CJEU - C-453/21 - X-Fab Dresden GmbH & Co. KG: Difference between revisions

CJEU - C-453/21 X-Fab Dresden GmbH & Co. KG
Court:	CJEU
Jurisdiction:	European Union
Relevant Law:	Article 38(3) GDPR Article 38(6) GDPR
Decided:	09.02.2023
Parties:	X-Fab Dresden GmbH & Co. KG
Case Number/Name:	C-453/21 X-Fab Dresden GmbH & Co. KG
European Case Law Identifier:	ECLI:EU:C:2023:79
Reference from:	BAG (Germany) ECLI:DE:BAG:2021:210721.U.5AZR572.20.0
Language:	24 EU Languages
Original Source:	Judgement
Initial Contributor:	n/a

The CJEU determined that each member state was allowed to lay down more specific rules concerning the dismissal of a DPO, but also held that these rules had to be compatible with EU law and the GDPR. The court also determined that a 'conflict of interest', pursuant to Article 38(6) GDPR, may exist when a DPO is entrusted with other tasks or duties, which would result in determining the objectives and methods of processing personal data on behalf of the processor or controller.

English Summary

Facts

In this ruling, the plaintiff and data subject was an employee of X-FAB, a semiconductor foundry, the controller.

He held two functions in the company. First, he was the chairman of the work council and, second, he had been the DPO of the controller since 2015. He also was the DPO of the other companies in the group that X-Fab was part of, in order to ensure that all these undertakings shared a uniform level of data protection. However, on 1 December 2017, the DPO was suddenly fired from his position as DPO at the request of the DPA of Thuringen (TLfDI) (Germany) (link of our GDPR Hub page of this DPO).

The fired DPO brought action before the first instance German court in order to be reinstated in his office. The latter argued that his functions as DPO and chair of the work council were incompatible, because there was a risk of a conflict of interests if the former DPO was to exercise both functions. In subsequent proceedings, the court of first instance and the court of appeal agreed with the plaintiff. The controller appealed this to the Bundesarbeitsgericht (Federal labour court of Germany). The latter observed that the outcome of this appeal would depend on the interpretation of EU Law. Specifically, the Bundesarbeitsgericht stated that the question arose whether the second sentence of Article 38(3) GDPR (He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks) precludes national legislation from making the dismissal of a DPO subject to stricter conditions than those laid down by EU law. If this was the case, the court wondered whether that provision had a sufficient legal basis. This provision was Paragraph 38(1) and 38(2) of the BDSG, in conjunction with paragraph 6(4) of the BDSG.

The court also noted that it would be necessary to determine whether the functions of chair of the works council and of DPO may be performed by one and the same person or whether that would give rise to a conflict of interests within the meaning of the second sentence of Article 38(6) GDPR.

The Bundesarbeitsgericht asked the following preliminary questions to the CJEU:

‘(1)      Is the second sentence of Article 38(3) of [the GDPR] to be interpreted as precluding a provision in national law, such as, in the present case, Paragraph 38(1) and (2) in conjunction with the first sentence of Paragraph 6(4) of the [BDSG], which makes dismissal of the [DPO] by the controller, who is his employer, subject to certain conditions set out therein, irrespective of whether such dismissal relates to the performance of his tasks?

If the first question is answered in the affirmative:

(2)      Does the second sentence of Article 38(3) GDPR also preclude such a provision in national law if the designation of the [DPO] is mandatory not in accordance with Article 37(1) GDPR, but only in accordance with the law of the Member State?

If the first question is answered in the affirmative:

(3)      Does the second sentence of Article 38(3) of the GDPR have sufficient legal basis, in particular in so far as it covers [DPOs] that have an employment relationship with the controller?

If the first question is answered in the negative:

(4)      Is there a conflict of interests within the meaning of the second sentence of Article 38(6) of the GDPR if the [DPO] also holds the office of [chair] of the works council established at the controlling body? Must specific tasks have been assigned within the works council in order for such a conflict of interests to be assumed to exist?’

Advocate General Opinion

Not applicable

Holding

The Court provided answers to the first and fourth preliminary question.

It started with the first question by interpreting Article 38(3) GDPR. According to the court's own case law, it had to do so by consider the wording, and it's meaning in everyday language, the context of the provision and the objectives of the provision.

First, with regard to the wording, the court held that the GDPR did not define the terms ‘dismissed’, ‘penalised’ and ‘for performing his [or her] tasks’ in the second sentence of Article 38(3) GDPR. The Court considered the use of these words in Article 38 GDPR and determined their meaning in normal everyday language. The CJEU considered that the use of these words in the article implied that the DPO had to be protected against any decision terminating his or her duties, by which he or she would be placed at a disadvantage, or which would constitute a penalty. According to the CJEU, A measure resulting in the dismissal of the DPO could be such a measure. The Court also held that the second sentence of Article 38(3) GDPR is intended to apply to any relationship between DPO’s and controller's / processors, irrespective of the nature of the relationship. Lastly, with regard to the wording, the CJEU held that the second sentence of Article 38(3) GDPR imposes a limit on controller's and processors possibilities to dismiss a DPO. This limit consists in prohibiting the dismissal of a DPO on a ground relating to the performance of his or her tasks.

Second, with regard to the objective of the second sentence of Article 38(3) GDPR, the Court referred to recital 97, which states that DPO’s should be in a position to perform their duties and tasks in an independent manner. This independence should enable them to carry out tasks in accordance with the objective of the GDPR of ensuring a consistent and homogeneous application of data protection rules. The court continued with the fact that the objective of ensuring the functional independence of the DPO is also apparent from the first and third sentences of Article 38(3) GDPR. The first sentence of the Article requires that the DPO should not to receive any instructions regarding the exercise of his duties as DPO. The third sentence states that the DPO should also report directly to the highest level of management of the controller/processor. In this context, Article 38(5) GDPR provides that DPO is to be bound by secrecy or confidentiality. The court concluded that the objective of Article 38(3) GDPR was to preserve the functional independence of the DPO and, therefore, to ensure that the provisions of the GDPR were effective.

Third, the Court assessed the context of the provision. The CJEU assessed the preamble of the GDPR, and noted that the GDPR was adopted on the basis of Article 16(2) TFEU. This provision states that the Council of the European Union and the European Parliament were laying down rules for the protection of natural persons with regard to the processing of personal data on the one hand, and the free movement of such data on the other hand. The CJEU held that laying down rules against the dismissal of a DPO fell within the scope of protection of natural persons. From this context, it followed that each member state was free to lay down more protective specific rules concerning the dismissal of a DPO, as long as these national provisions were compatible with the GDPR and EU law. These national provisions especially had to be compatible with the second sentence of Article 38(3) GDPR. However, as a limiting factor, The court noted that this potential increased protection of DPO's in national law could potentially undermine the objectives of the GDPR. That would be the case if this increased protection would prevent any dismissal of a DPO who no longer possessed the professional qualities of a DPO. If a DPO would be so protected that he/she could not be fired any more, even when they were not suitable any more for the job, this would undermine the GDPR's objective of ensuring a consistent and homogeneous application of data protection rules

Answering the first preliminary question, The court concluded that it was up to the national court to determine if the specific national provision was compatible with the GDPR and EU law.

The CJEU then assessed the fourth question. Just like with the first question, the court looked at the wording, the objective and the context of the provision.

First, the Court looked at the wording of Article 38(6) GDPR itself by assessing the wording of this provision in everyday language. The court stated that the there was no established incompatibility in the GDPR between the performance of the DPO's duties on the one hand, and the performance of other duties on the other hand. Article 38(6) GDPR specifically provided that the DPO can be given other tasks other than those for which it is responsible under Article 39 GDPR.

Second, the court looked at the objective of Article 38(6) GDPR, ⁣ which was to preserve the functional independence of the DPO and, consequently, to ensure the effectiveness of the GDPR.

Third, the CJEU looked at the context of Article 38(6) GDPR and noted that, according to Article 39(1)(b) GDPR, the task of the DPO was to monitor compliance with the GDPR, EU law and/or national data protection law. The DPO also had to assess the policies of the controller or processor regarding data protection, including the assignment of responsibilities, awareness-raising and training of staff. It followed from this that a DPO cannot be entrusted with tasks or duties which would result in him or her determining the objectives and methods of processing personal data on behalf of the controller or its processor. Under EU law or national law, the review of those objectives and methods must be carried out independently by the DPO. An assessment of a potential conflict of interests, within the meaning of Article 38(6) GDPR, ⁣ must be carried out on a case by case basis, with an assessment of all the relevant circumstances. The Court emphasised the organisational structure of the controller or its processor and in the light of all the applicable rules, including any policies of the controller or its processor, as an important factor.

The CJEU concluded that a 'conflict of interest' may exist where a DPO is entrusted with other tasks or duties, which would result in determining the objectives and methods of processing personal data on behalf of the processor/controller. National courts had to assess such a situation on a case tot case basis, considering all the relevant circumstances. The courts had to pay particular attention to the organisational structure of the controller / processor in the light of all applicable rules, including the own policies of the controller/processor.

Comment

The CJEU did not answer the second and third preliminary question because of the answer to the first question.

Further Resources

Share blogs or news articles here!