The GDPR requires both controllers and processors to appoint a Data Protection Officer (DPO) if they meet one of three criteria set out in Article 37 (something we have covered in a previous blog). The application of the criteria listed within Article 37 is fairly clear and is not often a source of confusion. The same cannot be said for the application of Article 38, which relates to the position of the data protection officer. More specifically:
Many of the legal questions and debates relating to Article 38 revolve around these two points above, and in this blog, we will be considering how to apply these requirements, with particular reference to the recent Court of Justice of the European Union (CJEU) case C-453/21 X-FAB Dresden GmbH & Co. KG v FC.
Before going any further, it is important to understand the context and background of this particular case. On the 9th of February 2023, the CJEU issued a preliminary ruling following a request that was submitted by the German Federal Labour Court regarding the application of Articles 38(3) and 38(6). The case concerned the dismissal of the company’s DPO, the reasoning being that a possible conflict of interest was said to have arisen, as the individual acted as the DPO and also performed the duties of chair of the works council. The company argued that the two posts held by the individual were incompatible and that the dismissal was therefore justified, whereas the DPO argued the opposite.
Article 38(3) makes it clear that a DPO cannot be dismissed or penalised for performing their tasks as a DPO as defined in Article 39. Furthermore, in an earlier case C-534/20 Leistritz AG v LH, the CJEU clarified that the DPO must also be protected from decisions that could lead to the termination of their duties by which they are placed at a disadvantage or could receive a penalty. The court related this requirement back to the fact that DPOs must act independently, and therefore they should not be told how to perform (or not to perform) their duties. The CJEU also explained that this applies to DPOs regardless of whether they are outsourced or an employee.
Under the GDPR, this protection for DPOs does not make them invincible, as the protection afforded to them only applies in so far as it relates to the performance of their DPO duties. Therefore, if there are other justifications for such a dismissal, the GDPR would not wholly protect the individual. However, it is important to note that the CJEU pointed out that each Member State is free, within the confines of the law and in the exercise of its retained competence, to lay down more specific provisions around the dismissal of DPOs.
The CJEU in the X-FAB case held that Article 38(3) does not ‘preclude national legislation’ which provides that a controller or a processor may only dismiss their DPO where there is just cause, even if the dismissal is not related to the performance of the DPO’s tasks, as long as the legislation does not undermine the objectives of the GDPR.
Article 38(6) makes it clear that whilst a DPO may hold another role within their organisation, this role cannot present a conflict of interest. This means that the DPO cannot be entrusted to perform tasks or duties which could impair the execution of their functions as a DPO.
In the X-FAB case, the CJEU interpreted this to mean that a ‘conflict of interest’ may exist where a DPO is entrusted with other tasks or duties which would result in them determining the objectives and methods of processing personal data on behalf of the controller or processor. The CJEU maintained that a conflict of interest in such cases is a matter for the national courts to determine on a case-by-case basis and by considering all the facts and circumstances. The CJEU suggested that the national courts would have to look at the organisational structure of the company in question, as well as its rules and policies.
This is not the only case where conflicts of interest have been discussed. In 2020, the Belgian authority fined a telecom service provider €50,000 for appointing its Director for Audit, Risk and Compliance as its DPO, holding that the combined roles were a breach of Article 38(6). In this case, the Litigation Chamber of the Belgian Data Protection Authority (GBA) held that as the DPO was also the manager of three departments, they were likely to decide the purpose and means of processing personal data. In addition, there was likely a risk to the duty of confidentiality, something all DPOs owe to data subjects.
Aside from the example above, the Article 29 Data Protection Working Party released its Guidelines on Data Protection Officers to help offer some further clarification. The guidance makes it clear that the DPO can be someone within the organisation who has other tasks, but these cannot give rise to a conflict of interest, stating: “This entails in particular that the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data. Due to the specific organisational structure in each organisation, this has to be considered case by case”.
The guidance sets out a list of clear examples of where a conflict of interest will typically arise, this includes:
Anyone who works in senior management or anyone who holds a C-suite role will more than likely have some input in deciding on the purpose and means of processing personal data; therefore organisations should ensure that the position of DPO does not sit with them. It is also likely that a lot of these roles will have some kind of economic interest in how the data is being processed, and this, again, is likely to be considered a conflict of interest. When the GDPR was first introduced and the role of the DPO was less well established, it was often left to someone senior to take on the job, meaning that conflicts of interest were rife, although this has changed over recent years, with more and more organisations requiring a dedicated DPO, or choosing to outsource the role to companies with the required expertise.
To work out if an additional role could present a conflict of interest for your DPO, you should consider whether the role allows them to remain at ‘arm’s length’ to the decisions being made about the processing of the data and whether the role would have any impact on their duty to uphold data protection and data subject rights – you do not want your DPO to be your judge, jury, and executioner!
If the unfortunate scenario arises where an organisation is seeking to dismiss its DPO, it must ensure that it is following its jurisdiction’s recommendations and guidance, and be confident that it is dismissing its DPO with just cause and good reason (and not because it disagrees with their conclusion or advice). Organisations must also uphold employment law and contract law, alongside the GDPR, and consider the wider rights associated with and ramifications of their dismissal.
For Article 38(6), essentially this means that organisations need to be careful about who they appoint as their DPO, especially if they are hiring for an in-house position. Organisations have to ensure that there are no clear conflicts of interest between the DPO role and the other roles/duties the individual may hold.
Want to know the easiest way of ensuring your DPO doesn’t have a conflict of interest? Outsource to an external organisation who then acts as your DPO. If you want to know what outsourcing would mean for your organisation, click here to read our blog. If you want to discuss the many additional benefits of outsourcing your DPO, complete the form below and we will be in touch.