The German-based company Leistritz AG dismissed its data protection officer as part of a restructuring measure. The termination, which was declared null and void in the first instance, was appealed in the revision proceedings. It was questioned whether the nationally governed protection against dismissal for data protection officers may be stricter than in Union law.
2. Legal basis
Art. 37 - 39 GDPR regulates, among other matters, when data protection officers must be appointed. They have special protection against termination for motive; they shall not be dismissed or disadvantaged due to the fulfilling of their duty. The special protection against dismissal in Article 38 (3) sentence 2 of the GDPR ensures the independence of the data protection officer. The tasks of the data protection officer include monitoring of adherence to the regulation and strategies of the responsible parties for the protection of personal data.
3. On the decision of the ECJ
Article 38 (3) of the GDPR provides that the data protection officer must not be discriminated or dismissed by reason of his or her activities. The referring court primarily wanted to clarify whether a national regulation is allowable which strengthens the protection against dismissal so that this is only permitted for important reasons, even if the dismissal is not related to the fulfillment of the tasks of the data protection officer.
Data privacy officers must be able to perform their duties in complete independence. This is to be achieved by the special protection against dismissal.
However, employee protection is - with the exception of the regulations of Art. 38 (3) GDPR - a matter of social policy which, according to Art. 2 (2) and Art. 4 (2) lit b TFEU, falls under the shared competence between the Union and the Member States.
For the protection of workers, the Union can issue supplementary and supporting regulations by means of directives. However, pursuant to Art. 153 (2) b and (4) TFEU, this does not deprive the Member States of the competence to enact special or stricter national regulations. In doing so, however, the Member States must not violate Union law.
Art 38 (3) sentence 2 GDPR shall be interpreted in such a way that it does not preclude a national law which provides that a data protection officer may only be dismissed for important reasons, even if there is no connection with the activity as data protection officer. However, this must not prevent the realization of the aims of the GDPR.
Therefore, national regulations on the protection of data protection officers against dismissal are permitted, provided that existing Union law - in particular Art. 38 (3) sentence 2 GDPR - is not violated.