JUDGMENT OF THE COURT (Sixth Chamber)
9 February 2023 (*)
(Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Article 38(3) – Data protection officer – Prohibition on dismissing data protection officer for performing his or her tasks – Requirement for functional independence – National legislation prohibiting the dismissal of a data protection officer without just cause – Article 38(6) – Conflict of interests – Criteria)
In Case C-453/21,
REQUEST for a preliminary ruling under Article 267 TFEU from the Bundesarbeitsgericht (Federal Labour Court, Germany), made by decision of 27 April 2021, received at the Court on 21 July 2021, in the proceedings
X-FAB Dresden GmbH & Co. KG
v
FC,
THE COURT (Sixth Chamber),
composed of P.G. Xuereb, President of the Chamber, A. Kumin and I. Ziemele (Rapporteur), Judges,
Advocate General: J. Richard de la Tour,
Registrar: D. Dittert, head of unit,
having regard to the written procedure and further to the hearing on 26 September 2022,
after considering the observations submitted on behalf of:
– X-FAB Dresden GmbH & Co. KG, by S. Leese, Rechtsanwalt,
– FC, by R. Buschmann and T. Heller, Prozessbevollmächtigte,
– the German Government, by J. Möller, D. Klebs and P.-L. Krüger, acting as Agents,
– the European Parliament, by O. Hrstková Šolcová and B. Schäfer, acting as Agents,
– the Council of the European Union, by T. Haas and K. Pleśniak, acting as Agents,
– the European Commission, by A. Bouchagiar, K. Herrmann and H. Kranenborg, acting as Agents,
having decided, after hearing the Advocate General, to proceed to judgment without an Opinion,
gives the following
Judgment
1 This request for a preliminary ruling concerns the interpretation and validity of the second sentence of Article 38(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1, and corrigendum OJ 2018 L 127, p. 2; ‘the GDPR’) and the interpretation of Article 38(6) of that regulation.
2 The request has been made in proceedings between X-FAB Dresden GmbH & Co. KG (‘X-FAB’) and FC, an employee of X-FAB, concerning FC’s dismissal from the position of data protection officer (the ‘DPO’), carried out by X-FAB.
Legal context
European Union law
3 Recitals 10 and 97 of the GDPR state:
‘(10) In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the [European] Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. …
…
(97) … Such [DPOs], whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner.’
4 Article 37 of the GDPR, entitled ‘Designation of the [DPO]’, provides in paragraphs 5 and 6:
‘5. The [DPO] shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.
6. The [DPO] may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.’
5 Article 38 of the GDPR, entitled ‘Position of the [DPO]’, provides in paragraphs 3, 5 and 6:
‘3. The controller and processor shall ensure that the [DPO] does not receive any instructions regarding the exercise of those tasks. [The DPO] shall not be dismissed or penalised by the controller or the processor for performing his tasks. The [DPO] shall directly report to the highest management level of the controller or processor.
…
5. The [DPO] shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law.
6. The [DPO] may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.’
6 Article 39 of the GDPR, entitled ‘Tasks of the [DPO]’, reads as follows:
‘1. The [DPO] shall have at least the following tasks:
(a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
(b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
(c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
(d) to cooperate with the supervisory authority;
(e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
2. The [DPO] shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.’
German law
The BDSG
7 Paragraph 6 of the Bundesdatenschutzgesetz (Federal Law on data protection) of 20 December 1990 (BGBl. 1990 I, p. 2954), in the version in force from 25 May 2018 until 25 November 2019 (BGBl. 2017 I, p. 2097) (‘the BDSG’), entitled ‘Position’, provides in subparagraph 4:
‘The dismissal of the [DPO] shall be permitted only by applying Paragraph 626 of the Bürgerliches Gesetzbuch (Civil Code) in the version of 2 January 2002 (BGBl. 2002 I, p. 42, corrigenda BGBl. 2002 I, p. 2909, and BGBl. 2003 I, p. 738) accordingly. The [DPO]’s employment shall not be terminated unless there are facts that give the public body just cause to terminate without notice. The [DPO]’s employment shall not be terminated for one year after the activity as the data protection officer has ended, unless the public body has just cause to terminate without notice.’
8 Paragraph 38 of the BDSG, entitled ‘[DPO] of private bodies’, states:
‘(1) In addition to Article 37(1)(b) and (c) of the [GDPR], the controller and processor shall designate a [DPO] if they generally continuously employ at least ten persons dealing with the automated processing of personal data. …
(2) Paragraph 6(4), (5) second sentence, and (6) shall apply; however, Paragraph 6(4) shall apply only if the designation of a data protection officer is mandatory.’
The Civil Code
9 Paragraph 626 of the Civil Code, entitled ‘Termination without notice with just cause’, provides:
‘(1) The employment relationship may be terminated by either party to the contract with just cause without giving notice where facts are present on the basis of which the terminating party cannot reasonably be expected to continue the employment relationship to the end of the notice period or to the agreed end of the employment relationship, taking all circumstances of the individual case into account and weighing the interests of both parties to the contract.
(2) Termination may take place only upon expiry of a period of two weeks. That period starts to run when the person entitled to terminate becomes aware of the facts serving as the basis for termination. …’
The dispute in the main proceedings and the questions referred for a preliminary ruling
10 FC has been employed by X-FAB since 1 November 1993.
11 He performs the duties of chair of the works council in that company and, on that basis, is released from some of his work obligations. He also holds the role of vice-chair of the central works council which was established for three undertakings in the group of companies to which X-FAB belongs, which are established in Germany.
12 With effect from 1 June 2015, FC was appointed, by each undertaking separately, as the DPO of X-FAB, its parent company and the other subsidiaries of the parent company established in Germany. According to the referring court, the aim of that appointment in parallel of FC as the DPO of all those undertakings was to ensure a uniform level of data protection in those undertakings.
13 At the request of the state officer for data protection and freedom of information of Thüringen (Germany), X-FAB and the undertakings referred to in paragraph 12 of the present judgment, by letters dated 1 December 2017, dismissed FC with immediate effect from his duties as DPO. By separate letters of 25 May 2018, those undertakings, as a precautionary measure, repeated their dismissal of FC, based on the second sentence of Article 38(3) of the GDPR, which had in the intervening period become applicable, relying on grounds linked to the group of companies to which X-FAB belongs.
14 The action brought by FC before the German courts seeks a declaration that he retains the position of DPO of X-FAB. X-FAB submits that there is a risk of a conflict of interests if FC simultaneously performs the functions of DPO and chair of the works council, on the ground that those two posts are incompatible. There is, therefore, a just cause justifying FC’s dismissal as DPO.
15 The courts of first instance and of appeal upheld FC’s action. The appeal on a point of law (Revision) brought by X-FAB before the Bundesarbeitsgericht (Federal Labour Court, Germany), which is the referring court, seeks to have that action dismissed.
16 The referring court observes that the outcome of that appeal depends on the interpretation of EU law. In particular, the question arises, first, whether the second sentence of Article 38(3) of the GDPR precludes the legislation of a Member State from making the dismissal of a DPO subject to stricter conditions than those laid down by EU law and, if so, whether that provision has sufficient legal basis. Should the Court find that the conditions to which the BDSG makes the dismissal subject do comply with EU law, it would be necessary to determine whether the functions of chair of the works council and of DPO of that undertaking may be performed by one and the same person or whether that would give rise to a conflict of interests within the meaning of the second sentence of Article 38(6) of the GDPR.
17 In those circumstances the Bundesarbeitsgericht (Federal Labour Court) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:
‘(1) Is the second sentence of Article 38(3) of [the GDPR] to be interpreted as precluding a provision in national law, such as, in the present case, Paragraph 38(1) and (2) in conjunction with the first sentence of Paragraph 6(4) of the [BDSG], which makes dismissal of the [DPO] by the controller, who is his employer, subject to certain conditions set out therein, irrespective of whether such dismissal relates to the performance of his tasks?
If the first question is answered in the affirmative:
(2) Does the second sentence of Article 38(3) GDPR also preclude such a provision in national law if the designation of the [DPO] is mandatory not in accordance with Article 37(1) GDPR, but only in accordance with the law of the Member State?
If the first question is answered in the affirmative:
(3) Does the second sentence of Article 38(3) of the GDPR have sufficient legal basis, in particular in so far as it covers [DPOs] that have an employment relationship with the controller?
If the first question is answered in the negative:
(4) Is there a conflict of interests within the meaning of the second sentence of Article 38(6) of the GDPR if the [DPO] also holds the office of [chair] of the works council established at the controlling body? Must specific tasks have been assigned within the works council in order for such a conflict of interests to be assumed to exist?’
Consideration of the questions referred
The first question
18 By its first question, the referring court asks, in essence, whether the second sentence of Article 38(3) of the GDPR must be interpreted as precluding national legislation which provides that a controller or a processor may dismiss a DPO who is a member of staff of that controller or processor solely where there is just cause, even if the dismissal is not related to the performance of that officer’s tasks.
19 As is clear from settled case-law, in interpreting a provision of EU law, it is necessary to consider not only its wording, by considering the latter’s usual meaning in everyday language, but also the context in which the provision occurs and the objectives pursued by the rules of which it is part (judgment of 22 June 2022, Leistritz, C-534/20, EU:C:2022:495, paragraph 18 and the case-law cited).
20 In the first place, as regards the wording of the provision at issue, it must be stated that the second sentence of Article 38(3) of the GDPR provides that ‘he or she shall not be dismissed or penalised by the controller or the processor for performing his [or her] tasks’.
21 In that regard, in its judgment of 22 June 2022, Leistritz (C-534/20, EU:C:2022:495, paragraphs 20 and 21), the Court, after observing that the GDPR does not define the terms ‘dismissed’, ‘penalised’ and ‘for performing his [or her] tasks’ in the second sentence of Article 38(3) of the GDPR, stated, first, that, in accordance with the meaning which those words have in everyday language, the prohibition of the dismissal, by a controller or processor, of a DPO or of the imposition, by a controller or processor, of a penalty on him or her means that that DPO must be protected against any decision terminating his or her duties, by which he or she would be placed at a disadvantage or which would constitute a penalty.
22 A dismissal measure in respect of a DPO taken by his or her employer and resulting in the DPO being dismissed by the controller or its processor is capable of constituting such a decision.
23 Second, as the Court has also stated, the second sentence of Article 38(3) of the GDPR applies without distinction both to the DPO who is a member of the staff of the controller or processor and to the person who fulfils the tasks on the basis of a service contract concluded with the latter, in accordance with Article 37(6) of the GDPR, with the result that the second sentence of Article 38(3) is intended to apply to relationships between a DPO and a controller or processor, irrespective of the nature of the relationship between that DPO and the latter (judgment of 22 June 2022, Leistritz, C-534/20, EU:C:2022:495, paragraphs 23 and 24).
24 Third, the latter provision imposes a limit which consists in prohibiting the dismissal of a DPO on a ground relating to the performance of his or her tasks, which include, in particular, under Article 39(1)(b) of the GDPR, monitoring compliance with EU or Member State legal provisions on data protection and with the policies of the controller or processor concerning the protection of personal data (see, to that effect, judgment of 22 June 2022, Leistritz, C-534/20, EU:C:2022:495, paragraph 25).
25 In the second place, as regards the objective pursued by the second sentence of Article 38(3) of the GDPR, first, recital 97 of that regulation states that data protection officers, whether or not they are employees of the controller, should be in a position to perform their duties and tasks in an independent manner. In that regard, such independence must necessarily enable them to carry out those tasks in accordance with the objective of the GDPR, which seeks, inter alia, as is apparent from recital 10 thereof, to ensure a high level of protection of natural persons within the European Union and, to that end, to ensure a consistent and homogeneous application of the rules for the protection of the fundamental rights and freedoms of such natural persons with regard to the processing of personal data throughout the European Union (judgment of 22 June 2022, Leistritz, C-534/20, EU:C:2022:495, paragraph 26 and the case-law cited).
26 Second, the objective of ensuring the functional independence of the DPO, as it follows from the second sentence of Article 38(3) of the GDPR, is also apparent from the first and third sentences of that provision, which require that that DPO is not to receive any instructions regarding the exercise of those tasks and is to report directly to the highest level of management of the controller or processor, and from Article 38(5), which provides that, with regard to that exercise, that DPO is to be bound by secrecy or confidentiality (judgment of 22 June 2022, Leistritz, C-534/20, EU:C:2022:495, paragraph 27).
27 Thus, the second sentence of Article 38(3) of the GDPR, by protecting the DPO against any decision which terminates his or her duties, places him or her at a disadvantage or constitutes a penalty, where such a decision relates to the performance of his or her tasks, must be regarded as seeking essentially to preserve the functional independence of the DPO and, therefore, to ensure that the provisions of the GDPR are effective (judgment of 22 June 2022, Leistritz, C-534/20, EU:C:2022:495, paragraph 28).
28 As the Court has also held, that interpretation is supported, in the third place, by the context of that provision and, in particular, by the legal basis on which the EU legislature adopted the GDPR (judgment of 22 June 2022, Leistritz, C-534/20, EU:C:2022:495, paragraph 29).
29 As is apparent from the preamble to the GDPR, that regulation was adopted on the basis of Article 16 TFEU, paragraph 2 of which provides, in particular, that the European Parliament and the Council of the European Union are, by means of regulations, acting in accordance with the ordinary legislative procedure, to lay down the rules relating, first, to the protection of natural persons with regard to the processing of personal data by the EU institutions, bodies, offices or agencies and by the Member States when carrying out activities which fall within the scope of EU law and, second, to the free movement of such data (judgment of 22 June 2022, Leistritz, C-534/20, EU:C:2022:495, paragraph 30).
30 In that regard, the laying down of rules on protection against the dismissal of a DPO employed by a controller or by a processor falls within the scope of the protection of natural persons with regard to the processing of personal data solely inasmuch as such rules are intended to preserve the functional independence of the latter, in accordance with the second sentence of Article 38(3) of the GDPR (see, to that effect, judgment of 22 June 2022, Leistritz, C-534/20, EU:C:2022:495, paragraph 31).
31 It follows that each Member State is free, in the exercise of its retained competence, to lay down more protective specific provisions on the dismissal of the DPO, in so far as those provisions are compatible with EU law and, in particular, with the provisions of the GDPR, particularly the second sentence of Article 38(3) thereof (see, to that effect, judgment of 22 June 2022, Leistritz, C-534/20, EU:C:2022:495, paragraph 34).
32 In particular, such increased protection cannot undermine the achievement of the objectives of the GDPR. That would be the case if it prevented any dismissal, by a controller or by a processor, of a DPO who no longer possesses the professional qualities required to perform his or her tasks, in accordance with Article 37(5) of the GDPR, or who does not fulfil those tasks in accordance with the provisions of that regulation (see, to that effect, judgment of 22 June 2022, Leistritz, C-534/20, EU:C:2022:495, paragraph 35).
33 In that regard, it should be recalled, as has been noted in paragraph 25 of the present judgment, that the GDPR seeks to ensure a high level of protection of natural persons within the European Union with regard to the processing of their personal data, and that, in order to achieve that objective, the DPO must be in a position to perform his or her duties and tasks in an independent manner.
34 Thus, increased protection for the DPO which would prevent the dismissal of the DPO in the event that he or she is not, or is no longer, in a position to carry out his or her tasks in an independent manner on account of there being a conflict of interests would undermine the achievement of that objective.
35 It is for the national court to satisfy itself that specific provisions such as those referred to in paragraph 31 of the present judgment are compatible with EU law and, in particular, with the provisions of the GDPR.
36 In the light of the foregoing considerations, the answer to the first question is that the second sentence of Article 38(3) of the GDPR must be interpreted as not precluding national legislation which provides that a controller or a processor may dismiss a DPO who is a member of staff of that controller or processor solely where there is just cause, even if the dismissal is not related to the performance of that DPO’s tasks, in so far as such legislation does not undermine the achievement of the objectives of the GDPR.
The second and third questions
37 In the light of the answer given to the first question, there is no need to answer the second and third questions.
The fourth question
38 By its fourth question, the referring court asks, in essence, in which circumstances the existence of a ‘conflict of interests’, within the meaning of Article 38(6) of the GDPR, may be established.
39 As regards, in the first place, the wording of the provision at issue, it should be noted that, as set out in the second sentence of Article 38(6) of the GDPR, ‘the [DPO] may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests’.
40 It thus follows from the wording of that provision, first, that the GDPR does not establish that there is a fundamental incompatibility between, on the one hand, the performance of the DPO’s duties and, on the other hand, the performance of other duties within the controller or processor. Article 38(6) of that regulation specifically provides that the DPO may be entrusted with performing tasks and duties other than those for which he or she is responsible under Article 39 of the GDPR.
41 The fact remains, second, that the controller or its processor must ensure that those other tasks and duties do not give rise to a ‘conflict of interests’. In the light of the meaning of those words in everyday language, it must be held that, in accordance with the objective pursued by Article 38(6) of the GDPR, the DPO cannot be entrusted with performing tasks or duties which could impair the execution of the functions performed by the DPO.
42 As regards that objective, it should, in the second place, be noted that that provision is, in essence, intended, as are the other provisions referred to in paragraph 25 of the present judgment, to preserve the functional independence of the DPO and, consequently, to ensure the effectiveness of the provisions of the GDPR.
43 In the third place, as regards the context of which Article 38(6) of the GDPR forms part, it should be noted that, according to Article 39(1)(b) of the GDPR, the task of the DPO is, inter alia, to monitor compliance with the GDPR, other provisions of EU law or of the law of the Member States on data protection and the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits.
44 It follows, in particular, that a DPO cannot be entrusted with tasks or duties which would result in him or her determining the objectives and methods of processing personal data on the part of the controller or its processor. Under EU law or the law of the Member States on data protection, the review of those objectives and methods must be carried out independently by the DPO.
45 The determination of the existence of a conflict of interests, within the meaning of Article 38(6) of the GDPR, must be carried out, case by case, on the basis of an assessment of all the relevant circumstances, in particular the organisational structure of the controller or its processor and in the light of all the applicable rules, including any policies of the controller or its processor.
46 In the light of all the foregoing, the answer to the fourth question is that Article 38(6) of the GDPR must be interpreted as meaning that a ‘conflict of interests’, as provided for in that provision, may exist where a DPO is entrusted with other tasks or duties, which would result in him or her determining the objectives and methods of processing personal data on the part of the controller or its processor, which is a matter for the national court to determine, case by case, on the basis of an assessment of all the relevant circumstances, in particular the organisational structure of the controller or its processor and in the light of all the applicable rules, including any policies of the controller or its processor.
Costs
47 Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the national court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.
On those grounds, the Court (Sixth Chamber) hereby rules:
1. The second sentence of Article 38(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), must be interpreted as not precluding national legislation which provides that a controller or a processor may dismiss a data protection officer who is a member of staff of that controller or processor solely where there is just cause, even if the dismissal is not related to the performance of that officer’s tasks, in so far as such legislation does not undermine the achievement of the objectives of that regulation.
2. Article 38(6) of Regulation 2016/679 must be interpreted as meaning that a ‘conflict of interests’, as provided for in that provision, may exist where a data protection officer is entrusted with other tasks or duties, which would result in him or her determining the objectives and methods of processing personal data on the part of the controller or its processor, which is a matter for the national court to determine, case by case, on the basis of an assessment of all the relevant circumstances, in particular the organisational structure of the controller or its processor and in the light of all the applicable rules, including any policies of the controller or its processor.
[Signatures]
* Language of the case: German.