CJEU Ruling on Data Protection Officer positions

The recent decision of the Court of Justice of the European Union (CJEU) has defined the function of data protection officers (DPOs) in enterprises and their capacity to conduct other employment-related activities. Article 38 of the EU General Data Protection Regulation explains the roles and responsibilities of DPOs in companies that process personal data.

According to the CJEU, DPOs are expected to exercise their duties and responsibilities independently to guarantee the protection of the rights of data subjects. However, the CJEU also stated that DPOs cannot be assigned tasks or responsibilities that would allow them to determine the purposes and methods of data processing. This restriction is intended to guarantee that DPOs maintain their independence and avoid any conflicts of interest that might develop if they are given additional obligations that could interfere with their core responsibility of defending the rights of data subjects.

The CJEU rendered its decision in response to a request for a preliminary ruling from the German Federal Labour Court, often known as the Bundesarbeitsgericht. This lawsuit includes X-Fab Dresden and its former data protection officer, who was also the chair of the company's works council. X-Fab terminated the previous DPO due to a potential conflict of interest between the two positions. The judgement of the CJEU explains that national courts must examine each case on its own merits and review all pertinent evidence prior to rendering a verdict.

Notably, the CJEU highlighted that Article 38 of the GDPR, which states that DPOs cannot be dismissed or punished for performing their obligations, does not bar national law from establishing extra protections to protect DPOs from termination. However, national laws are inadequate to safeguard DPOs from dismissal when they are unable to carry out their responsibilities independently.

Overall, the CJEU's decision provides organisations with clarity about the role and responsibilities of DPOs and explains the conditions under which DPOs may execute additional employment-related activities. The ruling also highlights the need of maintaining the independence of DPOs and ensuring that they are able to carry out their responsibilities in a manner that safeguards the rights of data subjects.

Should you need GDPR related professional advice, please contact us on [email protected]