– CJEU on Sensitive Data under the Law Enforcement Directive (LED) –
On 26th January, the CJEU delivered a judgment concerning the lawful processing of biometric and genetic data for law enforcement purposes in the case of Ministerstvo na vatreshnite raboti. As to the facts of the case, the police wanted to record the photographic, dactyloscopic and genetic data of a suspect in a crime (V.S.), who, however, refused to provide the data. Following the refusal, the law enforcement authorities sought judicial authorisation in order to forcefully collect the biometric and genetic data. The domestic court decided to seek clarification by the CJEU on the following three aspects related to the interpretation and application of the LED: (1) whether the Bulgarian legal provisions implementing the LED constitute an adequate legal basis for the processing of the data in question, especially because they made references both to the GDPR and the LED; (2) whether the provision in Bulgarian law to allow courts to order the collection of the data ‘without the court being able to assess whether there are serious grounds for believing that the person has committed the criminal offence of which he or she is accused’ is compatible with the LED (especially the requirement in Article 6 LED to distinguish between different categories of data subjects) and the CFREU (especially with the rights to effective remedies and to be presumed innocent); and (3) whether the LED allows for a systematic collection of biometric and genetic data of accused persons without a requirement in national law on assessing the necessity and proportionality of the collected data in each case. As to the first aspect, the CJEU ruled that national law constitutes a proper legal basis where ‘the law of that Member State contains a sufficiently clear and precise legal basis to authorise that processing. The fact that the national legislative act containing such a legal basis refers, furthermore, to the GDPR, and not to Directive 2016/680, is not capable, in itself, of calling the existence of such authorisation into question, provided that it is apparent, in a sufficiently clear, precise and unequivocal manner, from the interpretation of the set of applicable provisions of national law that the processing of biometric and genetic data at issue falls within the scope of that directive, and not of that regulation.’ As to the second aspect, the Court ruled that the requirement in Article 6 LED is neither absolute, nor does it list exhaustively the categories of data subjects. In addition, it ruled that ‘Article 6(a) of Directive 2016/680 does not preclude national legislation which provides for the compulsory collection, in order to be entered in a record, of biometric and genetic data concerning persons in respect of whom sufficient evidence is gathered that they are guilty of an intentional offence subject to public prosecution and who have been accused for that reason.’ On the question of the compatibility of the measures with the rights to effective judicial remedies and the presumption of innocence, the Court ruled that the contested provisions in Bulgarian law are not incompatible ‘provided that national law subsequently guarantees effective judicial review of the conditions for that accusation, from which the authorisation to collect those data arises.’ As to the third aspect, the Court established that ‘national legislation which provides for the systematic collection of the biometric and genetic data of any person accused of an intentional offence subject to public prosecution is, in principle, contrary to the requirement laid down in Article 10 of Directive 2016/680 that processing of the special categories of data referred to in that article is to be allowed ‘only where strictly necessary’. The Court reached this conclusion by interpreting Article 10 LED in light of the principles of data minimisation, fairness and lawfulness, and purpose limitation in Article 4 LED and on the requirement on lawful processing Article 8 LED. In casu, the Court was especially disturbed by the provision in Bulgarian law, which contains a very broad and general definition of ‘intentional criminal offence subject to public prosecution’, which meant that virtually any suspect could fall under it.
– CJEU Rules on the Position of the DPO –
On 9th February the CJEU delivered its judgment in the case of X-FAB Dresden GmbH & Co. KG v FC. In terms of the facts, the case concerned a DPO, who was in an employment relationship with the controller, who had been dismissed from their position. The DPO brough proceedings before the national courts, where the employer, X-FAB, argued that there was cause for the dismissal as ‘there is a risk of a conflict of interests if FC simultaneously performs the functions of DPO and chair of the works council, on the ground that those two posts are incompatible.’ In this regard, the national court referred four questions to the CJEU concerning the position of the DPO under the GDPR. These concerned:
- Whether Article 38(3) GDPR prohibits provisions in national law – in this case the German BDSG – which make dismissing a DPO employed by a controller ‘subject to certain conditions…irrespective of whether…dismissal relates to…performance’.
- If the first question is answered positively: Whether Article 38(3) also prohibits such a provision in national law if appointment of a DPO is obligatory not under Article 37(1) GDPR, but according to national law?
- If the first issue is answered positively: Whether Article 38(3) has ‘sufficient legal basis, in particular in so far as it covers’ DPOs in an employment relationship.
- If the first issue is answered negatively: Whether ‘there a conflict of interests within the meaning of…Article 38(6)’ if the DPO is also chair ‘of the works council established at the controlling body? Must specific tasks have been assigned within the works council in order for such a conflict of interests to be assumed to exist?’
The Court answered the first question negatively, in concluding that ‘Article 38(3)…must be interpreted as not precluding national legislation which provides that a controller or a processor may dismiss a data protection officer who is a member of staff of that controller or processor solely where there is just cause, even if the dismissal is not related to the performance of that officer’s tasks, in so far as such legislation does not undermine the achievement of the objectives of’ the GDPR. Accordingly, the Court moved directly to the fourth question, and concluded that Article 38(6) means that a conflict of interests exists where a DPO has ‘other tasks or duties, which would result in him or her determining the objectives and methods of processing personal data on the part of the controller or its processor, which is a matter for the national court to determine, case by case, on the basis of an assessment of all the relevant circumstances, in particular the organisational structure of the controller or its processor and in the light of all the applicable rules, including any policies of the controller or its processor.’ The decision and reasoning seem straightforward and will likely be unsurprising to many in the data protection community. The case is nevertheless interesting and important. This is not least true as the case offers further significant clarifications concerning the relationship between EU and national law as well as in terms of the legal position of the DPO.
– CJEU Rules Again on the Position of DPO –
On 9th February, the CJEU delivered its judgment in the case of ZS v Zweckverband „Kommunale Informationsverarbeitung Sachsen“ KISA, Körperschaft des öffentlichen Rechts. In terms of the facts, the case concerns the dismissal of the plaintiff from their position of DPO by the defendant. The plaintiff complained that there was no legitimate basis for the dismissal, whereas the defendant claimed that this was justified by a conflict of interests between the plaintiff’s position as DPO and the plaintiff’s other work duties. Against this background, the referring national court posed two questions – closely related to those posed in X-FAB – concerning the position of DPO under the GDPR to the CJEU:
- Does Article 38(3) GDPR prohibit national legal provisions – in this case those in the German BDSG – which make dismissing a DPO in an employment relationship subject to their conditions, regardless of whether the dismissal is connected with the performance of duties?
- In case the answer to the first question is affirmative: Is Article 38(3) based on a sufficient enabling basis, especially concerning the extent that the provision applies to DPOs who are in employment relationships with the controller?
In relation to the first question, the Court concluded, in line with its decision in X-FAB, that Article 38(3) does not preclude national provisions according to which a DPO in an employment relationship with a controller or processor may be dismissed only for cause, even where dismissal would not relate to the performance of duties, provided the rule does not affect the achievement of the objectives of the GDPR. In light of the negative answer to the first question, the Court found no need to answer the second question. We would highlight the judgment is not yet available in English. Accordingly, other language versions were used in the production of this report. Whilst every effort has been made to ensure correct translation, we cannot absolutely exclude the possibility of errors.