If you prefer reading, we’ve got those in blog form on whether you need a DPO, who can be your DPO, and what DPOs do.
And on 9 February 2023, we got a new judgment on DPOs from the Court of Justice of the European Union (or CJEU), the EU’s highest court, in the wonderfully-named X-FAB case (such a relief, as some case names are very hard to remember). The decision is on 2 points: conflict and job protection, neither of which should come as any surprise.
The fact it’s not a surprise is partly because the job protection part is a re-run of a June 2022 case before the CJEU, Leistritz, where they came to the same decision.
Let’s unpack what happened.
Our second video and blog in the DPO series covers this real kicker. GDPR states:
‘The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.’
This is a tough rule to comply with for so many reasons. As some examples from cases and guidance:
This isn’t always a popular thing to say but do watch that video, and it has relevant links in the notes.
We also had a great chat in a Privacy Kitchen Coffee Break video about DPOs and conflict with the excellent Tom McNamara, Founder & CEO of Apex Privacy.
In the X-FAB case, the DPO was also chair of the works council at his employer and ‘vice-chair of the central works council which was established for three undertakings in the group of companies to which X-FAB belongs, which are established in Germany’.
The CJEU, rather unhelpfully, simply stated the following and kicked it back down to the national court to decide (our emphasis):
‘a ‘conflict of interests’, as provided for in that provision, may exist where a data protection officer is entrusted with other tasks or duties, which would result in him or her determining the objectives and methods of processing personal data on the part of the controller or its processor’
This doesn’t really add anything to the existing case law, and it didn’t answer the particular question, though we believe it would be very surprising if the national court doesn’t find a conflict of interest in this case.
As context, GDPR states:
‘[The DPO] shall not be dismissed or penalised by the controller or the processor for performing [the DPO’s] tasks’
Some points to note while we’re on this topic:
The German law relevant in this case goes much further than GDPR. It made dismissal of a DPO much harder, essentially permitting it only where dismissal without notice would be justified (which is pretty nuclear in employment situations), and included these obligations:
‘The [DPO]’s employment shall not be terminated unless there are facts that give the public body just cause to terminate without notice. The [DPO]’s employment shall not be terminated for one year after the activity as the data protection officer has ended, unless the public body has just cause to terminate without notice.’
The CJEU noted that, ‘in interpreting a provision of EU law, it is necessary to consider not only its wording, by considering the latter’s usual meaning in everyday language, but also the context in which the provision occurs and the objectives pursued by the rules of which it is part’.
The Court went on to note that GDPR’s purpose was the ‘protection of natural persons with regard to the processing of personal data’ and that GDPR intended DPOs to be able to carry out their role without instruction, without conflict, and with some level of job protection.
Having even more job protection didn’t cut across any of this. Indeed, it supported GDPR’s aims. The Court was therefore fine with the German law.
The CJEU held that GDPR should not be interpreted as ‘precluding national legislation which provides that a controller or a processor may dismiss a data protection officer who is a member of staff of that controller or processor solely where there is just cause, even if the dismissal is not related to the performance of that officer’s tasks, in so far as such legislation does not undermine the achievement of the objectives of that regulation’.
As we said, the decision isn’t surprising. What is perhaps surprising is the existence of that German law.
It’s a good note of caution to always look at national laws in the Member States in which you operate.
Keepabl’s Privacy Management Software ensures your Data Map is easily created and updated, you can benchmark against the UK ICO’s Accountability Framework, integrated into Keepabl, plus we instantly create your Gap Analysis and all your GDPR records and KPIs as you go. You can give your DPO access to your Keepabl account so they can keep their expert eye on progress, advise you efficiently wherever they are, working on the same version of the Data Map as you are, and manage your other GDPR obligations simply.
Why not see for yourself and book your demo today!