CJEU - C-453/21 - X-Fab Dresden GmbH & Co. KG

From GDPRhub
Revision as of 16:15, 13 February 2023 by Kv
CJEU - C-453/21 X-Fab Dresden GmbH & Co. KG
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 38(3) GDPR
Article 38(6) GDPR
Decided: 09.02.2023
Parties: X-Fab Dresden GmbH & Co. KG
Case Number/Name: C-453/21 X-Fab Dresden GmbH & Co. KG
European Case Law Identifier: ECLI:EU:C:2023:79
Reference from: BAG (Germany)
ECLI:DE:BAG:2021:210721.U.5AZR572.20.0
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: n/a

SUMMARY NOT FINALISED YET, To be updated

English Summary

Facts

In this preliminary ruling, the data subject had been an employee of X-FAB, a semiconductor foundry, since 1993. He held two functions in the company. First, he was the chairman of the works council and second, he had been the DPO of the controller since 2015. However, on 1 December 2017, he was suddenly fired as DPO at the request of the DPO of Thuringia (Germany).

The fired DPO brought an action before the German court of first instance in order to be reinstated as DPO at the controller. The controller argued that his functions as DPO and chair of the works council were incompatible.

In subsequent proceedings, the court of first instance and the court of appeal agreed with the data subject. The controller appealed this to the Bundesarbeitsgericht, which referred questions to the CJEU. (15)

Advocate General Opinion

Not applicable

Holding

First question: With the first question, the referring court asked whether Article 38(3) GDPR should be interpreted as precluding a provision of national law that made the dismissal of the DPO subject to certain conditions. According to this national law, it was of no consequence whether the dismissal was related to job performance. There were still additional safeguards protecting the position of the DPO.

First, the court held that the GDPR does not define the terms ‘dismissed’, ‘penalised’ and ‘for performing his [or her] tasks’ in the second sentence of Article 38(3) GDPR. The Court considered the use of these words in Article 38 GDPR and determined their meaning in normal everyday language. The CJEU considered that the use of these words in the Article implied that the DPO in question had to be protected against any decision terminating his or her duties, by which he or she would be placed at a disadvantage or which would constitute a penalty. According to the CJEU, a measure resulting in the dismissal of the DPO could be such a measure. (20 - 22)

Second, the Court held that the second sentence of Article 38(3) GDPR is intended to apply to any relationship between DPOs and controllers/processors, irrespective of the nature of the relationship. (23)


The Court also considered the objective of the second sentence of Article 38(3) GDPR. The Court referred to recital 97, which states that DPOs should be in a position to perform their duties and tasks in an independent manner. This independence should therefore enable them to carry out tasks in accordance with the objective of the GDPR, which is, pursuant to recital 10, to ensure a consistent and homogeneous application of data protection rules. The court continued that the objective of ensuring the functional independence of the DPO, pursuant to the second sentence of Article 38(3) GDPR, is also apparent from the first and third sentences of this Article. This requires that the DPO should not receive any instructions regarding the exercise of his or her duties as DPO. He or she should also report directly to the highest level of management of the controller/processor. In this context, Article 38(5) GDPR provides that the DPO is to be bound by secrecy or confidentiality in this regard.

Therefore, the second sentence of Article 38(3) GDPR must be regarded as seeking to preserve the functional independence of the DPO and to ensure that the GDPR is effective. This interpretation is supported by the context of the provision and by the legal basis on which the EU legislature adopted the GDPR, which was Article 16(2) TFEU. From this, it followed that each member state was free to lay down more protective specific rules concerning the dismissal of a DPO, as long as these national provisions are compatible with the GDPR and EU law. These national provisions especially had to be compatible with the second sentence of Article 38(3) GDPR.

The court also noted that increased protection of DPOs in national law cannot undermine the objectives of the GDPR. That would be the case if this increased protection would prevent any dismissal of a DPO who no longer possesses the professional qualities required to act as a DPO (Article 37(5) GDPR), or if this DPO did not fulfil his or her tasks anymore. If a DPO were so protected that he or she could not be fired anymore, even when no longer suitable, this would undermine the objective of the GDPR.

The court concluded that it was up to the national court to determine if the specific national provision was compatible with the GDPR and EU law.

Fourth question: The fourth question was basically a request for clarification of the phrase ‘conflict of interest’ within the meaning of Article 38(6) GDPR. The controller had to ensure that potential other tasks and duties of its DPO do not result in a conflict of interest. The court used different interpretation methods to determine the meaning of the phrase.

First, the Court looked at the wording of Article 38(6) GDPR itself by looking at the use of the phrase in everyday language. The court held that, in accordance with the objective pursued by Article 38(6) GDPR, the DPO cannot be entrusted with performing tasks or duties which could impair the execution of the functions performed by the DPO.

Second, the court looked at the objective pursued by Article 38(6) GDPR, which was to preserve the functional independence of the DPO and, consequently, to ensure the effectiveness of the provisions of the GDPR.

Third, the CJEU looked at the context of Article 38(6) of the GDPR and noted that, according to Article 39(1)(b) of the GDPR, the task of the DPO is, inter alia, to monitor compliance with the GDPR, other provisions of EU law or of the law of the Member States on data protection and the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits. From this, it followed that a DPO cannot be entrusted with tasks or duties which would result in him or her determining the objectives and methods of processing personal data on the part of the controller or its processor. Under EU law or the law of the Member States on data protection, the review of those objectives and methods must be carried out independently by the DPO. The determination of the existence of a conflict of interests, within the meaning of Article 38(6) of the GDPR, must be carried out, case by case, on the basis of an assessment of all the relevant circumstances, in particular the organisational structure of the controller or its processor and in the light of all the applicable rules, including any policies of the controller or its processor.

Comment

The CJEU did not answer the second and third preliminary questions because of the answer to the first question.
