CJEU rules on dismissal of a data protection officer under the GDPR

February 24, 2023

The CJEU has ruled in the case of In X-FAB Dresden GmbH & Co KG v FC (Case C-453/21).

It was asked by the German courts to decide if a data protection officer is subject to a conflict of interests and if the GDPR precludes national legislation which sets out more protective specific provisions on the dismissal of a data protection officer.

In this case, FC was employed by X-FAB from 1 November 1993. He performed the duties of chair of the works council in that company. He was also vice-chair of the central works council which was established for three undertakings in the German group of companies to which X-FAB belongs. From 1 June 2015, FC was appointed, by each undertaking separately, as the DPO of X-FAB, its parent company and the other subsidiaries of the parent company established in Germany. According to the referring court, the aim of that appointment in parallel of FC as the DPO of all those undertakings was to ensure a uniform level of data protection in those undertakings.

At the request of the state officer for data protection and freedom of information of Thüringen, X-FAB dismissed FC as data protection officer. FC brought court proceedings seeking a declaration that the retains the position of DPO of X-FAB. X-FAB argued that there is a risk of a conflict of interests if FC simultaneously performs the functions of DPO and chair of the works council, on the ground that those two posts are incompatible. There is, therefore, a just cause justifying FC’s dismissal as DPO.

German laws gave data protection officers more protection than the GDPR which provides that data protection officers may not be dismissed or penalised for performing his tasks.

The courts of first instance and of appeal upheld FC’s action. X-FAB appealed to the Bundesarbeitsgericht (Federal Labour Court, Germany). It had to reconcile the two laws and referred the case to the CJEU.

The court ruled that:

  • The second sentence of Article 38(3) of the GDPR must be interpreted as not precluding national legislation which provides that a controller or a processor may dismiss a data protection officer who is a member of staff of that controller or processor solely where there is just cause, even if the dismissal is not related to the performance of that officer’s tasks, in so far as such legislation does not undermine the achievement of the objectives of that regulation.
  • Article 38(6) must be interpreted as meaning that a ‘conflict of interests’, as provided for in that provision, may exist where a data protection officer is entrusted with other tasks or duties, which would result in him or her determining the objectives and methods of processing personal data on the part of the controller or its processer, which is a matter for the national court to determine, case by case, on the basis of an assessment of all the relevant circumstances, in particular the organisational structure of the controller or its processor and in the light of all the applicable rules, including any policies of the controller or its processor.

This decision is not binding in the UK. However, the UK GDPR reflects the provisions concerning the dismissal of a data protection officer and conflict of interests.