A company in Germany decided to appoint an in-house data protection officer (DPO) to comply with the General Data Protection Regulation (GDPR) in 2015 and selected the chairman of the works council. Two years later, the position of DPO was revoked from the chairman due to a conflict of duty. The chairman contested this, and the case went through the courts. In June 2023, the BAG (Bundesarbeitsgericht, or Federal Labor Court) ruled that removing the chairman from the position of DPO was justified because the two positions presented a conflict of interest.
The DPO “has the task to make sure that a company is in compliance with the General Data Protection Regulation. And [the DPO] has been tasked to monitor the management to make sure that the company complies with GDPR obligations,” said Antje Munch, an attorney with Heuking in Stuttgart.
The tasks the DPO is responsible for can include training staff, conducting audits and reviewing internal processes.
The chairman presides over the works council, an elected body at German organizations with more than five employees. The role serves as a liaison between the works council and management. Often, terminations and restructurings are discussed in conjunction with the chairman of the works council.
“The works council people are employees within a company. They have a second role as a works council,” Munch said.
Why Are These Two Roles Incompatible?
A problem arises when these roles are held by the same employee, as in the case decided by the BAG. The way each position is expected to use and relate to data leads to a potential conflict of interest.
“There are situations where the works council chairman will deal with personal data related to employees” in negotiations with the employer, said Artur-Konrad Wypych, an attorney with Bird & Bird in Dϋsseldorf.
So, they are a user and processor of this protected employee data. In contrast, the DPO has to look at how the data is being used in an impersonal and removed manner, primarily considering compliance with the GDPR.
“You can’t be the one determining the processing of personal data and monitoring the one processing it,” Wypych said.
It has been unclear from the beginning whether the two positions could be held by the same employee, though there are reasons a company might be tempted to combine the roles. Often, both are part-time positions, and promoting an internal DPO can be easier than recruiting an outside one. Both are also protected positions that make it difficult for employers to unilaterally remove either, so combining the roles of DPO and chairman of the works council means there is only one employee with the protected status, rather than two. However, the conflicts inherent remain.
The DPO must be able to perform their tasks independently without receiving instructions, according to the GDPR.
“Once this person is actually involved in the decisions concerning how personal data is processed and for which purposes, then this independence is no longer maintained, and there’s a conflict of interest,” said Thomas Albermann, an attorney with Bird & Bird in Dϋsseldorf.
Questions Still Remain About Works Council
One point that has not been definitely determined is whether the ruling applies only to the chairman or to the works council in general. It has not been decided by the European Court of Justice or the Federal Labor Court in Germany whether the ruling applies to other works council members, Wypych said.
The risk of violating the GDPR by appointing a DPO with a conflicting role can be high for companies.
“Under the GDPR, you always have the risk of sanctions in this case, and there have been sanctions for companies who actually appointed data protection officers who had a conflict of interest,” Albermann said.
Data protection violations by the works council are attributed to the company. The company has to make sure that the works council is in line with the GDPR, Munch said: “Otherwise, the company might be fined or they will have problems with any claims raised because of breaches of the data by the works council.”
Katie Nadworny is a freelance writer in Istanbul.
Related Content
As artificial intelligence technology continues to develop, the demand for workers with the ability to work alongside and manage AI systems will increase. This means that workers who are not able to adapt and learn these new skills will be left behind in the job market.
A vast majority of U.S. professionals say students entering the workforce should have experience using AI and be prepared to use it in the workplace, and they expect higher education to play a critical role in that preparation.
Advertisement
An organization run by AI is not a futuristic concept. Such technology is already a part of many workplaces and will continue to shape the labor market and HR. Here's how employers and employees can successfully manage generative AI and other AI-powered systems.
Advertisement