In its judgment of 22 June 2022 (Case C-534/20; available here), the ECJ ruled on the question whether the GDPR allows for the applicability of the German provisions governing the termination of a data protection officer’s (DPO) employment pursuant to Paragraph 38 (2) and Paragraph 6 (4) sentence 2 Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG). According to the ECJ, the German provisions, under which a DPO’s employment may only be terminated for just cause, even if the termination is not related to the performance of his or her duties, in principle do not conflict with EU law. However, the realisation of the objectives of the GDPR must not be compromised by the interpretation of the regulations, i.e., the DPO must continue to be sufficiently competent for his or her activities. This means that a termination must be possible even if the strict requirements under the traditional employee-friendly application of German employment protection law are not met. How the German courts will deal with this remains to be seen.

Background

The ECJ's decision is based on the request for a preliminary ruling of the German Federal Labour Court (Bundesarbeitsgericht, BAG) made by the decision of 30 July 2020 (2 AZR 225/20). The BAG had to decide on the lawfulness of a DPO’s employment termination by her employer. The employer, a company governed by private law, which is obliged under German law to appoint a DPO, had terminated the DPO's employment with due notice because of a restructuring measure. The courts of lower instance held that the termination was invalid because the provisions governing the termination of a DPO’s employment pursuant to Paragraph 38 (2) and Paragraph 6 (4) sentence 2 BDSG were applicable and for this reason the employment relationship could only have been terminated for just cause.

Paragraph 6 (4) BDSG, which also applies to mandatorily appointed DPOs of non-public bodies pursuant to Paragraph 38 (2) BDSG, reads as follows:

"The dismissal of the data protection officer shall be permitted only by applying Paragraph 626 of the German Civil Code accordingly. The data protection officer’s employment shall not be terminated unless there are facts that give the public body just cause to terminate without notice. [...]"

The BAG had doubts about the compatibility of this provision with Article 38 (3) sentence 2 GDPR ("He or she [the data protection officer] shall not be dismissed or penalised by the controller or the processor for performing his [or her] tasks."), because the German provisions impose stricter requirements on the termination of a DPO’s employment than the EU law provision. Whether there is still room for Member State legislation on the termination of a DPO’s employment in addition to the EU law provisions has been a matter of dispute among German legal scholars so far.

Against this background, the BAG submitted the following question to the ECJ*:

"Is the second sentence of Article 38 (3) of [the GDPR] to be interpreted as precluding a provision in national law, such as Paragraph 38 (1) and (2) in conjunction with the second sentence of Paragraph 6 (4) of the [BDSG], which declares ordinary termination of the employment contract of the data protection officer by the data controller, who is his or her employer, to be impermissible, irrespective of whether his or her contract is terminated for performing his or her tasks?”

The decision of the ECJ

The ECJ’s answer to the BAG's question is that the second sentence of Article 38 (3) of the GDPR must be interpreted as not precluding national legislation which provides that a controller or a processor may terminate the employment contract of a data protection officer, who is a member of his or her staff, only with just cause, even if the contractual termination is not related to the performance of that officer’s tasks, in so far as such legislation does not undermine the achievement of the objectives of the GDPR.

The ECJ justified its decision by stating that Article 38 (3) sentence 2 GDPR serves solely to protect the functional independence of the DPO and the effectiveness of the provisions of the GDPR. The provision is not intended to govern the employment relationship between a controller or a processor and its employees; this relationship is at most incidentally affected, insofar as this is strictly necessary for the achievement of the above-mentioned GDPR objectives. By contrast, the fixing of rules on the protection of DPOs against termination of their employment is primarily a matter of social policy. In this area, EU Member States are not prevented from regulating stricter provisions than the EU legislator, as long as these comply with EU law.

As regards the compatibility of national provisions protecting the DPO against the termination of his or her employment with the GDPR, the ECJ notes that protective provisions should not be so strict as to undermine the achievement of the objectives of the GDPR. This would be the case, however, if the provisions

"prevented any termination of the employment contract, by a controller or by a processor, of a data protection officer who no longer possesses the professional qualities required to perform his or her tasks or who does not fulfil those tasks in accordance with the provisions of the GDPR.

Does that clear everything up?

No. The dispute as to whether it is possible for Member States to provide stricter rules on the protection against the termination of a DPO’s employment than under EU law has been resolved, but the question now arises as to how strict these provisions may be in order not to violate the GDPR.

From the ECJ's answer to the BAG’s question it can be concluded that the Court considers the German provisions requiring just cause for the termination of a DPO’s employment to be, in principle, compatible with the GDPR. However, the provisions must be interpreted in conformity with EU law so that they do not prevent the termination of a DPO even though he or she no longer possesses the professional qualities required for the performance of his or her tasks or does not perform his or her duties in accordance with the GDPR.

It remains to be seen whether German courts, which tend to be pro-employee, will consider these two cases to be "just causes" for termination in future decisions and/or whether they will develop further cases for just cause where termination is required to achieve the objectives of the GDPR. In any case, the question whether there is just cause for termination must still be determined on a case-by-case basis and court decisions will remain difficult to predict. But from now on the effects of a termination on the obligations under the GDPR will play a major role in determining whether there is just cause for termination.

The BAG must now resume the suspended proceedings and decide on the case that gave rise to the questions submitted to the ECJ. It is likely that the BAG will issue a “facts-based decision” and not provide any further interpretative guidance.

What applies to the dismissal of a DPO?

Another open question is whether the German provisions on the dismissal of a DPO pursuant to Paragraph 6 (4) sentence 1 BDSG (see above) are compatible with EU law. In its most recent judgement, the ECJ solely ruled on national legislation on the protection against the termination of a DPO’s employment but not on dismissal provisions.

For the dismissal of a DPO, German law similarly requires a just cause by applying Paragraph 626 of the BGB (see above) and, therefore, provides for a stricter protective provision than Article 38 (3) sentence 2 of the GDPR.

It is not certain that the ECJ's decision can also be applied to Member State provisions on the dismissal of a DPO. In particular, it is questionable whether the Court's considerations on the socio-political nature of the provisions on the protection against employment termination are also applicable to a DPO dismissal. Thus, there is still a question mark behind the validity of the German provisions. In practice, for the time being, the temporary appointment of a DPO is likely to remain the safest instrument if a company wishes to retain flexibility.

However, a further ruling of the ECJ, which is expected to be issued in the course of this year, could resolve this issue: In another request for a preliminary ruling (decision of 27 April 2021 - 9 AZR 621/19), the BAG asked the ECJ whether Paragraph 6 (4) sentence 1 BDSG is compatible with Article 38 (3) sentence 2 GDPR.

*two further questions submitted by the BAG were asked on the condition that the ECJ answered the first question with "yes"; since the ECJ answered the first question with "no", it did not have to decide on these questions.