CJEU - C-453/21 - X-Fab Dresden GmbH & Co. KG: Difference between revisions
No edit summary |
No edit summary |
||
| Line 43: | Line 43: | ||
}} | }} | ||
In this ruling, the CJEU provided clarity regarding the position of DPO's in the context of the second sentence [[Article 38 GDPR|Article 38(3) GDPR]]. The Court held that this GDPR provision did not preclude national legislation | |||
and Article 38(6) GDPR | |||
==English Summary== | ==English Summary== | ||
=== Facts === | === Facts === | ||
In this preliminary ruling, the data subject had been an employee of X-FAB, a semiconductor foundry, since 1993. He held two functions in the company. First, he was the chairman of the | In this preliminary ruling, the data subject had been an employee of X-FAB, a semiconductor foundry, since 1993. He held two functions in the company. First, he was the chairman of the work council and second, he had been the DPO of the controller since 2015. He also was the DPO of the other companies in the group that X-Fab was part of, in order to ensure that all these undertakings shared a uniform level of data protection. However, on 1 December 2017, the DPO was suddenly fired from his position as DPO at the request of the DPO of Thuringen (Germany). | ||
The fired DPO brought action before the first instance German court in order to be reinstated as DPO at the controller. The latter argued that his functions as DPO and chair of the work council were incompatible. | |||
In subsequent proceedings, the court of first instance and the court op appeal agreed with the data subject. The controller appealed this to the Bundesarbeitsgericht (Federal labour court of Germany), which referred questions to the CJEU. (15) | |||
'''First question:''' With the first question, the referring court asked if [[Article 38 GDPR|Article 38(3) GDPR]] should be interpreted in such a way that it precluded a provision in national law, which made the dismissal of the DPO subject to certain conditions in this national law. According to this national law, It was of no consequence if this dismissal was related to the job performance. There solely had to be 'just cause'. | |||
'''Fourth question''' The fourth question was basically a request for clarification of the phrase ‘''conflict of interest''’ within the meaning of [[Article 38 GDPR|Article 38(6) GDPR]]. The controller had to ensure that potential other tasks and duties of its DPO did not result in a conflict of interest. The court used different interpretation methods to determine the meaning of the phrase. | |||
=== Advocate General Opinion === | === Advocate General Opinion === | ||
| Line 58: | Line 64: | ||
=== Holding === | === Holding === | ||
The Court provided answers to the first and fourth preliminary question. | |||
It started with <u>the first question</u> by interpreting [[Article 38 GDPR|Article 38(3) GDPR]]. According to the court's own case law, it had to do so by consider the '''wording, and it's meaning in everyday language''', the '''context''' of the provision and the '''objectives''' of the provision. (19) | |||
'' | ''First'', with regard to the '''wording''', the court held that the GDPR did not define the terms ‘''dismissed''’, ‘''penalised''’ and ''‘for performing his [or her] tasks''’ in the second sentence of [[Article 38 GDPR|Article 38(3) GDPR]]. The Court considered the use of these words in [[Article 38 GDPR]] and determined their meaning in normal everyday language. The CJEU considered that the use of these words in the article implied that the DPO had to be protected against any decision terminating his or her duties, by which he or she would be placed at a disadvantage, or which would constitute a penalty. According to the CJEU, A measure resulting in the dismissal of the DPO could be such a measure. (20 - 22) The Court also held that the second sentence of [[Article 38 GDPR|Article 38(3) GDPR]] is intended to apply to any relationship between DPO’s and controller's / processors, irrespective of the nature of the relationship. (23) Lastly, with regard to the wording, the CJEU held that the second sentence of Article 38(3) GDPR imposes a limit on controller's and processors possibilities to dismiss a DPO. This limit consists in prohibiting the dismissal of a DPO on a ground relating to the performance of his or her tasks. (24) | ||
''Second'', with regard to the '''objective''' of the second sentence of [[Article 38 GDPR|Article 38(3) GDPR]], the Court referred to recital 97, which states that DPO’s should be in a position to perform their duties and tasks in an independent manner. This independence should enable them to carry out tasks in accordance with the objective of the GDPR, which consists of ensuring a consistent and homogeneous application of data protection rules. The court continued with the fact that the objective of ensuring the functional independence of the DPO is also apparent from the first and third sentences of Article 38(3) GDPR. The first sentence of the Article requires that the DPO should not to receive any instructions regarding the exercise of his duties as DPO. The third sentence states that the DPO should also report directly to the highest level of management of the controller/processor. In this context, [[Article 38 GDPR|Article 38(5) GDPR]] provides that DPO is to be bound by secrecy or confidentiality in this regard. The court concluded its considerations regarding the objective of Article 38(3) GDPR was to preserve the functional independence of the DPO and, therefore, to ensure that the provisions of the GDPR are effective. | |||
''Third'', the Court assessed the '''context''' of the provision. The CJEU assessed the preamble of the GDPR, and noted that the GDPR was adopted on the basis of Article 16(2) TFEU. This provision states that the Council of the European Union and the European Parliament were laying down rules for the protection of natural persons with regard to the processing of personal data on the one hand, and the free movement of such data on the other hand. The CJEU held that laying down rules against the dismissal of a DPO fell within the scope of protection of natural persons. (30) From this, it followed that each member state was free to lay down more protective specific rules concerning the dismissal of a DPO, as long as these national provisions are compatible with the GDPR and EU law. These national provisions especially had to be compatible with the second sentence of [[Article 38 GDPR|Article 38(3) GDPR]]. However, as a limiting factor, The court noted that this potential increased protection of DPO's in national law could undermine the objectives of the GDPR. That would be the case if this increased protection would prevent any dismissal of a DPO who no longer possessed the professional qualities of a DPO [[Article 37 GDPR|(Article 37(5) GDPR).]] If a DPO would be so protected that he/she could not be fired any more, even when they were not suitable any more for the job, this would undermine the GDPR's objective of ensuring a consistent and homogeneous application of data protection rules | |||
The court concluded that it was up to the national court to determine if the specific national provision was compatible with the GDPR and EU law. | |||
The | The CJEU then assessed the <u>fourth question</u>. Just like with the first question, the court looked at the '''wording''', the '''objective''' and the '''context''' of the provision. | ||
''' | ''First'', the Court looked at the '''wording''' of [[Article 38 GDPR|Article 38(6) GDPR]] itself by assessing the wording of this provision in everyday language. The court stated that the there was no established incompatibility between the performance of the DPO's duties on the one hand, and the performance of other duties by the DPO. [[Article 38 GDPR|Article 38(6) GDPR]] specifically provides that the DPO can be given other tasks other than those for which it is responsible under [[Article 39 GDPR]]. | ||
'' | ''Second'', the court looked at the '''objective''' of [[Article 38 GDPR|Article 38(6) GDPR, ]] which was to preserve the functional independence of the DPO and, consequently, to ensure the effectiveness of the GDPR. | ||
'' | ''Third'', the CJEU looked at the '''context''' of [[Article 38 GDPR|Article 38(6) GDPR]] and noted that, according to Article 39(1)(b) GDPR, the task of the DPO was to monitor compliance with the GDPR, EU law and/or national data protection law. The DPO also had to assess the policies of the controller or processor regarding data protection, including the assignment of responsibilities, awareness-raising and training of staff. It followed from this that a DPO cannot be entrusted with tasks or duties which would result in him or her determining the objectives and methods of processing personal data on behalf of the controller or its processor. Under EU law or national law, the review of those objectives and methods must be carried out independently by the DPO. An assessment of a potential conflict of interests, within the meaning of Article 38(6) GDPR, must be carried out, case by case, on the basis of an assessment of all the relevant circumstances, in particular the organisational structure of the controller or its processor and in the light of all the applicable rules, including any policies of the controller or its processor. | ||
'' | The court concluded based on this that a '''conflict of interest''<nowiki/>' may exist where a DPO is entrusted with other tasks or duties, which would result in determining the objectives and methods of processing personal data on behalf of the processor/controller. National courts had to assess such a situation on a case tot case basis, considering all the relevant circumstances. The courts had to pay particular attention to the organisational structure of the controller / processor in the light of all applicable rules, including the own policies of the controller/processor. | ||
== Comment == | == Comment == | ||
Revision as of 09:49, 14 February 2023
| CJEU - C-453/21 X-Fab Dresden GmbH & Co. KG | |
|---|---|
 | |
| Court: | CJEU |
| Jurisdiction: | European Union |
| Relevant Law: | Article 38(3) GDPR Article 38(6) GDPR |
| Decided: | 09.02.2023 |
| Parties: | X-Fab Dresden GmbH & Co. KG |
| Case Number/Name: | C-453/21 X-Fab Dresden GmbH & Co. KG |
| European Case Law Identifier: | ECLI:EU:C:2023:79 |
| Reference from: | BAG (Germany) ECLI:DE:BAG:2021:210721.U.5AZR572.20.0 |
| Language: | 24 EU Languages |
| Original Source: | Judgement |
| Initial Contributor: | n/a |
In this ruling, the CJEU provided clarity regarding the position of DPO's in the context of the second sentence Article 38(3) GDPR. The Court held that this GDPR provision did not preclude national legislation
and Article 38(6) GDPR
English Summary
Facts
In this preliminary ruling, the data subject had been an employee of X-FAB, a semiconductor foundry, since 1993. He held two functions in the company. First, he was the chairman of the work council and second, he had been the DPO of the controller since 2015. He also was the DPO of the other companies in the group that X-Fab was part of, in order to ensure that all these undertakings shared a uniform level of data protection. However, on 1 December 2017, the DPO was suddenly fired from his position as DPO at the request of the DPO of Thuringen (Germany).
The fired DPO brought action before the first instance German court in order to be reinstated as DPO at the controller. The latter argued that his functions as DPO and chair of the work council were incompatible.
In subsequent proceedings, the court of first instance and the court op appeal agreed with the data subject. The controller appealed this to the Bundesarbeitsgericht (Federal labour court of Germany), which referred questions to the CJEU. (15)
First question: With the first question, the referring court asked if Article 38(3) GDPR should be interpreted in such a way that it precluded a provision in national law, which made the dismissal of the DPO subject to certain conditions in this national law. According to this national law, It was of no consequence if this dismissal was related to the job performance. There solely had to be 'just cause'.
Fourth question The fourth question was basically a request for clarification of the phrase ‘conflict of interest’ within the meaning of Article 38(6) GDPR. The controller had to ensure that potential other tasks and duties of its DPO did not result in a conflict of interest. The court used different interpretation methods to determine the meaning of the phrase.
Advocate General Opinion
Not applicable
Holding
The Court provided answers to the first and fourth preliminary question.
It started with the first question by interpreting Article 38(3) GDPR. According to the court's own case law, it had to do so by consider the wording, and it's meaning in everyday language, the context of the provision and the objectives of the provision. (19)
First, with regard to the wording, the court held that the GDPR did not define the terms ‘dismissed’, ‘penalised’ and ‘for performing his [or her] tasks’ in the second sentence of Article 38(3) GDPR. The Court considered the use of these words in Article 38 GDPR and determined their meaning in normal everyday language. The CJEU considered that the use of these words in the article implied that the DPO had to be protected against any decision terminating his or her duties, by which he or she would be placed at a disadvantage, or which would constitute a penalty. According to the CJEU, A measure resulting in the dismissal of the DPO could be such a measure. (20 - 22) The Court also held that the second sentence of Article 38(3) GDPR is intended to apply to any relationship between DPO’s and controller's / processors, irrespective of the nature of the relationship. (23) Lastly, with regard to the wording, the CJEU held that the second sentence of Article 38(3) GDPR imposes a limit on controller's and processors possibilities to dismiss a DPO. This limit consists in prohibiting the dismissal of a DPO on a ground relating to the performance of his or her tasks. (24)
Second, with regard to the objective of the second sentence of Article 38(3) GDPR, the Court referred to recital 97, which states that DPO’s should be in a position to perform their duties and tasks in an independent manner. This independence should enable them to carry out tasks in accordance with the objective of the GDPR, which consists of ensuring a consistent and homogeneous application of data protection rules. The court continued with the fact that the objective of ensuring the functional independence of the DPO is also apparent from the first and third sentences of Article 38(3) GDPR. The first sentence of the Article requires that the DPO should not to receive any instructions regarding the exercise of his duties as DPO. The third sentence states that the DPO should also report directly to the highest level of management of the controller/processor. In this context, Article 38(5) GDPR provides that DPO is to be bound by secrecy or confidentiality in this regard. The court concluded its considerations regarding the objective of Article 38(3) GDPR was to preserve the functional independence of the DPO and, therefore, to ensure that the provisions of the GDPR are effective.
Third, the Court assessed the context of the provision. The CJEU assessed the preamble of the GDPR, and noted that the GDPR was adopted on the basis of Article 16(2) TFEU. This provision states that the Council of the European Union and the European Parliament were laying down rules for the protection of natural persons with regard to the processing of personal data on the one hand, and the free movement of such data on the other hand. The CJEU held that laying down rules against the dismissal of a DPO fell within the scope of protection of natural persons. (30) From this, it followed that each member state was free to lay down more protective specific rules concerning the dismissal of a DPO, as long as these national provisions are compatible with the GDPR and EU law. These national provisions especially had to be compatible with the second sentence of Article 38(3) GDPR. However, as a limiting factor, The court noted that this potential increased protection of DPO's in national law could undermine the objectives of the GDPR. That would be the case if this increased protection would prevent any dismissal of a DPO who no longer possessed the professional qualities of a DPO (Article 37(5) GDPR). If a DPO would be so protected that he/she could not be fired any more, even when they were not suitable any more for the job, this would undermine the GDPR's objective of ensuring a consistent and homogeneous application of data protection rules
The court concluded that it was up to the national court to determine if the specific national provision was compatible with the GDPR and EU law.
The CJEU then assessed the fourth question. Just like with the first question, the court looked at the wording, the objective and the context of the provision.
First, the Court looked at the wording of Article 38(6) GDPR itself by assessing the wording of this provision in everyday language. The court stated that the there was no established incompatibility between the performance of the DPO's duties on the one hand, and the performance of other duties by the DPO. Article 38(6) GDPR specifically provides that the DPO can be given other tasks other than those for which it is responsible under Article 39 GDPR.
Second, the court looked at the objective of Article 38(6) GDPR, which was to preserve the functional independence of the DPO and, consequently, to ensure the effectiveness of the GDPR.
Third, the CJEU looked at the context of Article 38(6) GDPR and noted that, according to Article 39(1)(b) GDPR, the task of the DPO was to monitor compliance with the GDPR, EU law and/or national data protection law. The DPO also had to assess the policies of the controller or processor regarding data protection, including the assignment of responsibilities, awareness-raising and training of staff. It followed from this that a DPO cannot be entrusted with tasks or duties which would result in him or her determining the objectives and methods of processing personal data on behalf of the controller or its processor. Under EU law or national law, the review of those objectives and methods must be carried out independently by the DPO. An assessment of a potential conflict of interests, within the meaning of Article 38(6) GDPR, must be carried out, case by case, on the basis of an assessment of all the relevant circumstances, in particular the organisational structure of the controller or its processor and in the light of all the applicable rules, including any policies of the controller or its processor.
The court concluded based on this that a 'conflict of interest' may exist where a DPO is entrusted with other tasks or duties, which would result in determining the objectives and methods of processing personal data on behalf of the processor/controller. National courts had to assess such a situation on a case tot case basis, considering all the relevant circumstances. The courts had to pay particular attention to the organisational structure of the controller / processor in the light of all applicable rules, including the own policies of the controller/processor.
Comment
The CJEU did not answer the second and third preliminary question because of the answer to the first question.
Further Resources
Share blogs or news articles here!
