The data protection officer (DPO) plays an important supervisory role with regard to compliance with legal requirements and policies on the subject that may have been adopted by the entity that appointed him or her, whether the data controller or the processor.
The subject of the DPO – more correctly, the requirements referring to his or her designation, duties, and protections – is one of the few that the GDPR addresses indiscriminately to both data controllers and processors.
Consequently, the data processor may also be liable for violating one of the GDPR’s provisions regarding the DPO, be subject to the administrative fine under Article 83, or even be sued for damages that may have been caused (Article 82, GDPR).
Therefore, what is stated in these comments applies indiscriminately to entities assuming the role of data controllers or data processors.
CJEU C-453/21
The DPO performs a supervisory function regarding the effective enforcement of applicable rules and any internal data protection policies by the organization of the data controller or data processor for which he or she has been appointed.
For the proper performance of this mandate, there are certain requirements to be met both for the selection step of the candidate and for the step of managing the activities of the delegated person.
In the first case, the DPO to be appointed must have specific expertise, both technical and with regard to the specifics of the processing carried out by the organization.
In the second, it is necessary that the DPO be able to carry out his or her mandate in a condition of independence, without receiving instructions regarding the performance of his or her duties and without being in a situation of conflict of interests.
Ever since the GDPR was drafted, however, some questions have arisen regarding its enforcement; for example:
- what is meant by the prohibition of penalization;
- what independence consists of;
- how conflict of interests cases are identified and who assesses the existence of such cases;
- in case it becomes known that the appointed DPO has a conflict of interests, can the DPO be dismissed without violating the prohibition of penalization?
These and other questions in this regard have been answered by the Court of Justice’s Feb. 9, 2023 decision in X-FAB Dresden GmbH & Co. KG v. FC, C-453/21, on a reference for a preliminary ruling that essentially concerns the interpretation to be given to the second sentence of Article 38(3) of the GDPR, which reads as follows:
“The Data Protection Officer shall not be dismissed or penalised by the controller or the processor for performing his tasks.”
The case
The request for a preliminary ruling arises from a dispute in the German courts regarding the following case.
FC has been employed by X-FAB since 1993 and performs the functions of chairman of the works council at the company. He also serves as vice-chairman of the central works council established for three companies in the same group of companies, based in Germany.
Effective June 2015, FC is designated by each enterprise separately as DPO in order to ensure a uniform level of data protection in those enterprises.
Dismissal due to conflict of interests
At the request of the Data Protection and Freedom of Information Officer of Thüringen (i.e., the supervisory authority of that German Land), X-FAB and other subsidiaries remove FC from his duties as DPO with immediate effect, based on a conflict of interests assessed under German law.
FC is appealing the dismissal decision before the German courts in order to have it declared that his status as DPO persists. The companies, for their part, defend themselves by arguing that “there is a risk of conflict of interests if FC exercises the functions of DPO and chairman of the works council at the same time, since these two positions are incompatible. Accordingly, there would be just cause for the dismissal of FC from his duties as DPO.” (see p. 14, C-453/21).
In the first two instances, the courts upheld the action brought by FC; the Supreme Court (Federal Labor Court, Germany), though inclined to conform to the previous judgments, referred the case to the CJEU with a request for a preliminary ruling.