Court case HFD:2021:125 – Court Ruling (Finland, 2021)

The Regional Government of Åland had appointed Mr A as head of the regional Ålandic DPA for a probationary period of one year. Pursuant to section 10(2) of the Act on Public Officials in the Region of Åland, the Government of Åland stated that they would not propose the appointment of A to a permanent post and that A's term of office would therefore automatically come to and end after the one-year probationary period. At the end of the probationary period, the Government of Åland issued a notice confirming that Mr A's term of office had ended. Mr A however applied to the Supreme Administrative Court of Finland for the annulment of this decision, which he considered contrary to the GDPR. The Supreme Administrative Court considered that the notice issued by the Government of Åland constituted an administrative decision terminating Mr A's mandate. The Supreme Administrative Court found that, in addition to national legislation, A's role as head of the data protection authority is also regulated by EU law, and in particular by the GDPR. Although the GDPR does not contain explicit provisions regarding probationary period, the minimum length of the term of any member of any data protection authority is "no less than four years", as set in Article 54(1)(d) GDPR. As a consequence, the termination of A's mandate at the end of the probationary period could not be considered in line with the GDPR. The Supreme Administrative Court further noted that leaving Mr A without any possibility of appeal against that decision would be contrary to the right to a fair trial as protected under the Finnish Constitution, Article 19 TFEU and Article 47 CFR. As Mr A's mandate and termination had not been assessed in the light of the provisions of the GDPR, the Supreme Administrative Court concluded that the decision to terminate Mr A's mandate had to be annulled and the matter referred back to the Government of Åland for reconsideration.