CJEU - C-453/21 - X-Fab Dresden GmbH & Co. KG: Difference between revisions

From GDPRhub
No edit summary
No edit summary
 
(12 intermediate revisions by 4 users not shown)
Line 39: Line 39:
|Reference_Case_Number_Name=ECLI:DE:BAG:2021:210721.U.5AZR572.20.0
|Reference_Case_Number_Name=ECLI:DE:BAG:2021:210721.U.5AZR572.20.0


|Initial_Contributor=
|Initial_Contributor=Bernardo Armentano
|
|
}}
}}


In this ruling, the CJEU provided clarity regarding the position of DPO's in the context of the second sentence [[Article 38 GDPR|Article 38(3) GDPR]]. The Court held that this GDPR provision did not preclude national legislation
The CJEU held that each member state is allowed to lay down more specific rules concerning the dismissal of a DPO, provided that these rules are compatible with EU law and the GDPR. The CJEU also held that a '''conflict of interest''<nowiki/>', pursuant to [[Article 38 GDPR#3|Article 38(3) GDPR]], may exist when a DPO is entrusted with other tasks or duties, which would result in him/her determining the objectives and methods of personal data processing on behalf of the processor/controller.
 
and Article 38(6) GDPR


==English Summary==
==English Summary==


=== Facts ===
=== Facts ===
In this preliminary ruling, the data subject had been an employee of X-FAB, a semiconductor foundry, since 1993. He held two functions in the company. First, he was the chairman of the work council and second, he had been the DPO of the controller since 2015. He also was the DPO of the other companies in the group that X-Fab was part of, in order to ensure that all these undertakings shared a uniform level of data protection. However, on 1 December 2017, the DPO was suddenly fired from his position as DPO at the request of the DPO of Thuringen (Germany).  
The data subject was an employee of the controller, X-FAB (a semiconductor foundry), and held two functions in the company: he was the chairman of the work council and the DPO of X-Fab and other companies of the same group of undertakings. However, on 1 December 2017, the data subject was dismissed from his duties as a DPO, at the request of the [https://gdprhub.eu/index.php?title=TLfDI_(Thuringia) DPA of Thuringen (TLfDI) (Germany)]. As a precautionary measure, the other undertakings also decided to dismiss him, based on the second sentence of Article [[Article 38 GDPR#3|38(3) of the GDPR]], which had in the intervening period become applicable.  


The fired DPO brought action before the first instance German court in order to be reinstated as DPO at the controller. The latter argued that his functions as DPO and chair of the work council were incompatible.
Dissatisfied, the DPO brought action before the a Court in Germany, asking to be reinstated in his position. The controller argued that his positions as a DPO and as the chair of the work council were incompatible as there was a potential conflict of interests between the two functions. In subsequent proceedings, both the courts of first instance and of appeal upheld the data subject’s action. The controller then appealed to the Bundesarbeitsgericht (Federal labour court of Germany).      


In subsequent proceedings, the court of first instance and the court op appeal agreed with the data subject. The controller appealed this to the Bundesarbeitsgericht (Federal labour court of Germany), which referred questions to the CJEU. (15)
This Federal Court observed that the outcome of this appeal would depend on the interpretation of EU Law. Specifically, the Bundesarbeitsgericht stated that the question arose as to whether the second sentence of [[Article 38 GDPR#3|Article 38(3) GDPR]] (''He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks'') precludes national legislation from making the dismissal of a DPO subject to stricter conditions than those laid down by EU law. If this was the case, the Court wondered whether that provision had a sufficient legal basis.    


'''First question:''' With the first question, the referring court asked if [[Article 38 GDPR|Article 38(3) GDPR]] should be interpreted in such a way that it precluded a provision in national law, which made the dismissal of the DPO subject to certain conditions in this national law. According to this national law, It was of no consequence if this dismissal was related to the job performance. There solely had to be 'just cause'.   
The Court also noted that it would be necessary to determine whether the functions of chair of the works council and of DPO may be performed simultaneously the same person or whether that would give rise to a ''conflict of interests'' within the meaning of the second sentence of the aforementioned article.   


'''Fourth question''' The fourth question was basically a request for clarification of the phrase ‘''conflict of interest''’ within the meaning of [[Article 38 GDPR|Article 38(6) GDPR]]. The controller had to ensure that potential other tasks and duties of its DPO did not result in a conflict of interest. The court used different interpretation methods to determine the meaning of the phrase.
The Bundesarbeitsgericht asked the following preliminary questions to the CJEU: 


=== Advocate General Opinion ===
''‘(1)      Is the second sentence of Article 38(3) of [the GDPR] to be interpreted as precluding a provision in national law, such as, in the present case, Paragraph 38(1) and (2) in conjunction with the first sentence of Paragraph 6(4) of the [BDSG], which makes dismissal of the [DPO] by the controller, who is his employer, subject to certain conditions set out therein, irrespective of whether such dismissal relates to the performance of his tasks?'' 
 
''If the first question is answered in the affirmative:''
 
''(2)      Does the second sentence of Article 38(3) GDPR also preclude such a provision in national law if the designation of the [DPO] is mandatory not in accordance with Article 37(1) GDPR, but only in accordance with the law of the Member State?''
 
''If the first question is answered in the affirmative:''
 
''(3)      Does the second sentence of Article 38(3) of the GDPR have sufficient legal basis, in particular in so far as it covers [DPOs] that have an employment relationship with the controller?''
 
''If the first question is answered in the negative:''
 
''(4)      Is there a conflict of interests within the meaning of the second sentence of Article 38(6) of the GDPR if the [DPO] also holds the office of [chair] of the works council established at the controlling body? Must specific tasks have been assigned within the works council in order for such a conflict of interests to be assumed to exist?’''
 
=== Advocate General Opinion ===
Not applicable
Not applicable


=== Holding ===
=== Holding ===
The Court provided answers to the first and fourth preliminary question.     
The CJEU provided answers to the first and fourth preliminary question.     


It started with <u>the first question</u> by interpreting [[Article 38 GDPR|Article 38(3) GDPR]]. According to the court's own case law, it had to do so by consider the '''wording, and it's meaning in everyday language''', the '''context''' of the provision and the '''objectives''' of the provision. (19) 
It started with <u>the first question</u> by interpreting [[Article 38 GDPR#3|Article 38(3) GDPR]]. According to its own case law, to do so we need to consider the '''wording of the provision''', it's meaning in everyday language, as well as its '''context''' and '''objectives'''.  


''First'', with regard to the '''wording''', the court held that the GDPR did not define the terms ‘''dismissed''’, ‘''penalised''’ and ''‘for performing his [or her] tasks''’ in the second sentence of [[Article 38 GDPR|Article 38(3) GDPR]]. The Court considered the use of these words in [[Article 38 GDPR]] and determined their meaning in normal everyday language. The CJEU considered that the use of these words in the article implied that the DPO had to be protected against any decision terminating his or her duties, by which he or she would be placed at a disadvantage, or which would constitute a penalty. According to the CJEU, A measure resulting in the dismissal of the DPO could be such a measure. (20 - 22) The Court also held that the second sentence of [[Article 38 GDPR|Article 38(3) GDPR]] is intended to apply to any relationship between DPO’s and controller's / processors, irrespective of the nature of the relationship. (23) Lastly, with regard to the wording, the CJEU held that the second sentence of Article 38(3) GDPR imposes a limit on controller's and processors possibilities to dismiss a DPO. This limit consists in prohibiting the dismissal of a DPO on a ground relating to the performance of his or her tasks.  (24) 
''First'', with regard to the '''wording''', the Court held that the GDPR did not define the terms ‘''dismissed''’, ‘''penalised''’ and ''‘for performing his [or her] tasks''’ in the second sentence of [[Article 38 GDPR|Article 38(3) GDPR]]. Thus, it considered the use of these terms in normal everyday language to determine their meanings. Based on this line of reasoning, the CJEU concluded that the dismissal of a DPO grounded on the performance of his or her tasks is not allowed. The CJEU also held that the second sentence of [[Article 38 GDPR#3|Article 38(3) GDPR]] is intended to apply to any relationship between DPOs and controllers/processors, irrespective of the nature of the relationship.    


''Second'', with regard to the '''objective''' of the second sentence of [[Article 38 GDPR|Article 38(3) GDPR]], the Court referred to recital 97, which states that DPO’s should be in a position to perform their duties and tasks in an independent manner. This independence should enable them to carry out tasks in accordance with the objective of the GDPR, which consists of ensuring a consistent and homogeneous application of data protection rules. The court continued with the fact that the objective of ensuring the functional independence of the DPO is also apparent from the first and third sentences of Article 38(3) GDPR. The first sentence of the Article requires that the DPO should not to receive any instructions regarding the exercise of his duties as DPO. The third sentence states that the DPO should also report directly to the highest level of management of the controller/processor. In this context, [[Article 38 GDPR|Article 38(5) GDPR]] provides that DPO is to be bound by secrecy or confidentiality in this regard. The court concluded its considerations regarding the objective of Article 38(3) GDPR was to preserve the functional independence of the DPO and, therefore, to ensure that the provisions of the GDPR are effective.   
''Second'', with regard to the '''objective''' of the second sentence of [[Article 38 GDPR#3|Article 38(3) GDPR]], the CJEU referred to Recital 97, which states that DPOs should be in a position from where they can perform their duties and tasks in an independent manner. This independence should enable them to carry out tasks in accordance with the objective of the GDPR, thereby ensuring its consistent and homogeneous application. The CJEU also emphasized this independence is also apparent in the first and third sentences of [[Article 38 GDPR#3|Article 38(3) GDPR]]. The first sentence of states that DPOs should not to receive any instructions regarding the exercise of his duties, while the third states that DPOs should also report directly to the highest level of management of the controller/processor. In this context, [[Article 38 GDPR|Article 38(5) GDPR]] provides that DPO is to be bound by secrecy or confidentiality. Therefore, the CJEU concluded that the objective of [[Article 38 GDPR#3|Article 38(3) GDPR]] was to preserve the functional independence of the DPO and to ensure that the GDPR is effective.   


''Third'', the Court assessed the '''context''' of the provision. The CJEU assessed the preamble of the GDPR, and noted that the GDPR was adopted on the basis of Article 16(2) TFEU. This provision states that the Council of the European Union and the European Parliament were laying down rules for the protection of natural persons with regard to the processing of personal data on the one hand, and the free movement of such data on the other hand. The CJEU held that laying down rules against the dismissal of a DPO fell within the scope of protection of natural persons. (30)  From this, it followed that each member state was free to lay down more protective specific rules concerning the dismissal of a DPO, as long as these national provisions are compatible with the GDPR and EU law. These national provisions especially had to be compatible with the second sentence of [[Article 38 GDPR|Article 38(3) GDPR]]. However, as a limiting factor, The court noted that this potential increased protection of DPO's in national law could undermine the objectives of the GDPR. That would be the case if this increased protection would prevent any dismissal of a DPO who no longer possessed the professional qualities of a DPO [[Article 37 GDPR|(Article 37(5) GDPR).]] If a DPO would be so protected that he/she could not be fired any more, even when they were not suitable any more for the job, this would undermine the GDPR's objective of ensuring a consistent and homogeneous application of data protection rules  
''Third'', the Court assessed the '''context''' of the provision. The CJEU assessed the preamble of the GDPR and noted that it was adopted on the basis of Article 16(2) TFEU. This provision states that the Council of the European Union and the European Parliament were laying down rules for the protection of natural persons with regard to the processing of personal data on the one hand, and the free movement of such data on the other. The CJEU held that laying down rules against the dismissal of a DPO fell within the scope of protection of natural persons. From this context, it followed that each member state was free to lay down more protective specific rules concerning the dismissal of a DPO, as long as these national provisions were compatible with the GDPR and EU law, especially with the second sentence of [[Article 38 GDPR#3|Article 38(3) GDPR]]. However, if a DPO no longer possesses the professional qualities for the position, he/she cannot be protected as this would undermine the GDPR's objective of ensuring a consistent and homogeneous application of data protection rules


The court concluded that it was up to the national court to determine if the specific national provision was compatible with the GDPR and EU law.  
Answering the <u>first preliminary question</u>, the CJEU concluded that it was up to the national court to determine if the specific national provision was compatible with the GDPR and EU law.  


The CJEU then assessed the <u>fourth question</u>. Just like with the first question, the court looked at the '''wording''', the '''objective''' and the '''context''' of the provision.   
The CJEU then assessed the <u>fourth question</u>. Just like with the first question, the court looked at the '''wording''', the '''objective''' and the '''context''' of the provision.   


''First'', the Court looked at the '''wording''' of [[Article 38 GDPR|Article 38(6) GDPR]] itself by assessing the wording of this provision in everyday language. The court stated that the there was no established incompatibility between the performance of the DPO's duties on the one hand, and the performance of other duties by the DPO. [[Article 38 GDPR|Article 38(6) GDPR]] specifically provides that the DPO can be given other tasks other than those for which it is responsible under [[Article 39 GDPR]].   
''First'', the Court looked at the '''wording''' of [[Article 38 GDPR#3|Article 38(3) GDPR]] itself by assessing the wording of this provision in everyday language. The court stated that the there was no established incompatibility in the GDPR between the performance of the DPO's duties on the one hand, and the performance of other duties on the other. [[Article 38 GDPR#3|Article 38(3) GDPR]] specifically provided that the DPO can be given tasks other than those for which he/she is responsible under [[Article 39 GDPR]].   


''Second'', the court looked at the '''objective''' of [[Article 38 GDPR|Article 38(6) GDPR, ⁣]] which was to preserve the functional independence of the DPO and, consequently, to ensure the effectiveness of the GDPR.
''Second'', the court looked at the '''objective''' of [[Article 38 GDPR#3|Article 38(3) GDPR, ⁣]] which was to preserve the functional independence of the DPO and, consequently, to ensure the effectiveness of the GDPR.


''Third'', the CJEU looked at the '''context''' of [[Article 38 GDPR|Article 38(6) GDPR]] and noted that, according to Article 39(1)(b) GDPR, the task of the DPO was to monitor compliance with the GDPR, EU law and/or national data protection law. The DPO also had to assess the policies of the controller or processor regarding data protection, including the assignment of responsibilities, awareness-raising and training of staff. It followed from this that a DPO cannot be entrusted with tasks or duties which would result in him or her determining the objectives and methods of processing personal data on behalf of the controller or its processor. Under EU law or national law, the review of those objectives and methods must be carried out independently by the DPO. An assessment of a potential conflict of interests, within the meaning of Article 38(6) GDPR, must be carried out, case by case, on the basis of an assessment of all the relevant circumstances, in particular the organisational structure of the controller or its processor and in the light of all the applicable rules, including any policies of the controller or its processor.
''Third'', the CJEU looked at the '''context''' of [[Article 38 GDPR|Article 38(3) GDPR]] and noted that, according to [[Article 39 GDPR|Article 39(1)(b) GDPR]], the task of the DPO was to monitor compliance with the GDPR, EU law and/or national data protection law. The DPO also had to assess the policies of the controller or processor regarding data protection, including the assignment of responsibilities, awareness-raising and training of staff. It followed from this that a DPO cannot be entrusted with tasks or duties which would result in him or her determining the objectives and methods of processing personal data on behalf of the controller or its processor. Under EU law or national law, the review of those objectives and methods must be carried out independently by the DPO. An assessment of a potential conflict of interests, within the meaning of [[Article 38 GDPR#3|Article 38(3) GDPR, ⁣]] must be carried out on a case by case basis, with an assessment of all the relevant circumstances. The Court emphasised the organisational structure of the controller or its processor and in the light of all the applicable rules, including any policies of the controller or its processor, as an important factor.  


The court concluded based on this that a '''conflict of interest''<nowiki/>' may exist where a DPO is entrusted with other tasks or duties, which would result in determining the objectives and methods of processing personal data on behalf of the processor/controller. National courts had to assess such a situation on a case tot case basis, considering all the relevant circumstances. The courts had to pay particular attention to the organisational structure of the controller / processor in the light of all applicable rules, including the own policies of the controller/processor.
The CJEU concluded that a '''conflict of interest''<nowiki/>' may exist where a DPO is entrusted with other tasks or duties, which would result in he/she determining the objectives and methods of processing personal data on behalf of the processor/controller. National courts had to assess such a situation on a case by case basis, considering all the relevant circumstances. The courts had to pay particular attention to the organisational structure of the controller/processor in the light of all applicable rules, including the own policies of the controller/processor.


== Comment ==
== Comment ==
The CJEU did not answer the second and third preliminary question because of the answer to the first question.  
The CJEU did not answer the second and third preliminary question because of the answer to the first question.  
The CJEU ruling did not provide much information regarding the prior proceedings and the arguments which were used there. This is reflected in the summary. For instance,  it is not clear what were the data subjects arguments. Most likely that these arguments were (partly) based on German law, which states that a controller/processor cannot dismiss a DPO unless there is ''<nowiki/>'just cause''<nowiki/>' for the dismissal. These German provisions seemed to provide stricter rules for the dismissal of a DPO in comparission with [[Article 38 GDPR]]. (These German provisions were Paragraph 38(1) and 38(2) of the BDSG, in conjunction with paragraph 6(4) of the BDSG and lastly, Paragraph 626 of the Civil Code - see paragraphs 7 - 9 of this CJEU ruling for more context)  .


== Further Resources ==
== Further Resources ==
''Share blogs or news articles here!''
''Share blogs or news articles here!''

Latest revision as of 12:19, 12 May 2023

CJEU - C-453/21 X-Fab Dresden GmbH & Co. KG
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 38(3) GDPR
Article 38(6) GDPR
Decided: 09.02.2023
Parties: X-Fab Dresden GmbH & Co. KG
Case Number/Name: C-453/21 X-Fab Dresden GmbH & Co. KG
European Case Law Identifier: ECLI:EU:C:2023:79
Reference from: BAG (Germany)
ECLI:DE:BAG:2021:210721.U.5AZR572.20.0
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: Bernardo Armentano

The CJEU held that each member state is allowed to lay down more specific rules concerning the dismissal of a DPO, provided that these rules are compatible with EU law and the GDPR. The CJEU also held that a 'conflict of interest', pursuant to Article 38(3) GDPR, may exist when a DPO is entrusted with other tasks or duties, which would result in him/her determining the objectives and methods of personal data processing on behalf of the processor/controller.

English Summary

Facts

The data subject was an employee of the controller, X-FAB (a semiconductor foundry), and held two functions in the company: he was the chairman of the work council and the DPO of X-Fab and other companies of the same group of undertakings. However, on 1 December 2017, the data subject was dismissed from his duties as a DPO, at the request of the DPA of Thuringen (TLfDI) (Germany). As a precautionary measure, the other undertakings also decided to dismiss him, based on the second sentence of Article 38(3) of the GDPR, which had in the intervening period become applicable.

Dissatisfied, the DPO brought action before the a Court in Germany, asking to be reinstated in his position. The controller argued that his positions as a DPO and as the chair of the work council were incompatible as there was a potential conflict of interests between the two functions. In subsequent proceedings, both the courts of first instance and of appeal upheld the data subject’s action. The controller then appealed to the Bundesarbeitsgericht (Federal labour court of Germany).

This Federal Court observed that the outcome of this appeal would depend on the interpretation of EU Law. Specifically, the Bundesarbeitsgericht stated that the question arose as to whether the second sentence of Article 38(3) GDPR (He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks) precludes national legislation from making the dismissal of a DPO subject to stricter conditions than those laid down by EU law. If this was the case, the Court wondered whether that provision had a sufficient legal basis.

The Court also noted that it would be necessary to determine whether the functions of chair of the works council and of DPO may be performed simultaneously the same person or whether that would give rise to a conflict of interests within the meaning of the second sentence of the aforementioned article.

The Bundesarbeitsgericht asked the following preliminary questions to the CJEU:

‘(1)      Is the second sentence of Article 38(3) of [the GDPR] to be interpreted as precluding a provision in national law, such as, in the present case, Paragraph 38(1) and (2) in conjunction with the first sentence of Paragraph 6(4) of the [BDSG], which makes dismissal of the [DPO] by the controller, who is his employer, subject to certain conditions set out therein, irrespective of whether such dismissal relates to the performance of his tasks?

If the first question is answered in the affirmative:

(2)      Does the second sentence of Article 38(3) GDPR also preclude such a provision in national law if the designation of the [DPO] is mandatory not in accordance with Article 37(1) GDPR, but only in accordance with the law of the Member State?

If the first question is answered in the affirmative:

(3)      Does the second sentence of Article 38(3) of the GDPR have sufficient legal basis, in particular in so far as it covers [DPOs] that have an employment relationship with the controller?

If the first question is answered in the negative:

(4)      Is there a conflict of interests within the meaning of the second sentence of Article 38(6) of the GDPR if the [DPO] also holds the office of [chair] of the works council established at the controlling body? Must specific tasks have been assigned within the works council in order for such a conflict of interests to be assumed to exist?’

Advocate General Opinion

Not applicable

Holding

The CJEU provided answers to the first and fourth preliminary question.

It started with the first question by interpreting Article 38(3) GDPR. According to its own case law, to do so we need to consider the wording of the provision, it's meaning in everyday language, as well as its context and objectives.

First, with regard to the wording, the Court held that the GDPR did not define the terms ‘dismissed’, ‘penalised’ and ‘for performing his [or her] tasks’ in the second sentence of Article 38(3) GDPR. Thus, it considered the use of these terms in normal everyday language to determine their meanings. Based on this line of reasoning, the CJEU concluded that the dismissal of a DPO grounded on the performance of his or her tasks is not allowed. The CJEU also held that the second sentence of Article 38(3) GDPR is intended to apply to any relationship between DPOs and controllers/processors, irrespective of the nature of the relationship.

Second, with regard to the objective of the second sentence of Article 38(3) GDPR, the CJEU referred to Recital 97, which states that DPOs should be in a position from where they can perform their duties and tasks in an independent manner. This independence should enable them to carry out tasks in accordance with the objective of the GDPR, thereby ensuring its consistent and homogeneous application. The CJEU also emphasized this independence is also apparent in the first and third sentences of Article 38(3) GDPR. The first sentence of states that DPOs should not to receive any instructions regarding the exercise of his duties, while the third states that DPOs should also report directly to the highest level of management of the controller/processor. In this context, Article 38(5) GDPR provides that DPO is to be bound by secrecy or confidentiality. Therefore, the CJEU concluded that the objective of Article 38(3) GDPR was to preserve the functional independence of the DPO and to ensure that the GDPR is effective.

Third, the Court assessed the context of the provision. The CJEU assessed the preamble of the GDPR and noted that it was adopted on the basis of Article 16(2) TFEU. This provision states that the Council of the European Union and the European Parliament were laying down rules for the protection of natural persons with regard to the processing of personal data on the one hand, and the free movement of such data on the other. The CJEU held that laying down rules against the dismissal of a DPO fell within the scope of protection of natural persons. From this context, it followed that each member state was free to lay down more protective specific rules concerning the dismissal of a DPO, as long as these national provisions were compatible with the GDPR and EU law, especially with the second sentence of Article 38(3) GDPR. However, if a DPO no longer possesses the professional qualities for the position, he/she cannot be protected as this would undermine the GDPR's objective of ensuring a consistent and homogeneous application of data protection rules.

Answering the first preliminary question, the CJEU concluded that it was up to the national court to determine if the specific national provision was compatible with the GDPR and EU law.

The CJEU then assessed the fourth question. Just like with the first question, the court looked at the wording, the objective and the context of the provision.

First, the Court looked at the wording of Article 38(3) GDPR itself by assessing the wording of this provision in everyday language. The court stated that the there was no established incompatibility in the GDPR between the performance of the DPO's duties on the one hand, and the performance of other duties on the other. Article 38(3) GDPR specifically provided that the DPO can be given tasks other than those for which he/she is responsible under Article 39 GDPR.

Second, the court looked at the objective of Article 38(3) GDPR, ⁣ which was to preserve the functional independence of the DPO and, consequently, to ensure the effectiveness of the GDPR.

Third, the CJEU looked at the context of Article 38(3) GDPR and noted that, according to Article 39(1)(b) GDPR, the task of the DPO was to monitor compliance with the GDPR, EU law and/or national data protection law. The DPO also had to assess the policies of the controller or processor regarding data protection, including the assignment of responsibilities, awareness-raising and training of staff. It followed from this that a DPO cannot be entrusted with tasks or duties which would result in him or her determining the objectives and methods of processing personal data on behalf of the controller or its processor. Under EU law or national law, the review of those objectives and methods must be carried out independently by the DPO. An assessment of a potential conflict of interests, within the meaning of Article 38(3) GDPR, ⁣ must be carried out on a case by case basis, with an assessment of all the relevant circumstances. The Court emphasised the organisational structure of the controller or its processor and in the light of all the applicable rules, including any policies of the controller or its processor, as an important factor.

The CJEU concluded that a 'conflict of interest' may exist where a DPO is entrusted with other tasks or duties, which would result in he/she determining the objectives and methods of processing personal data on behalf of the processor/controller. National courts had to assess such a situation on a case by case basis, considering all the relevant circumstances. The courts had to pay particular attention to the organisational structure of the controller/processor in the light of all applicable rules, including the own policies of the controller/processor.

Comment

The CJEU did not answer the second and third preliminary question because of the answer to the first question.

The CJEU ruling did not provide much information regarding the prior proceedings and the arguments which were used there. This is reflected in the summary. For instance, it is not clear what were the data subjects arguments. Most likely that these arguments were (partly) based on German law, which states that a controller/processor cannot dismiss a DPO unless there is 'just cause' for the dismissal. These German provisions seemed to provide stricter rules for the dismissal of a DPO in comparission with Article 38 GDPR. (These German provisions were Paragraph 38(1) and 38(2) of the BDSG, in conjunction with paragraph 6(4) of the BDSG and lastly, Paragraph 626 of the Civil Code - see paragraphs 7 - 9 of this CJEU ruling for more context) .

Further Resources

Share blogs or news articles here!

Retrieved from "https://gdprhub.eu/index.php?title=CJEU_-_C-453/21_-_X-Fab_Dresden_GmbH_%26_Co._KG&oldid=32664"
Creative Commons Attribution-NonCommercial-ShareAlike
Powered by MediaWiki