Νέο κείμενό μας, από το Εργαστήριο στις Βρυξέλλες (CDSL), αυτή τη φορά για την προστασία του DPO από “ασυμφωνίες” κατά την άσκηση των καθηκόντων του, στο, φιλόξενο, EU Law Live (το κείμενο, όπως πάντα, ελεύθερα προσβάσιμο).
Op-Ed: “As strict as you like – the data protection officers protection against dismissal according to the GDPR” by Daniel Wasser, Nardin Maarouf-Wasser and Vagelis Papakonstantinou
Data protection officers (DPO) are “whiners”, aren’t they? Torpedoing all progress in the name of data protection and being rewarded with special protection against dismissal’. This clearly exaggerated statement, not to be connected to the specific case discussed in this Op-Ed, illustrates the feeling of the management in some corporations.
Although the present authors do not agree with that statement in terms of torpedoing progress, the special protection of DPOs against dismissal according to the GDPR is undoubtedly a controversial issue. In this respect, it has been mainly questioned in Germany whether the German legislature can lawfully provide for a higher level of protection for DPO’s against dismissal than is set out in the EU’s General Data Protection Regulation (GDPR) 2016/679.
This question has now been answered by the Court of Justice in its ruling of 22 June 2022 in Leistritz AG (C-534/20) as follows:
According to the Court of Justice, (the second sentence of) Article 38(3) of the General Data Protection Regulation (GDPR) ‘must be interpreted as not precluding national legislation which provides that a controller or a processor may terminate the employment contract of a data protection officer, who is a member of his or her staff, only with just cause, even if the contractual termination is not related to the performance of that officer’s tasks, in so far as such legislation does not undermine the achievement of the objectives of that regulation’.
I. Facts of the case
Leistritz AG, an international supplier for turbine, pump, extrusion and other technologies, restructured its corporation, terminating its contractual relationship with several employees, including the corporation’s DPO.
The DPO filed a lawsuit against this termination. In this context, the question was raised as to the conditions under which a DPO can be dismissed from employment according to the GDPR and Member States’ laws. The German Federal Labour Court (BAG) initiated the process of a preliminary ruling according to Article 267 TFEU, submitting the case to the Court of Justice (BAG, decision from July 30, 2020 – 2 AZR 225/20 (A)).
The difficulties in deciding the case mainly result from the fact that, according to the second sentence of Article 38(3) GDPR, a DPO shall not be dismissed or penalised by the controller or the processor for performing his tasks. In Germany, however, any termination of a corporation’s mandatorily appointed DPO is additionally unlawful if there is no specific reason. The national provision, §§ 38(2), 6(4) 1 of the German Federal Data Protection Act (Bundesdatenschutzgesetz (BDSG)), in this respect stipulates that termination of the DPOs’ employment relationship is only lawful if the requirements of an extraordinary termination without notice according to § 626 of the German Civil Law Code (Bürgerliches Gesetzbuch (BGB)) are met. Moreover, termination of the employment relationship that does not meet the requirements of § 626 BGB is unlawful within one year starting from the end of the appointment as DPO (§6(4) 3 BDSG).
II. The Opinion of the Advocate General and the judgment of the Court of Justice
Addressing these frictions, the Opinion of Advocate General Richard de la Tour of 27 January 2022 as well as the judgment of the Court of Justice analysed two aspects in particular:
- Does the second sentence of Article 38(3) GDPR also cover the employment relationship? and
- Are the Member States allowed to provide for a higher level of protection?
1. Article 38(3) (second sentence) GDPR covers aspects of employment relationships as well
In this respect, the Court of Justice initially stated that – due to the fact that the wording of Article 38(3) GDPR needs to be interpreted it is necessary to consider not only its wording, but also the context in which the provision applies, and the objectives pursued by the rules of which it is part (para 18 of the judgment).
The Court of Justice agrees with the Opinion of the Advocate General that the second sentence of Article 38(3) GDPR covers dismissal or sanctions related to both the position as a DPO and additional employment relationship.
The second sentence of Article 38(3) GDPR intends to preserve the functional independence of the DPO by prohibiting the termination of a DPO’s employment contract on a ground relating to the performance of his or her tasks (para 25 of the judgment). As terminating a DPO’s employment contract correlates with terminating the function as DPO, the protection according to Article 38(3) GDPR necessarily contains a protection against dismissal. In addition, the provision applies without distinction to an internal and external DPO (paras 22 and 23 of the judgment).
The Court of Justice hence agrees with the Opinion of the Advocate General, stating that the second sentence of Article 38(3) of the GDPR clearly applies without distinction both to a DPO who is an employee of either the controller or processor.
2. Member States may set a higher level of protection for the DPO
The Court of Justice furthermore agrees with the argument put forward by the Advocate General that, with respect to the termination of the DPOs’ contract, Article 153(1)(d) TFEU in conjunction with Articles 2(2) and 4(2)(b) TFEU enable Member States to use their shared competence to legislate if the aspects in questions have not already been covered by the GDPR (para 33 of the judgment).
In this respect, it is to be observed that the special protection against dismissal provided by Article 38(3) GDPR does not lead to the harmonisation of substantive employment law. The objective of Article 38(3) GDPR – according to the Court of Justice – is to ensure the functional independence of the DPO enabling him or her to perform the duties and tasks in an independent manner. Apart from this specific protection, the GDPR does not intend to stipulate specific rules on protection against termination of employment. In other words, Article 38(3) GDPR imposes a prohibition on the dismissal of a DPO in so far as it is related solely to the performance of his duties as a DPO, the specific aspects of terminating the employment relationship have not been stipulated (points 39 and 40 of the AG’s Opinion). As a result, Member States are still competent to strengthen the DPOs’ protection in national legislations.
In conclusion, particularly in Germany, DPOs are rewarded with special protection against dismissal. According to the authors’ view, the decision is to be welcomed but nonetheless causes difficulties at the same time.
Protecting personal data adequately is an important aim. It correlates with the protection of fundamental rights and freedoms of employees and particularly their right to the protection of personal data. This principle is also stipulated in Article 1(2) of the GDPR and specified in Recital 1 of the GDPR. Providing for a higher level of protection is – from a general data protection perspective – to be acknowledged in general.
Transferring the decision to daily practice, however, employers will face problems in ending employment relationships with a DPO. The decision in particular causes difficulties with regard to the variety of levels of employment protection within the Member States. It is thus questionable whether the GDPR achieves its goal to harmonise Member States’ laws (Recital 9 of the GDPR).
The difficulties in particular occur for German corporations or those appointing a DPO in Germany. In this respect, as an example, the following aspects are to be considered:
- First, the DPOs’ employment relationship may only be extraordinarily terminated for serious cause. In this respect, all circumstances of the individual case as well as the interests of both contracting parties are comprehensively considered resulting in a situation in which the terminating party cannot be expected to continue the employment relationship to the end of the ordinary notice period or to the agreed end of the employment relationship.
- The employment relationship must be terminated in writing (§ 623 BGB) within two weeks of the employer becoming aware of the facts relevant to the termination (§ 626(2) BGB).
- However, if the corporation is not mandatorily obliged to appoint a DPO under European or German laws, an ordinary termination is lawful. The German provision § 38(2) BDSG exclusively refers to § 6(4) 1 and 2 BDSG for bodies obliged to appoint a data protection officer.
- If, on the other hand, bodies that are obliged to appoint a data protection officer voluntarily appoint two or more data protection officers, the special protection of Section 6(4) (in conjunction with Section 38(2)) BDSG also applies to them.
Daniel Wasser is Attorney at Law supervising national as well as international corporations in Labor & Employment. Moreover, he is a Ph.D. researcher being supervised by the author Prof. Papakonstantinou at the Vrije Universiteit Brussels. During his research he mainly focuses on aspects of compliance, data protection and employment law.
Nardin Maarouf-Wasser is research associate at an international law firm focusing on data protection. She is an LL.M. student in the and Law Department at the University of Maastricht.
Vagelis Papakonstantinou is Professor at the Vrije Universiteit Brussel. His research focuses i.a. on personal data protection, both from an EU and an international perspective, with an emphasis on supervision, in particular Data Protection Authorities’ global cooperation. Other research topics include cybersecurity, digital personhood and software. He is also a registered attorney with the Athens and Brussels Bar Associations. Since 2016 he has been serving as a member (alternate) of the Hellenic Data Protection Authority. From 2013-2016 he served as a member of the Board of Directors of the Hellenic Copyright Organization.