DP News – Week 7. The CJEU has issued a decision clarifying the status of Data Protection Officers (DPO), European Parliament’s Industry, Research and Energy Committee approved the draft Data Act

In September 2022, it was announced that EDPB chose “designation and position of the data protection officer” as the topic for its coordinated enforcement action, meaning that the EDPB prioritises this topic “for data protection authorities (DPAs) to work on at the national level”.

Now, on 09 February 2023, the CJEU issued a ruling (case C-453/21) as a follow-up to a request for a preliminary ruling made by the Federal Labour Court of Germany, Bundesarbeitsgericht, bringing the issue of DPO’s dismissal due to conflict of interests front and centre.

CJEU reiterated again the main idea of the GDPR Article 38(6) that DPO may fulfil other tasks and duties, unless it results in a conflict of interests. Against this background, the CJEU concluded that, in particular, “DPO cannot be entrusted with tasks or duties which would result in him or her determining the objectives and methods of processing personal data on the part of the controller or its processor. Under EU law or the law of the Member States on data protection, the review of those objectives and methods must be carried out independently by the DPO” (paragraph 44).

As for the protection of DPO from dismissal, the CJEU factored in the GDPR Article 38(3) and also specified that “each Member State is free, in the exercise of its retained competence, to lay down more protective specific provisions on the dismissal of the DPO, in so far as those provisions are compatible with EU law and, in particular, with the provisions of the GDPR, particularly the second sentence of Article 38(3) thereof” (paragraph 31). “In particular, such increased protection cannot undermine the achievement of the objectives of the GDPR. That would be the case if it prevented any dismissal, by a controller or by a processor, of a DPO who no longer possesses the professional qualities required to perform his or her tasks, in accordance with Article 37(5) of the GDPR, or who does not fulfil those tasks in accordance with the provisions of that regulation” (paragraph 32).

***

On 09 February, the draft Data Act was approved by the Industry, Research and Energy Committee of the European Parliament (EP). According to the EP’s official press release, the text, inter alia, strengthens the “provisions to protect trade secrets and avoid a situation where increased access to data is used by competitors to retro-engineer services or devices”, sets “stricter conditions on business-to-government data requests”, facilitates “switching between providers of cloud services, and other data processing services, and introduce safeguards against unlawful international data transfer by cloud service providers”. A “full House vote” in the EP is scheduled for March 2023.