The CJEU Judgment on DPO’s Dismissal & Conflicts of Interest

On 9 February 2023, the CJEU issued a preliminary ruling in C-453/21 on two questions concerning DPOs submitted by the German Federal Labour Court. In summary, this ruling states that:

• The GDPR does not exclude national legislation that provides that a DPO can only be dismissed for just cause, as long as the achievement of its objectives is not undermined; and
• A conflict of interest can exist where a DPO is to determine the purposes and means of processing personal data in other tasks or duties entrusted to him or her.

1. Background of This Case

FC worked for an employer in the capacity of a DPO and other tasks or duties such as a chair of the works council. He was dismissed from his position as a DPO due to conflicts of interest with his other tasks or duties. He then brought an action before the German courts seeking a declaration that he would retain his position as the DPO.

2. The Rule on DPO’s Dismissal

The first issue was whether the German law on which the dismissal was based was compatible with the GDPR. While the GDPR only provides that a DPO may not be dismissed or penalised for performing his tasks¹, German law requires just cause for the termination of the DPO’s employment relationship². This means that the German law is more protective of DPOs than the GDPR. The German Federal Labour Court questioned the CJEU on whether that law is compatible with the GDPR.

The CJEU answered that the GDPR does not preclude national legislation which provides that a controller or a processor may dismiss a DPO where there is just cause, in so far as such legislation does not undermine the achievement of the objectives of the GDPR. In this ruling, the CJEU pointed out that:

• EU Member States are free to lay down specific provisions that are more protective with regard to the removal of DPOs, as long as these provisions do not undermine the objectives of the GDPR;
• To achieve such objectives, the DPO must be in a position to perform his or her duties and tasks in an independent manner; and
• The protection against dismissal on the ground of a conflict of interest, even if a DPO is unable to conduct the tasks in an independent manner, would undermine the achievement of such objectives.

This ruling reaffirms the CJEU’s position on national legislation that provides the dismissal of DPOs, which has already been interpreted similarly in C-534/20 on 22 June 2022. What is new is that the CJEU has given its interpretation in the context of conflicts of interest.

3. The Criteria for Conflicts of Interest

The second issue is what criteria other tasks or duties entrusted to the DPO constitute a conflict of interest. The GDPR provides that a DPO may fulfil other tasks and duties provided that any such tasks and duties do not result in a conflict of interests³. The German Federal Labour Court asked the CJEU in which circumstances other tasks and duties could give rise to a conflict of interest for a DPO.

The CJEU responded that a conflict of interest may exist where a DPO is entrusted with other tasks or duties, which would result in determining the purposes and means of processing personal data on the part of the controller or processor. In this ruling, the CJEU found that:

• The conflict of interest clause means a DPO cannot be entrusted with performing tasks or duties which could impair the execution of the functions performed by the DPO;
• The task of a DPO is, inter alia, to monitor compliance with data protection laws and the relevant policies of the controller or processor; and
• It follows, in particular, that DPOs cannot be entrusted with tasks or duties which would result in determining the purposes and means of processing personal data on the part of the controller or processor.

The CJEU stated for the first time that a conflict of interest may exist where a DPO determines the purposes and means of personal data in their other tasks or duties. Although Article 29 Working Party Guidelines already discussed this interpretation⁴, the significance of this ruling is that the CJEU has now formally expressed its view.

Next Steps

Organisations should check whether a conflict of interest exists where a DPO concurrently holds other tasks or duties to determine the purposes and means of personal data. If so, the organisations need to consider terminating the DPO or other tasks or duties based on the applicable national law.

¹ The second sentence of Article 38(3) of the GDPR
² Paragraph 626 of the German Civil Code
³ Article 38 (6) of the GDPR
⁴ Article 29 Data Protection Working Party, Guidelines on Data Protection Officers (‘DPOs’) (WP 243 rev.01, 2017), page 16