法律翻译｜Leistritz AG v LH. 终止数据保护官的雇佣合同是否应严格限制？

译者｜吴靓 中南财经政法大学法学本科

一审｜胡婧卓 UCLA LL.M.

二审｜董辰 中国政法大学硕士

编辑｜陈婉菁 中国政法大学硕士

         邵娅绮 浙江工商大学本科         

责编｜戚琳颖 大连海事大学本科    

原文链接：

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62020CJ0534

JUDGMENT OF THE COURT (First Chamber)

法院判决（第一分庭）

22 June 2022 ( *1 )

2022年6月22日

(Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Second sentence of Article 38(3) – Data protection officer – Prohibition of the dismissal, by a controller or processor, of a data protection officer or of the imposition, by a controller or processor, of a penalty on him or her for performing his or her tasks – Legal basis – Article 16 TFEU – Requirement of functional independence – National legislation prohibiting the termination of a data protection officer’s employment contract without just cause)

（参考初步裁决-在处理个人数据方面保护自然人-条例(EU)2016/679-第38(3)条第二句-数据保护官员-禁止控制者或处理者解雇数据保护官，或禁止控制者或处理者因其执行任务而对其进行处罚-法律依据-TFEU第16条-职能独立性要求-禁止无正当理由终止数据保护官的雇佣合同的国内法）

This request for a preliminary ruling concerns the interpretation and validity of the second sentence of Article 38(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1, and corrigendum OJ 2018 L 127, p. 2; ‘the GDPR’).

本初步裁定请求涉及欧洲议会和欧洲理事会在2016年4月27日颁布的《关于在个人数据处理和此类数据自由流动方面保护自然人的条例》第2016/679号第38(3)条第二句的解释和有效性，此外还涉及废止第95/46/EC号指令（《通用数据保护条例》，General Data Protection Regulation，以下简称“GDPR”）（OJ 2016 L 119，第1页和更正OJ 2018 L 127，第2页)。

The request has been made in proceedings between Leistritz AG and LH, who performed the duties of a data protection officer within that company, concerning the termination of her employment contract on account of a departmental reorganisation of that company.

该请求是在德国莱斯特瑞兹集团和被解雇的数据保护官之间的诉讼中提出的，后者在该公司内履行数据保护官的职责，该公司因部门重组而终止其雇佣合同。

Recitals 10 and 97 of the GDPR state:

GDPR叙文10和97规定：

(10)

In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. …

(10)为了确保对自然人的一贯、高水平保护并消除个人数据在欧盟内部流动的障碍，所有成员国在处理此类数据方面，对自然人的权利和自由的保护水平应相同。应确保在整个欧盟范围内一致和统一地适用保护自然人在处理个人数据方面的基本权利和自由的规则。…

(97)

… [The] data protection officers, whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner.’

(97)

…[这些]数据保护官，无论他们是否是控制者的雇员，都应该能够以独立的方式履行其职责和任务。

Article 37 of the GDPR, entitled ‘Designation of the data protection officer’, reads as follows:

‘1. The controller and the processor shall designate a data protection officer in any case where:

(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.

…

‘6. The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.

GDPR第37条题为“数据保护官的委任”，内容如下：

‘1.在如下任一情形中，控制者和处理者应当委任数据保护官：

(a)处理是公共机构或公共实体进行操作的，法庭在履行其司法职能时除外；

(b)控制者或处理者的核心处理活动天然性地需要大规模性地对数据主体进行常规和系统性的监控；或者

(c)控制者或处理者的核心活动包含了第9条规定的对某种特殊类型数据的大规模处理和第10条规定的对定罪和违法相关的个人数据的处理。

…

‘6.数据保护官应当是控制者或处理者或基于服务合同而完成任务的一名职员。

Article 38 of the GDPR, entitled ‘Position of the data protection officer’, provides, in paragraphs 3 and 5:

GDPR 第38条题为“数据保护官的职位”，该条在第3款和第5款中规定：

‘3. The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his [or her] tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.

‘3.控制者和处理者应当确保数据保护官不会收到任何关于履行此类责任的指示。数据保护官不应因完成任务而被解雇或惩罚。其可以直接向控制者或处理者的最高管理层进行报告。

（图片来源于网络）

The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law.’

数据保护官在完成其任务时，应当遵守欧盟或成员国的法律，负有保密义务。

Article 39 of the GDPR, entitled ‘Tasks of the data protection officer’, provides in paragraph 1(b):

‘The data protection officer shall have at least the following tasks:

…

(b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;

…’

GDPR 第39条题为“数据保护官的任务”，该条在第 1（b）段中规定：数据保护官应当至少具备以下任务：

…(b)确保遵守本条例、其他欧盟或成员国数据保护条款、和个人数据保护相关的控制者或处理者的政策，包括分配处理操作中以及相关审计中的责任、增强意识以及培训职员；

Paragraph 6 of the Bundesdatenschutzgesetz (Federal Law on data protection) of 20 December 1990 (BGBl. 1990 I, p. 2954), in the version in force from 25 May 2018 until 25 November 2019 (BGBl. 2017 I, p. 2097) (‘the BDSG’), entitled ‘Position’, provides in subparagraph 4:

1990年12月20日《联邦数据保护法》（Bundesdatenschutzgesetz，以下简称“BDSG”）第6款（1990 I，第2954页），2018年5月25日至2019年11月25日生效的版本（BGBl. 2017 I，第2097页），标题为“职位”，在第4分段中规定：

‘The dismissal of the data protection officer shall be permitted only by applying Paragraph 626 of the Bürgerliches Gesetzbuch [(German Civil Code), in the version of 2 January 2002 (BGBl. 2002 I, p. 42, corrigenda BGBl. 2002 I, p. 2909, and BGBl. 2003 I, p. 738)] accordingly. The data protection officer’s employment shall not be terminated unless there are facts that give the public body just cause to terminate without notice. The data protection officer’s employment shall not be terminated for one year after the activity as the data protection officer has ended, unless the public body has just cause to terminate without notice.’

只有适用《德国民法典》第626条，才允许解雇数据保护官（德国民法典，2002年1月2日第I版，第42页，更正版BGBl 2002 第I版，第2909页和BGBl. 2003年第I版，第738页）。除非事实证明公共机构有正当理由在不通知的情况下终止雇佣关系，否则不得解除与数据保护官的雇佣关系。在数据保护官员的职务终止后的一年内，除非公共机构有足够事实依据无需提前通知解雇，否则不得解除数据保护官员的雇佣合同。

Paragraph 38 of the BDSG, entitled ‘Data protection officers of private bodies’, provides:

‘(1) In addition to Article 37(1)(b) and (c) of the [GDPR], the controller and processor shall designate a data protection officer if they generally continuously employ at least ten persons dealing with the automated processing of personal data. …

(2) Paragraph 6(4), (5), second sentence, and (6) shall apply; however, Paragraph 6(4) shall apply only if the designation of a data protection officer is mandatory.’

BDSG第38段题为“私营机构的数据保护官”，规定：

(1) 除GDPR第37(1)条第(b)款和第(c)款外，如果控制者和处理者通常连续雇用至少10人进行个人数据的自动化处理，则应指定一名数据保护官。…

(2) 第6条第(4)款、第(5)款第二句、第(6)款应予以适用；但是，第6条第(4)款仅在必须指定数据保护官的情况下适用。

Paragraph 134 of the Civil Code, in the version published on 2 January 2002 (‘the Civil Code’), entitled ‘Statutory prohibition’, reads as follows:

‘Any legal act contrary to a statutory prohibition shall be void except as otherwise provided by law.’

在2002年1月2日公布的题为“法定禁令”的《民法典》中，第134条内容如下：

除法律另有规定外，任何违反法定禁令的法律行为均属无效。

（图片来源于网络）

Paragraph 626 of the Civil Code, entitled ‘Termination without notice with just cause’, provides:

‘(1) The employment relationship may be terminated by either party to the contract with just cause without giving notice where facts are present on the basis of which the terminating party cannot reasonably be expected to continue the employment relationship to the end of the notice period or to the agreed end of the employment relationship, taking all circumstances of the individual case into account and weighing the interests of both parties to the contract.

(2) Termination may take place only upon expiry of a period of two weeks. That period starts to run when the person entitled to terminate becomes aware of the facts serving as the basis for termination. …’

德国《民法典》第626条题为“因正当理由而不通知解雇”，规定：

(1) 考虑到个案的所有情况，并权衡合同双方的利益，合同的任何一方均可在不发出通知的情况下，以正当理由终止雇用关系，如果存在相关事实证明不能合理地期望终止方将雇佣关系延续到通知期结束或约定的雇佣关系结束。

(2) 只有在两周的期限届满后才能终止。该期限从有权解雇的人了解到作为解雇依据的事实开始计算。

Leistritz is a company governed by private law, which is required under German law to designate a data protection officer. LH performed the duties of ‘head of legal affairs’ within that company from 15 January 2018 and those of data protection officer from 1 February 2018.

Leistritz是一家受德国私法管辖的公司，根据德国法律，该公司必须指定一名数据保护官。LH自2018年1月15日起担任该公司的“法律事务主管”，自2018年2月1日起履行数据保护官的职责。

By letter of 13 July 2018, Leistritz terminated LH’s employment contract with notice, with effect from 15 August 2018, invoking a restructuring measure of that company, in the context of which the activity of internal legal adviser and the data protection service were to be outsourced.

在2018年7月13日的信函中，Leistritz援引该公司的重组措施通知终止了LH的雇佣合同，并自2018年8月15日起生效。在此情形下，内部法律顾问和数据保护服务的工作将外包。

The courts adjudicating on the substance, before which LH challenged the validity of the termination of her contract, ruled that that termination was invalid, since, in accordance with the combined provisions of Paragraph 38(2) and the second sentence of Paragraph 6(4) of the BDSG, LH’s contract could be terminated extraordinarily only if there was just cause, owing to her status as data protection officer. The restructuring measure described by Leistritz did not, they found, constitute such a cause.

LH对终止其雇佣合同的有效性提出质疑，法院裁定该终止无效，因为根据BDSG第38条第(2)款和第6(4)段第二句的合并规定，同时考虑到LH是数据保护官员，其合同只有在有正当理由的情况下才能终止。法院认为，Leistritz所称的重组措施无法构成正当理由。

The referring court, before which Leistritz has brought an appeal on a point of law (‘Revision’), observes that, under German law, the termination of LH’s contract is void pursuant to those provisions and Paragraph 134 of the Civil Code. Nonetheless, it points out that the applicability of Paragraph 38(2) and of the second sentence of Paragraph 6(4) of the BDSG depends on whether EU law, and in particular the second sentence of Article 38(3) of the GDPR, allows legislation of a Member State to make the termination of a data protection officer’s employment contract subject to stricter conditions than those provided for by EU law. If it does not, the referring court would have to uphold the appeal on a point of law.

Leistritz已就法律问题提出上诉（“Revision”），提请法院认为，根据德国法律规定和《德国民法典》第134条，终止LH的合同是无效的。尽管如此，法院指出，BDSG第38(2)段和第6(4)段第二句的适用性取决于欧盟法律，特别是GDPR第38(3)条第二句，在终止数据保护官的雇佣合同方面，是否允许成员国的立法设定比欧盟法律规定更严苛的条件。如果不是，提请法院将维持相关法律问题的上诉。

The referring court states that its doubts arise particularly from the existence of a divergence in the national legal literature. On the one hand, the majority view considers that the special protection against termination provided for by the combined provisions of Paragraph 38(2) and the second sentence of Paragraph 6(4) of the BDSG constitutes a substantive rule of employment law in respect of which the European Union does not have legislative competence, with the result that those provisions are not contrary to the second sentence of Article 38(3) of the GDPR. On the other hand, according to the proponents of the minority view, the links between that protection and the position of data protection officer conflict with EU law and give rise to economic pressure to retain a data protection officer on a long-term basis once he or she has been designated.

提请法院指出，其疑问主要源于国家法律文献中存在的分歧。一方面，主流观点认为BDSG第38(2)段和第6(4)段第二句的合并规定提供的防止解雇的特殊保护构成了就业法的实质性规则，欧盟对此没有立法权，因此这些规定并不违反GDPR第38(3)条第二句。另一方面，根据少数派观点，这种保护与数据保护官职位之间的联系与欧盟法律相冲突，并且一旦数据保护官被指定，就导致公司承担长期保留数据保护官职位的经济压力。

In those circumstances, the Bundesarbeitsgericht (Federal Labour Court, Germany) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:

在这种情况下，德国联邦劳工法院决定中止诉讼程序，并将以下问题提交法院进行初步裁决：

‘(1) Is the second sentence of Article 38(3) of [the GDPR] to be interpreted as precluding a provision in national law, such as Paragraph 38(1) and (2) in conjunction with the second sentence of Paragraph 6(4) of the [BDSG], which declares ordinary termination of the employment contract of the data protection officer by the data controller, who is his or her employer, to be impermissible, irrespective of whether his or her contract is terminated for performing his or her tasks?

If the first question is answered in the affirmative:

‘(1) GDPR第38条第(3)款的第二句话是否应解释为排除国内法中的规定？例如BDSG第38条第(1)款和第(2)款及BDSG第6条第(4)款的第二句话，该条款宣布不允许作为雇主的数据控制者在通常情况下终止与数据保护官的雇佣合同，无论合同的终止是否是因为雇员的工作表现。

如果对第一个问题的回答是肯定的：

（图片来源于网络）

(2) Does the second sentence of Article 38(3) of the GDPR also preclude such a provision in national law if the designation of the data protection officer is not mandatory in accordance with Article 37(1) of the GDPR, but is mandatory only in accordance with the law of the Member State?

If the first question is answered in the affirmative:

(2) 如果根据GDPR第37(1)条，数据保护官员的指定不是强制性的，但仅根据成员国法律是强制性的，那么GDPR第38(3)条第二句是否也排除了成员国法中的这种规定？

如果对第一个问题的回答是肯定的：

(3) Is the second sentence of Article 38(3) of the GDPR based on a sufficient enabling clause, in particular in so far as this covers data protection officers that are party to an employment contract with the data controller?’

(3) GDPR第38条第(3)款的第二句话是否基于充分的授权条款，尤其是在涉及与数据控制者签订雇佣合同的数据保护官时？'

By its first question, the referring court asks, in essence, whether the second sentence of Article 38(3) of the GDPR must be interpreted as precluding national legislation which provides that a controller or a processor may terminate the employment contract of a data protection officer, who is a member of his or her staff, only with just cause, even if the contractual termination is not related to the performance of that officer’s tasks.

通过第一个问题，提交裁决的法院实质上询问的是，是否必须将GDPR第38(3)条第二句解释为排除成员国立法，该立法规定，只有在有正当理由的情况下，控制者或处理者才可以终止作为其工作人员的数据保护官的雇佣合同，即使合同的终止与雇员的工作表现无关。

As is clear from settled case-law, in interpreting a provision of EU law, it is necessary to consider not only its wording, by considering the latter’s usual meaning in everyday language, but also the context in which the provision occurs and the objectives pursued by the rules of which it is part (judgment of 22 February 2022, Stichting Rookpreventie Jeugd and Others, C‑160/20, EU:C:2022:101, paragraph 29 and the case-law cited).

从现有判例法中可以清楚地看出，在解释欧盟法律的一项条款时，不仅需要考虑其措辞以及该措辞在日常用语中的通常含义，还需要考虑该条款出现的背景及其所属规则所追求的目标（2022年2月22日的判决，Stichting Rookpreventie Jeugd and Others, C-160/20，EU:C:2022:101，第29段和所引用的判例法)。

In the first place, as regards the wording of the provision at issue, it should be noted that Article 38(3) of the GDPR provides, in its second sentence, that ‘he or she shall not be dismissed or penalised by the controller or the processor for performing his [or her] tasks’.

首先，关于争议条款的措辞，应当指出的是，GDPR第38条第3款第二句规定，“他或她不得因履行其任务而被控制者或处理者解雇或处罚”。

At the outset, it should be noted that the GDPR does not define the terms ‘dismissed’, ‘penalised’ and ‘for performing his [or her] tasks’ featuring in the second sentence of Article 38(3).

首先，应该指出的是，GDPR没有定义第38条第3款第二句中的“解雇”、“处罚”和“履行其任务”。

That being so, first, in accordance with the meaning which those words have in everyday language, the prohibition of the dismissal, by a controller or processor, of a data protection officer or of the imposition, by a controller or processor, of a penalty on him or her means, as the Advocate General essentially observed in points 24 and 26 of his Opinion, that that officer must be protected against any decision terminating his or her duties, by which he or she would be placed at a disadvantage or which would constitute a penalty.

因此，首先，根据这些词语在日常用语中的含义，禁止控制者或处理者解雇数据保护官，或对其施加惩罚意味着，正如检察长在其意见的第24和26点中实质性指出的那样，必须保护该官员免受任何终止其职务的决定的影响，因为这将使其处于不利地位或受到惩罚。

In that regard, a measure terminating a data protection officer’s employment contract taken by his or her employer and terminating the employment relationship existing between that officer and that employer and, therefore, also terminating the function of data protection officer in the undertaking concerned may constitute such a decision.

在这方面，可能构成这种决定的有雇主终止与数据保护官的雇佣合同及其雇佣关系的措施，以及相应终止的数据保护官在相关企业中的职务。

Second, the second sentence of Article 38(3) of the GDPR clearly applies without distinction both to the data protection officer who is a member of the staff of the controller or processor and to the person who fulfils the tasks on the basis of a service contract concluded with the latter, in accordance with Article 37(6) of the GDPR.

其次，GDPR第38条第3款第二句明确适用于作为控制者或处理者工作人员的数据保护官，以及根据GDPR第37条第6款，基于与控制者或处理者签订的服务合同履行任务的人员。

It follows that the second sentence of Article 38(3) of the GDPR is intended to apply to the relationship between a data protection officer and a controller or processor, irrespective of the nature of the employment relationship between that controller and the latter.

因此，GDPR第38(3)条第二句旨在适用于数据保护官与控制者或处理者之间的关系，无论该控制者与后者之间的雇佣关系性质如何。

Third, it should be noted that that provision imposes a limit which consists, as the Advocate General stated, in essence, in point 29 of his Opinion, in prohibiting the termination of a data protection officer’s employment contract on a ground relating to the performance of his or her tasks, which include, in particular, under Article 39(1)(b) of the GDPR, monitoring compliance with EU or Member State legal provisions and with the policies of the controller or processor in relation to the protection of personal data.

第三，应当注意，正如总检察长在其意见第29点中所指出的，该条款施加了一项限制，实质上包括禁止以与其履行任务有关的理由终止数据保护官的雇佣合同，其中特别包括GDPR第39(1)(b)条，监督遵守欧盟或成员国法律规定以及控制者或处理者有关个人数据保护的政策。

In the second place, as regards the objective pursued by the second sentence of Article 38(3) of the GDPR, it must first be pointed out that recital 97 of that regulation states that data protection officers, whether or not they are employees of the controller, should be in a position to perform their duties and tasks in an independent manner. In that regard, such independence must necessarily enable them to carry out those tasks in accordance with the objective of the GDPR, which seeks, inter alia, as is apparent from recital 10 thereof, to ensure a high level of protection of natural persons within the European Union and, to that end, to ensure a consistent and homogeneous application of the rules for the protection of the fundamental rights and freedoms of such natural persons with regard to the processing of personal data throughout the European Union (judgment of 6 October 2020, La Quadrature du Net and Others, C‑511/18, C‑512/18 and C‑520/18, EU:C:2020:791, paragraph 207 and the case-law cited).

其次，关于GDPR第38(3)条第二句所追求的目标，必须首先指出，该条例的叙文97规定，无论数据保护官是否是控制者的雇员，都应该能够以独立的方式履行其职务。在这方面，这种独立性必须使他们能够根据GDPR的目标执行这些任务，除其他外，正如叙文10中所述，该目标寻求确保在欧盟内对自然人的高水平保护，并为此目的确保在整个欧盟处理个人数据时一致和统一地适用保护这些自然人的基本权利和自由的规则（2020年10月6日的判决，La Quadrature du Net and Others，C-511/18、C-512/18和C-520/18，EU:C:2020:791，第207段和引用的判例法）。

（图片来源于网络）

Second, the objective of ensuring the functional independence of the data protection officer, as it follows from the second sentence of Article 38(3) of the GDPR, is also apparent from the first and third sentences of that provision, which require that that officer is not to receive any instructions regarding the exercise of those tasks and is to report directly to the highest level of management of the controller or processor, and from Article 38(5), which provides that, with regard to that exercise, that officer is to be bound by secrecy or confidentiality.

其次，根据GDPR第38(3)条第二句，确保数据保护官职能独立性的目标在该条款的第一句和第三句中也很明显。其要求数据保护官不会收到任何关于履行此类责任的指示，并可以直接向控制者或处理者的最高管理层进行报告。第38(5)条规定，数据保护官在完成其任务时负有保密义务。

Thus, the second sentence of Article 38(3) of the GDPR, by protecting the data protection officer against any decision which terminates his or her duties, places him or her at a disadvantage or constitutes a penalty, where such a decision relates to the performance of his or her tasks, must be regarded as essentially seeking to preserve the functional independence of the data protection officer and, therefore, to ensure that the provisions of the GDPR are effective. By contrast, that provision is not intended to govern the overall employment relationship between a controller or a processor and staff members who are likely to be affected only incidentally, to the extent strictly necessary for the achievement of those objectives.

因此，GDPR第38(3)条第二句保护数据保护官员免受任何终止其职责、使其处于不利地位或构成处罚的决定的影响，如果这种决定涉及其任务的履行，则必须被视为实质上寻求维护数据保护官的职能独立性，从而确保GDPR行之有效。相较而言，该规定无意管理控制者或处理者与可能只是偶然受到影响的工作人员之间的总体雇佣关系，但仅限于实现这些目标所必需的范围。

That interpretation is supported, in the third place, by the context of that provision and, in particular, by the legal basis on which the EU legislature adopted the GDPR.

第三，该条款的上下文，特别是欧盟立法机构通过GDPR的法律依据支持这种解释。

As is apparent from the preamble to the GDPR, that regulation was adopted on the basis of Article 16 TFEU, paragraph 2 of which provides, in particular, that the European Parliament and the Council of the European Union are, by means of regulations, acting in accordance with the ordinary legislative procedure, to lay down the rules relating, first, to the protection of natural persons with regard to the processing of personal data by the EU institutions, bodies, offices or agencies and by the Member States when carrying out activities which fall within the scope of EU law and, second, to the free movement of such data.

从GDPR序言中可以看出，该条例是根据TFEU第16条通过的，该条第2段特别规定，欧洲议会和欧盟理事会通过条例，按照普通立法程序，制定如下规则：首先，在欧盟机构、机关、办公室或机构以及成员国在开展属于欧盟法律范围内的活动时处理个人数据方面保护自然人；其次，保护此类数据的自由流动。

By contrast, apart from the specific protection of the data protection officer provided for in the second sentence of Article 38(3) of the GDPR, the fixing of rules on protection against the termination of the employment contract of a data protection officer employed by a controller or by a processor does not fall within the scope of the protection of natural persons with regard to the processing of personal data or within the scope of the free movement of such data, but within the field of social policy.

相较而言，除了GDPR第38条第(3)款第二句中规定的对数据保护官的具体保护之外，确定被控制者或处理者雇用的数据保护官的雇佣合同的终止规则不属于在处理个人数据方面对自然人的保护范围，也不属于此类数据自由流动的范畴，而是属于社会政策领域。

In that regard, it should be borne in mind, first, that, under Article 4(2)(b) TFEU, the European Union and the Member States have, in the field of social policy, for the aspects defined in that Treaty, a shared competence for the purposes of Article 2(2) thereof. Second, and as is specified in Article 153(1)(d) TFEU, the European Union is to support and complement the activities of the Member States in the field of the protection of workers in cases where their employment contract is terminated (see, by analogy judgment of 19 November 2019, TSN and AKT, C‑609/17 and C‑610/17, EU:C:2019:981, paragraph 47).

在这方面，应该铭记，首先，根据《欧盟运行条约》（Treaty on the Functioning of the European Union，以下简称“TFEU”）第4(2)(b)条，欧盟及其成员国在社会政策领域，就该条约所界定的方面而言，拥有共同的权限，以实现条约第2(2)条的目的。其次，正如TFEU第153(1)(d)条所规定的，欧盟将支持、补足成员国在雇佣合同终止时保护劳动者的行为（参见2019年11月19日的类比判决，TSN和AKT，C-609/17和C-610/17，EU:C:2019:981，第47段）。

That being so, as is clear from Article 153(2)(b) TFEU, it is by means of directives that the Parliament and the Council may lay down minimum requirements in that regard, since such minimum requirements cannot, according to the Court’s case-law, in the light of Article 153(4) TFEU, prevent any Member State from maintaining or introducing more stringent protective measures that are compatible with the Treaties (see, to that effect judgment of 19 November 2019, TSN and AKT, C‑609/17 and C‑610/17, EU:C:2019:981, paragraph 48).

因此，正如TFEU条约第153(2)(b)明确的，欧洲议会和欧洲理事会可以通过颁布指令的方式规定这方面的最低要求，因为根据法院判例和TFEU第153(4)条，这种最低要求不能阻止任何成员国维持或采取符合条约的更严格的保护措施（见2019年11月19日TSN和AKT案的判决，C-609/17和C-610/17）。

It follows, as the Advocate General stated, in essence, in point 44 of his Opinion, that each Member State is free, in the exercise of its retained competence, to lay down more protective specific provisions on the termination of a data protection officer’s employment contract, in so far as those provisions are compatible with EU law and, in particular, with the provisions of the GDPR, particularly the second sentence of Article 38(3) thereof.

因此，正如总检察长在其意见第44点中所述，实质上，各成员国在行使其保留的权限时，都可以自由地就终止数据保护官雇佣合同制定更具保护性的具体规定，只要这些规定符合欧盟法律，特别是符合GDPR的规定，尤其是其中第38(3)条第二句。

In particular, as the Advocate General observed in points 50 and 51 of his Opinion, such increased protection cannot undermine the achievement of the objectives of the GDPR. That would be the case if it prevented any termination of the employment contract, by a controller or by a processor, of a data protection officer who no longer possesses the professional qualities required to perform his or her tasks or who does not fulfil those tasks in accordance with the provisions of the GDPR.

特别是，正如检察长在其意见的第50和51点中所指出的，这种加强保护不能损害GDPR目标的实现。例如，这种加强保护防止了不再具备履职素质或未能履职的数据保护官被控制者或处理者终止雇佣合同，契合GDPR的规定。

In the light of the foregoing considerations, the answer to the first question is that the second sentence of Article 38(3) of the GDPR must be interpreted as not precluding national legislation which provides that a controller or a processor may terminate the employment contract of a data protection officer, who is a member of his or her staff, only with just cause, even if the contractual termination is not related to the performance of that officer’s tasks, in so far as such legislation does not undermine the achievement of the objectives of the GDPR.

鉴于上述考虑，对第一个问题的答复是，必须将GDPR第38(3)条第二句解释为不排除国家立法。该立法规定，只要不妨碍GDPR目标的实现，在有正当理由的情况下，即使合同终止与雇员的工作无关，控制者或处理者也可以终止作为其工作人员的数据保护官的雇佣合同。

In the light of the answer given to the first question, there is no need to answer the second and third questions.

鉴于对第一个问题的答复，无需回答第二和第三个问题。

Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the national court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.

由于对主要诉讼程序的当事方来说，这些诉讼是国家法院未决诉讼的一个步骤，因此关于费用的决定由该法院作出。除这些当事方的费用外，向法院提交意见的费用不可收回。

On those grounds, the Court (First Chamber) hereby rules:

基于这些理由，法院（第一分庭）特此裁定：

The second sentence of Article 38(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), must be interpreted as not precluding national legislation which provides that a controller or a processor may terminate the employment contract of a data protection officer, who is a member of his or her staff, only with just cause, even if the contractual termination is not related to the performance of that officer’s tasks, in so far as such legislation does not undermine the achievement of the objectives of that regulation.

欧洲议会和欧洲理事会在2016年4月27日颁布的关于在个人数据处理和此类数据自由流动方面保护自然人的条例第2016/679号第38(3)条第二句，以及废除指令95/46/EC(GDPR)的行为必须解释为不排除“控制者或处理者可以终止作为其雇员的数据保护官的雇佣合同”的成员国立法。该成员国立法规定只要不妨碍GDPR目标的实现，在有正当理由的情况下，即使合同终止与雇员的工作无关，控制者或处理者也可以终止作为其工作人员的数据保护官的雇佣合同。