Authors: Iurie Cojocaru and Flavia Lungu
The General Data Protection Regulation (GDPR) instituted an additional layer of protection against sanctioning and dismissal for the data protection officer (DPO), in an attempt to prevent possible interference on the part of company management in the activity of the DPO, which needs to preserve its functionally independent character.
According to GDPR, the DPO “shall not be dismissed or penalised by the controller or the processor for performing his tasks.” (Article 38, paragraph 3, second thesis).
At first sight, the GDPR seems to create a powerful shield protecting the DPO against dismissal in connection with the performance of his/her tasks. But is it really so?
After the GDPR came into force, but before it became applicable, the Article 29 Data Protection Working Party (an EU body, currently replaced by the European Data Protection Board, bringing together representatives of all EU data protection authorities) adopted its Guidelines on DPO (WP243 rev.01, adopted on 13 December 2016, as last revised and adopted on 5 April 2017). These Guidelines bring a common-sense clarification, saying that “a DPO could still be dismissed legitimately for reasons other than for performing his or her tasks as a DPO (for instance, in case of theft, physical, psychological or sexual harassment or similar gross misconduct).” Of course, this was something which could be deduced from the GDPR provision itself, but the express wording of the Guidelines is still very useful for avoiding any doubts in this respect.
After the Working Party Guidelines were issued, the question persisted with regard to dismissal reasons which are related to the DPO’s tasks. What can be done if someone is just not fit for the job and the company realizes it only after the DPO has been hired? Likewise, what can be done to the extent the DPO, even if competent enough, simply refuses to perform his/her tasks or performs them in bad faith?
A solution proposed in practice is to conclude limited duration agreements with the DPO. One year, for example, would be enough to understand how prepared and how willing someone is to do the job. However, a Romanian company appointing the DPO would need to carefully assess this option, especially because the Romanian Labor Code provides very limited cases when an employer may conclude limited duration employment agreements, and one might need to have arguments to sustain the temporary character of the job position itself to conclude such an agreement. The need for a longer probationary period than the maximum limits provided by law is, of course, not one of such reasons.
The relatively recent Opinion of the Advocate General (AG) Jean Richard de la Tour expressed on 27 January 2022 in the Leistritz case (Leistritz AG v. LH, case C-534-20) was very helpful in better shaping the scope of the situations when the DPO dismissal is possible.
Thus, AG de la Tour indicates, at paragraph 51, that an interpretation made in line with the purposes of the GDPR would lead to the conclusion that a DPO may be dismissed when he/she, amongst others, does not fulfill the qualitative criteria necessary for carrying out the DPO tasks (e.g., knowledge of data protection law), is in breach of his/her GDPR-imposed obligations (e.g., the DPO breaches the secrecy or confidentiality obligations in performance of the tasks) or shows an insufficient level of expertise.
Shortly after, the French data protection authority (CNIL) guidance on DPO, adopted in March 2022, followed the approach of AG de la Tour in the Leistritz case in going a bit further than the text of GDPR. Thus, according to CNIL: “an organisation that designates a DPO must ensure that the DPO has the qualifications and capabilities enabling them to perform their duties. They can therefore decide to withdraw the DPO duties from an employee who is unable to fulfil the duties assigned to him by the GDPR. This procedure is only possible if the employer has ensured that the DPO’s difficulty in carrying out their duties does not come from insufficient resources – particularly in terms of time – granted to them.” (page 33 of the CNIL guidance).
It is also worth mentioning that the AG Opinion in the Leistritz case makes reference (at note 34) to the Spanish organic law No. 3/2018 on data protection and digital rights safeguards, according to which a DPO who is a natural person can be neither dismissed nor sanctioned while carrying out his/her tasks, except for the case when the DPO has committed willful misconduct or gross negligence.
The list of cases when a DPO may be dismissed is not the only problem derived from the aforementioned provision of GDPR. Certain additional procedural difficulties may arise for a Romanian company which dismisses its DPO, when such a DPO is an employee of the company concerned. What do we mean by this? The Romanian Labor Code provides a range of solutions at the disposal of an employer to sanction or even dismiss an employee, when the employee fails to fulfil or inappropriately fulfils his or her job duties. When such a failure is the result of behavioral issues, the practice leans towards disciplinary procedures, but the failure may also be the result of ignorance, insufficient knowledge or abilities of the employee to properly perform the tasks and attributions entrusted to him or her, in which case the employer is to resort to performance-related procedures. This means that the company has to adequately choose the procedural path and follow it.
Needless to say, in the case of a DPO, implementation of such procedures deriving from the Romanian Labor Code may prove to be difficult in practice when the misfit is related to the performance of his or her profession. It must be mentioned that the GDPR provides not only for the protection against sanctioning or dismissal mentioned above, but also precludes the employer from providing any instructions regarding the exercise of the tasks (according to the same GDPR Article 38, paragraph 3, first thesis). So, even if we adopt the more flexible interpretation of GDPR on DPO dismissal, how could an employer evaluate the performance of a DPO or sanction the lack thereof when it is not afforded the needed degree of control as in the case of a “regular” employee?
We look forward to seeing if the judges of the Court of Justice of the European Union (CJEU) would agree with the position of the AG Opinion in the Leistritz case. On the one hand, in most cases, the judges of the CJEU take the point of view expressed by the advocate general. On the other hand, the answer given by AG de la Tour on DPO performance-related dismissal cases slightly exceeds the scope of the questions brought before the CJEU, so that the court would not be bound to answer something which it was not asked.
In the meantime, we may point out that various actors in the data protection field (national legislators, data protection authorities, EU advocate general) seem to be heading in the same direction in their interpretation of the DPO dismissal provision: the GDPR does not protect against dismissal those acting in bad faith as DPOs or those who are manifestly a bad fit for this job.
Still, while the GDPR does not institute an absolute protection for the DPO against dismissal, neither does it provide an arbitrary right for the company to dismiss the DPO. The applicable procedural rules must be observed. If the DPO is hired with an employment agreement, the employer must ensure that it strictly follows the necessary dismissal procedures (i.e., disciplinary or poor performance, as indicated above) and that it can prove beyond all doubt that the DPO has committed disciplinary misconduct or is indeed a poor performer, although having been provided with all necessary resources.