CJEU - C-560/21 - KISA

From GDPRhub
CJEU - C-560/21
Court: CJEU
Jurisdiction: European Union
Relevant Law:
Case Number/Name: C-560/21
European Case Law Identifier: ECLI:EU:C:2023:81
Reference from:
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: n/a

CJEU case on KISA.

English Summary


ZS has been employed at KISA since 1 January 2002. KISA, which is obliged under the GDPR as well as the BDSG (Federal Data Protection Law) to nominate a DPO, nominated him as Data Protection Officer on 27 February 2004.

By letter of 15 August 2018, KISA dismissed ZS as DPO with effect from 31 August 2018, justifying this on the ground that a conflict of interest existed between his activity as DPO and his other professional activity. ZS argued that there was no important reason justifying his dismissal.

The Federal Data Protection Law stipulates that:

The dismissal of the data protection officer shall be permitted only by corresponding application of Paragraph 626 of the Bürgerliches Gesetzbuch (German Civil Code).

According to this law, dismissal is only legitimate if there are facts which justify, based on an important reason, the dismissal without notice.

Article 626 of the Civil Code states:

The service relationship may be terminated by either party to the contract for a compelling reason without complying with a notice period, if facts are present on the basis of which the party giving notice cannot reasonably be expected to continue the service relationship to the end of the notice period or to the agreed end of the service relationship, taking all circumstances of the individual case into account and weighing the interests of both parties to the contract.


The second sentence of Article 38(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), must be interpreted as not precluding national legislation which provides that a DPO employed by a controller or a processor can only be dismissed for an important reason, even when the dismissal is not related to his tasks, in so far as this rule does not undermine the achievement of the objectives of that regulation.

Given that the first question is answered in the negative, there is no need to answer the second question.


Similar to CJEU - C-453/21 - X-FAB Dresden.

The second question was: If the answer to the first question is in the affirmative:

Does the second sentence of Article 38(3) of the GDPR have a sufficient legal basis, in particular in so far as the provision covers data protection officers who have an employment relationship with the controller?

Argumentation in favour of the second question (could be interesting in later cases):

The GDPR was enacted on the basis of Article 16 TFEU in particular (see the preamble and recital 12 of the GDPR). However, the wording of the first sentence of Article 16(2) TFEU has been understood in some areas of the national legal literature to mean that the legislative competence conferred on the European Union by the Treaties is confined only to data protection in cases where data are processed by EU institutions, data processing by public bodies when implementing EU law, and cross-border data processing [...]. The Court of Justice’s case-law on Directive 95/46/EC and Article 100a TEC to date has not adopted such a narrow understanding (see CJEU, 20 May 2003, C-465/00, C-138/01 and C-139/01, paragraph 39 et seq.).

Some legal commentators take the view that there has been an infringement of the principle of subsidiarity under EU law (first subparagraph of Article 5(3) TEU) [...]. In line with that viewpoint, in a decision of 30 March 2012 (BR ‑ Drucksache (Bundesrat document) 52/12 [decision]), the German Bundesrat (Upper Chamber of the Parliament) raised a subsidiarity-related objection to the original proposal for the GDPR, on the basis of Article 12(b) TEU, read in conjunction with Article 6 of the Protocol on the application of the principles of subsidiarity and proportionality of 13 December 2007 (OJ 2007 C 306, p. 150).

Lastly, in a few isolated instances in the national legal literature, the GDPR is considered to be invalid on the ground that it infringes the principle of proportionality under the first subparagraph of Article 5(4) TEU [...].
