Case C‑534/20

Leistritz AG

v

LH

(Request for a preliminary ruling from the Bundesarbeitsgericht)

Judgment of the Court (First Chamber), 22 June 2022

(Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Second sentence of Article 38(3) – Data protection officer – Prohibition of the dismissal, by a controller or processor, of a data protection officer or of the imposition, by a controller or processor, of a penalty on him or her for performing his or her tasks – Legal basis – Article 16 TFEU – Requirement of functional independence – National legislation prohibiting the termination of a data protection officer’s employment contract without just cause)

Protection of natural persons with regard to the processing of personal data – Regulation 2016/679 – Data protection officer – Function – Prohibition of the dismissal, by a controller or processor, of a data protection officer or of the imposition, by a controller or processor, of a penalty on him or her for performing his or her tasks – National legislation prohibiting the termination of a data protection officer’s employment contract without just cause – Termination not related to the performance of that officer’s tasks – Whether permissible – Condition – Compliance with the objectives provided for by that regulation

(European Parliament and Council Regulation 2016/679, Art. 38(3), second sentence)

(see paragraphs 21-36 and operative part)

Résumé

LH performed, from 1 February 2018, the duties of data protection officer within the company Leistritz AG. That company is required, under German law, to designate a data protection officer. In July 2018, Leistritz terminated LH’s employment contract with notice, invoking a measure for the restructuring of its activities, under which the data protection service was to be outsourced.

The courts adjudicating on the substance, before which LH challenged the validity of the termination of her contract, ruled that that termination was invalid. In accordance with the provisions of German federal legislation, LH, in her capacity as data protection officer, could have her employment contract terminated extraordinarily only if there was just cause. The restructuring of Leistritz’s activities, it was found, did not constitute such a cause.

Following the appeal brought by Leistritz before the Bundesarbeitsgericht (Federal Labour Court, Germany), that court asks whether the General Data Protection Regulation ( 1 ) allows legislation of a Member State which makes the termination of a data protection officer’s employment contract subject to stricter conditions than those laid down by EU law.

By its judgment, the Court of Justice holds that the second sentence of Article 38(3) of the GDPR ( 2 ) does not preclude national legislation which provides that a controller or processor may terminate the employment contract of a data protection officer who is a member of his or her staff only if there is just cause. That reasoning is applicable even if the contractual termination is not related to the performance of that officer’s tasks, in so far as such legislation does not undermine the achievement of the objectives of the GDPR.

Findings of the Court

In the first place, the Court notes that, in accordance with the second sentence of Article 38(3) of the GDPR, the prohibition of the dismissal, by a controller or processor, of a data protection officer or of the imposition, by a controller or processor, of a penalty on him or her means that that officer must be protected against any decision terminating his or her duties, by which he or she would be placed at a disadvantage or which would constitute a penalty. Thus, a measure terminating a data protection officer’s employment contract taken by his or her employer and terminating the employment relationship existing between that officer and that employer may constitute such a decision. In respect of that employment relationship, the Court states that the second sentence of Article 38(3) of the GDPR applies both to the data protection officer who is a member of the staff of the controller or processor and to the person who fulfils the tasks on the basis of a service contract concluded with the latter. That provision is therefore intended to apply to the relationship between a data protection officer and a controller or processor, irrespective of the nature of the employment relationship between that officer and the latter. Furthermore, that same provision imposes a limit which consists of prohibiting the termination of a data protection officer’s employment contract on a ground relating to the performance of his or her tasks. ( 3 )

In the second place, as regards the objective pursued by the second sentence of Article 38(3) of the GDPR, that regulation ( 4 ) states that data protection officers, whether or not they are employees of the controller, should be in a position to perform their duties and tasks in an independent manner, in accordance with the objective of the GDPR. ( 5 ) Thus, the objective of ensuring the functional independence of the data protection officer ( 6 ) implies that that officer is not to receive any instructions regarding the exercise of those tasks, that he or she is to report directly to the highest level of management of the controller or processor, and that he or she is bound by secrecy or confidentiality. Consequently, the second sentence of Article 38(3) of the GDPR seeks to preserve the independence of the data protection officer, in so far as that provision protects him or her against any decision in relation to his or her duties which terminates those duties, places him or her at a disadvantage or constitutes a penalty. However, that provision is not intended to govern the overall employment relationship between a controller or a processor and staff members.

As regards, in the third and last place, the context of the second sentence of Article 38(3) of the GDPR, the Court states that, apart from the specific protection of the data protection officer provided for in that provision, protection against the termination of the employment contract of a data protection officer employed by a controller or by a processor does not fall within the scope of rules which may be adopted on the basis of the GDPR ( 7 ) but rather within the field of social policy. The European Union and the Member States have shared competence ( 8 ) in that field. The European Union supports and complements action taken by the Member States in the field of the protection of workers in the event of termination of an employment contract by laying down minimum requirements in that regard. Therefore, each Member State is free, in the exercise of its competence, to lay down more protective specific provisions on termination of a data protection officer’s employment contract, in so far as those provisions are compatible with the provisions of the GDPR. In particular, such increased protection cannot undermine the achievement of the objectives of the GDPR. That would be the case if it prevented any termination of the employment contract, by a controller or by a processor, of a data protection officer who no longer possesses the professional qualities required to perform his or her tasks or who does not fulfil those tasks in accordance with the provisions of the GDPR.

( 1 ) See, in particular, the second sentence of Article 38(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1; ‘the GDPR’).

( 2 ) Under the second sentence of Article 38(3) of the GDPR, the data protection officer cannot be dismissed or penalised by the controller or processor for performing his or her tasks.

( 3 ) Under Article 39(1)(b) of the GDPR, those tasks include, in particular, monitoring compliance with EU or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data.

( 4 ) In particular, recital 97 of the GDPR.

( 5 ) The GDPR, as is apparent from recital 10 thereof, seeks, inter alia, to ensure a high level of protection of natural persons within the European Union.

( 6 ) As is apparent from the first, second and third sentences of Article 38(3) and from Article 38(5) of the GDPR.

( 7 ) Article 16(2) TFEU, which is the legal basis for the GDPR, allows for the adoption of rules on the protection of individuals with regard to the processing of personal data and to the free movement of such data.

( 8 ) Under Article 4(2)(b) TFEU.