Works Council Chairman and Data Protection Officer - a conflict of interests?

In a decision dated 9 February 2023 (in Case C-453/21) the Court of Justice of the European Union (CJEU) ruled that the dual role of an employee as chair of the works council and as data protection officer (DPO) does not necessarily conflict under European Union law, but that this is to be determined by the national court on a case-by-case basis. The fact that a member state lays down more protective specific provisions on the dismissal of a DPO is insofar compatible with EU law.

The Case

The employee, working with the company since 1993, performs the duties of chair of the works council in the company’s operation. He also holds the role of vice-chair of a central works council established for three companies within the corporation, all based in Germany. With the effect from 1 June 2015, the employee was appointed by his employer as well as by other group companies in in parallel as their respective DPO with the intention to ensure a consistent data protection standard throughout the group. At the request of the Data Protection Commissioner of the federal state, the respective group companies dismissed the employee as DPO in December 2017 with immediate effect and, as a precautionary measure, again in 2018. They argued that there was a risk of a conflict of interests if the employee simultaneously performs the functions of DPO and chair of the works council.

The action brought by the employee before the German labor courts seeks a declaration that he retains the position of DPO, and the dismissal was invalid. The lower labor courts in Germany upheld the employee’s action. Germany’s Highest Labor Court, which was called upon in the third instance, has now referred the case to the CJEU by way of a reference for a preliminary ruling, as the interpretation of European law is pivotal.

The court’s Ruling

With Sec. 38 in conjunction with Sec. 6 (4) German Data Protection Act, German legislation created a provision which places stricter requirements on the dismissal of a DPO compared to EU law. With respect to this provision the CJEU rules that the second sentence of Art. 38 (3) General Data Protection Regulation (GDPR) must be interpreted as not precluding national legislation which provides that a controller or a processor may dismiss a DPO employed by them solely where there is just cause, even if the dismissal is not related to the performance of that officer’s duties insofar as such stricter protection does not undermine the achievement of the objectives of that regulation. Notably, these objectives are to ensure a high level of protection for individuals within the European Union regarding the processing of their personal data, and that, in order to achieve that objective, to ensure full independency of the DPO in the performance of his or her duties.

On the further question of whether there is a conflict of interests within the meaning of Art. 38 (6) GDPR if a DPO also performs the duties of the chair of a works council, the CJEU rules that a conflict of interest may exist where a DPO is entrusted with other tasks or duties that could impair him or her in performing his or her duties as DPO in a fully independent manner. Whether this is the case is a matter for the national court to determine, case by case, based on an assessment of all the relevant circumstances, in particular the organizational structure of the controller or its processor and in the light of all the applicable rules, including any policies of the controller or its processor.

Comments

The CJEU responds to the question of whether the role of a DPO is incompatible with the duties of a works council chair from a data protection law perspective only to the extent that this is not to be decided under EU law, but under national law. It remains to be seen how the German Federal Court will decide. With focus on the labor relations practice and in favor of a functioning collaboration between employer and employee representatives, it is important to keep the role of the DPO separate from a works council mandate. This can be essential to avoid even more difficult negotiations with the works councils on employee data privacy. For example, when implementing new software systems the works council must be involved.