ECJ Rules on Data Protection Officer Dismissed for Conflict of Interest
The European Court of Justice has given its preliminary ruling in a case concerning the dismissal of a Data Protection Officer whose data protection duties conflicted with his other position as chair of his employer's works council.
What Was the Background to the Case?
Under the GDPR, certain organisations (eg public authorities) are required to appoint a Data Protection Officer (DPO). A DPO's tasks include monitoring compliance with the GDPR and domestic data protection law.
The GDPR sets out various protections benefiting DPOs, including:
- Article 38(3), which says that a DPO shall not be dismissed or penalised by the organisation for performing their tasks, and
- Article 38(6), which provides that a DPO may carry out other tasks and duties, and the organisation will ensure that any such tasks and duties do not result in a conflict of interest.
The UK GDPR contains the same provisions in relation to the dismissal of a DPO and conflict of interests.
In the case of X-Fab Dresden GmbH & Co KG v FC, the employee (FC) was his organisation's DPO. He also held other positions including chair of the works council for one company within the group, and vice-chair of the central works council for the group. FC's DPO role was terminated with immediate effect by the employer. The employer argued it had just cause for terminating the DPO because of the risk of a conflict of interest between the DPO role, and FC's work council roles.
FC sought a declaration in the German Federal Court that he remained the organisation's DPO. The German Federal Court referred questions to the European Court of Justice (ECJ) to assist in its interpretation of the GDPR.
What Did the ECJ Decide?
In its preliminary ruling, the ECJ has held that Article 38(3) does not preclude national legislation from providing more protection in respect of the dismissal of a DPO, so long as any such additional protection does not undermine the objectives of the GDPR. In respect of Article 38(6), it is the responsibility of the organisation to ensure the DPO is not given duties that could impair the execution of their DPO role.
In practical terms, this means that a DPO cannot hold a position that leads him or her to determine the purposes and means of processing personal data. A DPO must also not be expected to manage competing objectives that could result in data protection taking a secondary role to achieving business aims.
It is for the national courts to establish whether a conflict of interest does indeed exist in a particular case.
What Can Employers with DPOs Learn from This Decision?
ECJ cases are not binding on UK courts. However, as the UK GDPR contains the same provisions on DPO dismissal and conflict of interest, it is possible that the UK courts will have regard to this case. Conflict of interest cases can be difficult for employers to manage. It is worth considering your organisation's policies and procedures, its structure, and any additional duties your DPO carries out, so that you can reduce the risk of a conflict arising in the first place.
For more information, please contact Mark Stevens in our Employment Law team on 0117 314 5401, or complete the form below.