Under the GDPR, certain organisations (eg public authorities) are required to appoint a Data Protection Officer (DPO). A DPO's tasks include monitoring compliance with the GDPR and domestic data protection law.
The GDPR sets out various protections benefiting DPOs, including:
The UK GDPR contains the same provisions in relation to the dismissal of a DPO and conflict of interests.
In the case of X-Fab Dresden GmbH & Co KG v FC, the employee (FC) was his organisation's DPO. He also held other positions, including chair of the works council for one company within the group and vice-chair of the central works council for the group. FC's DPO role was terminated with immediate effect by the employer. The employer argued it had just cause for terminating FC's DPO role because of the risk of a conflict of interest between the DPO role and FC's works council roles.
FC sought a declaration in the German Federal Court that he remained the organisation's DPO. The German Federal Court referred questions to the European Court of Justice (ECJ) to assist in its interpretation of the GDPR.
In its preliminary ruling, the ECJ has held that Article 38(3) does not preclude national legislation from providing more protection in respect of the dismissal of a DPO, so long as any such additional protection does not undermine the objectives of the GDPR. In respect of Article 38(6), it is the responsibility of the organisation to ensure the DPO is not given duties that could impair the execution of their DPO role.
In practical terms, this means that a DPO cannot hold a position that leads him or her to determine the purposes and means of processing personal data. A DPO must also not be expected to manage competing objectives that could result in data protection taking a secondary role to achieving business aims.
It is for the national courts to establish whether a conflict of interest does indeed exist in a particular case.
ECJ cases are not binding on UK courts. However, as the UK GDPR contains the same provisions on DPO dismissal and conflict of interest, it is possible that the UK courts will have regard to this case. Conflict of interest cases can be difficult for employers to manage. It is worth considering your organisation's policies and procedures, its structure, and any additional duties your DPO carries out, so that you can reduce the risk of a conflict arising in the first place.