What had happened?
An employee took his employer to court because he believed that he had been wrongly dismissed as the data protection officer with immediate effect.
He had been appointed as the data protection officer in 2015 and simultaneously served as the chairperson of the works council. However, the Thuringian State Commissioner for Data Protection expressed doubts as to whether these two offices could be viably held by a single person at a company. This was not without consequences: The employer withdrew the appointment of the data protection officer at the end of 2017 with immediate effect on the basis of the Federal Data Protection Act (BDSG) as amended at that time.
The employer stated that the two positions were not compatible, that conflicts of interest could arise when performing their respective duties and that the circumstances represented due cause for the dismissal. After the GDPR entered into force in 2018, the employer took further steps and also removed the employee as the data protection officer pursuant to Article 38 (3) sentence 2 of the GDPR as a precautionary measure.
The employee objected to the dismissal, stating that it was unlawful and that he did not see conflicts of interest as justification for the dismissal with immediate effect.
European Court of Justice clarifies the Federal Labor Court’s queries
The case went all the way to the Federal Labor Court. To assure conclusive ruling on the case, the Federal Labor Court, in turn, submitted a number of questions to the European Court of Justice which first had to be resolved. On the one hand, the Federal Labor Court wanted to know whether the legal basis for dismissal under German law (BGB, BDSG) could be stricter than the stipulations of EU law. On the other hand, the European Court of Justice was asked to clarify whether the same person at the company could simultaneously serve as the data protection officer and the works council chairperson or whether this combination of offices created a conflict of interest pursuant to Art. 38 (6) sentence 2 of the GDPR. After all, the Federal Labor Court had already issued a ruling in 2011 (Federal Labor Court, decision dated March 23, 2011, Ref.: 10 AZR 562/09) stating that these offices were compatible with each other.
Yet, the court was no longer entirely without doubts.
Decision by the European Court of Justice in advance
The European Court of Justice stated that national law (BGB, BDSG) fundamentally conforms with European law on this issue.
At the same time, the court also ruled that the offices of data protection officer and works council chairman are only compatible if the reliability as the data protection officer does not suffer due to a conflict of interest. However, this is the case if the data protection officer simultaneously holds an office at the company which also involves determining the purposes and means of processing of personal data (ECJ, decision dated February 9, 2023 – C-453/21).
Works council chair and data protection officer not possible at the same time
On the basis of the decision by the European Court of Justice, the Federal Labor Court ruled that this was precisely the case with the combined roles of works council chairperson and data protection officer.
It was not possible for one of the same person to serve as the chairperson of the works council and the data protection officer. The works council decides on the conditions and of which it would request personal data from the employer and how it would process this information. Therefore, the works council itself determines the purposes and processing personal data within the company.
Hints, conflicts of interest could arise in view of the prominent position of chairperson of the works council which would then lead to unreliability. In turn, this justified the dismissal as the data protection officer.
Summary of the key facts:
- The provisions of the BGB and BDSG regarding the dismissal of a data protection officer with immediate effect comply with European law.
- If a data privacy officer holds other offices within the company and this leads to a conflict of interests, this may represent good cause for dismissal of the data privacy officer.
- Serving as the chairperson of the works council and holding the office of data protection officer are mutually exclusive due to such a conflict of interests.