CJEU - C-453/21 - X-Fab Dresden GmbH & Co. KG: Difference between revisions
No edit summary |
No edit summary |
||
| Line 48: | Line 48: | ||
=== Facts === | === Facts === | ||
In this decision, the data subject | In this decision, the data subject had been an employee of X-FAB, a semiconductor foundry, since 1993. He held two functions in the company. He was the chairman of the workcouncil and he was the DPO of the company since 2015. However, on 1 December 2017, he was suddenly fired as DPO at the request of the state officer for data protection of Thuringen (Germany), based on the second sentence of [[Article 38 GDPR|Article 38(3) GDPR]], which states that ....... (13). | ||
The data subject brought action before the | The data subject brought action before the first instance German court in order to be reinstated as DPO at the controller. The latter argued that his functions as DPO and chair of the workcouncil were incompatible. The court of first instance and the court op appeal agreed with the data subject. The controller appealed this at the Bundesarbeitsgericht, which referred questions to the CJEU. (15) | ||
=== Advocate General Opinion === | === Advocate General Opinion === | ||
| Line 56: | Line 56: | ||
=== Holding === | === Holding === | ||
With the first question, the | With the first question, the referring court asked the CJEU if Article 38(3) GDPR should be interpreted in such a way that it precluded a provision in national law, which would make the dismissal of the DPO, who was also an employee, by the controller subject to certain conditions in this national law, irrespective if of this dismissal related to the performance of his tasks. | ||
First, the court held that the GDPR does not define the terms ‘dismissed’, ‘penalised’ and ‘for performing his [or her] tasks’ in the second sentence of Article 38(3). The Court considered the use of these words in normal everyday language, and considered that that this implied that the DPO in question must be protected against any decision terminating him or her duties, by which he or she would be placed at a disadvantage or which would constitute a penalty. A measure resulting in the dismissal of the DPO by the controller or processor is capable of constituting such a measure. | |||
Second, the court held that the second sentence of Article 38(3) GDPR applies whether or not the DPO is an employee of the controller/processor. The second sentence of Article 38(3) GDPR is intended to apply to any relationship between DPO’s on the one hand and controller’s and processors on the other hand, irrespective of the nature of the relationship. | |||
Third, Article 38 GDPR imposes a limit to prohibit the dismissal of a DPO on a ground relating to the performance of his or her tasks. One of these tasks is the monitoring of compliance with EU or Member State legal provisions on data protection and with the policies of the controller or processor concerning the protection of personal data. (Article 39(1)(b) GDPR. | |||
The Court continued to refer to recital 97 in order to describe the objective pursued by Article 38(3) GDPR. DPO’s, whether or not they are employees of the controller, should be in a position to perform their duties and tasks in an independent manner. They should therefore be able to carry out tasks in accordance with the objective of the GDPR, which is, pursuant to recital 10, to ensure a consistent and homogeneous application of data protection rules. | |||
The court continued with the fact that the the objective of ensuring the functional independence of the DPO, pursuant to the second sentence of Article 38(3) GDPR, is also apparent from the first and third sentences of this Article. This requires that that DPO should not to receive any instructions regarding the exercise of his duties as DPO. He/she should also report directly to the highest level of management of the controller/processor. In this context, Article 38(5) GDPR which provides that DPO is to be bound by secrecy or confidentiality in this regard. | |||
Therefore, the second sentence of Article 38(3) of the GDPR must be regarded as seeking to preserve the functional independence of the DPO and to ensure that the GDPR is effective. This interpretation is supported by the context of the provision an by the legal basis on which the EU legislature adopted the GDPR, which was Article 16(2) TFEU. From this, it followed that each member state was free to lay down more protective specific rules concerning the dismissal of a DPO, as long as these national provisions are compatible with the GDPR and EU law, in particular the second sentence for Article 38(3) GDPR. The court also noted that such increased protection cannot undermine the objectives of the GDPR. That would be the case if this increased protection would prevent any dismissal a DPO who no longer possesses the professional qualities required pursuant to Article 37(5) GDPR, or who does not fulfil his/her tasks. If a DPO would be so protected that he/she could not be fired anymore, even when they were not up for the task, this would undermine the objective of the GDPR. | |||
The court concluded that it was up to the national court to determine if the specific provision were compatible with the GDPR and EU law. | |||
Fourth question | |||
The fourth question was basically a request for clarification of the phrase ‘conflict of interest’ within the meaning of Article 38(6) GDPR. The controller had to ensure that potential other tasks and duties of its DPO do not result in a conflict of interest. The court used different interpretation methods to determine the meaning of the phrase. | |||
First, the Court looked at the wording of Article 38(6) GDPR itself by looking and the use of the phrase in everyday language. The court held that, in accordance with the objective pursued by Article 38(6) GDPR, the DPO cannot be entrusted with performing tasks or duties which could impair the execution of the functions performed by the DPO. | |||
Second, the court looked at the objective pursued by Article 38(6) GDPR, which was to preserve the functional independence of the DPO and, consequently, to ensure the effectiveness of the provisions of the GDPR. | |||
Third, the CJEU looked at the context of Article 38(6) of the GDPR and noted that, according to Article 39(1)(b) of the GDPR, the task of the DPO is, inter alia, to monitor compliance with the GDPR, other provisions of EU law or of the law of the Member States on data protection and the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits. From this, it followed that , that a DPO cannot be entrusted with tasks or duties which would result in him or her determining the objectives and methods of processing personal data on the part of the controller or its processor. Under EU law or the law of the Member States on data protection, the review of those objectives and methods must be carried out independently by the DPO. existence of a conflict of interests, within the meaning of Article 38(6) of the GDPR, must be carried out, case by case, on the basis of an assessment of all the relevant circumstances, in particular the organisational structure of the controller or its processor and in the light of all the applicable rules, including any policies of the controller or its processor. | |||
== Comment == | == Comment == | ||
The CJEU did not answer the second and third preliminary question because of the answer to the first question. | |||
== Further Resources == | == Further Resources == | ||
''Share blogs or news articles here!'' | ''Share blogs or news articles here!'' | ||
Revision as of 15:15, 11 February 2023
| CJEU - C-453/21 X-Fab Dresden GmbH & Co. KG | |
|---|---|
 | |
| Court: | CJEU |
| Jurisdiction: | European Union |
| Relevant Law: | Article 38(3) GDPR Article 38(6) GDPR |
| Decided: | 09.02.2023 |
| Parties: | X-Fab Dresden GmbH & Co. KG |
| Case Number/Name: | C-453/21 X-Fab Dresden GmbH & Co. KG |
| European Case Law Identifier: | ECLI:EU:C:2023:79 |
| Reference from: | BAG (Germany) ECLI:DE:BAG:2021:210721.U.5AZR572.20.0 |
| Language: | 24 EU Languages |
| Original Source: | Judgement |
| Initial Contributor: | n/a |
SUMMARY NOT FINALISED YET, To be updated
English Summary
Facts
In this decision, the data subject had been an employee of X-FAB, a semiconductor foundry, since 1993. He held two functions in the company. He was the chairman of the workcouncil and he was the DPO of the company since 2015. However, on 1 December 2017, he was suddenly fired as DPO at the request of the state officer for data protection of Thuringen (Germany), based on the second sentence of Article 38(3) GDPR, which states that ....... (13).
The data subject brought action before the first instance German court in order to be reinstated as DPO at the controller. The latter argued that his functions as DPO and chair of the workcouncil were incompatible. The court of first instance and the court op appeal agreed with the data subject. The controller appealed this at the Bundesarbeitsgericht, which referred questions to the CJEU. (15)
Advocate General Opinion
Not applicable
Holding
With the first question, the referring court asked the CJEU if Article 38(3) GDPR should be interpreted in such a way that it precluded a provision in national law, which would make the dismissal of the DPO, who was also an employee, by the controller subject to certain conditions in this national law, irrespective if of this dismissal related to the performance of his tasks.
First, the court held that the GDPR does not define the terms ‘dismissed’, ‘penalised’ and ‘for performing his [or her] tasks’ in the second sentence of Article 38(3). The Court considered the use of these words in normal everyday language, and considered that that this implied that the DPO in question must be protected against any decision terminating him or her duties, by which he or she would be placed at a disadvantage or which would constitute a penalty. A measure resulting in the dismissal of the DPO by the controller or processor is capable of constituting such a measure.
Second, the court held that the second sentence of Article 38(3) GDPR applies whether or not the DPO is an employee of the controller/processor. The second sentence of Article 38(3) GDPR is intended to apply to any relationship between DPO’s on the one hand and controller’s and processors on the other hand, irrespective of the nature of the relationship.
Third, Article 38 GDPR imposes a limit to prohibit the dismissal of a DPO on a ground relating to the performance of his or her tasks. One of these tasks is the monitoring of compliance with EU or Member State legal provisions on data protection and with the policies of the controller or processor concerning the protection of personal data. (Article 39(1)(b) GDPR.
The Court continued to refer to recital 97 in order to describe the objective pursued by Article 38(3) GDPR. DPO’s, whether or not they are employees of the controller, should be in a position to perform their duties and tasks in an independent manner. They should therefore be able to carry out tasks in accordance with the objective of the GDPR, which is, pursuant to recital 10, to ensure a consistent and homogeneous application of data protection rules.
The court continued with the fact that the the objective of ensuring the functional independence of the DPO, pursuant to the second sentence of Article 38(3) GDPR, is also apparent from the first and third sentences of this Article. This requires that that DPO should not to receive any instructions regarding the exercise of his duties as DPO. He/she should also report directly to the highest level of management of the controller/processor. In this context, Article 38(5) GDPR which provides that DPO is to be bound by secrecy or confidentiality in this regard.
Therefore, the second sentence of Article 38(3) of the GDPR must be regarded as seeking to preserve the functional independence of the DPO and to ensure that the GDPR is effective. This interpretation is supported by the context of the provision an by the legal basis on which the EU legislature adopted the GDPR, which was Article 16(2) TFEU. From this, it followed that each member state was free to lay down more protective specific rules concerning the dismissal of a DPO, as long as these national provisions are compatible with the GDPR and EU law, in particular the second sentence for Article 38(3) GDPR. The court also noted that such increased protection cannot undermine the objectives of the GDPR. That would be the case if this increased protection would prevent any dismissal a DPO who no longer possesses the professional qualities required pursuant to Article 37(5) GDPR, or who does not fulfil his/her tasks. If a DPO would be so protected that he/she could not be fired anymore, even when they were not up for the task, this would undermine the objective of the GDPR.
The court concluded that it was up to the national court to determine if the specific provision were compatible with the GDPR and EU law.
Fourth question
The fourth question was basically a request for clarification of the phrase ‘conflict of interest’ within the meaning of Article 38(6) GDPR. The controller had to ensure that potential other tasks and duties of its DPO do not result in a conflict of interest. The court used different interpretation methods to determine the meaning of the phrase.
First, the Court looked at the wording of Article 38(6) GDPR itself by looking and the use of the phrase in everyday language. The court held that, in accordance with the objective pursued by Article 38(6) GDPR, the DPO cannot be entrusted with performing tasks or duties which could impair the execution of the functions performed by the DPO.
Second, the court looked at the objective pursued by Article 38(6) GDPR, which was to preserve the functional independence of the DPO and, consequently, to ensure the effectiveness of the provisions of the GDPR.
Third, the CJEU looked at the context of Article 38(6) of the GDPR and noted that, according to Article 39(1)(b) of the GDPR, the task of the DPO is, inter alia, to monitor compliance with the GDPR, other provisions of EU law or of the law of the Member States on data protection and the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits. From this, it followed that , that a DPO cannot be entrusted with tasks or duties which would result in him or her determining the objectives and methods of processing personal data on the part of the controller or its processor. Under EU law or the law of the Member States on data protection, the review of those objectives and methods must be carried out independently by the DPO. existence of a conflict of interests, within the meaning of Article 38(6) of the GDPR, must be carried out, case by case, on the basis of an assessment of all the relevant circumstances, in particular the organisational structure of the controller or its processor and in the light of all the applicable rules, including any policies of the controller or its processor.
Comment
The CJEU did not answer the second and third preliminary question because of the answer to the first question.
Further Resources
Share blogs or news articles here!
