The applicant, LH, was the head of legal affairs at the German company, Leistritz AG. LH was also the company’s designated data protection officer.

In July 2018, Leistritz terminated LH’s employment with notice, invoking a company restructuring which meant that LH’s roles were to be outsourced. LH challenged the validity of the contract termination and the German courts found that under German law the contract could only be terminated if there was just cause, owing to her status as data protection officer, and that a company restructuring was not just cause.

Leistritz appealed and the referring court asked the CJEU whether the second sentence of Article 38(3) of the GDPR must be interpreted as precluding national legislation from providing that a controller or a processor may terminate the employment contract of a data protection officer, who is a member of staff, only with just cause, even if the contractual termination is not related to the performance of their tasks as data protection officer.

The CJEU noted that the second sentence of Article 38(3) states that “he or she shall not be dismissed or penalised by the controller or the processor for performing his [or her] tasks”. Further, the GDPR does not define the terms “dismissed”, “penalised” and “for performing his [or her] tasks”. Giving the words their everyday meaning, the CJEU said that the bar on dismissal of a data protection officer or on the imposition of a penalty against them means that the data protection officer must be protected against any decision terminating their duties by which they would be placed at a disadvantage, or which would constitute a penalty. A measure terminating a data protection officer’s employment contract, thereby terminating the employment relationship between the officer and the employer and terminating the function of data protection officer in the undertaking, may constitute such a decision.

Further, the second sentence of Article 38(3) clearly applies without distinction between an internal data protection officer and someone who fulfils tasks pursuant to an employment contract with the data controller. Therefore, the CJEU said, the second sentence of Article 38(3) is intended to apply to the relationship between a data protection officer and a controller/processor, irrespective of the nature of the employment relationship between them.

Additionally, Article 38(3) imposes a limit that consists of a ban on the termination of a data protection officer’s employment contract on a ground relating to the performance of their tasks, which include monitoring compliance with EU or Member State law and with the policies of the controller or processor in relation to the protection of personal data.

The CJEU also pointed out that recital 97 states that data protection officers, whether they are employees of the controller, should be able to perform their duties and tasks in an independent manner. Such independence must necessarily enable them to carry out those tasks in accordance with the objectives of the GDPR, i.e., to ensure a consistent and homogeneous application of the rules for the protection of the fundamental rights and freedoms of people with respect to the processing of personal data throughout the EU.

Ensuring the functional independence of the data protection officer is also made clear from the first and third sentences of Article 38(3), which require that the officer is not to receive any instructions regarding the exercise of those tasks and is to report directly to the highest level of management of the controller/processor, and from Article 38(5), which provides that the officer is bound by confidentiality.

Therefore, the CJEU said, the second sentence of Article 38(3) must be regarded as seeking to preserve the functional independence of the data protection officer and, therefore, to ensure that the provisions of the GDPR are effective. By contrast, it is not intended to govern the overall employment relationship between a controller/processor and its employees.

The CJEU agreed with the Advocate General who stated in his Opinion that each Member State is free to lay down more protective provisions on the termination of a data protection officer’s employment contract, provided they are compatible with the GDPR, particularly the second sentence of Article 38(3). However, such increased protection cannot undermine the objectives of the GDPR, e.g., by preventing termination of a data protection officer’s employment contract if they no longer possess the necessary professional qualities, or they are no longer fulfilling their tasks in accordance with the GDPR.

Therefore, the CJEU said that the second sentence of Article 38(3) must be interpreted as not precluding national legislation from providing that a controller or a processor may terminate the employment contract of a data protection officer, who is an employee, only with just cause, even if the contractual termination is not related to the performance of that officer’s tasks, provided that such legislation does not undermine the objectives of the GDPR. (Case C-534/20 Leistritz AG v LH EU:C:2022:495 (22 June 2022) — to read the judgment in full, click here).