CJEU on DPOs, Job Protection & Conflict

We’ve always believed that the Data Protection Officer (or DPO) is a very misunderstood role. It’s why we created these 3 great Privacy Kitchen videos [YouTube cookies and Privacy Policy apply]:

• Do I need a DPO?
• Who can be DPO? and
• What does a DPO do?

If you prefer reading, we’ve got those in blog form on whether you need a DPO, who can be your DPO, and what DPOs do.

And on 9 February 2023, we got a new judgment on DPOs from the Court of Justice of the European Union (or CJEU), the EU’s highest court, in the wonderfully-named X-FAB case (such a relief as some case names are very hard to remember). The decision is on 2 points: conflict and job proteciton, neither of which should come as any surprise.

The fact it’s not a surprise is partly because the job protection part is a re-run of a June 2022 case before the CJEU, Leistritz, where they came to the same decision.

Let’s unpack what happened.

Conflict

Our second video and blog in the DPO series covers this real kicker. GDPR states:

‘The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.‘

This is a tough rule to comply with for so many reasons. As some examples from cases and guidance:

• C-level? Conflicted.
• Head of Department? Conflicted.
• Senior Marketing Manager who also creates campaigns? Conflicted.
• IT Manager who also creates the procedures to protect the personal data? Conflicted.
• External consultant that you make do lots of the heavy lifting on your GDPR compliance? Almost certainly conflicted.

This isn’t always a popular thing to say but do watch that video, and it has relevant links in the notes.

We also had a great chat in a Privacy Kitchen Coffee Break video about DPOs and conflict with the excellent Tom McNamara, Founder & CEO of Apex Privacy.

The CJEU’s X-FAB Decision

In the X-FAB case, the DPO was also chair of the works council at his employer and ‘vice-chair of the central works council which was established for three undertakings in the group of companies to which X-FAB belongs, which are established in Germany‘.

The CJEU, rather unhelpfully, simply stated the following and kicked it back down to the national court to decide (our emphasis):

‘a ‘conflict of interests’, as provided for in that provision, may exist where a data protection officer is entrusted with other tasks or duties, which would result in him or her determining the objectives and methods of processing personal data on the part of the controller or its processor’

This doesn’t really add anything to the existing case law, and it didn’t answer the particular question, though we believe it would be very surprising if the national court doesn’t find a conflict of interest in this case.

Job Protection

As context, GDPR states:

‘[The DPO] shall not be dismissed or penalised by the controller or the processor for performing [the DPO’s] tasks’

Some points to note while we’re on this topic:

• this protection (and the other rights and obligations around DPOs) applies whether you have to appoint a DPO under GDPR or you’ve decided to voluntarily appoint a DPO, and
• those rights and obligations even apply if you simply decide to use the job title Data Protection Officer or DPO without meaning that person to in fact be a DPO. (So use Privacy Manager or similar instead if you don’t want to take this on.)

The CJEU’s X-FAB Decision

The German law relevant in this case goes much further than GDPR. It made dismissal of a DPO much harder, essentially only when dismissal without notice was applicable (which is pretty nuclear in employment situations) and included these obligations:

‘The [DPO]’s employment shall not be terminated unless there are facts that give the public body just cause to terminate without notice. The [DPO]’s employment shall not be terminated for one year after the activity as the data protection officer has ended, unless the public body has just cause to terminate without notice.’

The CJEU noted that, ‘in interpreting a provision of EU law, it is necessary to consider not only its wording, by considering the latter’s usual meaning in everyday language, but also the context in which the provision occurs and the objectives pursued by the rules of which it is part‘.

The Court went on to note that GDPR’s purpose was the ‘protection of natural persons with regard to the processing of personal data‘ and that GDPR intended DPOs to be able to carry out their role without instruction, without conflict, and with some level of job protection.

Having even more job protection didn’t cut across any of this. Indeed, it supported GDPR’s aims. The Court was therefore fine with the German law.

The CJEU held that GDPR should not be interpreted as ‘precluding national legislation which provides that a controller or a processor may dismiss a data protection officer who is a member of staff of that controller or processor solely where there is just cause, even if the dismissal is not related to the performance of that officer’s tasks, in so far as such legislation does not undermine the achievement of the objectives of that regulation‘.

Perhaps the main thing …

As we said, the decision isn’t surprising. What is perhaps surprising is the existence of that German law.

It’s a good note of caution to always look at national laws in Members States in which you operate.

Your DPO’s Best Friend

Keepabl’s Privacy Management Software ensures your Data Map is easily created and updated, you can benchmark against the UK ICO’s Accountability Framework, integrated into Keepabl, plus we instantly create your Gap Analysis and all your GDPR records and KPIs as you go. You can give your DPO access to your Keepabl account so they can keep their expert eye on progress, advise you efficiently wherever they are, working on the same version of the Data Map as you are, and manage your other GDPR obligations simply.

Why not see for yourself and book your demo today!