In its judgment of 22 June 2022 (Case C-534/20; available here), the ECJ ruled on the question whether the GDPR allows for the applicability of the German provisions governing the termination of a data protection officer’s (DPO) employment pursuant to Paragraph 38 (2) and Paragraph 6 (4) sentence 2 Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG). According to the ECJ, the German provisions, under which a DPO’s employment may only be terminated for just cause, even if the termination is not related to the performance of his or her duties, in principle do not conflict with EU law. However, the realisation of the objectives of the GDPR must not be compromised by the interpretation of the regulations, i.e., the DPO must continue to be sufficiently competent for his or her activities. The German Federal Labour Court (Bundesarbeitsgericht, BAG) followed the ECJ in its ruling of 25 August 2022 (Case 2 AZR 225/20 – available here) and denied that the achievement of GDPR objectives is undermined by the German provisions. Although the BAG did not completely resolve the conflict between German employment protection law and the GDPR in its ruling, it indicates that it does not want to tamper with the strict, traditionally employee-friendly application of employment protection law in favour of data protection.

Background

The BAG had to decide on the lawfulness of a DPO’s employment termination by her employer. The employer, a company governed by private law, which is obliged under German law to appoint a DPO, had terminated the DPO's employment with due notice because of a restructuring measure (i.e., the planned outsourcing of data protection tasks to an external data protection officer). The courts of lower instance held that the termination was invalid because the provisions governing the termination of a DPO’s employment pursuant to Paragraph 38 (2) and Paragraph 6 (4) sentence 2 BDSG were applicable and for this reason the employment relationship could only have been terminated for just cause.

Paragraph 6 (4) BDSG, which also applies to mandatorily appointed DPOs of non-public bodies pursuant to Paragraph 38 (2) BDSG, reads as follows:

"The dismissal of the data protection officer shall be permitted only by applying Paragraph 626 of the German Civil Code accordingly. The data protection officer’s employment shall not be terminated unless there are facts that give the public body just cause to terminate without notice. [...]"

The BAG had doubts about the compatibility of this provision with Article 38 (3) sentence 2 GDPR ("He or she [the data protection officer] shall not be dismissed or penalised by the controller or the processor for performing his [or her] tasks."), because the German provisions impose stricter requirements on the termination of a DPO’s employment than the EU law provision. Whether there is still room for Member State legislation on the termination of a DPO’s employment in addition to the EU law provisions has been a matter of dispute among German legal scholars so far.

Against this background, the BAG submitted the following question to the ECJ[1]:

"Is the second sentence of Article 38 (3) of [the GDPR] to be interpreted as precluding a provision in national law, such as Paragraph 38 (1) and (2) in conjunction with the second sentence of Paragraph 6 (4) of the [BDSG], which declares ordinary termination of the employment contract of the data protection officer by the data controller, who is his or her employer, to be impermissible, irrespective of whether his or her contract is terminated for performing his or her tasks?”

Preliminary ruling of the ECJ

The ECJ’s answer to the BAG's question is that the second sentence of Article 38 (3) of the GDPR must be interpreted as not precluding national legislation which provides that a controller or a processor may terminate the employment contract of a data protection officer, who is a member of his or her staff, only with just cause, even if the contractual termination is not related to the performance of that officer’s tasks, in so far as such legislation does not undermine the achievement of the objectives of the GDPR.

The ECJ justified its decision by stating that Article 38 (3) sentence 2 GDPR serves solely to protect the functional independence of the DPO and the effectiveness of the provisions of the GDPR. The provision is not intended to govern the employment relationship between a controller or a processor and its employees; this relationship is at most incidentally affected, insofar as this is strictly necessary for the achievement of the above-mentioned GDPR objectives. By contrast, the fixing of rules on the protection of DPOs against termination of their employment is primarily a matter of social policy. In this area, EU Member States are not prevented from regulating stricter provisions than the EU legislator, as long as these comply with EU law.

As regards the compatibility of national provisions protecting the DPO against the termination of his or her employment with the GDPR, the ECJ notes that protective provisions should not be so strict as to undermine the achievement of the objectives of the GDPR. This would be the case, however, if the provisions

"prevented any termination of the employment contract, by a controller or by a processor, of a data protection officer who no longer possesses the professional qualities required to perform his or her tasks or who does not fulfil those tasks in accordance with the provisions of the GDPR.”

The ruling of the BAG

As expected, the BAG followed the ECJ in its ruling and found that the achievement of the objectives of the GDPR is not undermined by the German provisions. Although the conditions under which the employment relationship of a DPO can be terminated are raised to the threshold of "just cause", not every termination of a DPO’s employment who no longer possesses the professional qualities required for the performance of his or her duties or who does not fulfil those duties is prohibited (as required by the ECJ). To emphasise that a DPO is not protected from any loss of his/her position, the BAG cites the possibility of a request for dismissal by the supervisory authorities of the states pursuant to Section 40 (6) sentence 2 BDSG. In this context, the BAG states that the termination of a DPO’s employment is regularly not necessary in addition to his or her dismissal.

In the specific case at hand, the BAG does not consider the objectives of the GDPR to have been compromised. The employer's statements on the necessity of the restructuring measures were too general and did not substantiate that the continuation of the employment relationship was unacceptable from a data protection standpoint. However, according to the BAG the termination of a DPO’s employment for restructuring reasons is not completely ruled out. A termination for “just cause” could be considered if an ordinary termination is excluded and this leads to the fact that the employer would still have to pay the former DPO for years despite the loss of the employment opportunity.

Does that clear everything up?

No. The dispute as to whether it is possible for Member States to provide stricter rules on the protection against the termination of a DPO’s employment than under EU law has been resolved, but the question now arises as to how strict these provisions may be and/or how strict they may be interpreted in order not to violate the GDPR.

In terms of the German provisions, it is still not clear whether and when a termination may be based on data protection grounds. The ECJ indicated that it must be possible to terminate a DPO’s employment in cases where the DPO no longer fulfils his or her duties under the GDPR or no longer possesses the qualities required for this purpose. The statement of the BAG that a termination is not made impossible or unreasonably difficult by the German provisions, but rather requires the existence of personal or behavioural reasons on the threshold of a "just cause", somewhat evades the ECJ’s position on this. By referring to the fact that the dismissal of the DPO is regularly sufficient to ensure the achievement of the objectives of the GDPR and that a termination is thereby not necessary, the BAG moves in the opposite direction and suggests that an impairment of GDPR objectives alone would not justify a termination. The BAG thus states that a dismissal, which under German law also requires a “just cause”, can be exercised below the threshold of a termination of the DPO’s employment. Whether and, if so, in which cases it considers a termination in the interest of data protection to be possible - as required by the ECJ - remains open. That is why the last word on the conflict between data protection and employment protection law with respect to the termination of a DPO’s employment has not been spoken. Going forward, German labour courts will have to deal with the question of when a DPO’s lack of necessary professional qualities or the non-fulfilment of his or her official duties constitutes a just cause for termination. The further developments should be followed by all concerned and interested parties.

ECJ will rule on the provisions governing the dismissal of a DPO

Moreover, it is still not clear whether the German provisions on the dismissal of a DPO pursuant to Paragraph 6 (4) sentence 1 BDSG (see above) are compatible with EU law. It is not certain that the ECJ's ruling on the termination of a DPO’s employment can also be applied to the provisions of the member states on the dismissal of a DPO. In particular, it is questionable whether the ECJ’s considerations on the socio-political nature of the provisions on the protection against employment termination are also applicable to a DPO dismissal. Thus, there is still a question mark behind the validity of the German provisions.

A further decision of the ECJ, which is expected at the end of this year or the beginning of next year, will presumably shed light on this issue. In another request for a preliminary ruling (decision of 27 April 2021 - 9 AZR 621/19), the BAG asked the ECJ whether Paragraph 6 (4) sentence 1 BDSG is compatible with Article 38 (3) sentence 2 GDPR.

Regardless of how the ECJ will rule, in practice the temporary appointment of a DPO or the engagement of an external DPO are likely to remain the safest instruments if a company wishes to have flexibility.