Under the German Data Protection Act, employers with more than 20 employees which conduct automated processing of personal data must appoint a data protection officer (‘DPO’). These conditions are easily satisfied in many companies due to the use of IT systems in areas like HR, marketing and sales. In SMEs, however, there may not be many suitable candidates for the DPO position. Members of works councils are therefore often considered for the role. In a recent ruling (not yet published in full), the German Federal Labour Court (‘BAG’) has decided that the chair of the works council is not eligible to serve as DPO.
The employer in the case appointed the chair of the works council as DPO from 1 June 2015. At the instigation of the data protection authority in Thuringia, the employer revoked this appointment on 1 December 2017. The authority had objected that the two offices were incompatible because of a conflict of interest. Following the entry into force of the GDPR, the employer again dismissed the works council chairman as DPO as a precautionary measure. The works council chair went to court to challenge this, and was successful in both the Dresden Labour Court and the Regional Labour Court of Saxony. The matter was appealed to the Federal Labour Court.
On 6 June 2023 the BAG ruled that the revocation of the appointment had been justified. According to the Court, there will be good cause for termination of an appointment where the DPO does not have the expertise or reliability required to properly perform the role. Reliability may be in question if there is a risk of a conflict of interest, and the Court held that this can be assumed where the DPO holds a position which involves making important decisions about the processing of personal data. Before reaching its decision, the BAG had referred the question to the ECJ for a preliminary ruling.
The ECJ held that the duties of works council chair and DPO could not be performed by the same person without a conflict of interest arising. Personal data may only be made available to the works council for purposes expressly provided for in relevant legislation. Under German law, the works council must decide on the specific circumstances in which it requests personal data from the employer, and how it then processes this data. Because the works council determines the purposes and means of processing personal data, the works council chair is unable to monitor compliance with data protection law in a sufficiently independent way.
The DPO has the task of checking whether the employer, as data controller under the GDPR, complies with data protection law. The DPO’s supervisory powers also extend to the works council, which is considered part of the employer under German law. What’s more, the DPO advises the employer and the works council on compliance with data protection law in the workplace. A conflict of interest can clearly be seen. As DPO, the works council chair would not be able to provide independent and neutral advice to the employer on data protection matters, due to the differing interests of the employer and the works council. The ECJ’s decision, prompting a long-overdue change in the German case-law, is therefore to be welcomed.
The BAG expressly left open the question of whether all works council members are prevented from serving as DPO. However, the arguments we have considered here suggest that a conflict of interest may arise for these employees too. Since the GDPR obliges an employer to ensure that the tasks and duties of a DPO do not lead to conflicts of interest, care should be taken to avoid appointing works council members to this important role.
For more information about employee data privacy