Dismissal of DPO in concerns of potential conflicts of interests justified under national legislation Summary • A conflict of interests may arise if a data protection An employee, who had been working for X-FAB since 1st officer has additional tasks or duties that would November 1993, held the positions of chair of the works enable them to determine the objectives and council and vice-chair of the central works council methods of processing personal data for the for three undertakings within the group of companies, controller or processor (GDPR, Article 38(6)). The all of which belonged to X-FAB and were situated in national court must determine whether such Germany. Beginning in June 2015, the employee was a conflict exists on a case-by-case basis by appointed as the DPO for X-FAB, its parent company, assessing all relevant circumstances, including and other subsidiaries established in Germany. the organizational structure of the controller or processor and applicable rules and policies. However, in response to a request from the Thüringen DPA, X-FAB and the undertakings in question dismissed Our remarks the employee from his duties as DPO, citing concerns of • The DPO should be able to perform their duties potential conflicts of interest due to his concurrent roles and tasks in an independent manner. In that as DPO and chair of the works council. The company regard, such independence must necessarily argued that the dismissal was justified under national enable them to carry out those tasks in legislation that allowed for dismissal with ‘just cause’. accordance with the objective of the GDPR. The As a result, the employee brought an action before the DPO cannot be assigned responsibilities that German courts seeking a declaration that he should involve deciding on the objectives and methods retain the position of DPO. of processing personal data for the controller or its processor. It is necessary to evaluate all The Decision of the European Court of Justice the relevant circumstances on a case-by-case (CJEU) basis, including the organizational structure The preliminary ruling by the CJEU ruled that the of the controller or its processor, applicable dismissal of the DPO grounded in the ‘just cause’ notion regulations, and any policies of the controller or in national legislation was justified with the following its processor, to identify any potential conflicts arguments: of interest. • According to national legislation, a controller or • According to the CJEU, Member States are processor has the authority to dismiss a data allowed to lay down more protective legislation protection officer who is an employee of that relating to the dismissal of a DPO employed controller or processor, even if the dismissal is not by a controller or by a processor, if such related to the officer’s tasks. This provision does not legislation is intended to preserve the functional violate the second sentence of GDPR, Article 38(3) independency of the DPO and is compatible provided that such legislation does not undermine with EU law. When operating as a DPO in the objectives of the Regulation and remains multiple countries, make sure to evaluate the compatible with EU law. legal landscapes in each country to ensure sufficient functional independence. Published: 09-02-2023 Journal number: C-453/21 Tags: 01 Legal Basis and principles 68