CJEU - C-453/21 - X-Fab Dresden GmbH & Co. KG: Difference between revisions

From GDPRhub
Revision as of 10:54, 15 February 2023

CJEU - C-453/21 X-Fab Dresden GmbH & Co. KG
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 38(3) GDPR
Article 38(6) GDPR
Decided: 09.02.2023
Parties: X-Fab Dresden GmbH & Co. KG
Case Number/Name: C-453/21 X-Fab Dresden GmbH & Co. KG
European Case Law Identifier: ECLI:EU:C:2023:79
Reference from: BAG (Germany)
ECLI:DE:BAG:2021:210721.U.5AZR572.20.0
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: n/a

In a preliminary ruling, the CJEU provided its interpretation of Article 38 GDPR. It determined that each member state was allowed to lay down more protective specific rules concerning the dismissal of a DPO, but also held that this national law had to be compatible with EU law and the GDPR. The court also assessed the meaning of the phrase 'conflict of interest' in Article 38(6) GDPR and determined that this may exist in a situation where a DPO is entrusted with other tasks or duties, which would result in determining the objectives and methods of processing personal data on behalf of the processor or controller.

English Summary

Facts

In this preliminary ruling, the plaintiff and data subject was an employee of X-FAB, a semiconductor foundry, the controller.

He held two functions in the company. First, he was the chairman of the works council and, second, he had been the DPO of the controller since 2015. He was also the DPO of the other companies in the group that X-Fab was part of, in order to ensure that all these undertakings shared a uniform level of data protection. However, on 1 December 2017, the DPO was suddenly fired from his position as DPO at the request of the DPO of Thuringia (Germany).

The fired DPO brought an action before the German court of first instance in order to be reinstated in his office. The controller argued that his functions as DPO and chair of the works council were incompatible. In subsequent proceedings, the court of first instance and the court of appeal agreed with the plaintiff. The controller appealed to the Bundesarbeitsgericht (Federal Labour Court of Germany), which referred questions to the CJEU.

Only the first and the fourth questions were answered by the CJEU. With the first question, the referring court asked if Article 38(3) GDPR should be interpreted in such a way that it precluded a provision in national law which made the dismissal of the DPO subject to certain conditions in this national law. With the fourth question, the referring court essentially asked the CJEU to clarify the concept of ‘conflict of interest’ in Article 38(6) GDPR.

Advocate General Opinion

Not applicable

Holding

The Court provided answers to the first and fourth preliminary questions.

It started with the first question by interpreting Article 38(3) GDPR. According to the court's own case law, it had to do so by considering the wording, and its meaning in everyday language, the context of the provision and the objectives of the provision.

First, with regard to the wording, the court held that the GDPR did not define the terms ‘dismissed’, ‘penalised’ and ‘for performing his [or her] tasks’ in the second sentence of Article 38(3) GDPR. The Court considered the use of these words in Article 38 GDPR and determined their meaning in normal everyday language. The CJEU considered that the use of these words in the article implied that the DPO had to be protected against any decision terminating his or her duties, by which he or she would be placed at a disadvantage, or which would constitute a penalty. According to the CJEU, a measure resulting in the dismissal of the DPO could be such a measure. The Court also held that the second sentence of Article 38(3) GDPR is intended to apply to any relationship between DPOs and controllers/processors, irrespective of the nature of the relationship. Lastly, with regard to the wording, the CJEU held that the second sentence of Article 38(3) GDPR imposes a limit on controllers' and processors' possibilities to dismiss a DPO. This limit consists in prohibiting the dismissal of a DPO on a ground relating to the performance of his or her tasks.

Second, with regard to the objective of the second sentence of Article 38(3) GDPR, the Court referred to recital 97, which states that DPOs should be in a position to perform their duties and tasks in an independent manner. This independence should enable them to carry out tasks in accordance with the objective of the GDPR of ensuring a consistent and homogeneous application of data protection rules. The court continued that the objective of ensuring the functional independence of the DPO is also apparent from the first and third sentences of Article 38(3) GDPR. The first sentence of the Article requires that the DPO should not receive any instructions regarding the exercise of his duties as DPO. The third sentence states that the DPO should also report directly to the highest level of management of the controller/processor. In this context, Article 38(5) GDPR provides that the DPO is to be bound by secrecy or confidentiality. The court concluded that the objective of Article 38(3) GDPR was to preserve the functional independence of the DPO and, therefore, to ensure that the provisions of the GDPR were effective.

Third, the Court assessed the context of the provision. The CJEU assessed the preamble of the GDPR, and noted that the GDPR was adopted on the basis of Article 16(2) TFEU. This provision states that the Council of the European Union and the European Parliament were laying down rules for the protection of natural persons with regard to the processing of personal data on the one hand, and the free movement of such data on the other hand. The CJEU held that laying down rules against the dismissal of a DPO fell within the scope of protection of natural persons. From this context, it followed that each member state was free to lay down more protective specific rules concerning the dismissal of a DPO, as long as these national provisions were compatible with the GDPR and EU law. These national provisions especially had to be compatible with the second sentence of Article 38(3) GDPR. However, as a limiting factor, the court noted that this potential increased protection of DPOs in national law could potentially undermine the objectives of the GDPR. That would be the case if this increased protection would prevent any dismissal of a DPO who no longer possessed the professional qualities of a DPO. If a DPO were so protected that he or she could not be fired any more, even when no longer suitable for the job, this would undermine the GDPR's objective of ensuring a consistent and homogeneous application of data protection rules.

Answering the first preliminary question, the court concluded that it was up to the national court to determine if the specific national provision was compatible with the GDPR and EU law.

The CJEU then assessed the fourth question. Just like with the first question, the court looked at the wording, the objective and the context of the provision.

First, the Court looked at the wording of Article 38(6) GDPR itself by assessing the wording of this provision in everyday language. The court stated that there was no established incompatibility in the GDPR between the performance of the DPO's duties on the one hand, and the performance of other duties on the other hand. Article 38(6) GDPR specifically provided that the DPO can be given tasks other than those for which it is responsible under Article 39 GDPR.

Second, the court looked at the objective of Article 38(6) GDPR, which was to preserve the functional independence of the DPO and, consequently, to ensure the effectiveness of the GDPR.

Third, the CJEU looked at the context of Article 38(6) GDPR and noted that, according to Article 39(1)(b) GDPR, the task of the DPO was to monitor compliance with the GDPR, EU law and/or national data protection law. The DPO also had to assess the policies of the controller or processor regarding data protection, including the assignment of responsibilities, awareness-raising and training of staff. It followed from this that a DPO cannot be entrusted with tasks or duties which would result in him or her determining the objectives and methods of processing personal data on behalf of the controller or its processor. Under EU law or national law, the review of those objectives and methods must be carried out independently by the DPO. An assessment of a potential conflict of interests, within the meaning of Article 38(6) GDPR, must be carried out on a case-by-case basis, with an assessment of all the relevant circumstances. The Court emphasised, as an important factor, the organisational structure of the controller or its processor, viewed in the light of all the applicable rules, including any policies of the controller or its processor.

The CJEU concluded that a 'conflict of interest' may exist where a DPO is entrusted with other tasks or duties which would result in determining the objectives and methods of processing personal data on behalf of the processor/controller. National courts had to assess such a situation on a case-by-case basis, considering all the relevant circumstances. The courts had to pay particular attention to the organisational structure of the controller/processor in the light of all applicable rules, including the controller's/processor's own policies.

Comment

The CJEU did not answer the second and third preliminary questions because of the answer to the first question.
