CJEU issues landmark ruling on DPO dismissals and conflicts of interest


On 9 February 2023, the Court of Justice of the European Union (CJEU) issued a preliminary ruling in case C‑453/21 regarding the justified grounds for dismissing data protection officers (DPOs) and the conflict of interests requirements that apply to them under the General Data Protection Regulation (GDPR).

The full text of the decision can be accessed here.

In general, DPOs fulfil a critical task by monitoring compliance with the GDPR, other provisions of EU law or of the law of the member states on data protection and the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness raising and the training of staff involved in processing operations, and the related audits.

Based on the facts of the present case, the DPO was dismissed due to a risk of conflict of interests perceived by the data controller, as the DPO simultaneously performed the functions of DPO and chair of the works council. The data controller argued that those two posts are incompatible and therefore the DPO’s dismissal is justified. The DPO initiated a court action seeking to retain the DPO position, and the national court referred the questions to the CJEU.

Justified grounds for the dismissal of DPOs

Article 38(3) of the GDPR provides that a DPO “shall not be dismissed or penalised by the controller or the processor for performing his tasks”.

In an earlier case (Leistritz, C‑534/20), the CJEU already clarified that the prohibition of the dismissal of a DPO or the imposition of a penalty means that that DPO must be protected against any decision terminating their duties, by which they would be placed at a disadvantage, or which would constitute a penalty. The CJEU has also stated that this requirement applies without distinction both to the DPO who is a member of the staff and to the person who fulfils the tasks on the basis of a service contract.

Moreover, each member state is free, in the exercise of its retained competence, to lay down more protective specific provisions on the dismissal of the DPO, in so far as those provisions are compatible with EU law and, in particular, with the provisions of the GDPR.

Consequently, the CJEU held that Article 38(3) does not preclude national legislation which provides that a controller or a processor may dismiss a DPO who is a member of staff of that controller or processor solely where there is just cause, even if the dismissal is not related to the performance of that DPO’s tasks. However, such legislation cannot undermine the achievement of the objectives of the GDPR.

Conflict of interest requirements relating to DPOs

Article 38(6) provides that “the DPO may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests”. Within the understanding of the CJEU, this means that the DPO cannot be entrusted with performing tasks or duties that could impair the execution of the functions performed by the DPO.

Consequently, the CJEU held that a conflict of interests may exist where a DPO is entrusted with other tasks or duties that would result in him or her determining the objectives and methods of processing personal data on the part of the controller or its processor. Whether this circumstance exists should be determined case by case, on the basis of an assessment of all the relevant circumstances, in particular the following:

  • organisational structure of the controller or its processor; and
  • all applicable rules, including any policies of the controller or its processor.

The designation and position of DPOs is an increasingly important topic for the supervisory authorities. The ruling comes ahead of the European Data Protection Board’s upcoming coordinated enforcement action focusing on the designation and position of DPOs. The report on the outcome of the coordinated action will be adopted before the end of the year.

For more information on the CJEU judgment, or general questions related to the position and tasks of DPOs under the GDPR, contact your CMS client partner and local CMS experts.

The article was co-authored by János Bálint.