Data protection officer and works council member: conflict of interest?

A data protection officer who is also a member of the Works Council? Is there a conflict of interest there? Sander Poelman tells you more about it.

What does a data protection officer do?

Organizations that primarily or widely process personal data are required by the General Data Protection Regulation (AVG) to appoint a data protection officer (FG).

The Data Protection Officer's duties include informing the organization of its obligations under the AVG. He must also independently supervise compliance and application of the AVG within the organization. In doing so, the data protection officer works together with the supervisory authority (in the Netherlands, the Authority for Personal Data). The data protection officer may perform other tasks and duties, but logically this should not lead to a conflict of interest.

When is there a conflict of interest?

German case

Recently, the Court of Justice of the European Union (CJEU) ruled on this issue. The case involved a large German group of companies. The employee in question is chairman of the works council (OR) of the parent company as well as vice-chairman of the group's central works council. In 2015, the employee also became a data protection officer for the parent company and its German-based subsidiaries.

Dismissal due to conflict of interest

In 2017, the company wants to dismiss the employee as data protection officer . This is because the company argues that a conflict of interest is likely to arise if the employee is simultaneously chairman of the Works Council and data protection officer.

What does the AVG say?

The AVG regulates that the data protection officer is not dismissed or penalized by the relevant organization for performing his duties. This is not the case with a conflict of interest. However, German law has a stricter test for the dismissal of a data protection officer . The national court therefore asks the CJEU how that law relates to the AVG.

ECJ ruling

The CJEU rules that a member state may grant greater protection to a data protection officer. However, this cannot prevent the proper and independent performance of the function and duties. Those duties include independent supervision of the purpose and means of processing personal data at the organization in question.

The data protection officer cannot do this if he can (partly) determine the purpose and means of certain processing operations from his role as a Works Council member or chairperson. In that case, therefore, there is indeed a conflict of interest.

Two hats

In short; in this matter, the FG was proverbially wearing two hats that conflicted. This is related to no longer being able to perform the duties independently, for example, when he helps determine the purpose and means of processing (think of the use of camera surveillance or monitoring employees). Appointing an FG may thus be a legal duty, but the appointment is additionally subject to other legal requirements.

Wondering if your organization should appoint a data protection officer? Or do you have questions about how best to fill the position of an FG? Then be sure to contact us, we would be happy to help you!