ECJ further shapes independent position of DPOs
In a judgment of 9 February 2023 (C-453/21), the European Court of Justice has further shaped the rules surrounding the independence of a data protection officer (DPO), one of the cornerstones of the GDPR.
Whenever appointed within an organisation, data protection officers are charged with informing and advising data controllers and data processors, monitoring compliance with data protection legislation and with the policies adopted within the organisation, and acting as the contact point for supervisory authorities. To perform these tasks effectively, it is of utmost importance that DPOs can function independently. To secure such functional independence, article 38 (3) GDPR specifically stipulates that the data protection officer may not receive any instructions regarding the exercise of his or her tasks, and must report directly to the highest management level. The same article also prohibits data controllers and processors from dismissing or penalizing the DPO for performing his or her tasks.
With respect to the latter aspect, the question arose whether this prohibition precludes national legislation under which a controller or a processor may dismiss a DPO who is a member of staff only where there is just cause, even if the dismissal is not related to the performance of the DPO’s tasks. The Court decided that this is not the case, in so far as such legislation does not undermine the achievement of the objectives of the GDPR.
Leading up to that conclusion, the Court firstly reiterated that the concepts of “dismissing” and “penalizing” must be interpreted according to their meaning in everyday language (see also the judgment of 22 June 2022, C-534/20), so that a DPO must be protected against “any decision terminating his or her duties, by which he or she would be placed at a disadvantage or which would constitute a penalty”. The Court confirmed that a dismissal measure by an employer is capable of constituting such a decision. Secondly, the Court reiterated that the prohibition on dismissing or penalizing a DPO applies regardless of the nature of the relationship with the DPO (i.e. regardless of whether the DPO is an employee or not), but only where the grounds underlying the decision relate to the performance of his or her tasks. The Court considered that every Member State is free to lay down more protective specific provisions on the dismissal of DPOs, in so far as those provisions are compatible with EU law and the GDPR and such increased protection does not undermine the achievement of the objectives of the GDPR. Such undermining could arise, for example, where national legislation prevented the dismissal of a DPO who no longer possesses the required professional qualities, who does not fulfil his or her tasks in accordance with the GDPR, or who is affected by a conflict of interests.
This brings us to the second main focus of the judgment, namely the concept of conflict of interests. Article 38 (6) GDPR allows data protection officers to be entrusted with other tasks and duties (i.e. other than those imposed on him or her by article 39 GDPR), but obliges data controllers and processors to ensure that such tasks and duties do not result in a conflict of interests. As to which circumstances could entail such a conflict of interests, the Court responded rather generally that the DPO cannot be entrusted with tasks or duties that could “impair the execution of the functions performed by the DPO”. More specifically, the Court confirmed that a conflict of interests arises whenever a DPO is entrusted with tasks that involve determining the objectives and methods of processing personal data on the part of the controller or its processor. Evidently, determining the objectives or methods of data processing would clash with the requirement of being able to review those objectives and methods independently. Whether a conflict of interests exists must be assessed on a case-by-case basis in light of all the relevant circumstances (including the organisational structure and the applicable rules and policies).
This finding is not surprising, since it is fully in line with the Article 29 Working Party’s guidelines on data protection officers of 2017 and the recommendation no. 04/2017 on data protection officers of the former Belgian Privacy Commission, dating from 2017 as well.
In two similar decisions (decision no. 18/2020 of 28 April 2020 and decision no. 141/2021 of 16 December 2021), the Litigation Chamber of the current Belgian Data Protection Authority had already found that the function of DPO is incompatible with heading departments such as (operational or information) risk management, special investigations, compliance and internal audit. The Litigation Chamber considered that, as head of those departments, the DPO also carried the ultimate responsibility for determining the objectives and methods of data processing within them. According to the Litigation Chamber, combining such functions prevents the DPO from independently reviewing the data processing activities within those departments. By contrast, the Litigation Chamber approved the combination of the functions of DPO and CISO (Chief Information Security Officer), to the extent that the CISO is not responsible for any operational department but merely has an advisory function (decision no. 56/2021 of 26 April 2021).