CJEU - C-534/20 - Leistritz

From GDPRhub
Revision as of 13:29, 29 June 2022 by SR (talk | contribs) (→‎Facts)
CJEU - Case C-534/20 Leistritz
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 37(1) GDPR
Article 38(3) GDPR
Decided:
Parties: Leistritz AG
LH
Case Number/Name: Case C-534/20 Leistritz
European Case Law Identifier:
Reference from: BAG (Germany)
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: n/a


The CJEU held that Article 38(3) GDPR does not preclude national legislation mandating that a controller can only terminate employment of a DPO with “just cause”, as long as the legislation does not undermine objectives of the GDPR.

English Summary

Facts

Leistritz is a private company (the Company) based in Germany that is required under German law to have a Data Protection Officer (DPO). LH was the ‘Head of Legal Affairs’ in the Company, and subsequently, also became its Data Protection Officer from 1 February 2018.

On 13 July 2018, the Company issued a letter by which it terminated LH’s employment with the Company with effect from 15 August 2018. In the letter, the Company relied on internal restructuring measures, as per which the “activity of internal legal adviser and the data protection service were to be outsourced.”

LH challenged the validity of termination of her employment and claimed that the same was invalid as per Article 38(2) GDPR and Section 6(4) BDSG, as the employment could be terminated only in case of a “just cause”. The Court agreed with the plaintiff and declared LH's termination unlawful since no “just cause” was to be found in the present case. The Company filed an appeal against the decision. The issue raised was whether Article 38(3) GDPR allows a Member State to make laws that impose stricter conditions for termination of a DPO.

The Federal Labour Court took note of the diverging opinions in German jurisprudence. There existed a majority view that according to which the special protection for employment of a DPO was a “substantive rule of employment law” in which the European Union could not legislate. At the same time, there existed a minority view which said that the protection given to the DPO conflicts with EU law and gives rise to economic pressures to retain a DPO once they have been designated.

Accordingly, the Federal Labour Court stayed the proceedings and referred the following questions to the CJEU for a preliminary ruling:

1. Is the second sentence of Article 38(3) GDPR to be interpreted as precluding a provision in national law, such as Paragraph 38(1) and (2) in conjunction with the second sentence of Paragraph 6(4) of the Bundesdatenschutzgesetz (Federal Law on data protection), which declares ordinary termination of the employment contract of the data protection officer by the data controller, who is his employer, to be impermissible, irrespective of whether his contract is terminated for performing his tasks?

If the first question is answered in the affirmative:

2. Does the second sentence of Article 38(3) GDPR also preclude such a provision in national law if the designation of the data protection officer is not mandatory in accordance with Article 37(1) GDPR, but is mandatory only in accordance with the law of the Member State?

If the first question is answered in the affirmative:

3. Is the second sentence of Article 38(3) GDPR based on a sufficient enabling clause, in particular in so far as this covers data protection officers that are party to an employment contract with the data controller?

Holding

Answering the first question, the CJEU held that there are certain words within Article 38(3) GDPR that are otherwise not defined within the GDPR. To interpret these provisions requires reference to their ordinary meaning in everyday language as well as the context in which they appear in GDPR. The CJEU concurred with AG’s opinion which said that a DPO must be protected against any decision terminating their employment because of the nature of their work, as is also mentioned in Recital 97. The CJEU also said that Article 38(3) GDPR applies to both an in-house DPO and an external DPO. The CJEU said that the measures for protecting DPOs' employment are to ensure its “functional independence”. Relying upon the aspect of “social policy” under the TFEU, and also the opinion of the AG in support of the same, the CJEU held that Article 38(3) GDPR does not preclude “national legislation which provides that a controller or a processor may terminate the employment contract of a data protection officer, who is a member of his or her staff, only with just cause, even if the contractual termination is not related to the performance of that officer’s tasks, in so far as such legislation does not undermine the achievement of the objectives of the GDPR.” As the first question was answered in the negative, the CJEU did not answer the remaining two questions.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!