On February 9, 2023, the Court of Justice of the European Union ruled in two decisions (C-453/21 and C-560/21) that a data protection officer (DPO) may have other duties within their role if there is no conflict of interest. The CJEU also found that national provisions that allow for the dismissal of a DPO only with “just cause” are compatible with the General Data Protection Regulation, because member states can use “just cause” as a threshold for dismissal if this does not undermine the objectives set for DPOs under the GDPR.

The CJEU’s decisions were given in cases about preliminary rulings from the German Federal Labor Court, where in one case the DPO was dismissed because he was also the chair of the works council, and in the other case because of a perceived incompatibility of the DPO’s role with other professional responsibilities at the company. In both cases, the DPOs were not dismissed for reasons relating to the performance of their duties and tasks as a DPO.

Article 38(3) of the GDPR prohibits dismissing or penalising a DPO for performing their tasks, and Article 38(6) of the GDPR states that a DPO may fulfil other tasks and duties. The controller or processor must ensure that any such tasks and duties do not result in a conflict of interest.

DPO dismissal

The CJEU stated that Article 38(3) of the GDPR does not prevent national laws allowing a controller or a processor to dismiss a DPO who is a member of staff solely where there is “just cause,” in so far as such legislation does not undermine the objectives of the GDPR.

The term “just cause” is used in this context in German law to refer to situations where it cannot be reasonably expected for the employment contract to continue as normal (i.e., until the end of the notice period or the agreed termination date), considering all circumstances of the individual case and weighing the interests of both parties. These more protective and specific requirements go beyond what is required according to Article 38(3) GDPR, which provides that a DPO “shall not be dismissed or penalized by the controller or the processor for performing his tasks.”

The CJEU considered that every member state is free to lay down more protective specific provisions on the dismissal of DPOs, in so far as those provisions are compatible with EU law and such increased protection does not undermine achievement of the GDPR’s objectives. Such undermining could, for example, arise when national legislation would prevent dismissal of DPOs who no longer possess the required professional qualities, who do not fulfill their tasks under the GDPR, or who are affected by a conflict of interest.

DPO conflict of interest

The CJEU also decided that a DPO can perform other duties, but that a conflict of interest may exist if a DPO is entrusted with other tasks or duties that relate to deciding on the objectives and methods of processing of personal data.

Determining whether such a conflict of interest exists is for national courts to decide, and this must be carried out based on an assessment of “all the relevant circumstances, in particular the organisational structure of the controller or its processor and in the light of all the applicable rules, including any policies of the controller or its processor.”

The CJEU stated that “the GDPR does not establish that there is a fundamental incompatibility between, on the one hand, the performance of DPO’s duties and, on the other hand, the performance of other duties within the controller or processor.”

However, it is essential to preserve the functional independence of a DPO and, consequently, to ensure the effectiveness of the GDPR. According to the CJEU, DPOs should “be in a position to perform their duties and tasks in an independent manner.” Thus, DPOs “cannot be entrusted with tasks or duties which would result in [a DPO] determining the objectives and methods of processing personal data on the part of the controller or its processor.”

Overall, these findings are not surprising, as they are in line with earlier national decisions of data protection authorities relating to DPOs. For example, it was found that the function of a DPO is incompatible with being the head of departments such as risk management, special investigations, compliance and internal audit, as these roles also carry the ultimate responsibility for determining the objectives and methods of data processing within those departments.

Companies may wish to review the Guidelines on Data Protection Officers endorsed by the European Data Protection Board. Depending on the activities, size and structure of the organization, the guidelines identify these as good practices:

  1. Identify the positions that would be incompatible with the function of DPO.
  2. Draw up internal rules to this effect to avoid conflicts of interest.
  3. Include a more general explanation about conflicts of interest.
  4. Declare that the organization’s DPO has no conflicts of interest with regard to their function as a DPO, as a way of raising awareness of this requirement.
  5. Include safeguards in the internal rules of the organization and ensure that the vacancy notice for the position of DPO or the service contract is sufficiently precise and detailed to avoid a conflict of interest.

Authors

Patrick Van Eecke

Bartholomäus Regenhardt

Posted by Cooley