by Adam Finlay, Partner, Technology & Innovation Group at McCann FitzGerald LLP
The position of a Data Protection Officer (“DPO”) is unique, insofar as it is a role within an organisation that is specifically protected under EU law. Recently, decisions from the Court of Justice of the European Union (“CJEU”) have shed further light on when a DPO is permitted under the General Data Protection Regulation (“GDPR”) to juggle other responsibilities, and whether member states can provide additional grounds for their dismissal.
The European Data Protection Board (“EDPB”) has also launched a new coordinated enforcement action targeting the role of DPOs within organisations, which will lead to supervisory authorities taking a more proactive approach in assessing compliance.
The role of a Data Protection Officer
Under the GDPR, certain categories of organisations are required to designate an individual as their DPO. Their responsibilities include, among other things, auditing the organisation’s compliance with data protection law, advising the controller/processor of their obligations and serving as the point of contact with data subjects and the relevant data protection supervisory authority[1]. While this person can be an employee or an external contractor, DPOs are expected to report to the “highest management level” of the organisation[2] and be supported with sufficient resources in order to carry out their tasks and maintain their expert knowledge in data protection[3].
Article 38(3) of the GDPR confers significant protection on an organisation’s DPO, by stating that they “shall not be dismissed or penalised by the controller or processor for performing [their] tasks”. This is to ensure, as per Recital 97, that the DPO is “in a position to perform their duties and tasks in an independent manner”. Interestingly, Article 38(6) provides that the DPO “may fulfil other tasks and duties” but that “the controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests”.
Background to the cases
Two recent judgments from the CJEU have now provided more clarity on the test for discerning when a DPO may find themselves in a conflict of interest when occupying an additional role within an organisation.
In X-FAB Dresden v FC[4], the DPO of a German company simultaneously held the role of chair of the company’s works council. He was originally dismissed with immediate effect in December 2017. In light of the introduction of the GDPR in 2018, his employer informed him of his dismissal a second time and stated that it was justified on the basis that he could not perform both of his assigned roles concurrently. The claimant then instituted legal proceedings seeking his reinstatement as DPO at the company.
The judgment in the second case, SZ v KISA[5], does not disclose what other responsibilities came into conflict with the role of the DPO, but the DPO in question maintained that there was no serious reason which could justify his dismissal.
The Federal German Labour Court referred a number of questions to the CJEU for consideration. The German law on data protection provided that a DPO could only be relieved of their duties for serious cause. The CJEU was therefore asked, with reference to Article 38(3) and the prohibition on penalisation of DPOs, whether EU law prevented Germany from imposing stricter conditions for dismissing a DPO over and above what was included in the GDPR. The German Court also enquired as to where a conflict of interest may arise when a DPO is assigned multiple roles or responsibilities.
In both cases, the CJEU reiterated its view from Leistritz[6] that the purpose of Article 38(3) is to “protect the functional independence of the DPO and, therefore, to ensure that the provisions of the GDPR are effective”.
It found that member states are permitted to introduce additional protections against the dismissal of DPOs, but any such protections cannot “undermine the achievement of the objectives of the GDPR”. This may arise if a DPO cannot be dismissed when they no longer possess “the professional qualities required to perform his or her tasks, in accordance with Article 37(5) of the GDPR”. Article 37(5) states that the DPO should be appointed on the basis of professional qualities, expert knowledge of data protection law and a capacity to carry out their responsibilities under the GDPR.
The CJEU also added, in the X-FAB judgment, that any increased protection for the DPO which would prevent their dismissal in circumstances where they are no longer in a position to act independently (on account of there being a conflict of interest) would undermine the objective of the GDPR. In explaining how such a conflict would arise, the court stated that the DPO is permitted to fulfil other tasks and duties, but these cannot “impair the execution of the functions performed by the DPO”. It explained that if the DPO’s role under the GDPR is to monitor compliance with data protection law, then they cannot be entrusted with determining the objectives and methods of processing personal data for the controller or its processor. Such tasks must be carried out by another party, as the DPO’s role is to independently review this processing.
In any event, whether a DPO is affected by a conflict of interest must be assessed on a case-by-case basis. Such assessment would have regard to the organisational structure of the controller (or processor) and the rules and policies it has put in place.
In September 2022, the Berlin commissioner for data protection imposed a €525,000 fine on an e-commerce retailer after finding that its DPO also occupied the role of managing director of two of its data processors. Following on from this fine and the cases outlined above, on 15 March 2023 the EDPB launched its second coordinated enforcement action targeting the designation and position of the DPO within organisations. This means that data protection authorities, such as the Irish Data Protection Commission, will be tasked by the EDPB to prioritise ensuring compliance with the requirements of the GDPR when it comes to the appointment and role of the DPO. The EDPB has indicated that DPOs should expect to receive questionnaires to assist in aggregating enforcement data, which also allow supervisory authorities to identify grounds for investigation.
The two judgments of X-FAB Dresden and KISA, combined with increased scrutiny from supervisory authorities, serve as an additional reminder to organisations processing personal data to ensure that their DPOs are able to function independently and effectively in their role.
Also contributed to by Lisa Leonard
1. Article 39 of the GDPR.
2. Article 38(3) of the GDPR.
3. Article 38(2) of the GDPR.
4. Case C‑453/21.
5. Case C-560/21.
6. Case C‑534/20.
About the author
Adam advises on a wide range of data protection, information technology, intellectual property, cyber security and outsourcing issues. His clients include international and domestic market leaders, innovative disruptors and regulatory bodies.
He acts as trusted advisor to clients on all aspects of data protection and e-privacy law and compliance strategies, with a particular focus on providing sector specific and commercial advice.
On the technology side, Adam drafts and negotiates outsourcing agreements, software licences, IT services agreements and transitional services agreements, and advises on the legal issues attached to digital transformation projects, transacting online and dealing with consumers.