CJEU - C-453/21 - X-Fab Dresden GmbH & Co. KG
CJEU - C-453/21 X-Fab Dresden GmbH & Co. KG | |
---|---|
Court: | CJEU |
Jurisdiction: | European Union |
Relevant Law: | Article 38(3) GDPR Article 38(6) GDPR |
Decided: | 09.02.2023 |
Parties: | X-Fab Dresden GmbH & Co. KG |
Case Number/Name: | C-453/21 X-Fab Dresden GmbH & Co. KG |
European Case Law Identifier: | ECLI:EU:C:2023:79 |
Reference from: | BAG (Germany) ECLI:DE:BAG:2021:210721.U.5AZR572.20.0 |
Language: | 24 EU Languages |
Original Source: | Judgement |
Initial Contributor: | Bernardo Armentano |
The CJEU held that each member state is allowed to lay down more specific rules concerning the dismissal of a DPO, provided that these rules are compatible with EU law and the GDPR. The CJEU also held that a 'conflict of interest', pursuant to Article 38(3) GDPR, may exist when a DPO is entrusted with other tasks or duties, which would result in him/her determining the objectives and methods of personal data processing on behalf of the processor/controller.
English Summary
Facts
The data subject was an employee of the controller, X-FAB (a semiconductor foundry), and held two functions in the company: he was the chairman of the work council and the DPO of X-Fab and other companies of the same group of undertakings. However, on 1 December 2017, the data subject was dismissed from his duties as a DPO, at the request of the DPA of Thuringen (TLfDI) (Germany). As a precautionary measure, the other undertakings also decided to dismiss him, based on the second sentence of Article 38(3) of the GDPR, which had in the intervening period become applicable.
Dissatisfied, the DPO brought action before the a Court in Germany, asking to be reinstated in his position. The controller argued that his positions as a DPO and as the chair of the work council were incompatible as there was a potential conflict of interests between the two functions. In subsequent proceedings, both the courts of first instance and of appeal upheld the data subject’s action. The controller then appealed to the Bundesarbeitsgericht (Federal labour court of Germany).
This Federal Court observed that the outcome of this appeal would depend on the interpretation of EU Law. Specifically, the Bundesarbeitsgericht stated that the question arose as to whether the second sentence of Article 38(3) GDPR (He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks) precludes national legislation from making the dismissal of a DPO subject to stricter conditions than those laid down by EU law. If this was the case, the Court wondered whether that provision had a sufficient legal basis.
The Court also noted that it would be necessary to determine whether the functions of chair of the works council and of DPO may be performed simultaneously the same person or whether that would give rise to a conflict of interests within the meaning of the second sentence of the aforementioned article.
The Bundesarbeitsgericht asked the following preliminary questions to the CJEU:
‘(1) Is the second sentence of Article 38(3) of [the GDPR] to be interpreted as precluding a provision in national law, such as, in the present case, Paragraph 38(1) and (2) in conjunction with the first sentence of Paragraph 6(4) of the [BDSG], which makes dismissal of the [DPO] by the controller, who is his employer, subject to certain conditions set out therein, irrespective of whether such dismissal relates to the performance of his tasks?
If the first question is answered in the affirmative:
(2) Does the second sentence of Article 38(3) GDPR also preclude such a provision in national law if the designation of the [DPO] is mandatory not in accordance with Article 37(1) GDPR, but only in accordance with the law of the Member State?
If the first question is answered in the affirmative:
(3) Does the second sentence of Article 38(3) of the GDPR have sufficient legal basis, in particular in so far as it covers [DPOs] that have an employment relationship with the controller?
If the first question is answered in the negative:
(4) Is there a conflict of interests within the meaning of the second sentence of Article 38(6) of the GDPR if the [DPO] also holds the office of [chair] of the works council established at the controlling body? Must specific tasks have been assigned within the works council in order for such a conflict of interests to be assumed to exist?’
Advocate General Opinion
Not applicable
Holding
The CJEU provided answers to the first and fourth preliminary question.
It started with the first question by interpreting Article 38(3) GDPR. According to its own case law, to do so we need to consider the wording of the provision, it's meaning in everyday language, as well as its context and objectives.
First, with regard to the wording, the Court held that the GDPR did not define the terms ‘dismissed’, ‘penalised’ and ‘for performing his [or her] tasks’ in the second sentence of Article 38(3) GDPR. Thus, it considered the use of these terms in normal everyday language to determine their meanings. Based on this line of reasoning, the CJEU concluded that the dismissal of a DPO grounded on the performance of his or her tasks is not allowed. The CJEU also held that the second sentence of Article 38(3) GDPR is intended to apply to any relationship between DPOs and controllers/processors, irrespective of the nature of the relationship.
Second, with regard to the objective of the second sentence of Article 38(3) GDPR, the CJEU referred to Recital 97, which states that DPOs should be in a position from where they can perform their duties and tasks in an independent manner. This independence should enable them to carry out tasks in accordance with the objective of the GDPR, thereby ensuring its consistent and homogeneous application. The CJEU also emphasized this independence is also apparent in the first and third sentences of Article 38(3) GDPR. The first sentence of states that DPOs should not to receive any instructions regarding the exercise of his duties, while the third states that DPOs should also report directly to the highest level of management of the controller/processor. In this context, Article 38(5) GDPR provides that DPO is to be bound by secrecy or confidentiality. Therefore, the CJEU concluded that the objective of Article 38(3) GDPR was to preserve the functional independence of the DPO and to ensure that the GDPR is effective.
Third, the Court assessed the context of the provision. The CJEU assessed the preamble of the GDPR and noted that it was adopted on the basis of Article 16(2) TFEU. This provision states that the Council of the European Union and the European Parliament were laying down rules for the protection of natural persons with regard to the processing of personal data on the one hand, and the free movement of such data on the other. The CJEU held that laying down rules against the dismissal of a DPO fell within the scope of protection of natural persons. From this context, it followed that each member state was free to lay down more protective specific rules concerning the dismissal of a DPO, as long as these national provisions were compatible with the GDPR and EU law, especially with the second sentence of Article 38(3) GDPR. However, if a DPO no longer possesses the professional qualities for the position, he/she cannot be protected as this would undermine the GDPR's objective of ensuring a consistent and homogeneous application of data protection rules.
Answering the first preliminary question, the CJEU concluded that it was up to the national court to determine if the specific national provision was compatible with the GDPR and EU law.
The CJEU then assessed the fourth question. Just like with the first question, the court looked at the wording, the objective and the context of the provision.
First, the Court looked at the wording of Article 38(3) GDPR itself by assessing the wording of this provision in everyday language. The court stated that the there was no established incompatibility in the GDPR between the performance of the DPO's duties on the one hand, and the performance of other duties on the other. Article 38(3) GDPR specifically provided that the DPO can be given tasks other than those for which he/she is responsible under Article 39 GDPR.
Second, the court looked at the objective of Article 38(3) GDPR, which was to preserve the functional independence of the DPO and, consequently, to ensure the effectiveness of the GDPR.
Third, the CJEU looked at the context of Article 38(3) GDPR and noted that, according to Article 39(1)(b) GDPR, the task of the DPO was to monitor compliance with the GDPR, EU law and/or national data protection law. The DPO also had to assess the policies of the controller or processor regarding data protection, including the assignment of responsibilities, awareness-raising and training of staff. It followed from this that a DPO cannot be entrusted with tasks or duties which would result in him or her determining the objectives and methods of processing personal data on behalf of the controller or its processor. Under EU law or national law, the review of those objectives and methods must be carried out independently by the DPO. An assessment of a potential conflict of interests, within the meaning of Article 38(3) GDPR, must be carried out on a case by case basis, with an assessment of all the relevant circumstances. The Court emphasised the organisational structure of the controller or its processor and in the light of all the applicable rules, including any policies of the controller or its processor, as an important factor.
The CJEU concluded that a 'conflict of interest' may exist where a DPO is entrusted with other tasks or duties, which would result in he/she determining the objectives and methods of processing personal data on behalf of the processor/controller. National courts had to assess such a situation on a case by case basis, considering all the relevant circumstances. The courts had to pay particular attention to the organisational structure of the controller/processor in the light of all applicable rules, including the own policies of the controller/processor.
Comment
The CJEU did not answer the second and third preliminary question because of the answer to the first question.
The CJEU ruling did not provide much information regarding the prior proceedings and the arguments which were used there. This is reflected in the summary. For instance, it is not clear what were the data subjects arguments. Most likely that these arguments were (partly) based on German law, which states that a controller/processor cannot dismiss a DPO unless there is 'just cause' for the dismissal. These German provisions seemed to provide stricter rules for the dismissal of a DPO in comparission with Article 38 GDPR. (These German provisions were Paragraph 38(1) and 38(2) of the BDSG, in conjunction with paragraph 6(4) of the BDSG and lastly, Paragraph 626 of the Civil Code - see paragraphs 7 - 9 of this CJEU ruling for more context) .
Further Resources
Share blogs or news articles here!