The Termination of the Employment Contract of a Data Protection Officer under GDPR: Commentary on the Judgment of the Court of Justice of the European Union in Leistritz AG v LH (C-534/20)

In the judgment in question, the Court of Justice of the European Union rules that Article 38 (3) GDPR does not preclude national legislation which provides that a termination of the employment contract of a data protection officer is allowed only with just cause, even if the termination is not related to the performance of that officer’s tasks, in so far as such legislation does not undermine the achievement of the objectives of that regulation. In the approving commentary, based on the theses contained in the judgment, the reasons related to the performance of the data protection officer tasks and other reasons for the inspector’s dismissal are discussed. Doubts related to the dismissal of the data protection officer due to the reorganization of the company are also highlighted. The issue of dismissal of the data protection officer is of great practical importance, the considerations and conclusions presented in the commentary may be helpful for many controllers.


INTRODUCTION
In the commented judgment (Leistritz AG v LH 1 ), the Court of Justice of the European Union (the CJEU) on request for a preliminary ruling from the Bundesarbeitsgericht (German Federal Labour Court), interpreted the second sentence of Article 38 (3) of Regulation (EU) 2016/679. 2 This provision stipulates obligation to ensure that the data protection officer "shall not be dismissed or penalised by the controller or the processor for performing his tasks".
As a result of the EU reform of the personal data protection law and the adoption of the GDPR, the designation of a data protection officer has become obligatory not only for public bodies, but also for some private companies. The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data. 3 One of the key issues has become to ensure the independence of the data protection officer in order to enable him to properly perform his tasks. The basic guarantees of independence of the data protection officer include his position -data protection officer shall directly report to the highest management level of the controller or the processor. The nature of the requirement related to the designation of the data protection officer (on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks), also has a significant impact on his activities. The controller and processor shall support the data protection officer in performing the tasks by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his expert knowledge, and shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. The requirements set out in the GDPR are to ensure that the data protection officer will be able to properly fulfil the tasks. 4 An additional safeguard for the independence of the data protection officer is the prohibition to dismiss and penalise him for performing his tasks. However, this provision is worded in a very general manner, which raises many doubts, and requires interpretation.

FACTS AND PROCEEDINGS
The request for a preliminary ruling has been made in the following factual and legal status. Leistritz AG is a company, which is required under German law to designate a data protection officer. LH performed the duties of data protection officer in Leistritz from February 2018. In July 2018, Leistritz terminated LH's employment contract with notice, invoking a restructuring measure of that company, in the context of which the activity of the data protection service were to be outsourced.
Article 38 (3) GDPR provides: "The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his [or her] tasks". According to German law - § 6 (4) of the Bundesdatenschutzgesetz (BDSG; Federal Law on data protection), 5 "the dismissal of the data protection officer shall be permitted only by applying § 626 of the Bürgerliches Gesetzbuch (German Civil Code), 6 accordingly. The data protection officer's employment shall not be terminated unless there are facts that give the public body just cause to terminate without notice. The data protection officer's employment shall not be terminated for one year after the activity as the data protection officer has ended, unless the public body has just cause to terminate without notice".
LH challenged the validity of the termination of her employment and claimed that it was invalid, as the employment could be terminated only in case of a "just cause". This interpretation was confirmed by the courts ruled that termination of employment was invalid, since in accordance with the combined provisions of Article 38 (2) GDPR and the second sentence of § 6 (4) BDSG, a contract could be terminated extraordinarily only if there was just cause, owing to her status as a data protection officer. The restructuring measure described by Leistritz did not, they found, constitute such a cause. The Company filed an appeal against the decision. The issue raised was whether the GDPR allows a Member State to make laws that impose stricter conditions for the termination of a data protection officer's employment contract than those provided for by EU law.  2002(BGBl. 2002I, p. 42, corrigenda BGBl. 2002I, p. 2909, and BGBl. 2003. Paragraph 626 of the German Civil Code, titled "Termination without notice with just cause", provides: "(1) The employment relationship may be terminated by either party to the contract with just cause without giving notice where facts are present on the basis of which the terminating party cannot reasonably be expected to continue the employment relationship to the end of the notice period or to the agreed end of the employment relationship, taking all circumstances of the individual case into account and weighing the interests of both parties to the contract (…)".
The German Federal Labour Court before which Leistritz has brought an appeal, observes that under German law, the termination of LH's contract is void, but shared the doubts indicated above, also pointing to the divergence in the national legal literature, decided to stay the proceedings and to refer three questions to the CJEU for a preliminary ruling. The first question was: "Is the second sentence of Article 38 (3) of [the GDPR] to be interpreted as precluding a provision in national law, such as § 38 (1) and (2) in conjunction with the second sentence of § 6 (4) of the [BDSG], which declares ordinary termination of the employment contract of the data protection officer by the data controller, who is his or her employer, to be impermissible, irrespective of whether his or her contract is terminated for performing his or her tasks?". The next two questions depended on affirmative answer to the first question: "(2) Does the second sentence of Article 38 (3) GDPR also preclude such a provision in national law if the designation of the data protection officer is not mandatory in accordance with Article 37 (1) GDPR, but is mandatory only in accordance with the law of the Member State?", and "(3) Is the second sentence of Article 38 (3) GDPR based on a sufficient enabling clause, in particular in so far as this covers data protection officers that are party to an employment contract with the data controller?".
The CJEU rules that "the second sentence of Article 38 (3) GDPR must be interpreted as not precluding national legislation which provides that a controller or a processor may terminate the employment contract of a data protection officer, who is a member of his or her staff, only with just cause, even if the contractual termination is not related to the performance of that officer's tasks, in so far as such legislation does not undermine the achievement of the objectives of the GDPR". The CJEU further stated that in the light of the answer given to the first question, there is no need to answer the second and third questions.

THE ANALYSIS OF THE JUDGMENT
The core issues of the CJEU ruling concerns whether the termination of the contract with the data protection officer is legally permitted only for reasons related to the performance of the officer's tasks, and whether specific requirements for termination of the employment contract may be laid down in the law of the Member State.
Article 38 (3) GDPR provides, in its second sentence, that the data protection officer "shall not be dismissed or penalised by the controller or the processor for performing his [or her] tasks". The Advocate General in his opinion noted that the prohibition of the dismissal, by a controller or processor, of a data protection officer or of the imposition, by a controller or processor, of a penalty on him or her means, that officer must be protected against any decision terminating his In line with the CJEU ruling, the second sentence of Article 38 (3) GDPR, must be regarded as essentially seeking to preserve the functional independence of the data protection officer and, therefore, to ensure that the provisions of the GDPR are effective. By contrast, that provision is not intended to govern the overall employment relationship between a controller or a processor and staff members who are likely to be affected only incidentally, to the extent strictly necessary for the achievement of those objectives. 8 Apart from the specific protection of the data protection officer provided for in the second sentence of Article 38 (3) GDPR, the fixing of rules on protection against the termination of the employment contract of a data protection officer employed by a controller or by a processor does not fall within the scope of the protection of natural persons with regard to the processing of personal data or within the scope of the free movement of such data, but within the field of social policy. 9 Each Member State is free, in the exercise of its retained competence, to lay down more protective specific provisions on the termination of a data protection officer's employment contract, in so far as those provisions are compatible with EU law and, in particular, with the provisions of the GDPR, particularly the second sentence of Article 38 (3) thereof. 10 Such increased protection cannot undermine the achievement of the objectives of the GDPR. That would be the case if it prevented any termination of the employment contract, by a controller or by a processor, of a data protection officer who no longer possesses the professional qualities required to perform his or her tasks or who does not fulfil those tasks in accordance with the provisions of the GDPR. 11 The CJEU rules that the termination of the employment contract of a data protection officer is allowed only with just cause, even if the termination is not related to the performance of that officer's tasks. However, the CJEU emphasized that the national legislation must not undermine the achievement of the objectives of the GDPR.
The CJEU stated that the second sentence of Article 38 (3) GDPR clearly applies without distinction both to the data protection officer who is a member of the staff of the controller or processor and to the person who fulfils the tasks on the basis of a service contract, irrespective of the nature of the employment relationship, therefore there is no need to answer the second and third questions. The data protection officer, performing his tasks, should not be afraid of the negative consequences of his correct behaviour. Fear of losing his job can have a significant impact on the way the data protection officer works, therefore the EU legislator tries to safeguard the independence of the officer by limiting the legal possibility of his dismissal. 12 In the light of the provision of Article 38 (3) GDPR, the data protection officer shall not be dismissed by the controller or the processor for correct performing his tasks (e.g. for indicating to the controller the need to implement additional security measures or informing him about the data breach and the need to notify the data breach to the supervisory authority). However, this does not mean that the data protection officer may not be dismissed for other reasons. As underlined in the comments: "The causal link between the performance of tasks and dismissal is not permitted, but not dismissal per se". 13 The phrase "performing tasks" should be understood as the proper performance of tasks, this does not include the failure to perform tasks or the improper performance of tasks.
There may be various reasons for dismissing a person from the function of a data protection officer. The first group of reasons is related to the non-performance or improper performance of data protection officer tasks or non-compliance with requirements laid down in the GDPR. A person acting as a data protection officer may be dismissed from this function if he does not perform (or performs incorrectly) the tasks that were imposed on him in Article 39 GDPR (e.g. he does not monitor compliance with the GDPR). Another reason for dismissing a data protection officer is that he does not (no longer) meet the professional knowledge requirements set out in Article 37 (5) GDPR (e.g. he does not inform controller of their obligations pursuant to data protection provisions, if it shows a lack of his knowledge). In some cases, the reason for the dismissal of the data protection officer may be a conflict of interests between the performance of tasks as an officer and the performance of other tasks entrusted to him (e.g. as the data protection officer has been designated IT department manager -a person who, in accordance with the GDPR, cannot perform this function due to a conflict of interests and there is a need to change). 14 The second group of reasons is not related to the performance of the data protection officer's function, but relates to other reasons that justify dismissal. The Working Group Art. 29 in Guidelines on Data Protection Officers ('DPOs') explained that "as a normal management rule and as it would be the case for any other employee or contractor under, and subject to, applicable national contract or 12 P. Fajgielski,op. cit.,p. 434. 13  Pobrane z czasopisma Studia Iuridica Lublinensia http://studiaiuridica.umcs.pl Data: 15/09/2023 03:59:44 U M C S labour and criminal law, a DPO could still be dismissed legitimately for reasons other than performing his or her tasks as a DPO (for instance, in case of theft, physical, psychological or sexual harassment or similar gross misconduct)". 15 In the light of the arguments presented above, it is worth considering, whether reorganization may be one of the reasons for the dismissal of the data protection officer, not related to the performance of his tasks. The duty of the controller is to designate a data protection officer and to ensure that he can properly and independently perform his tasks. According to Article 37 (6) GDPR data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract, the decision in this regard being made by the controller. If the controller, following the principles of management and economic considerations, decides that there is a need for reorganization (e.g. due to high costs), he should be able to dismiss the data protection officer and use outsourcing. The different interpretation would lead to an excessive restriction of the economic freedom of the entrepreneur, who should be free to decide whether the data protection officer is his employee or fulfil the tasks on the basis of a service contract.
There is a risk that a controller wishing to dismiss a data protection officer will arbitrarily decide whether the reason for the dismissal is lawful or give an apparent reason. However, the risk is mitigated by the supervisory authority, which assesses the reason for the dismissal, and may impose a high administrative fine on the controller for violating the provisions of the GDPR. In practice, this means that the controller should be able to demonstrate that the real reason for the dismissal of the data security officer was not related with the proper performance of his tasks.
The provisions of the GDPR contain only a general rule relating to the protection of the stability of the performance of the data protection officer's function in order to guarantee his independence, but do not regulate the detailed requirements or the procedure for terminating the employment contract, as these issues do not fall within the scope of data protection regulations, and are regulated by national social policy (labour law). Each Member State is entitled to lay down specific rules for termination the employment contract of a data protection officer, however, the CJEU stated that the national legislation must not undermine the achievement of the objectives of the GDPR, in particular lower the level of protection of the data protection officer's independence. Most Member States have not adopted this kind of specific legislation, 16 so the general prohibition laid down in the second sentence of Article 38 (3) GDPR applies directly.
However, some Member States have adopted specific legislation restricting the ability to dismiss the data protection officer. One of such countries is Germany.

U M C S
In accordance with German law - § 6 (4) BDSG, "the data protection officer's employment shall not be terminated unless there are facts which give the public body just cause to terminate without notice". According to the jurisprudence of German courts, the fact that, due to organizational change, data protection within the company will in future be ensured by an external data protection officer does not constitute a "just cause" for the dismissal. 17 The referring court (German Federal Labour Court) pointed to divergence in the German legal literature. Some authors argue that "due to the national legislative competence for the regulation of labor law, however, the legislator is free to provide protection against dismissal for data protection officers at a national level". 18 However, the other authors recognize that the links between protection and the position of data protection officer conflict with EU law and give rise to economic pressure to retain a data protection officer on a long-term basis once he or she has been designated. 19 The CJEU concluded that such stronger protection of the data protection officer under the national laws is not contrary to the GDPR. Moreover, the Advocate General in his opinion wrote: "It could also be considered that, in the event of economic difficulties for the company which has the obligation to appoint a data protection officer and has chosen one of its employees for this purpose, its missions should, due to the objective of Regulation 2016/679 and the contribution of such a delegate to the satisfaction of the latter, continue to be exercised as long as the employer's activity continues". 20 Such a position raises doubts; however, it may be approved if specific provisions of member state law (e.g. the above-mentioned provisions of the German BDSG) limit the dismissal of the data protection officer. The strong protection of the data protection officer under German law is quite different from the requirements set out in the GDPR. The German provisions, based on the permissibility of terminating an employment relationship with the data protection officer only if there are facts that justify termination without notice, may raise questions about whether they are an excessive limitation of the controller. According to the GDPR, the controller should be able to choose who will act as a data protection officer and whether it will be an employee or a person providing outsourcing services. Since economic problems that justify the reorganization of the company are not considered as just cause for terminating the employment of a data protection officer under German law, the controller does not have the option to make the change. In addition, it may raise doubts as to whether other reasons justifying the termination of the contract with the data protection officer, can be considered as just cause. 21 Finally, differences in requirements relating to the dismissal of the data protection officer in the Member States fail to ensure a consistent level of data protection, which was one of the key objectives of the EU data protection reform. Undoubtedly, however, strong protection of the data protection officer's employment can be considered as a measure to strengthen his independence, which can contribute to increasing the level of protection of data subjects, so the court's position recognizing the admissibility of such a national regulation should be considered correct. However, if the national provisions do not contain additional restrictions, the general rule set out in Article 38 (3) GDPR applies, and due to the need for reorganization a data protection officer may be dismissed, because economic difficulties for the company (and the need to cut costs) can be considered a legitimate cause for the dismissal.

CONCLUSIONS
The data protection officer shall not be dismissed by the controller or the processor for proper performing his tasks. However, in cases not related to the proper performance of the function, the data protection officer may be dismissed. The reasons for the dismissal may be different. The data protection officer may be dismissed if he does not perform (or performs incorrectly) the tasks, or if he does not meet the requirement to have expert knowledge in the field of data protection law and practices, or if there is a conflict of interest between the performance of the tasks as an officer and the performance of other tasks entrusted to the data protection officer.
The CJEU stated that each Member State is entitled to lay down specific rules for termination the employment contract of a data protection officer, however the national legislation must not undermine the achievement of the objectives of the GDPR.
If the national provisions do not contain such specific rules, the general rule set out in Article 38 (3) GDPR applies, and a data protection officer may be dismissed, e.g., due to the reorganization of the company, because economic difficulties can be considered a legitimate cause for the dismissal, and it is not related to the proper performance of the data protection officer tasks.