The General Data Protection Regulation (GDPR) requires public authorities, organisations whose core activities involve regular monitoring of people’s data, and organisations whose core activities involve the large-scale processing of sensitive personal data or data on criminal convictions, to appoint a Data Protection Officer (DPO), tasked with ensuring compliance with GDPR and other data protection laws.
In the case of X-FAB Dresden (C-453/21), the company’s DPO also held various other positions for X-FAB and its associated companies, including chair of the works council and vice-chair of the central works council. He was dismissed, with X-FAB arguing that his other roles were incompatible and that there was a risk of conflicts of interest. German rules on dismissal allow for terminations without notice for fair reasons. The DPO brought a claim stating that the conflict of interest was not a fair reason. The European Court of Justice (ECJ) was asked to consider whether Article 38(3) of the GDPR precluded member states from domestically legislating for a higher standard of protection against the dismissal of a DPO.
The ECJ ruled that Article 38(3), which states that DPOs shall not be dismissed or penalised for performing their tasks, does not prevent member states from providing DPOs with more protections against dismissal than is required by the GDPR, so long as these protections do not vitiate the DPO’s “functional independence”. Further, it ruled that the DPO’s simultaneous positions did not result in a conflict of interest.
Whilst new ECJ decisions are not binding in UK courts, this case is nonetheless important for UK employers because of the existence of the UK GDPR, which contains equivalent provisions to GDPR Article 38(3) and rules on preventing conflicts of interest. In terms of practical application, while a conflict of interest was not found in the X-FAB case, the court indicated that conflicts of interest will be determined on a case-by-case basis and may arise where a DPO “is entrusted with other tasks or duties, which would result in him or her determining the objectives and methods of processing personal data on the part of the controller or its processor”.
Employers should therefore be aware of the potential for a conflict of interest between the role of the DPO and any other roles the individual holds. Additionally, if an employer is considering dismissing its DPO, it must bear in mind both the requirement under the UK GDPR that a DPO cannot be dismissed or penalised for performing their tasks, and the general requirements under UK employment law protecting employees against unfair dismissal, discrimination etc. Where a conflict arises from roles assigned to a DPO by the employer, the responsibility for resolving it is also likely to fall on the employer – and a tribunal is unlikely to accept that a resolution that consists simply of dismissing the DPO is fair.