CJEU - C-534/20 - Leistritz

From GDPRhub
Revision as of 13:30, 11 August 2022 by Jg (talk | contribs) (Jg moved page CJEU - Case C-534/20 - Leistritz to CJEU - C-534/20 - Leistritz)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
CJEU - Case C-534/20 Leistritz
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 37(1) GDPR
Article 38(3) GDPR
Parties: Leistritz AG
Case Number/Name: Case C-534/20 Leistritz
European Case Law Identifier:
Reference from: BAG (Germany)
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: n/a

The CJEU held that Article 38(3) GDPR allows member states to subject the termination of a data protection officer's employment contract to stricter regulations than provided for by EU law so long as those regulations do not undermine the objectives of the GDPR.

English Summary


Leistritz is a private company (the Company) based in Germany that is required under German law to have a Data Protection Officer (DPO). LH was the ‘Head of Legal Affairs’ in the Company, and subsequently, also became its Data Protection Officer from 1 February 2018.

On 13 July 2018, the Company issued a letter by which it terminated LH’s employment with the Company, effective 15 August 2018. In the letter, the Company relied on internal restructuring measures, as per which the “activity of internal legal adviser and the data protection service were to be outsourced.”

LH challenged the validity of termination of her employment and claimed that the same was invalid as per Article 38(2) GDPR and Section 6(4) BDSG, as the employment could be terminated only in case of a “just cause”. The Court agreed with the plaintiff and declared LH's termination unlawful since no “just cause” was to be found in the present case. The Company filed an appeal against the decision. The issue raised was whether Article 38(3) GDPR allows a Member State to make laws that impose stricter conditions for the termination of a DPO.

Noting a divergence in German jurisprudence, the Federal Labour Court stayed the proceedings and referred the following questions to the CJEU for a preliminary ruling:

1. Is the second sentence of Article 38(3) GDPR to be interpreted as precluding a provision in national law, such as Paragraph 38(1) and (2) in conjunction with the second sentence of Paragraph 6(4) of the Bundesdatenschutzgesetz (Federal Law on data protection), which declares ordinary termination of the employment contract of the data protection officer by the data controller, who is his employer, to be impermissible, irrespective of whether his contract is terminated for performing his tasks?

If the first question is answered in the affirmative:

2. Does the second sentence of Article 38(3) GDPR also preclude such a provision in national law if the designation of the data protection officer is not mandatory in accordance with Article 37(1) GDPR, but is mandatory only in accordance with the law of the Member State?

If the first question is answered in the affirmative:

3. Is the second sentence of Article 38(3) GDPR based on a sufficient enabling clause, in particular in so far as this covers data protection officers that are party to an employment contract with the data controller?


Answering the first question, the CJEU held that there are certain words within Article 38(3) GDPR that are otherwise not defined within the GDPR. To interpret these provisions requires reference to their ordinary meaning in everyday language as well as the context in which they appear in GDPR. The CJEU concluded that Article 38(3) GDPR is intended only to ensure a DPO's functional independence, not to govern the overall employment relationship between a controller or a processor; it applies irrespective of the nature of the DPO's employment relationship with the controller or processor.

Because the EU is to support and complement the efforts of member states in the field of worker protections, the CJEU held that Article 38(3) GDPR does not preclude “national legislation which provides that a controller or a processor may terminate the employment contract of a data protection officer, who is a member of his or her staff, only with just cause, even if the contractual termination is not related to the performance of that officer’s tasks, in so far as such legislation does not undermine the achievement of the objectives of the GDPR.” As the first question was answered in the negative, the CJEU did not answer the remaining two questions.


  • Contemplating employment protections that might undermine the purposes of the GDPR, the CJEU offered the example of a law that prohibits the termination of a DPO who no longer possesses the professional qualities required to perform their tasks, or who does not fulfil those tasks in accordance with the GDPR.

Further Resources

Share blogs or news articles here!