The European Court of Justice ("ECJ"), in its judgment of 9 February 2023 in Case C-453/21, considered when a Data Protection Officer ("DPO") may be dismissed and whether the DPO may perform other duties that could give rise to a conflict of interest. The ECJ ruled that an appointed DPO cannot hold a position within the organisation that would result in him or her determining the purposes and methods of processing personal data. The decision has significant implications for organisations wishing to entrust their DPO with additional tasks that may conflict with the DPO's duties.
X-Fab, a company based in Germany, appointed a DPO in 2015 who, in addition to his data protection-related duties, was also the chair of the local works council and the deputy chair of the central works council. X-Fab later dismissed the DPO in 2017 at the request of the State Commissioner for Data Protection and Freedom of Information of Thuringia, Germany, due to a conflict of interest between the DPO's duties within the company. Later, the X-Fab companies repeated the dismissal of the DPO on the basis of the second sentence of Art. 38(3) GDPR. The former DPO considered his dismissal unlawful and went to court, and the case ended up before the German Federal Labour Court, which referred its questions to the ECJ.
The ECJ ruled that a DPO can be dismissed under certain conditions, based on national law, without undermining the objectives of the GDPR.
Furthermore, the ECJ held that the DPO may be entrusted with other tasks, provided that the DPO does not in any way determine the purposes and methods of the processing carried out by the controller or its processor. The ECJ emphasised that such tasks and the related potential conflict of interest must be assessed on a case-by-case basis, including in the light of the organisational structure of the controller or processor and the applicable internal company policies.
In practice, the ECJ's ruling means that the role and tasks of a DPO must be interpreted, on a case-by-case basis for the organisation concerned, in such a way as to ensure the functional requirements and objectives set out in the GDPR and applicable national legislation. The DPO can in no way be tasked with determining the purposes and methods of data processing activities, and the DPO can be dismissed on the basis of national legislation, without prejudice to the organisational objectives of GDPR compliance.
By Adam Liber and Tamas Bereczki, Partners, Provaris