a.F.)''. The DPA communicated in writing on 24 November 2017 that the requirements for a DPO appointment were not fulfilled at that time since the DPO was also the Works Council Chairman, therefore the appointment was null for incompatibility. Hence, the DPA declared that the controller did not have a DPO from 2015 on and that it should appoint a new DPO by 8 January 2018 or it would risk a fine of €50,000. | ||
As a consequence, the | As a consequence, the controller informed the DPO that it would revoke his appointment of 2015 with immediate effect. Upon entry into force of the GDPR, the controller also sent him a separate revocation letter referring to the operational reasons under [[Article 38 GDPR#3|Article 38(3) GDPR]], second sentence. | ||
The DPO therefore filed a lawsuit in front of the Labour Court to challenge his revocation. In its submissions, the controller requested that the appeal be dismissed since the incompatibility of offices constitutes an important reason within the meaning of [https:// | The DPO therefore filed a lawsuit in front of the Labour Court to challenge his revocation. In its submissions, the controller requested that the appeal be dismissed since the incompatibility of offices constitutes an important reason within the meaning of [https://dejure.org/gesetze/BDSG_a.F. § 4f(3) BDSG (a.F.)] and [https://www.gesetze-im-internet.de/bdsg_2018/index.html § 38(2) BDSG, § 6(4) BDSG] in conjunction with [https://www.gesetze-im-internet.de/bgb/ § 626 of the German Civil Code (''Bürgerliches Gesetzbuch -BGB'')]. | ||
In the first instance, the Labor Court of Dresden upheld the claim of the DPO and the Regional Labor Court of Saxony also dismissed the controller's appeal in its judgment of 19 August 2019. The controller, however, continuted to pursue its motion to dismiss the DPO's claim before the German Federal Labour Court (''Bundesarbeitsgericht - BAG''). | In the first instance, the Labor Court of Dresden upheld the claim of the DPO and the Regional Labor Court of Saxony also dismissed the controller's appeal in its judgment of 19 August 2019. The controller, however, continuted to pursue its motion to dismiss the DPO's claim before the German Federal Labour Court (''Bundesarbeitsgericht - BAG''). | ||
Line 90: | Line 90: | ||
In 2021, the BAG suspended proceedings as it referred four questions to the CJEU asking whether German national law was compatible with [[Article 38 GDPR#3|Article 38(3) GDPR]], second sentence. In its judgment [[CJEU - C-453/21 - X-Fab Dresden GmbH & Co. KG|C-453/21 ''X-Fab Dresden GmbH & Co. KG'']], the CJEU held that Member states may lay down more specific rules on dismissals and that a conflict of interests can be given if the DPO carries out other functions within the company that determine the scope of processing on behalf of the controller. | In 2021, the BAG suspended proceedings as it referred four questions to the CJEU asking whether German national law was compatible with [[Article 38 GDPR#3|Article 38(3) GDPR]], second sentence. In its judgment [[CJEU - C-453/21 - X-Fab Dresden GmbH & Co. KG|C-453/21 ''X-Fab Dresden GmbH & Co. KG'']], the CJEU held that Member states may lay down more specific rules on dismissals and that a conflict of interests can be given if the DPO carries out other functions within the company that determine the scope of processing on behalf of the controller. | ||
The BAG held that this assessment made by the | The BAG held that this assessment made by the CJEU regarding a conflict of interest pursuant to [[Article 38 GDPR#2|Article 38(2) GDPR]] has not only applied since the amendment of the BDSG after entry into force of the GDPR, but already corresponded to the legal situation within the scope of the [https://dejure.org/gesetze/BDSG_a.F. BDSG (a.F.).] | ||
On 6 June 2023, the BAG issued its final judgment on the case. | On 6 June 2023, the BAG issued its final judgment on the case. | ||
First of all, it held that the initial appointment of the employee as DPO itself was lawful, due to the fact that reliability is not a reason for an appointment to be invalid and null, but lack thereof can be a reason for revoking the appointment of a DPO under § 38(5) BDSG (a.F.). | First of all, it held that the initial appointment of the employee as DPO itself was lawful, due to the fact that reliability is not a reason for an appointment to be invalid and null, but lack thereof can be a reason for revoking the appointment of a DPO under [https://dejure.org/gesetze/BDSG_a.F. § 38(5) BDSG (a.F.).] | ||
Secondly, the BAG held that the revocation of the appointment of the employee as DPO was justified for good cause in accordance with § 4f(3) BDSG (a.F.) in conjunction with § 626(1) BGB. Such reasons exists if DPO's funciton is made impossible or are at risk as for instance if he does not (or no longer) have the necessary expertise or reliability within the meaning of § 4f(2) BDSG (a.F.). Reliability could be called into question if there was a risk of conflicts of interest. The BAG held, making reference to the [[CJEU - C-453/21 - X-Fab Dresden GmbH & Co. KG|CJEU's preliminary ruling]] on [[Article 38 GDPR#6|Article 38(6) GDPR]], that such a conflict of interests can be given if the DPO holds a position within the controller's undertaking that would allow him to determine the purposes and means of processing of personal data. In the BAG's view, if the works council also acted as DPO, a concrete risk of a conflict of interest was given. | Secondly, the BAG held that the revocation of the appointment of the employee as DPO was justified for good cause in accordance with [https://dejure.org/gesetze/BDSG_a.F. § 4f(3) BDSG (a.F.)] in conjunction with [https://www.gesetze-im-internet.de/bgb/ § 626(1) BGB]. Such reasons exists if DPO's funciton is made impossible or are at risk as for instance if he does not (or no longer) have the necessary expertise or reliability within the meaning of [https://dejure.org/gesetze/BDSG_a.F. § 4f(2) BDSG (a.F.).] Reliability of the DPO could be called into question if there was a risk of conflicts of interest. The BAG held, making reference to the [[CJEU - C-453/21 - X-Fab Dresden GmbH & Co. KG|CJEU's preliminary ruling]] on [[Article 38 GDPR#6|Article 38(6) GDPR]], that such a conflict of interests can be given if the DPO holds a position within the controller's undertaking that would allow him to determine the purposes and means of processing of personal data. In the BAG's view, if the works council chairman also acted as DPO, a concrete risk of a conflict of interest was given which put the independence of the DPO's functions at risk. As a matter of fact, the works council chairman requests access to specific personal data of employees and decides which protective measures to adopt in that regard. At the same time, the DPO is called upon to assess in a neutral and independent way whether the actions taken by the works council are in line with data protection provisions. Due to these structural limitations, the DPO may struggle to ensure both neutrality and independence from the works council's resolutions, as he is the chairsperson thereof. | ||
For all these reasons, the BAG held that this conflict compromises the functional independence of the DPO, potentially undermining data protection provisions and as a result, the employer is justified to revoke the appointment of the employee in question as DPO. | |||
== Comment == | == Comment == |
Latest revision as of 14:13, 28 November 2023
- 9 AZR 383/19 | |
---|---|
Court: | BAG (Germany) |
Jurisdiction: | Germany |
Relevant Law: | Article 38(3) GDPR Article 38(6) GDPR § 38(2) BDSG § 4f(2) BDSG (a.F.) § 4f(3) BDSG (a.F.) § 6(4) BDSG § 626 BGB |
Decided: | 06.06.2023 |
Published: | 09.06.2023 |
Parties: | |
National Case Number/Name: | 9 AZR 383/19 |
European Case Law Identifier: | ECLI:DE:BAG:2023:060623.U.9AZR383.19.0 |
Appeal from: | |
Appeal to: | |
Original Language(s): | German |
Original Source: | BAG (in German) |
Initial Contributor: | Sara Horvat |
The German Federal Labour Court implemented CJEU's decision C-453/21, holding that the chairman of the Works Council of a subsidiary was rightfully dismissed as the DPO of the group of undertakings for a conflict of interests between the two functions.
English Summary
Facts
The Works Council Chairman of a subsidiary was appointed as the DPO of the mother company and its German subsidiaries in 2015. With the parallel appointment of the same person as the DPO for the whole group of undertakings, the mother company, the controller, aimed to synchronize the privacy standards in the group.
In 2017, the controller asked the DPA of Thüringen whether such an appointment was lawful, due to concerns of conflict of interests and lack of reliability as under § 4f(2) of the German Federal Privacy Law (Bundesdatenschutzgesetz - BDSG)in its old version (a.F.). The DPA communicated in writing on 24 November 2017 that the requirements for a DPO appointment were not fulfilled at that time since the DPO was also the Works Council Chairman, therefore the appointment was null for incompatibility. Hence, the DPA declared that the controller did not have a DPO from 2015 on and that it should appoint a new DPO by 8 January 2018 or it would risk a fine of €50,000.
As a consequence, the controller informed the DPO that it would revoke his appointment of 2015 with immediate effect. Upon entry into force of the GDPR, the controller also sent him a separate revocation letter referring to the operational reasons under Article 38(3) GDPR, second sentence.
The DPO therefore filed a lawsuit in front of the Labour Court to challenge his revocation. In its submissions, the controller requested that the appeal be dismissed since the incompatibility of offices constitutes an important reason within the meaning of § 4f(3) BDSG (a.F.) and § 38(2) BDSG, § 6(4) BDSG in conjunction with § 626 of the German Civil Code (Bürgerliches Gesetzbuch -BGB).
In the first instance, the Labor Court of Dresden upheld the claim of the DPO and the Regional Labor Court of Saxony also dismissed the controller's appeal in its judgment of 19 August 2019. The controller, however, continuted to pursue its motion to dismiss the DPO's claim before the German Federal Labour Court (Bundesarbeitsgericht - BAG).
Holding
In 2021, the BAG suspended proceedings as it referred four questions to the CJEU asking whether German national law was compatible with Article 38(3) GDPR, second sentence. In its judgment C-453/21 X-Fab Dresden GmbH & Co. KG, the CJEU held that Member states may lay down more specific rules on dismissals and that a conflict of interests can be given if the DPO carries out other functions within the company that determine the scope of processing on behalf of the controller.
The BAG held that this assessment made by the CJEU regarding a conflict of interest pursuant to Article 38(2) GDPR has not only applied since the amendment of the BDSG after entry into force of the GDPR, but already corresponded to the legal situation within the scope of the BDSG (a.F.).
On 6 June 2023, the BAG issued its final judgment on the case.
First of all, it held that the initial appointment of the employee as DPO itself was lawful, due to the fact that reliability is not a reason for an appointment to be invalid and null, but lack thereof can be a reason for revoking the appointment of a DPO under § 38(5) BDSG (a.F.).
Secondly, the BAG held that the revocation of the appointment of the employee as DPO was justified for good cause in accordance with § 4f(3) BDSG (a.F.) in conjunction with § 626(1) BGB. Such reasons exists if DPO's funciton is made impossible or are at risk as for instance if he does not (or no longer) have the necessary expertise or reliability within the meaning of § 4f(2) BDSG (a.F.). Reliability of the DPO could be called into question if there was a risk of conflicts of interest. The BAG held, making reference to the CJEU's preliminary ruling on Article 38(6) GDPR, that such a conflict of interests can be given if the DPO holds a position within the controller's undertaking that would allow him to determine the purposes and means of processing of personal data. In the BAG's view, if the works council chairman also acted as DPO, a concrete risk of a conflict of interest was given which put the independence of the DPO's functions at risk. As a matter of fact, the works council chairman requests access to specific personal data of employees and decides which protective measures to adopt in that regard. At the same time, the DPO is called upon to assess in a neutral and independent way whether the actions taken by the works council are in line with data protection provisions. Due to these structural limitations, the DPO may struggle to ensure both neutrality and independence from the works council's resolutions, as he is the chairsperson thereof.
For all these reasons, the BAG held that this conflict compromises the functional independence of the DPO, potentially undermining data protection provisions and as a result, the employer is justified to revoke the appointment of the employee in question as DPO.
Comment
The preliminary ruling of the CJEU in case C-453/21 is also available on GDPRhub.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Federal Labor Court judgment of June 6, 2023 Ninth Senate - 9 AZR 383/19 - ECLI:DE:BAG:2023:060623.U.9AZR383.19.0 I. Dresden Labor Court judgment of June 27, 2018 - 10 Ca 234/18 - II. Saxon State Labor Court judgment of August 19, 2019 - 9 Sat 268/18 - Keyword for decision: Chairman of the works council as data protection officer Guiding principle: The duties of a data protection officer are the same as those of an employee. Chairman of the works council cannot be agreed. The one with simultaneous truth Conflict of interest existing in the performance of both functions justifies the appointment of the works council chairman as data protection officer to revoke. Note from the Senate: See the conformity with Union law of Section 6 Paragraph 4 Sentence 1 BDSG BAG June 6th 2023 - 9 AZR 621/19 - FEDERAL LABOR COURT 9 AZR 383/19 9 Sat 268/18 Saxon State Labor Court In the name of the people! Announced on June 6, 2023 VERDICT Kleinert, clerk the office In matters Defendant, appellant and appellant, pp. Plaintiff, respondent and defendant on appeal, the Ninth Senate of the Federal Labor Court based on the oral arguments act of June 6, 2023 by the presiding judge at the Federal Labor Court court Prof. Dr. Kiel, the judges at the Federal Labor Court Zimmermann and Dr. Suckow and the honorary judges Dr. Leitner and Stang for law detected: ECLI:DE:BAG:2023:060623.U.9AZR383.19.0 - 2 - - 2 - 9 AZR 383/19 1. The judgment of the defendant is based on the appeal Saxon State Labor Court dated August 19th 2019 - 9 Sa 268/18 - repealed. 2. On the defendant's appeal, the judgment of the Ar- Beitsgericht Dresden from June 27, 2018 - 10 approx 234/18 - amended and the lawsuit dismissed. 3. The plaintiff must bear the costs of the legal dispute. By law! Facts of the case The parties dispute the validity of the plaintiff's appeal on January 1 the defendant's data protection officer and the revocation of the contract. position and the dismissal of the plaintiff. The defendant, based in D, belongs to the X group. She is a 2 100% subsidiary of X GmbH, which was converted from an AG with its registered office in E. The plaintiff is entitled to take into account periods of previous employment with the company. has been in an employment relationship with the defendant since November 1, 1993. He is chairman of the works council formed by this and is responsible for exercising responsibility due to his duties as chairman, he was partially released from work. The plaintiff was terminated by the defendant with effect from June 1, 2015 parent company and its other subsidiaries based in Germany companies X F GmbH and X I GmbH each have separate data protection regulations. ordered ordered. With the parallel appointment of the plaintiff, the companies pursued companies aim to establish a uniform data protection standard across the group. ren. In a letter dated September 4, 2017 to the parent company of Be-4 complained, the then X AG, said the Thuringian state commissioner for data protection and freedom of information with reference to Section 4f Paragraph 2 BDSG in the The version valid until May 24, 2018 (BDSG aF) concerns that the plaintiff ECLI:DE:BAG:2023:060623.U.9AZR383.19.0 - 3 - - 3 - 9 AZR 383/19 necessary to fulfill his duties as a company data protection officer. have the required reliability. Because of his position as works council chairman conflicts of interest could arise. In their statement dated On September 27, 2017, X GmbH responded with reference to the decision of the Federal Labor Court of March 23, 2011 (- 10 AZR 562/09 -), both radio tions are compatible with each other. The Thuringian State Commissioner for Data Protection and Freedom of Information 5 In a letter dated November 24, 2017, heit stated that the plaintiff did not have the right about the information required for the appointment as a company data protection officer. technical reliability. Due to the incompatibility with the Office of the Operating Chairman of the Council, the plaintiff is already not effective for operational data protection officer has been appointed. The company has therefore had since then June 1, 2015 no company data protection officer. The mother The defendant's company was given the opportunity to comment until the 3rd January. nuary 2018 with the note that a company data protection policy will be required after the deadline has expired. a representative is appointed ex officio and the breach of duty, a to appoint a data protection officer, with a fine of up to 50,000.00 euros could be punished. The defendant and the other group companies based in Germany- 6 The takers then informed the plaintiff in separate letters dated December 1st December 2017 announced that an effective appointment as a company data protection officer The commissioner had not done so and now to avoid a fine a suitable data protection officer is appointed. In the alternative, they each revoked because in a letter dated December 1, 2017, the plaintiff was appointed as protection officer with immediate effect. As a precaution, they called the plaintiff ger after the General Data Protection Regulation comes into force with separate writing ben of May 25, 2018 in accordance with Art. 38 Para. 3 Sentence 2 GDPR with reference to operational reasons as data protection officer. ECLI:DE:BAG:2023:060623.U.9AZR383.19.0 - 4 - - 4 - 9 AZR 383/19 The plaintiff was of the opinion that the defendant had him on the 7th June 16, 2015 effective data protection officer for their operations in Germany. provides. His dismissal by letters dated December 1, 2017 and dated May 25, 2018 is not effective. The plaintiff requested 8 1. determine that his legal status as a supervisor The defendant is not responsible for data protection The defendant's revocation of December 1, 2017 ended has been det; 2. determine that his legal status as a supervisor nor does it have any bearing on the defendant’s data protection by the defendant's revocation of May 25, 2018 has been ended. The defendant has requested dismissal of the action. She has lost her view- 9 due to an incompatibility with the office of works council chairman The plaintiff is therefore not effectively the company's data protection officer been ordered. In any case, the order is effective from December 1, 2017, alternatively terminated on May 25, 2018. The office incompatibility represents a an important reason within the meaning of Section 4f Paragraph 3 Sentence 4 BDSG old version or Section 38 Paragraph 2, Section 6 Paragraph 4 Sentence 1 BDSG in conjunction with. § 626 BGB. The Labour Court has upheld the complaint. The State Labor Court 10 rejected the defendant's appeal. The revision pursues this Defendant continued her motion to dismiss. The Senate has the legal dispute suspended by order of April 27, 2021 and referred to the Court of Justice of the European Union European Union requests a preliminary ruling as to whether the regulation in Section 6 Paragraph 4 Sentence 1 BDSG, according to which the dismissal of a data protection officer There is an important reason in the sense of. § 626 BGB requires, with Art. 38 Paragraph 3 Sentence 2 GDPR is in accordance and whether there is a conflict of interest within the meaning of. Article 38 Paragraph 6 Sentence 2 GDPR applies if the data protection officer also does so Office of the chairman of the works council formed in the responsible office (BAG April 27, 2021 - 9 AZR 383/19 (A) - BAGE 174, 358). With judgment dated On February 9, 2023, the Court ruled on the request for a preliminary ruling (ECJ February 9, 2023 - C-453/21 - [X-FAB Dresden]). ECLI:DE:BAG:2023:060623.U.9AZR383.19.0 - 5 - - 5 - 9 AZR 383/19 Reasons for the decision The revision is justified. The State Labor Court has appealed 11 of the defendant against the judgment in favor of the action was wrongly rejected. The plaintiff was effectively appointed as the defendant's data protection officer. provides. However, the defendant received the order in a letter dated December 1st Effectively revoked in 2017. The application to be interpreted as a false auxiliary application The Senate therefore did not have to decide on 2. I. Contrary to the opinion of the appeal, the defendant has the plaintiff at 12 Letter dated June 16, 2015 in the form required by Section 4f Paragraph 1 Sentence 1 BDSG old version Form (see BAG July 27, 2017 - 2 AZR 812/16 - Rn. 19, BAGE 160, 1) for the commissioning ordered for data protection. For the effectiveness of the plaintiff’s appointment gers, it is irrelevant whether the office of the data protection officer is the same as the office of works council chairperson is compatible. Therefore, this question that the country desarbeitsgericht with reference to the judgment of the Federal Labor Court of March 23, 2011 (- 10 AZR 562/09 -) has denied, remain open at this point. 1. The reliability of a data protection officer can be determined in 13 Questions arise when there is a risk of conflicts of interest. An overlap of inter- food spheres, the reliability required by Section 4f Paragraph 2 Sentence 1 BDSG old version can impair safety (BAG December 5, 2019 - 2 AZR 223/19 - Rn. 25 mwN, BAGE 169, 59). Due to the lack of reliability of a representative for person appointed for data protection in the sense of. However, Section 4f Paragraph 2 Sentence 1 BDSG old version follows According to the old version of the BDSG, this does not mean that the order is invalid. This legal consequence is in The law is not provided for and would also contradict its system because other Otherwise, the revocation of the order provided for in Section 4f Paragraph 3 Sentence 4 BDSG old as well as the right of the supervisory authority to request dismissal due to lack of confidence To demand negligence (Section 38 Para. 5 Sentence 3 BDSG old version) is essentially in vain (BAG December 5, 2019 - 2 AZR 223/19 - Rn. 26 with further references, ibid). ECLI:DE:BAG:2023:060623.U.9AZR383.19.0 - 6 - - 6 - 9 AZR 383/19 2. Whether something different can apply in exceptional cases if the order is a 14 nes data protection officer in a particularly serious situation and obvious errors (see BAG December 5, 2019 - 2 AZR 223/19 - Rn. 27, BAGE 169, 59), no decision is required at this point. Such a This is not the case here. II. The revocation of the plaintiff's appointment as representative for the Da-15 The defendant's protection from December 1, 2017 is effective because this is the case important reason iSv. § 4f Para. 3 Sentence 4 BDSG old version in conjunction with. § 626 Paragraph 1 BGB ben is. Contrary to the opinion of the State Labor Court, there is an unresolved Resolvable conflict of interest if the data protection officer is also the company manager is the chairman of the council of the responsible body. This makes it possible for the defendant to It is reasonable to continue to employ the plaintiff as the company's data protection officer. add. 1. The revocation of the appointment as data protection officer after 16 § 4f Para. 3 Sentence 4 BDSG old version in conjunction with. § 626 Paragraph 1 BGB requires the existence of offenses things that allow the person responsible to do so, taking into account the circumstances circumstances of the individual case as well as weighing up the interests of both contractual parties partner make it unreasonable to use the person in question as a company data protection officer only until the end of the normal notice period continue to use. a) Important reasons are particularly those that occurred at the age of 17 related to the function and activities of the data protection officer and make it impossible or at least impossible to carry out this activity any further significantly endanger, for example a betrayal of secrets or a permanent Violation of control obligations as a data protection officer (BAG March 23 2011 - 10 AZR 562/09 - Rn. 15 mwN). An important reason for the revocation is even if the person appointed as data protection officer Employees have the required specialist knowledge or reliability. § 4f paragraph 2 Sentence 1 BDSG aF for the fulfillment of the task no longer has. ECLI:DE:BAG:2023:060623.U.9AZR383.19.0 - 7 - - 7 - 9 AZR 383/19 b) An overlap of spheres of interests can occur as per BDSG aF 18 contradict the required reliability (BAG March 23, 2011 - 10 AZR 562/09 - paragraph 24; March 22, 1994 - 1 ABR 51/93 - to B IV of the reasons, BAGE 76, 184). Not every conflict of interest justifies the revocation of the order of the data protection officer. A degree of independence is required of the data protection officer. aa) Since the law requires the appointment of a company data protection officer - 19 ten permitted, who is employed as an employee by the responsible employer is, not every touch of the different tasks can affect the reliability question. The company data protection officer is responsible for ensuring compliance with the Data protection regulations at the person responsible and thus the working environment of the employee employed there. He has to do that in the end As a consequence, also subject yourself to a check. Appropriate applies to the function of the company data protection officer, as this does not apply to only perform monitoring but also advisory functions and therefore to reflect on the results of his own consultation. bb) According to the case law of the Court of Justice of the European Union on the 20th GDPR must ensure that a data protection officer is independent whether he is an employee of the person responsible or not, carry out his duties and tasks in complete independence can practice (cf. ECJ February 9, 2023 - C-560/21 - [KISA] Rn. 20; June 22, 2022 - C-534/20 - [Leistritz] para. 26 f.). Only if this functional independence of the data protection officer is safeguarded, the effectiveness of the data protection legal provisions can be guaranteed (cf. ECJ February 9, 2023 - C-560/21 - [KISA] para. 22; June 22, 2022 - C-534/20 - [Leistritz] para. 28). cc) This standard for an important reason does not only apply from the age of 21 The amendment to data protection law made by the entry into force of the GDPR, but was already valid according to the old version of the BDSG. According to the will of the legislature the replacement of Section 4f Paragraph 3 Sentence 4 BDSG old version by Section 6 Paragraph 4 BDSG The standard by which a relevant conflict of interests is to be assessed, ECLI:DE:BAG:2023:060623.U.9AZR383.19.0 - 8 - - 8 - 9 AZR 383/19 left touched (BT-Drs. 18/11325 p. 82: “Paragraph 4 corresponds to the previous one Regulation of § 4f paragraph 3 sentences 4 to 6 BDSG old version). c) A reason for the revocation of the role of the data protection officer 22 This is usually the case when the employee is in the fulfillment of his duties further tasks and obligations have an influence on data processing in the responsible position. In such a case, the independent Fulfillment of the duties of a data protection officer may be at risk. aa) According to the case law of the Court of Justice on Article 38 Paragraph 6 Sentence 2 23 GDPR, the employee appointed as data protection officer may do so within of the responsible body do not hold a position that requires a determination of Purposes and means of processing personal data for counter purposes has stood (cf. ECJ February 9, 2023 - C-453/21 - [X-FAB Dresden] Rn. 44, 46; previously Art. 29 Data Protection Group WP 243 rev. 01 p. 19). The right of responsible person, the appointment of the data protection officer in the event of a To revoke the right to exercise influence on data processing preserves this functional independence and thus guarantees the effectiveness of the data protective regulations. Whether these conditions are met is in individual cases, taking into account all relevant circumstances, in particular the organizational structure of the person responsible and in the light of all applicable Legal provisions, including any internal regulations of the responsible (cf. ECJ February 9, 2023 - C-453/21 - [X-FAB Dresden] Rn. 45 f.). 2. The plaintiff's office as works council chairman is then 24 further performance of his duties as data protection officer. The legal tasks of both functions cannot be carried out without interests exercise conflict with regard to data protection, which is covered by Section 4f Paragraph 2 Sentence 1 BDSG aF abolishes the assumed functional reliability. This justifies the revocation of the appointment as data protection officer. a) In accordance with Section 4g Paragraph 1 Sentence 1, the data protection officer has 25 BDSG aF on compliance with the BDSG aF and other regulations on the ECLI:DE:BAG:2023:060623.U.9AZR383.19.0 - 9 - - 9 - 9 AZR 383/19 to promote data protection. In particular, he must ensure the proper Use of data processing programs with the help of which personal data is collected Data to be processed should be monitored as well as during processing people take appropriate measures to collect personal data the regulations of the BDSG and other regulations on data protection and familiar with the respective special requirements of data protection (§ 4g para. 1 sentence 4 BDSG old version). These tasks coincide in general essentially with the tasks of the data protection officer under Art. 39 GDPR. The data protection officer is then responsible for providing information and advice of the person responsible or the processor and the employees who the processing with regard to its obligations under the GDPR and other data Implement the protection regulations of the Union or the Member States. He has the Compliance with the GDPR, other Union data protection regulations and/or the member states as well as strategies of the controller or the processor ters for the protection of personal data including the allocation of responsibilities, sensitization and training of those involved in the processing to check the employees involved in the processes. He is also available for advice - upon request - in connection with the data protection impact assessment and responsible for monitoring its implementation in accordance with Art. 35 GDPR. b) The duties of a data protection officer are the same as those of a data protection officer Chairman of the works council with regard to data protection regulations does not to agree. Whether there is already a difference between the works council mandate and the office of the protection officer there is an incompatibility that leads to a revocation If there is a conflict of interest justifying the appointment, the Senate does not have to divorce. In any case, there is a functional incompatibility with the tasks of the Chairman of the works council, who, within the scope of his legal duties, ben not only participates in the decision of the committee, but the body represents externally within the framework of the decisions taken. aa) The works council, as a body, determines the purposes and means of processing 27 personal data. He decides by decision, under under what specific circumstances he will disclose which personal data ECLI:DE:BAG:2023:060623.U.9AZR383.19.0 - 10 - - 10 - 9 AZR 383/19 exercise the tasks assigned to him by the Works Constitution Act collects it and how it then processes it. (1) The Works Constitution Act grants the works council certain 28 social, personnel and economic matters participation and Rights of participation that go beyond mere hearing or information (e.g. Section 80 Paragraph 2 Sentence 1, Section 102 Paragraph 1 BetrVG, Section 17 Paragraph 2 Sentence 1 KSchG) on the consultation (e.g. Section 90 Paragraph 2 Sentence 1, Section 92 Paragraph 1 Sentence 2 BetrVG, Section 17 Paragraph 2 Sentence 2 KSchG) up to the right to refuse consent (§ 99 BetrVG) and finally extend to the right of co-determination, in which the employer has the positive Active consent of the works council is required (e.g. Sections 87, 94, 112 Para. 4 BetrVG). In To fulfill these tasks, the works council processes personal data. He receives this in particular when exercising his works constitution legal participation and co-determination rights from the employer on the one hand and on the other hand by employees themselves, for example during consultation hours (§ 39 BetrVG), a complaint (§ 85 para. 1 BetrVG), the right to make proposals of employees (§ 86a BetrVG), the exchange of opinions within the framework of employment company or departmental meetings (§ 43 para. 3 sentence 1, § 45 BetrVG) or hearing an employee affected by a personnel measure mers (Section 102 Paragraph 2 Sentence 4 BetrVG, cf. Lembke FS Schmidt 2021 pp. 277, 282). Furthermore, the works council can enter into works agreements with the employer with direct and mandatory effect for the company's employees close the company (Section 77 Para. 4 BetrVG). Also regulations in company agreements ments, such as technical monitoring devices in the sense of. § 87 Paragraph 1 No. 6 BetrVG (see Lang NZA 2023, 269, 272 f.), the processing can be personal. extracted data. (2) The purposes of data processing by the works council are defined by Section 29 Allocation of tasks in the Works Constitution Act to their external framework according to predetermined. The works council can therefore communicate protected data not demand it independently of its legal duties. employees Data may only be used for purposes that are in accordance with the Works Constitution Act. expressly provides for this and is intended to fulfill the provisions of works constitution law ECLI:DE:BAG:2023:060623.U.9AZR383.19.0 - 11 - - 11 - 9 AZR 383/19 tasks are required. In this specific case, however, the works council intervenes Execution of its legal tasks under its own responsibility, which which employee-related information is requested and how the data transmitted should actually be processed. This opens up for him in terms of the use of the data provides considerable scope for decision-making (cf. Maschmann FS Schmidt 2021 pp. 353, 356; Schulz ZESAR 2019, 323, 325; Kurzböck/Weinbeck BB 2020, 500, 501). (a) According to Section 80 Paragraph 2 Sentence 1 BetrVG, the employer has the works council on the 30th To carry out his tasks in a timely and comprehensive manner. Vo- The basis for the works council's right to information is, on the one hand, that there is actually a task for the works council, and on the other hand, that the requested information is required to carry out the task in individual cases is (BAG April 9, 2019 - 1 ABR 51/17 - Rn. 12, BAGE 166, 269). Mirror image In principle, the employer is also only allowed to provide employee data to the works council for necessary works council tasks. When passing on When sending sensitive data to the works council, special protective measures must be taken. fen. Due to the independence of the works council as a structural principle of the However, the employer does not have the power to provide appropriate work conditions and specific protective measures or to give instructions to the works council about this. gave to make. Regardless of whether the works council is part of the responsible chen point (e.g. Bonanni/Niklas ArbRB 2018, 371 f.; Pötters in Gola DS-GVO 2nd ed. Art. 88 Rn. 38; on the data protection legal situation according to the BDSG old version see BAG February 7, 2012 - 1 ABR 46/10 - Rn. 43 mwN, BAGE 140, 350) or even responsibility more literally (e.g. Kurzböck/Weinbeck BB 2018, 1652, 1655; Kleinebrink DB 2018, 2566 f.; Maschmann NZA 2020, 1207, 1209 ff.; Wybitul NZA 2017, 413 f.), this specific obligation to protect applies to him (BAG April 9, 2019 - 1 ABR 51/17 - Rn. 47, ibid). (b) It can be left open as to whether the data protection officer will be appointed under the 31st BDSG aF supervisory and control powers also vis-à-vis the authority management council had to exercise (see Kleinebrink DB 2018, 2566, 2570 f.; Lücke NZA 2019, 658, 667), or whether this is countered by the independence of the works council. ECLI:DE:BAG:2023:060623.U.9AZR383.19.0 - 12 - - 12 - 9 AZR 383/19 subject matter (so BAG November 11, 1997 - 1 ABR 21/97 - to B III 2 c and c bb of the Reasons, BAGE 87, 64). In any case, according to the law at the time, it was his responsibility version, data protection compliance at the request of the works council Personal data transmitted by the employer - if necessary more sensitive - to check employee data. When transmitting sensitive data Accordingly, he had to monitor on his own behalf whether the protective The works council's policy complies with data protection requirements and Employer may transmit the data to the works council. (3) Subject of the data supervisory and control authority 32 The protection officer is also responsible for compliance with data protection regulations. requirements when implementing company agreements, for example Section 87 Paragraph 1 No. 6 BetrVG, which he himself helped to bring about. bb) The works council also determines the means of processing personal data. 33 n-related data. This includes the technical methods of processing personal data and the manner in which a result or goal is achieved is achieved (Art. 29 Data Protection Group WP 169 p. 17). (1) The means to be determined primarily concern the processing of the 34 Data. The works council decides on the technical aspects of the organizational sation of its processes and decides whether it has concrete data in analogue form or digital form stores which software he specifically uses User rights he grants and what storage periods he sets (Brink/Joos NZA 2019, 1395, 1397; Kurzböck/Weinbeck BB 2020, 500, 501; Schultz ZESAR 2019, 323, 325). (2) This does not conflict with the fact that the works council is involved in data processing. 35 material resources, in particular an IT and communications infrastructure, sets that the employer made available to him in accordance with Section 40 Paragraph 2 BetrVG has. Regardless of the fact that it is not possible to decide on the means of processing It depends on which IT system - provided by the employer - It is the responsibility of the works council to use systems or hardware for data processing Check whether material resources are required to carry out works council tasks ECLI:DE:BAG:2023:060623.U.9AZR383.19.0 - 13 - - 13 - 9 AZR 383/19 and must be made available by the employer to the works council. He has at his decision merely reflects the interests of the workforce in an appropriate right exercise of the works council office and legitimate interests of the employee donor, even insofar as it is aimed at limiting the obligation to bear costs must be weighed against each other (BAG April 20, 2016 - 7 ABR 50/14 - Rn. 16 mwN, BAGE 155, 54). c) A data protection officer involved as works council chairman who is 36 its monitoring task in the area of tension between its functional interests and tasks must be fulfilled, does not have the necessary qualifications to guarantee the Independence required by legal data protection. As a representative for the Data protection, the chairman of the works council is obliged to check whether the the decision of the works council represented by him externally with the provisions is in line with data protection requirements. aa) In his function under works constitution law, he is primarily responsible for 37 never a works council member like the other committee members. He practices the law The works council's legally assigned powers and duties neither as an agent more powerful or as a legal representative in his place (Fitting BetrVG 31st edition § 26 Rn. 21 f.). According to Section 26 Paragraph 2 Sentence 1 BetrVG, the operating Chairman of the works council within the framework of the resolutions made by it. It must also be handed over to the works council for receipt Declarations entitled (Section 26 Paragraph 2 Sentence 2 BetrVG). So he doesn't act as a Representative in the will, but as a representative in the declaration (BAG February 8, 2022 - 1 AZR 233/21 - Rn. 27; March 19, 2003 - 7 ABR 15/02 - to II 2 b of the reasons, BAGE 105, 311). bb) This task-related communication from the works council chairman 38 represents the functional independence as a data protection officer and thus the Ensuring data protection is in question. By the works council chairman within the framework and on the basis of the decisions of the works council by the employer Transfer of personal employee data is required and, if necessary, if the protective measures are presented that the works council is entitled to maintain - has decided on the interests of the affected employees, he also represents ECLI:DE:BAG:2023:060623.U.9AZR383.19.0 - 14 - - 14 - 9 AZR 383/19 the interests of the works council. While simultaneously perceiving the radio He would have to appoint a data protection officer in the same matter - neutral and solely committed to data protection - check whether requests for information chen and adopted protective measures in accordance with data protection regulations sufficient, and may advise the employer on data protection law. The the necessary guarantee of neutrality and distance from the information request For structural reasons, it does not have any influence on the works council because, on the one hand bound by the decision of the works council and, on the other hand, subject to the mandatory is committed to data protection. This conflict of interest affects the functional functional independence of the data protection officer and endangers the effectiveness compliance with data protection regulations, so that the employer can be held responsible entitled to cancel the order. III. The person against the dismissal as data protection officer on May 25, 39 The Senate's second lawsuit filed in 2018 is not subject to decision. This is a false auxiliary request in the event that the previous senior revocation of the appointment of data protection officer from December 1st should be deemed ineffective in 2017. IV. As the losing party, the plaintiff has to bear 40 of the costs of the legal dispute carry (Section 91 Paragraph 1 ZPO). Kiel Suckow Zimmermann Leitner Stang ECLI:DE:BAG:2023:060623.U.9AZR383.19.0