DSB (Austria) - W108 2273800-1
From GDPRhub
| DSB - W108 2273800-1 | |
|---|---|
 | |
| Authority: | DSB (Austria) |
| Jurisdiction: | Austria |
| Relevant Law: | Article 4(7) GDPR §24 DSG §27 DSG §68 AVG Article 130 |
| Type: | Complaint |
| Outcome: | Rejected |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | W108 2273800-1 |
| European Case Law Identifier: | ECLI:AT:BVWG:2023:W108.2273800.1.00 |
| Appeal: | n/a |
| Original Language(s): | German |
| Original Source: | RIS (in DE) |
| Initial Contributor: | Annkathrin.a.dix |
DPA rejected an individual’s data protection complaint for failing to lodge a complaint within the time-limit prescribed by domestic law.
English Summary
Facts
On 20 March 2021, an incident occurred in traffic between the complainant (the data subject) and an individual (the reporter), who subsequently filed a complaint at the police station. On 28 September 2021, the complainant inspected the complaint and the associated police file after being informed that the proceedings had been discontinued. The complainant discovered that the reporter knew their name at the time of filing the complaint. As a result, the data subject submitted a (data protection) complaint to the relevant data protection authority (DPA) on 23 October 2021. They alleged a violation of the right to secrecy under § 1 Datenschutzgesetz (Data Protection Act) (DSG) by the police officer involved in their case. On 21 September 2022, the DPA handling the case issued a decision, dismissing the complainant's data protection complaint against the police officer on the grounds that the police officer did not have controller status within the meaning of Article 4(7) Datenschutz-Grundverordnung (General Data Protection Regulation) (GDPR). Following the dismissal, the complainant lodged a new data protection complaint against the police officer involved in a letter dated 09 October 2022. Upon the request of the DPA, the data subject provided a statement that they became aware of the violation of the right to secrecy in December 2021 based on subsequent inquiries. Therefore, they argued that their new complaint filed in October 2022 was timely. On 30 January 2023, the authorities alleged that the data subject made contradictory statements regarding their knowledge of the alleged violation. On 06 February 2023, the complainant responded that there was no contradiction and provided an explanation. The data subject made further submissions on 28 March 2023, highlighting that their new complaint was not identical to the first complaint because the responsible person had changed. They argued that the concept of the ‘responsible person’ should be defined and interpreted broadly to allow complainants to make mistakes in identifying responsible individuals without invalidating their complaints. The data subject further reiterated that their second complaint was timely, and was proven. On 19 May 2023, the authorities rejected the complainant's data protection complaint filed on 09 October 2022. The authority argued that the complainant's request to address the data protection complaint had expired as the one-year limitation period from the date of knowledge of the adverse event had already lapsed, as stipulated in § 24(4) (DSG). The complainant was aware of the adverse event on 28 September 2021, as exemplified in their own statements. However, the complaint was only lodged on 10 October 2022.
Holding
The Court held that the deadlines specified in §24 DSG are preclusive deadlines, which must be considered ex officio if the facts are established without objection. It emphasised that the fact that the current data protection complaint filed (on 09 October 2022) targeted the same alleged data protection violation by the officer on 20 March 2021, and was directed at another respondent, did not matter. The subjective deadline of one year under § 24(4) DSG had already expired with respect to the data protection issue in question. The complainant did not lodge the said complaint within one year of becoming aware of the alleged offending event, which resulted in the expiration of the right to complaint handling in accordance with § 24(4) DSG. The Court also argued that these deadlines do not disproportionately restrict the right to lodge a complaint under Article 77 GDPR. Moreover, § 68(1) Allgemeines Verwaltungsverfahrensgesetz (General Administrative Procedure Act) (AVG) has the purpose of preventing the reexamination of a previously resolved matter. In accordance with said provision, the reconsideration of a matter that was already legally decided based on the complainant's initial data protection complaint from 23 October 2021, and the decision made by the DPA, is not allowed. Therefore, the filing of a data protection complaint was no longer permissible and the DPA was justified in refusing to deal with the content of the data protection complaint and rejecting it in the contested decision. The legality of the authority’s decision on 21 September 2022 could therefore not be questioned in these proceedings. Since the contested decision was held to be legal as stipulated in Article 130 paragraph 1 Z 1 Bundes-Verfassungsgesetz (Federal Constitutional Law)(B-VG), the decision upheld the verdict.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Postal address: Erdbergstrasse 192 – 196 1030 Vienna Tel: +43 1 601 49 – 0 Fax: + 43 1 711 23-889 15 41 E-mail: einlaufstelle@bvwg.gv.at www.bvwg.gv.at Decision date 15.12.2023 Reference number W108 2273800-1/6E IN THE NAME OF THE REPUBLIC! The Federal Administrative Court, through Judge Mag. BRAUCHART as chair, and the expert lay judge Dr. FELLNER-RESCH and the expert lay judge Mag. KUNZ as assessor and assessor on the complaint of XXXX against the decision of the data protection authority dated May 19, 2023, ref. D124.1324/22 2023-0.279.721, concerning Rejection of a data protection complaint (party involved: State Police Directorate XXXX ) rightly ruled: A) The complaint is dismissed as unfounded in accordance with Section 28 Para. 2 VwGVG. B) The appeal is not admissible in accordance with Art. 133 Para. 4 B-VG. Reasons for the decision: I. Course of proceedings/facts: 1. The background concerns the proceedings with the number D124.5175 of the data protection authority (authority concerned before the Federal Administrative Court): - 2 - 1.1. In a written statement dated October 23, 2021, the complainant submitted a complaint pursuant to Article 77 of the General Data Protection Regulation (GDPR) or Section 24 of the Data Protection Act (DSG; hereinafter: data protection complaint) to the authority concerned concerning a violation of the right to information pursuant to Article 15 of the GDPR and the right to confidentiality pursuant to Section 1 of the DSG and stated in summary that on March 20, 2021, he had been reported to the XXXX police station by XXXX (hereinafter: L. or the complainant) for allegedly crossing a barrier line. In the course of filing the report, the police officer Inspector XXXX (hereinafter: M.) passed on his personal details (at least his name) to L. without legal basis and without his knowledge or consent. In addition, the police refused to provide information pursuant to Article 15 of the GDPR. 1.2. With the order to remedy the defects dated November 8, 2021, the complainant was asked, among other things, to supplement his information on the respondent to state whether action should be taken against the XXXX city police command and to provide more detailed information on the timeline when he became aware of the alleged violation of law. 1.3. In a statement dated November 22, 2021, the complainant stated that he had known since September 28, 2021 that the complainant had personal data concerning him that he must have learned from M. On that day, he had been at the XXXX state police directorate (now a co-involved party) to view the report and the files. 1.4. In a submission dated December 15, 2021, the complainant expanded his complaint about non-response or incorrect information from the State Police Directorate XXXX as well as the unauthorized disclosure of numerous personal data, such as his PIN number, to the complainant in the course of the accident report submitted by the State Police Directorate. In summary, he claimed that not only had it been proven that M. had divulged personal data to the complainant for his report, but that the police had also passed on further personal data, such as his PIN number, to the complainant via the accident report without reason. 1.5. With a supplementary order to remedy the defects dated February 10, 2022, the complainant was again asked to supplement the information on the respondent to indicate whether he wanted to take action against M., the State Police Directorate XXXX (now a co-involved party) or another respondent. - 3 - 1.6. In a statement dated February 26, 2022, the complainant stated that there were naturally two respondents, but in the case of authorities, this distinction was likely to be hair-splitting, since the official department was always liable for subordinates, i.e. the State Police Directorate or, ultimately, the Ministry of the Interior. The authority concerned must clarify this question of liability; he cannot and does not have to commission any legal opinions on this matter. It is undisputed that the violation of the right to confidentiality was first committed by M. because he gave his personal data to the person making the report without any reason and included it in the report. The second violation was then committed by the State Police Directorate, which included his cell phone number in the accident report. 1.7. At the request of the authority concerned, the State Police Directorate XXXX (now a co-involved party) submitted a statement on May 4, 2022, in which it was stated that the data protection complaint filed against its employee M. would have to be rejected for formal reasons, especially since an individual federal official could never be the target of a data protection complaint, but rather it should be directed against the competent authority. This is based on Section 26 of the Data Protection Act, according to which the director of a monocratically organized authority for which the body was active should be considered as the person responsible for the public sector in the present case. 1.8. After being informed of the results of the investigation and sending the statement of May 4, 2022 to the complainant, the complainant replied in a written statement of June 18, 2022 that the authority concerned - if M. was not the person responsible for his actions - should have complained about this from the beginning or simply relabeled his complaint. In any case, a respondent (meaning: the complainant) is not obliged to conduct detective work to determine the names of the internal superiors, monocratic external representatives or those responsible. It is undisputed that M. passed on his personal data to the complainant on March 20, 2021 without reason and without legal basis and that this data protection violation was committed by M. The authority concerned would have to establish who his superior or the person responsible was. In any case, his complaint should not be rejected, but at best extended to include any superiors. The authority concerned should undertake such an extension immediately upon receipt of the complaint or advise the complainant to do so. However, he points out that the legal opinion of the State Police Directorate is not comprehensible even to the lawyers he consulted and contradicts current practice. He himself has filed complaints against several employees of the city council and has been found right by the authority concerned, - 4 - without having investigated "monocratic heads of authorities". It is also pointless to ponder whether only "persons responsible for processing" or also minor employees like M. can violate the GDPR. 1.9. By a final decision dated September 21, 2022, GZ: D124.5175/2022-0.454.248, the authority concerned dismissed the complainant's data protection complaint of October 23, 2021 (received on October 28, 2021) against M. for alleged violation of the right to confidentiality and against the State Police Directorate XXXX (now a co-involved party) for alleged violation of the right to information as unfounded. The authority concerned essentially justified its decision regarding the complainant's data protection complaint against M. as follows: Section 26 of the Data Protection Act states that an individual federal officer, such as M. in the case at issue, can never be the target of a data protection complaint, rather the complaint must be directed against the competent authority. M.'s actions were attributable to the State Police Directorate, which should therefore have been designated as a party in the proceedings before the data protection authority in accordance with Section 26 Paragraph 2 of the Data Protection Act. There were no indications that M. had processed the complainant's data on his own authority outside of the area of activity assigned to him. M. was clearly designated as the respondent several times in the complaint by the complainant. However, if a respondent is unambiguously designated, the authority concerned is prevented from conducting proceedings against another respondent, as otherwise proceedings would be conducted against a party to the proceedings with whom the complainant did not wish to enter into proceedings. An official reinterpretation is therefore inadmissible. According to the case law of the Federal Administrative Court, this applies even if the respondent designated cannot be considered to be a responsible party in accordance with Article 4 Paragraph 7 of the GDPR. Since there was no action relevant to data protection law that could be legally attributed to M., named in the complaint, as the respondent, he could not have violated the complainant's right to confidentiality. 2. The proceedings in question: 2.1. In a written submission dated October 9, 2022, the complainant filed the data protection complaint entitled "new complaint against State Police Directorate XXXX (the now co-participating party, note) due to Insp. XXXX (M., note) impermissible disclosure of personal data to third parties: violation of the right to confidentiality and information" with the authority concerned. - 5 - In this, the complainant stated: His data protection complaint of October 23, 2021 against M. was essentially rejected without review by the authority concerned's decision of September 21, 2022. The decision is difficult to assess legally, so that an "appeal" to the administrative court does not appear to be expedient. Instead, it would be sensible to amend the original complaint based on the (inconclusive) argument of the authority concerned and to submit it again. The fact that M. cannot be a "responsible person" in the sense of the GDPR is extremely questionable and the reference to the SPG or the StVO is irrelevant in terms of data protection law. The unfounded reference by the authority concerned to the old, essentially no longer valid, DSG in the decision is also unclear and irrelevant. The argument of the authority concerned is absurd, in particular it always explicitly referred to the party involved as the "2nd respondent", but then claimed that it had neglected to name them as the respondent. In any case, on February 26, 2022, at the request of the authority concerned, he also named the other party involved as the respondent, which the authority concerned completely ignored. The definition of the person responsible within the meaning of the GDPR is also difficult to interpret in the case of secret, non-official data transfer by M., so of course only M. himself could be responsible for his data sharing. Only M. decided on his own that he had improperly shared data that he had become aware of in the course of his work with third parties. In accordance with the wishes of the authority concerned, the old complaint will be reformulated and resubmitted to the new respondent "LPD XXXX". 2.2. With the order to remedy the defects dated November 29, 2022, the complainant was asked to provide information on the timeline and to announce when he became aware of the alleged violation of law (sharing of his personal data). 2.3. The complainant submitted a statement on December 18, 2022 and stated that he only learned of the violation of the right to confidentiality in December 2021. Although he first learned of the existence of the complaint against him on September 28, 2021, he was not yet able to estimate at that time which personal data M. or the other party involved had passed on. By answering his inquiries to the other party involved, he then became aware of new circumstances and documents from December 2021 onwards that proved a much larger and more systematic data transfer. Since he was only able to recognize the connections in December 2021, which information had been passed on to whom and when, his new, second complaint from October 2022 was also timely. - 6 - 2.4. In response to a further allegation by the authority concerned on January 30, 2023, according to which the complainant's statements regarding knowledge of the alleged violation of law were contradictory, since he stated on the one hand that he had been aware of the violation of the right to confidentiality from December 15, 2021, and on the other hand that he had learned on September 28, 2021 that a police officer had passed on his personal data to a third party, the complainant stated in a written statement dated February 6, 2023 that there could be no question of a contradiction. He had learned of the existence of the report on September 28, 2021, but of course could not have known at that time how the complainant had known his name and other personal data, even if it was obvious that M. had diligently requested data about him and divulged it to the complainant. He had therefore sent an inquiry or a request for information to the police department, in which he had inquired why the complainant knew his name and from whom he had obtained this information. Only the information provided by the police by ADir XXXX (hereinafter: K.) on December 9th, 2021, which he received on December 13th, 2021, contained the first official information on how the complainant knew his personal data. Only then was it evident and proven to him that the police themselves had passed on his data to the complainant. His new complaint of October 9th, 2022 about K.'s information of December 9th, 2021 was therefore clearly timely. 2.5. The co-participating party submitted a statement on this on March 14, 2023, in which it essentially stated: The matter had been decided, since the authority concerned had already legally rejected the complaint as unfounded on the same matter with a decision dated September 21, 2022, under number D124.5175/2022-0.454.248. Apart from that, the new complaint appears to be out of time in accordance with Section 24 (4) DSG in conjunction with Article 77 GDPR. In addition, reference is made to the statements of the co-participating party in the proceedings on the above-mentioned number. 2.6. The complainant replied to this in a submission dated March 28, 2023, summarizing that it was wrong that his complaint was identical to the first complaint, since the person responsible had changed. The authority concerned also takes the view that the term "person responsible" must be broadly defined and that complainants must be allowed to make mistakes in the designation of the person responsible without this invalidating complaints. The second complaint was also very much within the deadline, as he had already demonstrated. - 7 - 2.7. The authority concerned informed the complainant of the results of the investigation by letter dated April 12, 2023 and pointed out that, based on the complainant's statements from the current proceedings and the already concluded proceedings relating to number D124.5175, it was suspected that he had become aware of the complaining event (alleged unlawful disclosure of his personal data to third parties) by September 28, 2021 at the latest. On October 23, 2021, the complainant filed a complaint regarding the violation of the right to confidentiality with the data protection authority and claimed that M. had passed on personal details to the complainant. In the current proceedings, however, the complainant states that he only became aware of the violation of the right to confidentiality in December 2021, i.e. only about two months after filing his complaint, which is blatantly contradictory. 2.8. In a written statement dated April 15, 2023, the complainant stated that on September 28, 2021, it had not been proven that M. had divulged his personal data to the complainant, and that it could have been any other police officer on duty on March 20, 2021. On December 13, 2021, a completely new subject of the complaint arose, since the police or K. had prepared a fictitious accident report in the fall of 2021 that contained new personal data about him. This report could not have existed in March 2021, which is why only M. could have passed on the data. But that is not at all relevant, since his second complaint is of course also about K.'s fictitious accident report, which contains new personal data, e.g. his PIN number. The fact that he had already had reason to believe on September 28, 2021 that M. had unlawfully divulged personal data to the person who made the complaint is correct, but not the sole subject of his second complaint of October 9, 2022, because the main reason for his complaint only became known to him on December 13, 2021. 2.9.With the now contested decision of May 19, 2023, number D124.1324/222023- 0.279.721, the complainant's data protection complaint of October 9, 2022 against the co-involved party was rejected for violation of the right to confidentiality. After describing the course of the proceedings, the authority concerned initially stated that the subject matter of the complaint, based on the complainant's submission initiating the proceedings, was the question of whether the co-involved party had violated the complainant's right to confidentiality by M. unlawfully passing on the complainant's personal data to third parties. The subject matter of the complaint was not the question of whether the complainant's right to confidentiality had been violated by the police or K. unlawfully passing on new personal data of the complainant through a "fictitious" accident report. This submission is to be regarded as a new complaint and will be dealt with in a separate procedure. The question of whether the party involved had violated the complainant's right to information was dealt with in another procedure with the reference number D124.1540/22, in which procedure a decision was issued on February 22, 2023. Legally, the authority concerned held that the complainant's claim (to process the data protection complaint in question) had expired because the relative preclusion period of one year from knowledge of the complaining event within the meaning of Section 24 (4) DSG had already expired. The complainant had already become aware of the complaining event on September 28, 2021, which is clear from his statements, but the complaint was not filed until October 10, 2022. If he now argues that on September 28, 2021, it was not proven that M. had divulged personal data to the complainant, but that it could also have been another police officer, this is contradicted by the fact that the complainant had unequivocally stated both in the complaint filed on October 23, 2021 under the reference number of the authority concerned D124.5175 and in the present proceedings that he considered his right to confidentiality to have been violated because M. had passed on his personal data to third parties. By filing the complaint in the present proceedings and in the proceedings under reference number D124.5175, it is clear that the complainant had no doubt that M. had passed on his personal data to third parties. If he now subsequently claims that he could not have known which police officer had passed on his data and that he therefore only became aware of the complaining event later, this argument is not credible. The complainant's argument that he only became aware on December 13, 2021 that the police or K. had passed on his personal data to third parties through K.'s fictitious accident report is not relevant to the present proceedings, since this is a different event that is not the subject of the complaint and cannot be used for the time of obtaining knowledge. The data protection complaint was therefore to be rejected. 11. The complainant lodged a timely party complaint against this decision with the Federal Administrative Court in accordance with Article 130, paragraph 1, item 1 of the Federal Constitutional Law, in which he essentially repeated his previous arguments and argued that the authority concerned had improperly narrowed the subject matter of his new complaint to the question of whether M. had passed on personal data to L. on March 20, 2021. The authority concerned thus ignored the essential fact that it was undisputed that he had only received information from the co-participating party on December 13, 2021 on the question of who had passed on his personal data to L., when and how. The focus of his second complaint was the incorrect information provided by the co-participating party or K. on December 9, 2021. The second complaint of October 9, 2022 was therefore in any case timely.12. The authority concerned did not make use of the possibility of a preliminary decision on the complaint and submitted the complaint together with the relevant files of the administrative procedure to the Federal Administrative Court for a decision, defending the contested decision. 13. The Federal Administrative Court sent the complaint to the other party involved by way of a complaint notification in accordance with Section 10 of the Administrative Court Act (VwGVG) for information and comment. 14. The other party involved subsequently made no further comment. II. The Federal Administrative Court considered: 1. Findings: The course of proceedings/facts described under point I. form the basis for the findings. It is therefore clear in particular: On March 20, 2021, at around 11:40 a.m., an incident occurred in road traffic in XXXX between the complainant and XXXX (L.). On the same day, L. filed a complaint against the complainant with the XXX police station for crossing a barrier line. After the complainant was informed of the discontinuation of the proceedings, he inspected the complaint and the associated police file at the XXXX State Police Directorate (co-involved party) on September 28, 2021. Since the complainant assumed that L. should not have known his name at the time of the report, he submitted a data protection complaint to the relevant authority on October 28, 2021 in a written statement dated October 23, 2021, alleging, among other things, a violation of the right to confidentiality pursuant to Section 1 of the Data Protection Act by the police officer of the co-involved party XXXX (M.) and stated that M. had passed on his personal details (at least - 10 - his name) to L. on March 20, 2021 when filing the report or taking the report. By decision of September 21, 2022, number D124.5175/2022-0.454.248, the authority concerned rejected the complainant's data protection complaint of October 23, 2021 against M. for alleged violation of the right to confidentiality due to lack of controller status within the meaning of Art. 4 Z 7 GDPR and against the co-involved party for alleged violation of the right to information as unfounded. Subsequently, the complainant filed a data protection complaint against the co-involved party in a written submission dated October 9, 2022 for the impermissible disclosure of his name by M. to L. in the course of collecting or recording the report on March 20, 2021. 2. Assessment of evidence: The findings are based on the content of the administrative files submitted by the authority concerned and the court files in question. The relevant investigation results and documents are contained in the administrative files submitted. The authority concerned carried out a flawless, proper investigation procedure and correctly established the relevant facts in the grounds for the contested decision in accordance with the files. The complainant did not object to the facts established by the authority concerned and the assessment of evidence in his complaint or only did so in an unsubstantiated manner. The facts relevant to the decision are therefore established. 3. Legal assessment: 3.1. According to Art. 130 Para. 1 Z 1 B-VG, the administrative courts rule on complaints against the decision of an administrative authority on the grounds of illegality. According to § 6 BVwGG, the Federal Administrative Court decides by single judges, unless federal or state laws provide for decisions by senates. According to § 27 Data Protection Act (DSG) as amended, the Federal Administrative Court decides by senate in proceedings on complaints against decisions due to violation of the duty to inform pursuant to § 24 paragraph 7 and the data protection authority's duty to decide. The senate consists of a chairperson and one expert lay judge each from the circle of employers and employees. - 11 - The procedure of the administrative courts, with the exception of the Federal Finance Court, is regulated by the VwGVG, Federal Law Gazette I 2013/33 as amended by Federal Law Gazette I 2013/122 (§ 1 leg.cit.). According to § 58 paragraph 2 VwGVG, conflicting provisions that were already published at the time this federal law came into force remain in force. According to Section 17 VwGVG, unless otherwise provided in this federal law, the provisions of the AVG with the exception of Sections 1 to 5 and Part IV, the provisions of the Federal Fiscal Code - BAO, Federal Law Gazette No. 194/1961, the Agricultural Procedure Act - AgrVG, Federal Law Gazette No. 173/1950, and the Civil Service Procedure Act 1984 - DVG, Federal Law Gazette No. 29/1984, and, in addition, those procedural provisions in federal or state laws that the authority applied or should have applied in the proceedings preceding the proceedings before the administrative court, are to be applied mutatis mutandis to the procedure for complaints pursuant to Article 130 Paragraph 1 B-VG. According to Section 28 Paragraph 2 VwGVG, the administrative court must decide on the merits of complaints pursuant to Article 130 Paragraph 1 Item 1 B-VG if (1.) the relevant facts are established or (2.) the establishment of the relevant facts by the administrative court itself is in the interest of speed or is associated with a significant cost saving. 3.2. The complaint was filed within the deadline and the other procedural requirements are also met. 3.3. On the merits: 3.3.1. Since in the present case the authority concerned rejected the data protection complaint, the only issue in the complaint procedure is the question of the legality of the rejection (see, for example, VwGH March 27, 2019, Ra 2019/10/0020). 3.3.2. The provisions of the Data Protection Act (DSG) and Regulation (EU) 2016/679 (General Data Protection Regulation), GDPR, relevant to the complaint procedure in question are (excerpts, including heading): Section 1 Paragraphs 1 and 2 DSG: - 12 - Fundamental right to data protection Section 1. (1) Everyone has the right to keep personal data concerning him or her confidential, in particular with regard to respect for his or her private and family life, insofar as there is a legitimate interest in doing so. The existence of such an interest is excluded if data is not accessible to a confidentiality claim due to its general availability or its lack of traceability to the person concerned. (2) To the extent that the use of personal data is not in the vital interest of the data subject or with his consent, restrictions on the right to confidentiality are only permissible to protect the overriding legitimate interests of another party, and in the case of interventions by a state authority only on the basis of laws that are necessary for the reasons set out in Article 8 paragraph 2 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR), Federal Law Gazette No. 210/1958. Such laws may only provide for the use of data that are particularly worthy of protection by their nature to protect important public interests and must at the same time establish appropriate guarantees for the protection of the data subject's interests in confidentiality. Even in the case of permissible restrictions, the interference with the fundamental right may only be carried out in the mildest way that achieves the objective. Section 24 DSG Paragraphs 1 and 4 DSG: Complaint to the data protection authority Section 24. (1) Every data subject has the right to complain to the data protection authority if they believe that the processing of personal data concerning them violates the GDPR or Section 1 or Article 2, Chapter 1. (4) The right to have a complaint dealt with expires if the complainant does not submit it within one year of becoming aware of the event giving rise to the complaint, but at the latest within three years of the event allegedly occurring. Late complaints must be rejected. Art. 4 Z 7 GDPR: Definitions Art. 4. For the purposes of this Regulation, the following terms shall apply: 7. “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data; where the purposes and means of such processing are specified by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; 3.3.3. Applied to the present case, this means the following: 3.3.3.1. It should be noted in advance that the subject matter of the proceedings is only the rejection of the data protection complaint of October 9, 2022 against the co-participating party regarding the alleged violation of the right to confidentiality pursuant to Section 1 of the Data Protection Act due to the disclosure of the complainant's name by the police authority M. acting on their behalf to the complainant L. in the course of the filing of the report or the recording of the report on March 20, 2021. The authority concerned only agreed on this matter in the contested decision. However, the subject matter of the proceedings - as the authority concerned also stated in the contested decision - is not the alleged violation of the right to confidentiality pursuant to Section 1 of the Data Protection Act due to the disclosure of the complainant's personal data, among other things. his PIN number, in the course of handing over an accident report dated March 20, 2021 or a photo insert dated March 26, 2021 to L., which the complainant, according to his statements, learned about on December 13, 2021, as well as the alleged violation of the right to information pursuant to Art. 15 GDPR by the party involved.Contrary to the statements of the complainant in the party complaint, the authority concerned did not improperly limit the subject matter of the proceedings of his "new complaint" to the question of whether M. had passed on personal data to L. on March 20, 2021, but expressly stated in the contested decision that a new investigation must be conducted with regard to the (not the subject of the proceedings here) alleged violation of the right to confidentiality under Section 1 of the Data Protection Act due to the passing on of the complainant's personal data, including his PIN number, in the course of handing over the accident report of March 20, 2021 to L., which is why this submission is to be regarded as a new complaint and dealt with in a separate procedure. Furthermore, the authority concerned has stated that with regard to the alleged violation of the right to information pursuant to Art. 15 GDPR, a decision had already been issued on February 22, 2023, in reference number D124.1540/22 (see pages 4 and 8 of the contested decision). 3.3.3.2. Against this background (with regard to the subject matter of the proceedings), the rejection of the complainant's data protection complaint of October 9, 2022 against the other party involved due to violation of the right to confidentiality, which was pronounced by the authority concerned in the contested decision, was justified: 3.3.3.2.1. According to Section 24 Paragraph 4 of the Data Protection Act, the right to have a complaint dealt with expires if the complainant does not submit it within one year of becoming aware of the event giving rise to the complaint, but at the latest within three years of the event allegedly occurring. Late complaints must be rejected. - 14 - The deadlines specified in Section 24 DSG are preclusive deadlines (see OGH 31.07.2015, 6 Ob 45/15h and Jahnel, Data Protection Law, Update, p. 191 on the predecessor provision of Section 34 Para. 1 DSG 2000 and Bresich, Dopplinger, Dörnhöfer, Kunnert, Riedl, DSG, p. 190 on Section 24 DSG), which must be taken into account ex officio, i.e. in the case of established facts without objection (cf. Dohr/Pollirer/Weiss/Knyrim, Data Protection Law, Section 34, Note 2 on the predecessor provision of Section 34 Para. 1 DSG 2000). From Bresich, Dopplinger, Dörnhöfer, Kunnert, Riedl it emerges that the limitation rule of Section 24 Para. 4 DSG with regard to the time limits for the expiration of the right to have a complaint dealt with largely corresponds to Section 34 Para. 1 DSG 2000 (subjective period of one year from knowledge of the facts and objective period of three years from the occurrence of the event). It is also not apparent that the time limits of Section 24 DSG would disproportionately restrict the right to lodge a complaint under the GDPR. 3.3.3.2.2. The subject of the data protection matter at hand here is - as has already been explained - an alleged violation of the right to confidentiality pursuant to Section 1 DSG by the party involved due to alleged data transfer by its police authority M. to L. in the course of filing or recording the report on March 20, 2021. As the complainant himself states in several submissions (see in particular the submission of April 15, 2023), he had knowledge of the report since the inspection of the files of the co-participating party on September 28, 2021, as well as of the (from his point of view) data protection violation that occurred when the report was collected or recorded by M., who had passed on his name to the complainant L., and thus had knowledge of the complaining event within the meaning of Section 24 (4) DSG since that point in time. In this regard, the complainant also filed a data protection complaint dated October 23, 2021 against M. with the relevant authority on October 28, 2021, alleging violation of the right to confidentiality by M., which was rejected as unfounded by the relevant authority in a decision dated September 21, 2022, reference number D124.5175/2022-0.454.248, on the grounds, among other things, that the complainant had unambiguously identified M. as the respondent, but that he did not have the status of controller in accordance with Art. 4 Z 7 GDPR. If the present data protection complaint of October 9, 2022 now again challenges the same alleged data protection violation by M. of March 20, 2021 and is merely directed against another respondent or data protection officer, this does not change the fact that with regard to the data protection facts at issue in the proceedings or the aggravating event of which the complainant became aware on September 28, 2021, the one-year subjective period of Section 24 (4) DSG had already expired and the filing of a data protection complaint was therefore no longer permissible. 3.3.3.2.3. Contrary to the complainant's statements in the data protection complaint at hand, in the proceedings under number D124.5175 before the authority concerned, he always only named M. and not the other party involved as the respondent for the alleged violation of the right to confidentiality (in particular not in the submission of February 26, 2022). This is evident in particular from the data protection complaint of October 23, 2021 and the submissions of February 26, 2022 and June 18, 2022 in the proceedings of the authority concerned regarding the number D124.5175, as well as from the data protection complaint in question of October 9, 2022, in which the complainant still assumes that with regard to the disclosure of the complainant's name to L. in the course of the filing or recording of the report on March 20, 2021, "naturally" only M. himself could be responsible for the data disclosure, since only M. alone had decided that he had improperly passed on data that had become known to him in the course of his duties to third parties. The co-involved party was named as the respondent by the complainant in the proceedings before the authority under number D124.5175 only with regard to the violation of the right to confidentiality in the course of handing over the accident report dated March 20, 2021 or the photo attachment dated March 26, 2021, which is not the subject of the proceedings here, and with regard to the violation of the right to information pursuant to Art. 15 GDPR, which is also not the subject of the proceedings here. The complainant's objection that the authority itself always explicitly named the co-involved party as the "2nd respondent" in its decision of September 21, 2022, but then claimed that it had neglected to name it as the respondent, is also incorrect. As can be seen from the above-mentioned decision of the authority concerned, the naming of the co-involved party as the "2nd respondent" only concerns the alleged violation of the right to information in accordance with Art. 15 GDPR, which is not the subject of the proceedings here. 3.3.3.2.4. Whether the authority concerned made procedural or assessment errors in its proceedings relating to number D124.5175, for example whether it should have issued the complainant with an order to remedy the defects with the consequences of Section 13 AVG before issuing the decision, can remain undecided in the present case, since the matter of the complaint procedure is only the question of the legality of the rejection of the data protection complaint in question, but not the legality of the decision issued by the authority concerned on September 21, 2022, which has become final and binding. The renewed substantive treatment of the matter, which has already been decided with final and binding effect due to the complainant's data protection complaint - 16 - of October 23, 2021 and the aforementioned decision of the authority concerned, is contrary to Section 68 Paragraph 1 AVG, the purpose of which is to prevent the reopening of a matter that has already been decided. It should be noted, however, that the authority concerned did not discuss the violation of the complainant's right to confidentiality pursuant to Section 1 DSG by the co-participating party due to an alleged data transfer by its body M. on March 20, 2021 in its decision of September 21, 2022. 3.3.3.2.5.The complainant therefore did not submit the present data protection complaint within one year of becoming aware of the event causing the complaint, which resulted in the expiration of the right to have the complaint dealt with in accordance with Section 24 Paragraph 4 of the Data Protection Act. The authority concerned was therefore right to refuse to deal with the content of the data protection complaint in the contested decision and to reject the data protection complaint. 3.3.4. The alleged illegality of the decision therefore does not exist. The proceedings also did not reveal that the decision was illegal for other reasons not asserted. Since the contested decision is therefore not illegal within the meaning of Article 130 Paragraph 1 Item 1 of the Federal Constitutional Court Act, the decision was to be made in accordance with the ruling. 3.4.The holding of an oral hearing could be dispensed with in accordance with Section 24 Paragraphs 1 and 4 of the Administrative Court Act. In the present case, there is no party request for an oral hearing. Moreover, the oral discussion does not lead to any further clarification of the legal matter and the need to hold a hearing is not apparent, even with regard to Article 6 Paragraph 1 of the ECHR and Article 47 of the Charter of Fundamental Rights. The facts relevant to the decision have been clarified here, the proceedings concern only legal questions. In the sense of the case law of the European Court of Human Rights (see, for example, European Court of Human Rights 10 May 2007, No. 7.401/04 [Hofbauer/Austria 2]; European Court of Human Rights 03 May 2007, No. 17.912 [Bösch/Austria]), an oral hearing is not required to resolve legal questions. Article 6 of the ECHR and Article 47 of the Charter of Fundamental Rights therefore do not preclude the waiver of an oral hearing. B) According to Section 25a Paragraph 1 VwGG, the administrative court must state in its ruling or decision whether the appeal is admissible in accordance with Article 133 Paragraph 4 B-VG. The ruling must be briefly justified. - 17 - The present decision does not depend on the resolution of a legal question that is of fundamental importance. There is neither a lack of case law from the Administrative Court nor does the decision in question deviate from the case law of the Administrative Court; furthermore, the present case law of the Administrative Court cannot be judged to be inconsistent. There are also no other indications of the fundamental importance of the legal questions to be resolved. It was therefore necessary to state that the appeal is not admissible in accordance with Article 133 Paragraph 4 B-VG.
