Data protection officers can maintain other tasks and duties within their role, provided those tasks and duties do not result in a conflict of interest, the Court of Justice of the European Union has affirmed.
In a Feb. 9 ruling centered around Article 38 of the EU General Data Protection Regulation, the CJEU stated DPOs should “be in a position to perform their duties and tasks in an independent manner” but “cannot be entrusted with tasks or duties which would result in him or her determining the objectives and methods of processing personal data on the part of the controller or its processor.”
The CJEU said this is “a matter for the national court to determine, case by case, on the basis of an assessment of all the relevant circumstances.”
This is likely to be an “increasingly important, and hard,” distinction for privacy pros and organizations as they “grapple with the challenging confluence of regulatory compliance and business practice,” IAPP Director of Research and Insights Joe Jones said.
“That could be an intractable position for many organizations where their DPO wears many different hats, some of which may afford decision-making powers on what data to process, why and how,” he said.
The ruling comes ahead of the European Data Protection Board’s upcoming coordinated enforcement action focusing on DPO designations.
The CJEU’s determination followed a request for a preliminary ruling made by the Federal Labour Court of Germany, Bundesarbeitsgericht, regarding proceedings between X-Fab Dresden and its former data protection officer.
The former DPO, who had also performed the role of “chair of the works council,” was dismissed from the role of DPO in December 2017. In May 2018, when the GDPR became law, X-Fab argued the former DPO’s dismissal was justified, citing “a risk of a conflict of interests” in performing both functions “on the ground that those two posts are incompatible.”
Jones also noted the CJEU found that Article 38, which states DPOs cannot be dismissed or penalized for performing tasks, does not prevent national laws from establishing additional protections against dismissing DPOs. However, these additional protections should not “compromise the principal objectives of the GDPR to maintain high levels of data protection.”
“The example the CJEU gives is that national laws can’t protect DPOs from dismissal in the event that the DPO is unable or no longer able to carry out their duties in complete independence due to the existence of a conflict of interest,” he said.