LG Frankfurt am Main - 2-03 O 48/19 (GDPRhub, https://gdprhub.eu/index.php?title=LG_Frankfurt_am_Main_-_2-03_O_48/19&diff=11880, 2020-10-27T12:34:50Z)<p>ML: Created page with "{{COURTdecisionBOX |Jurisdiction=Germany |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=LG Frankfurt am Main |Court_With_Country=LG Frankfurt am Main (German..."</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Germany<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=LG Frankfurt am Main<br />
|Court_With_Country=LG Frankfurt am Main (Germany)<br />
<br />
|Case_Number_Name=2-03 O 48/19<br />
|ECLI=ECLI:DE:LGFFM:2020:0903.2.03O48.19.00<br />
<br />
|Original_Source_Name_1=Bürgerservice Hessenrecht<br />
|Original_Source_Link_1=https://www.lareda.hessenrecht.hessen.de/bshe/document/LARE200001581<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
<br />
|Date_Decided=03.09.2020<br />
|Date_Published=<br />
|Year=2020<br />
<br />
|GDPR_Article_1=Article 16 GDPR<br />
|GDPR_Article_Link_1=Article 16 GDPR<br />
|GDPR_Article_2=Article 82 GDPR<br />
|GDPR_Article_Link_2=Article 82 GDPR<br />
<br />
<br />
|National_Law_Name_1=§§ 823, 1004 German Civil Code (Bürgerliches Gesetzbuch - BGB)<br />
|National_Law_Link_1=https://www.gesetze-im-internet.de/englisch_bgb/index.html<br />
|National_Law_Name_2=Art. 1, 2, 12 Basic Law for the Republic of Germany (Grundgesetz - GG)<br />
|National_Law_Link_2=https://www.gesetze-im-internet.de/englisch_gg/index.html<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The court held that if the operator of a social network deletes a contribution and blocks the user, but restores the contribution in response to the user's complaint, the risk of recurrence is not immediately absent. If the operator restores the contribution in response to the complaint, it must provide sufficiently serious evidence that its (unlawful) conduct will not be repeated. This is not sufficient if the user's block is not also lifted. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The defendant blocked the plaintiff's contribution on 25.12.2018 (p. 776 of the annex) with the statement that his contribution did not comply with the F-Community standards. The plaintiff filed an appeal against the decision and tried to persuade the defendant to lift the block.<br />
<br />
On 27.12.2018 the defendant reactivated the contribution - after a re-evaluation of the disputed mail - with the following words: "We are sorry that we misunderstood this. We have re-examined your contribution and confirmed that it meets our Community standards...". However, the blocking of the plaintiff's profile continued.<br />
<br />
=== Dispute ===<br />
The plaintiff asks whether the defendant's terms of use for deleting so-called hate messages are invalid. Furthermore, it is questioned whether the Community standards of spring 2018 had become part of the contract. In this respect, the question is whether the defendant may rely on the amendment clause in clause 13 of the previous terms and conditions, or whether that clause violates § 307 (1) sentence 1 BGB or § 308 no. 5 BGB, and whether the forced consent to the amendment of the terms of use was immoral.<br />
<br />
=== Holding ===<br />
The court held that if the operator of a social network deletes a contribution and blocks the user, but restores the contribution in response to the user's complaint, the risk of recurrence is not immediately absent. The operator cannot invoke a "free shot". Instead, the principles developed in the case law on rectification are to be applied to such a constellation.<br />
<br />
If the operator restores the contribution in response to the complaint, it must provide sufficiently serious evidence that its (unlawful) conduct will not be repeated. This is not sufficient if the user's block is not also lifted. It could remain open here whether in such a case the operator is at all entitled to block the user immediately after deletion of the contribution.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
Court: LG Frankfurt 3rd Civil Chamber<br />
Decision date: 03.09.2020<br />
File number: 2-03 O 48/19<br />
ECLI: ECLI:DE:LGFFM:2020:0903.2.03O48.19.00<br />
Document type: Judgment<br />
Source: Hesse<br />
Standards: § 823 BGB, § 1004 BGB, art. 1 GG, art. 2 GG, art. 12 GG ...<br />
<br />
No "free shot" for the operator of a social network in case of deletion and blocking<br />
<br />
Guiding principle<br />
<br />
1.<br />
If the operator of a social network deletes a contribution and blocks the user, but restores the contribution in response to the user's complaint, the risk of recurrence is not immediately absent. The operator cannot invoke a "free shot". Instead, the principles developed in the case law on rectification are to be applied to such a constellation.<br />
<br />
2.<br />
If the operator restores the contribution in response to the complaint, it must provide sufficiently serious evidence that its (unlawful) conduct will not be repeated. This is not sufficient if the user's block is not also lifted. It could remain open here whether in such a case the operator is at all entitled to block the user immediately after deletion of the contribution.<br />
<br />
Note<br />
<br />
contestable<br />
<br />
Tenor<br />
<br />
1) The defendant is ordered to refrain from enforcing administrative detention of its management board members for each offence, avoiding an administrative fine of up to EUR 250,000.00 or, alternatively, administrative detention for up to 6 months,<br />
<br />
"Thank you for your beautiful and very fitting words! It is always frightening for us too to realize that most Germans are Nazis - but we will never give up and will only stop when everything that reminds us of the German being has been erased from our minds! Never again shall anything in Germany or German culture remind us!"<br />
<br />
2) The defendant is ordered to compensate the plaintiff for legal fees for the extrajudicial activity amounting to EUR 334.75 by payment to the law firm ...<br />
<br />
3) The remainder of the action is dismissed.<br />
<br />
4) The applicant is ordered to pay 65% of the costs of the proceedings and the defendant 35%.<br />
<br />
5) The judgment is provisionally enforceable, for the plaintiff in respect of the claim in point 1 against a security of EUR 3,000 and otherwise against a security of 110% of the amount to be enforced in each case. Furthermore, the plaintiff may avert enforcement by providing security in the amount of 110% of the amount to be enforced on the basis of the judgment, unless the defendant provides security in the amount of 110% of the respective amount to be enforced prior to enforcement.<br />
<br />
Facts of the case<br />
<br />
The parties are in dispute over the admissibility of the deletion of a contribution, the blocking of the plaintiff's account, information, damages and pre-trial legal fees in connection with a contribution made by the plaintiff to F.<br />
<br />
The defendant operates the website and the social network www.f.com. The social network is operated by the Defendant's parent company based in California, USA. For Europe, the provider and contractual partner of the users of F is the Defendant based in Dublin, Ireland. The use of the social network F is based on a one-time registration with clear data.<br />
<br />
Since 2008, the plaintiff has been a user of the service offered by the defendant and administrator of the F site "M".<br />
<br />
The defendant provides the users with terms and conditions of business which consist, inter alia, of the conditions of use (Annex K1 = pp. 163 et seq., loc. cit.) and the Community standards (Annex K3 = pp. 96 et seq., loc. cit.).<br />
<br />
The Community Standards No. 12 in the version of spring 2018 states, among other things (emphasis added by the Court)<br />
<br />
"12. hate speech<br />
<br />
We do not allow hate speech in F. Hate speech creates an environment of intimidation, excludes people and in certain cases can promote violence in the real world.<br />
<br />
We define hate speech as a direct attack on persons based on protected characteristics: ethnicity, national origin, religious affiliation, sexual orientation, gender, gender identity, disability or illness. Immigration status is also a protected characteristic to a certain extent. We define assault as violent or dehumanising language, statements of inferiority or calls to exclude or isolate people. We classify attacks into three levels of severity as described below.<br />
<br />
Sometimes people share content containing hate speech of other people in order to raise awareness or provide education on a particular issue. For example, words or terms that would otherwise violate our standards may be used to explain or express support. In such cases we allow the content to be used, but expect the person sharing such content to make their intention clear so that they can better understand the background. If this intention is unclear, the content may be removed.<br />
<br />
We allow humour and social criticism in connection with these topics. We also believe that users who share such comments act more responsibly when using their real names.<br />
<br />
The following contents are prohibited:<br />
<br />
Severity 1 attacks are attacks aimed at a person or group of persons who meet any of the above characteristics or immigration status (including all sub-groups, except those who have committed violent or sexual crimes). An attack is defined here as follows:<br />
<br />
- Any violent expression or support in written or visual form<br />
<br />
- Dehumanising language or images. These include the following:<br />
<br />
...<br />
<br />
Severity 2 attacks are attacks aimed at a person or group of persons who meet one of the above characteristics. An attack is defined here as follows:<br />
<br />
- statements of inferiority or images which imply that a person or group of persons has physical, mental or moral deficiencies<br />
<br />
- Physical (including "deformed", "underdeveloped", "hideous", "ugly")<br />
<br />
- Mental (including "retarded", "disabled", "low IQ", "stupid", "idiot")<br />
<br />
- Moral (including "bitch", "cheat", "cheap", "scrounger")<br />
<br />
- Expressions of contempt or their pictorial equivalent, such as<br />
<br />
...<br />
<br />
Severity 3 attacks are attacks that call for the exclusion or isolation of a person or group of persons on the basis of the above characteristics. We allow criticism of immigration laws and discussion of the limitations of these laws.<br />
<br />
Content that describes persons in a disparaging manner or attacks them with disparagement. Insults are defined as expressions or words that are commonly used as insulting terms for the above characteristics.<br />
<br />
Previously, the plaintiff had referred to old Community standards according to Annex K 22, pp. 126 ff., 136 d.A. These standards state, inter alia<br />
<br />
"[The defendant] removes all hate messages, i.e. content which directly attacks persons on the basis of the following characteristics:<br />
<br />
- race,<br />
<br />
- Ethnicity,<br />
<br />
- National origin,<br />
<br />
- Religious affiliation,<br />
<br />
- Sexual orientation,<br />
<br />
- Gender or gender identity or<br />
<br />
- Severe disability or illness".<br />
<br />
For the details of the defendant's Community standards in the version of 08.10.2019, which now contains the definition of hate speech in point 11, reference is made to Annex B 25.<br />
<br />
The defendant informed the plaintiff on 19 April 2018 that it had updated its conditions and guidelines. The plaintiff was given the opportunity to review them and was informed of the consequences of non-acceptance. However, the plaintiff was not able to use the service, or not fully use it, before consent was given. In that regard, the defendant made the continued use of its service conditional upon the acceptance of the updated terms and conditions of use. The plaintiff expressly agreed to the updated conditions on 24.04.2018 (Annex B 41).<br />
<br />
On 23.12.2018 at 19.03 hrs, the following article (Annex B 41) was posted on page "M" at F (Annex B 19):<br />
<br />
"M" will boycott Christmas again this year. We do not celebrate German-Christian shit-shit traditions that deliberately exclude Muslim people. Tomorrow evening we will first go to "Al-Arabiyya", our favourite Moroccan. And during the holidays we will boost the sales of the surrounding kebab stands. Of course, we will also be drinking like crazy. There is no other way to bear this monocultural festival of exclusion. Blow the head off against Germany! #BoycottChristmas #FCKAfD #we are more".<br />
<br />
One user commented on this after a mail from another user: "Haha, fully broken", as follows according to sheet 20 of this issue:<br />
<br />
"What's kaput about the fact that these people have a little more sense than most, because they are right! It's just hard to bear in this xenophobic Germany and all the misery in the world...".<br />
<br />
On 24 December 2018, the plaintiff posted the following contribution - which is the subject of the dispute - on the platform of the defendant in accordance with page 15 of the statement of claim (p. 17 and p. 776 of the German version):<br />
<br />
"@W Thank you for your beautiful and very fitting words! It is always frightening for us too to realize that most Germans are Nazis - but we will never give up and will only stop when everything that reminds us of the German being has been erased from our minds! Never again shall anything remind us of Germany or German culture!"<br />
<br />
The defendant blocked the plaintiff's contribution on 25.12.2018 (pg. 776 of the German version) with the remark that his contribution did not comply with the F-Community standards. The plaintiff filed an appeal against the decision and tried to persuade the defendant to lift the block.<br />
<br />
On 27.12.2018 the defendant reactivated the contribution - after a re-evaluation of the disputed mail - with the following words: "We are sorry that we misunderstood this. We have re-examined your contribution and confirmed that it meets our Community standards...". However, the blocking of the plaintiff's profile continued.<br />
<br />
On 02.01.2019 the plaintiff turned to his local representatives. They obtained a cover note from the legal protection insurance for the extrajudicial and judicial activities. The plaintiff is requesting exemption from legal fees for the out-of-court activity in the amount of EUR 597.74 and for obtaining the cover note for the court proceedings in the amount of EUR 729.23. The plaintiff requested the defendant in a lawyer's letter dated 09.01.2019 (Annex K 13, pp. 173 et seq. of the German version) to lift the blockage, among other things.<br />
<br />
The plaintiff is of the opinion that the defendant's terms of use for deleting so-called hate messages are invalid. The Community standards of spring 2018 had not become part of the contract. In this respect, the defendant cannot rely on the amendment clause in clause 13 of the previous terms and conditions, as it violates § 307 (1) sentence 1 BGB or § 308 no. 5 BGB. The forced consent to the amendment of the terms of use was immoral.<br />
<br />
The applicant's contribution does not infringe the defendant's Community standards and does not constitute hate speech. The challenged statement by the plaintiff was a permissible expression of opinion. In the political context, the term "Nazi" is an abbreviation for National Socialist. Although its use could contain a disparaging assessment, in the end, however, in the given context it was rather an accusation of political extremism as well as the increasing xenophobia towards refugees. A disparagement or abuse of a person or even a group of persons was out of the question from the outset due to the lack of reference to a specific person or at least a definable, individualisable group of persons.<br />
<br />
There is no attack in accordance with the defendant's Community standards. The statement does not attack anyone on account of their origin or ethnicity or other characteristics mentioned therein. Rather, the text only represents agreement with the view of another user, which is becoming increasingly xenophobic towards Germany. The "Germans" mentioned there would not be attacked because of their origin or similar, but because of their behaviour and attitudes. The article also conveys to the fleeting average reader that it represents a critical examination of the behaviour and views of some Germans with regard to how they deal with the reception of refugees or the refugee debate. The plaintiff does not imply with his contribution that all Germans without exception are "Nazis". It is a permissible value judgement. The purpose of the hate speech paragraph is to protect minorities, which is obviously not the case with the group of "Germans". Critical comments on the current attitude of many Germans towards immigration were permissible as a debate on the matter.<br />
<br />
The defendant's conditions - both in the old and the new version - were not transparent and thus ineffective. It is hardly transparent for the user which sanctions a violation of Community standards would incur. There is also undue discrimination. There was also a breach of Paragraph 138(1) of the BGB.<br />
<br />
The blocking of the account constituted an unlawful interference with the plaintiff's general right of personality.<br />
<br />
The application for a declaratory judgement pursuant to Paragraph 1 is not an abstract application for a declaratory judgement in preparation for a subsequent, further application for performance, but an application for a continuation of the proceedings, which is intended to clarify the lack of conformity of the defendant's conduct. Alternatively, the plaintiff would be entitled to a data correction claim against the defendant under Article 16 GDPR.<br />
<br />
The plaintiff was also entitled to injunctive relief against the defendant under the contract of use pursuant to § 241 (2) BGB in conjunction with § 1004 BGB by analogy and a claim for compensation or damages as a fictitious licence fee or under Article 82(2) of the GDPR on account of inadmissible data processing. The damage caused by the refusal to use the network was to be assessed at EUR 50 per day.<br />
<br />
The plaintiff applies (after partial withdrawal of the application for reimbursement of pre-litigation lawyer's fees for obtaining the confirmation of coverage under 6.b),<br />
<br />
1. declare that the blocking of the plaintiff's profile (https://www.F.com/S) on www.F.com on 24 December 2018 was unlawful<br />
<br />
in the alternative,<br />
<br />
in the event that the Court of First Instance should find that there is no interest in finding the facts,<br />
<br />
order the defendant to correct the applicant's data in such a way that the existence of a breach of the conditions of use is removed from the record by the contribution deleted on 24.10.2018 and the counter recording the number of breaches is reset by one breach<br />
<br />
2. order the defendant to refrain from re-blocking the plaintiff for posting the following text on www.F.com or from deleting the contribution if it relates to a contribution about a stabbing in an asylum seekers' home. In the event of an offence, a fine of up to EUR 250,000 or, alternatively, administrative detention or the threat of administrative detention will be imposed on the members of the Management Board,<br />
<br />
"Thank you for your beautiful and very fitting words! It is always frightening for us too to realize that most Germans are Nazis. But we will never give up and will only stop when everything reminds us of the German being, has been erased from our minds! Never again shall anything remind us of Germany or German culture!"<br />
<br />
3. order the defendant to provide the plaintiff with information as to whether the blockage pursuant to clause 1 was carried out by a commissioned company, and in the latter case, by which,<br />
<br />
4. order the defendant to provide the plaintiff with information as to whether it has received concrete or abstract instructions, notices, advice or any other suggestions from the Federal Government or subordinate departments with regard to the deletion of contributions and/or the blocking of users, and if so, which ones,<br />
<br />
5. order the defendant to pay the applicant damages of EUR 1 500 plus interest at 5 percentage points above the base rate since 24 December 2018<br />
<br />
6. order the defendant to pay the applicant's legal fees<br />
<br />
a. for the extrajudicial activity in the amount of EUR 597.74; and<br />
<br />
c. for obtaining a cover note for the action amounting to EUR 729.23<br />
<br />
by payment to the law firm ...<br />
<br />
The defendant claims that the Court should<br />
<br />
dismiss the action.<br />
<br />
The defendant challenges the inadmissibility of paragraph 1 of the application on the ground of the priority of the action for performance.<br />
<br />
The defendant takes the view that its Community standards serve to strike a fair balance between the freedom of expression of users and the interests of the Community and the interests of the defendant. The Community standards are sufficiently clear and transparent and are effective and enforceable. The amendment of the conditions of use was effective.<br />
<br />
For the deletion of a contribution to be admissible, it is sufficient if, from the point of view of a fleeting average reader, it can reasonably be interpreted as an infringement of the defendant's rules and guidelines.<br />
<br />
The statement made by the plaintiff in the article in question referred to "Germans" in general as "Nazis" and thus as right-wing extremists, anti-Semites, racists and generally horrible people. Contrary to the provisions in the Community standards, in particular on so-called hate speech, this statement had - at the time of the initial assessment, justifiably - created the appearance of expressing contempt for Germans in general or for all Germans and of attacking a group of people on the basis of their national origin. According to the complainant, the post included a derogatory choice of words and appeared to express contempt and disgust towards Germans as a group. The unfounded description of "most" Germans as "Nazis" was presented as an insulting attack which contained expressions of disgust and hatred towards a group of people.<br />
<br />
The interests of the plaintiff in the publication of apparently harmful content, such as the contribution at issue here, could not outweigh the rights of the defendant, who would have an interest worthy of protection in working towards a civilised culture of communication.<br />
<br />
The defendant was entitled temporarily to block the applicant's account for certain functions when the post in question was removed.<br />
<br />
The alternative claim to the first plea in law is unfounded. First, the data were not incorrect and, second, the request was unfounded, since the defendant had revised its original decision and restored the mail.<br />
<br />
As regards the claim for an injunction, the applicant submits in particular that there is no risk of repetition. The applicant has not suffered any damage either. The application in question is also inadmissible because it is not sufficiently specific.<br />
<br />
The defendant initially refused to accept service because the documents had not been translated (p. 383 of the application). The plaintiff then applied for a judgment by default in a written statement dated 08.08.2019 (pp. 288 et seq., German version). Before a possible judgement by default was issued, the defendant indicated its readiness to defend in a written statement dated 23 August 2019 (pp. 348 et seq., German version), while maintaining its position that there had been no effective service.<br />
<br />
For further details, reference is made to the pleadings exchanged between the parties, including annexes and the other contents of the file.<br />
<br />
Grounds for the decision<br />
<br />
I.<br />
<br />
The action is admissible in part only.<br />
<br />
The LG Frankfurt a.M. has international and local jurisdiction. This is not in dispute between the parties, so that it can be assumed that the court seised has jurisdiction in any case on the basis of a statement without objections pursuant to Art. 26 (1) sentence 1 of the Brussels Ia Regulation 1215/2012 (cf. also BGH NJW 2018, 3178 marginal no. 16).<br />
<br />
The claim under No. 1, which is directed at a declaratory finding that the cancellation of the plaintiff's contribution is unlawful, is inadmissible under § 256 (1) of the German Code of Civil Procedure (ZPO), since it does not seek a declaration of a current legal relationship and the plaintiff has no interest in a declaratory finding.<br />
<br />
Admittedly, this does not already follow from the fact that the action would only be directed at establishing a preliminary question or an element of a legal relationship, even if, in principle, mere elements or preliminary questions of a legal relationship, pure facts or, for example, the unlawfulness of conduct cannot be the subject of an action for a declaratory judgment (see BGH NJW-RR 2015, 915). For the interpretation of the application for a declaratory judgment on point 1. shows that it aims to establish that the defendant had no right to block the plaintiff's user account, i.e. to establish the non-existence of a legal relationship within the meaning of § 256 (1) ZPO (Munich Higher Regional Court, order of 22 August 2019 - 18 U 1310/19, BeckRS 2019, 26477).<br />
<br />
However, the necessary interest in declaratory judgment is lacking. In principle, an action for a declaratory judgement can only be based on the existence or non-existence of a current legal relationship. An interest worthy of protection in the determination of a past legal relationship can only be considered in exceptional cases if the determination may still have legal consequences for the present and the future (BGH NJW-RR 2016, 1404; Zöller/Greger, ZPO, 33rd ed. 2020, § 256 marginal no. 3a). Since the present motion for a declaratory judgment relates to a measure taken by the defendant which has been undisputedly terminated, the admissibility of the motion depends on whether the plaintiff still has a legitimate interest in the declaratory judgment that the defendant was not allowed to "block" plaintiff's accounts. This is not the case here.<br />
<br />
In this respect, the plaintiff has submitted that the contested blocking will continue to be recorded in the defendant's system in the plaintiff's data record even after its expiry (p. 71 of the annex) and will be taken into account in the imposition of sanctions in the event of future violations of Community standards. However, the plaintiff could or would have to assert a possible claim for removal of this note by submitting a corresponding claim for benefits. The mere determination of the unlawfulness of the block would not yet lead to the removal of the note from the plaintiff's data set (cf. also OLG Munich, decision of 22 August 2019 - 18 U 1310/19, BeckRS 2019, 26477 marginal no. 7; cf. also OLG Dresden, decision of 11 December 2019 - 4 U 1680/19; LG Frankfurt a.M., judgement of 5 March 2020 - 2-03 O 411/18).<br />
<br />
II.<br />
<br />
According to the second plea in law, the plaintiff has a claim against the defendant for an injunction not to block or delete again the contribution in dispute from the contract concluded between the parties pursuant to section 241 (2) BGB in conjunction with section 1004 BGB by analogy. This is because the deletion of the plaintiff's contribution by the defendant was unlawful.<br />
<br />
a. The asserted claims are to be assessed under German law pursuant to Art. 3 (1), Art. 6 (2) of the Rome I Regulation 593/2008. This is not in dispute between the parties. Furthermore, the parties have agreed in the terms of use of the defendant that German law shall apply (see also LG Hamburg, Urt. v. 31.05.2019 - 305 O 117/18, BeckRS 2019, 21755 marginal no. 18).<br />
<br />
b. The parties have concluded a contract on the use of the defendant's social network, which is a contract under the law of obligations with elements of the lease, contract for work and services (LG Frankfurt a.M., decision of 10 September 2018 - 2-03 O 310/18, MMR 2018, 770; see also KG Berlin DNotZ 2018, 286 marginal no. 56 with further details; OLG Munich NJW 2018, 3115). The subject matter of this contract is also the rules of conduct provided by the defendant as GTC.<br />
<br />
c. The basis for the claim of the user of a social media platform to refrain from deleting a text contribution posted by him on the platform as well as the blocking based on this is the claim for performance from the contract, by which the platform operator undertakes to enable the user to use the services offered by it, in conjunction with § 241 para. 2 BGB and the indirect third-party effect of the user's fundamental right to freedom of opinion (Art. 5 Para. 1 GG) (OLG Munich, decision of 22.08.2019 - 18 U 1310/19, BeckRS 2019, 26477 marginal no. 7 with further details; see also LG Frankfurt a.M., Decision of 10 September 2018 - 2-03 O 310/18, MMR 2018, 770). The same must also apply to the user's claim to reactivate a deleted text contribution on the platform if the deletion was carried out in violation of the user's fundamental right to freedom of opinion and thus unjustified or illegal.<br />
<br />
d. The examination of the non-conformity of the defendant's conduct with the contract, taking into account and weighing up the conflicting interests in connection with § 241 (2) of the German Civil Code, is based on the contractual terms and conditions which have been submitted by the defendant since spring 2018. Contrary to the opinion of the plaintiff, these have been effectively agreed in the form of a contractual amendment.<br />
<br />
In this context, it may be questionable whether the amendment of the GTCs would have been possible on the basis of the amendment clause in section 13 of the previous terms of use or whether this clause violates § 307 BGB in conjunction with the evaluations to be derived from § 308 No. 4 and 5 BGB. This is because the amended terms of use have become effective in the present case with the consent of the plaintiff.<br />
<br />
It is undisputed between the parties that the defendant informed the plaintiff on 19.04.2018 that it had updated its conditions and guidelines and that the plaintiff expressly agreed to the updated conditions on 24.04.2018.<br />
<br />
The notification received by the plaintiff when calling up the defendant's service about the intended change of the terms and conditions of use in conjunction with the request to accept them by clicking a button is to be regarded as an offer to conclude an amendment agreement within the meaning of § 145 BGB. A contract concluded by clicking on a button has in principle an individual character, even if the declarations of intent of which it is composed have pre-formulated components. In such a case, the new version of the GTC is not included on the basis of a pre-formulated amendment clause but on the basis of an amendment contract concluded between the parties in accordance with general rules on declarations of intent and legal transactions (MünchKommBGB/Basedow, 8th edition 2019, § 305 marginal 86, 90). The plaintiff has accepted this individual offer within the meaning of § 145 BGB.<br />
<br />
Contrary to the plaintiff's opinion, the offer forced on him either to accept the terms of use or to terminate his contract with the defendant is also not to be considered immoral. Even though the defendant may have an outstandingly important position in the field of social networks in Germany, it is not subject to any obligation to contract, but is free to choose its contractual partners within the framework of general prohibitions of discrimination (LG Frankfurt a.M., Judgement of 03.09.2020 - 2-03 O 282/20; OLG Dresden NJW-RR 2020, 429 marginal no. 4; LG Bremen MMR 2020, 426 marginal no. 37; LG Frankfurt a.M., judgement of 05.03.2020 - 2-03 O 411/20). On the other hand, however, it is also not apparent why the acceptance of the amended conditions should be so unreasonable for the plaintiff that a de facto forced consent should be regarded as immoral. On the contrary, the clarification made by the amendment, inter alia, of the concept of hate speech and the sanctions regime applicable in the event of violations, favours the users because it limits the plaintiff's discretion to delete contributions compared to the previous version (see OLG Dresden AfP 2020, 56, 57 with further references). It is also not apparent that the amendment imposed on the plaintiff would have created an unlawful coercive position for the plaintiff. The amendment of the conditions was therefore permissible (also OLG Dresden AfP 2020, 56, 57; OLG Karlsruhe, order of 18 December 2018 - 7 W 66/18; LG Bremen, judgement of 20.06.2019 - 7 O 1618/18, BeckRS 2019, 12419; LG Frankfurt a.M., judgement of 05.03.2020 - 2-03 O 411/18).<br />
<br />
e. The terms of use and the Community standards referred to therein are contractual terms pre-formulated for a large number of contracts and thus general terms and conditions of business within the meaning of § 305 Para. 1 BGB (OLG Dresden NJW 2018, 3111; OLG Stuttgart NJW-RR 2019, 35; LG Hamburg, judgment of 31.05.2019 - 305 O 117/18, BeckRS 2019, 21755 marginal no. 23).<br />
<br />
The definition of "hate speech" laid down in No. 12 of the Community Standards, which is the subject of the dispute here, and the sanction in No. 3.2 of the Terms of Use which is linked to it do not violate § 307 (1) sentence 2 or (2) BGB.<br />
<br />
Clause 3.2 of the Terms of Use links the removal of contributions and the other sanctions regulated there to a violation of the Terms of Use, the Community standards and other conditions and guidelines of the defendant of F and thus to criteria that can in principle be objectified. The reference to the other terms and conditions, also available on the defendant's website, does not render the clause opaque. A - also dynamic - reference to further sets of rules does not prevent the transparency of a regulation (OLG Dresden NJW 2018, 3111).<br />
<br />
Paragraph 12 of the Community standards contains a detailed definition, written in easily understandable language, of the concept of hate speech adopted from the Anglo-American language area. The fact that the attacks included here include not only formal insults and abusive criticism, but also expressions of opinion which are permissible as a consequence of freedom of opinion under Article 5.1 of the Basic Law, does not affect the transparency of the provision. The user who takes note of paragraph 12 of the Community standards will recognise that any kind of violent and dehumanising language, including "statements of inferiority or calls to exclude persons" may be punishable by a sanction, as paragraph 3.2 of the Terms of Use does not provide for any restriction in this respect. It may not be possible for him to understand the meaning of the division into three degrees of severity, because neither the Community standards nor the Terms of Use provide for a sanctions regime graded according to these degrees of severity. However, he will draw the conclusion from this that the sanctions provided for in clause 3.2 of the Terms of Use can be imposed irrespective of these degrees of severity (OLG Dresden NJW 2018, 3111). Accordingly, the defendant's terms and conditions of use are predominantly regarded as effective in case law (cf. also OLG Karlsruhe MMR 2020, 52 marginal no. 29 et seq.; KG Berlin, order of 09.01.2020 - 10 W 29/19).<br />
<br />
Nor is there any surprising clause within the meaning of § 305c BGB (see in this respect OLG Dresden NJW 2018, 3111 marginal no. 15 with further details; OLG Dresden AfP 2020, 56; OLG Karlsruhe MMR 2020, 52 marginal no. 35). In principle, the operator of a social network can also enforce its rules of conduct by removing unlawful content or by blocking a user account (LG Frankfurt a.M., decision of 10 September 2018 - 2-03 O 310/18, MMR 2018, 770; Schwartmann/Ohr in Schwartmann, Praxishandbuch IT-, Urheber- und Medienrecht, 4th ed. 2018, ch. 11, marginal no. 40; cf. on an F-page also VG München, judgement of 27.10.2017 - M 26 K 16.5928).<br />
<br />
f. The deletion of the plaintiff's contribution was unlawful.<br />
<br />
aa.<br />
<br />
According to the consistent case-law of the Federal Constitutional Court, fundamental rights have an indirect third-party effect inasmuch as the Basic Law, in its section on fundamental rights, has at the same time established elements of objective order which, as a fundamental decision under constitutional law, are valid for all areas of law and thus also influence private law (BVerfG NJW 1987, 827 marginal no. 25; BVerfG NJW 1958, 257 marginal no. 26). In this function, the fundamental rights do not aim at the most consistent minimisation of encroachments that restrict freedom, but must be developed in a balance of equal freedom. In this context, conflicting fundamental rights positions must be taken into account in their interaction and balanced out in accordance with the principle of practical concordance in such a way that they are as effective as possible for all parties involved (cf. BVerfG NJW 2018, 1667 marginal no. 32 - stadium ban with further references).<br />
<br />
The legal content of the fundamental rights as objective norms unfolds in private law through the medium of the provisions directly dominating this area of law, in particular the general clauses and other terms that are open to interpretation and require interpretation and must be interpreted in the sense of this legal content (BVerfG NJW 1987, 827 marginal no. 25). In the present case, the provision of § 241.2 of the Civil Code constitutes the general clause that needs to be concretised, the interpretation of which must take account of the fundamental right to freedom of expression asserted by the plaintiff (Article 5.1 of the Basic Law).<br />
<br />
According to Art. 5 (1) 2 of the Basic Law, the fundamental right of freedom of opinion finds barriers (alone) in the provisions of general laws, in the statutory provisions for the protection of young people and in the right to personal honour, although according to the "Lüth" case-law of the Federal Constitutional Court, there is an interaction between the scope of protection and the barriers in such a way that, although the barriers set limits to the wording in accordance with the fundamental right, they must themselves be interpreted on the basis of the recognition of the fundamental significance of this fundamental right in a free and democratic state and thus themselves be restricted again in their effect of limiting the fundamental right (BVerfGE 7, 198, 208 et seq. - Lüth; Maunz/Dürig-Grabenwarter, GG, 82nd EL 2018, Article 5(1) marginal no. 139). In this context, it should be noted that the fundamental rights here have an indirect effect on the relationship between the parties and that the other fundamental rights affected in the individual case must therefore also be included in the constitutionally prescribed weighing of interests (Maunz/Dürig-Grabenwarter, loc.cit., Article 5(1) marginal no. 145 with further references). In order to assess the defendant's conduct, therefore, its interests, which are protected by fundamental rights, must also be taken into account and weighed up.<br />
<br />
With regard to a specific statement, the defendant's interest in the operation of its platform, which is protected by Article 12 (1) of the Basic Law, must therefore be taken into account when assessing the indirect effect of the fundamental rights (LG Frankfurt a.M., decision of 10 September 2018 - 2-03 O 310/18, MMR 2018, 770 with further reference). As a result, the conflicting interests are to be reconciled as gently as possible by means of practical concordance.<br />
<br />
Accordingly, the prerequisite for such a block is first of all that the exclusion is objectively justified and not arbitrary (LG Frankfurt a.M., decision of 10.09.2018 - 2-03 O 310/18, MMR 2018, 770 with further references). According to these provisions, a ban can also be justified under Article 5 (1) of the Basic Law, taking into account the freedom of opinion available to the person making the statement, if the person making the statement has repeatedly committed the offence and has thus both violated the rights of other users and disturbed the course of the discussion in the long term. In this context, consideration may also be given to whether the behaviour of the person making the statement is suitable for preventing further objective discussion or keeping other users away. In case of sustained, insulting behaviour, the operator shall not be obliged to continue to tolerate the user (LG Frankfurt a.M., decision of 10.09.2018 - 2-03 O 310/18, MMR 2018, 770 with further references).<br />
<br />
In application of these principles and in consideration of the respective interests of the parties, the deletion of a contribution can therefore be regarded as justified in any case if it is to be regarded as "hate speech" within the meaning of the defendant's community conditions (LG Frankfurt a.M., decision of 10 September 2018 - 2-03 O 310/18, MMR 2018, 770 with further references; also OLG München NJW 2018, 3115; OLG Stuttgart, judgement of 23.01.2019 - 4 U 214/18, BeckRS 2019, 5526; OLG Dresden NJW 2018, 3111; OLG Dresden AfP 2020, 56; KG Berlin, decision of 09.01.2020 - 10 W 29/19; LG Bremen, judgement of 20.06.2019 - 7 O 1618/18, BeckRS 2019, 12419).<br />
<br />
bb.<br />
<br />
The first step in the assessment is to determine the meaning of the statement.<br />
<br />
In principle, the decisive factor in determining the content of the statement is not the meaning that the person making the statement wanted to attach to it, but the meaning objectified in the statement, which is to be determined by interpretation (BVerfGE 82, 43, 51 et seq.; BVerfG NJW 2005, 1341 - hostile to enforcement; BGH NJW 1982, 1805 - Schwarzer Filz; Löffler/Steffen, PresseR, 6th ed. 2015, § 6 margin no. 90 with further details).<br />
<br />
The interpretation must always be based on the wording of the statement, which does not, however, conclusively define its meaning. Rather, the meaning is also determined by the context in which the disputed statement is placed and by the accompanying circumstances under which it falls, insofar as these are recognisable to the recipient (BVerfG NJW 1995, 3303). The accompanying photojournalism is to be consulted for the interpretation of the verbatim report. The statement may not be taken out of the context of its relevance and considered in isolation (BGH NJW 2009, 3580; NJW 2009, 1872; NJW 2005, 279; NJW 1994, 915). Distant interpretations must be excluded. If the meaning is unambiguous on the basis of this yardstick, it must be used as the basis for further examination. If, however, it turns out that an impartial and understanding audience perceives the statement as ambiguous, or if considerable parts of the audience understand the content differently in each case, the further examination must be based on the assumption of ambiguous content (BVerfG NJW 2006, 207 marginal no. 31 - Stolpe; on the above as a whole, cf. 22.08.2017 - 18 U 1632/17, BeckRS 2017, 127834).<br />
<br />
In this context, the understanding of the recipient to whom the statement is directed, taking into account the circumstances that are perceptible to him or her and that help determine the meaning of the statement, must be taken into account (BVerfGE 93, 266, 295 - Soldaten sind Mörder II; BVerfG NJW 2003, 1303 - Benetton-Werbung; Löffler/Steffen, loc. cit.). The decisive factor here is the average reader (Löffler/Steffen, loc. cit., § 6 marginal 90 with further details).<br />
<br />
The overall context as a prerequisite for the correct legal assessment of the specific statement - and thus also the alleged unlawfulness of the deletion/blocking - must be presented and proven in accordance with the general principles of the burden of presentation and proof by the plaintiff who wants to derive claims against the defendant from this (OLG Munich, decision of 22 August 2019 - 18 U 1310/19, BeckRS 2019, 26477 marginal no. 14; cf. also OLG Cologne, order of 18 October 2018 - 15 W 57/18, K&R 2018, 803 = BeckRS 2018, 26063).<br />
<br />
cc.<br />
<br />
The following statement by the plaintiff, which is the subject of the dispute, is an expression of opinion, as the judgmental and opinionated part predominates. It is also not to be regarded as an abusive criticism.<br />
<br />
"Thank you for your beautiful and very appropriate words! It is always frightening for us too to realize that most Germans are Nazis. But we will never give up and will only stop when everything that reminds us of the German being has been erased from our thoughts! Never again shall anything remind us of Germany or German culture!"<br />
<br />
The plaintiff thereby expresses the view expressed by another user that there is a high level of xenophobia in Germany, especially towards refugees. He deals with the accusation of political extremism as well as the increasing xenophobia towards refugees. The statement that most Germans are "Nazis" is an assessment which, if only because of the lack of reference to a specific person or at least a definable, individualisable group of people, does not constitute a disparagement or insult to a person or even group. The article also conveys to the fleeting average reader that it represents a critical examination of the behaviour and views of some Germans with regard to how they deal with the reception of refugees or the refugee debate.<br />
<br />
Expressions of opinion are only to be treated as inadmissible if they cross the line into abusive criticism. Basically, abusive criticism is only present if a statement lacks any factual reference, if the debate on the content is withdrawn and if the focus is on defamation, which is primarily intended to reduce the level of criticism beyond polemical and exaggerated criticism (BVerfG NJW 2016, 2870; OLG Frankfurt NJW 2013, 798, 799; Wenzel/Burkhardt/Peifer, Das Recht der Wort- und Bildberichterstattung, 6th ed. 2018, Chapter 5 marginal no. 97) and the attack on the person concerned is no longer understandable even from the point of view of the critic and taking into account his or her commitment to the cause (BVerfG NJW 1991, 95 - Zwangsdemokrat; BVerfG NJW 1993, 1462 - Böll/Henscheid; BVerfG NJW 1994, 2413 - Kassenarzt; BGH NJW 1987, 1400 - Oberfaschist; BVerfG NJW 1983, 1415 - Designation of the CSU as "NPD Europas"; Soehring/Hoene, Presserecht, 6th ed. 2019, § 20 marginal 9a; Löffler/Steffen, loc. cit., § 6 recital 190).<br />
<br />
These conditions are not met here. The context of the statement, also with regard to the previous contribution by user W, is, to the court's conviction, a critical examination of the exclusion and xenophobia towards refugees, especially in politically right-wing or right-wing extremist circles, which the plaintiff describes as "Nazis" (cf. in this respect also OLG Hamburg, NJW 1992, 2035, which regarded the designation of a religious community as a "Nazi sect" as an expression of opinion which did not cross the line into abusive criticism; Wenzel/Burkhardt/Peifer, loc. cit., para. 5 marginal nos. 98, 101).<br />
<br />
dd.<br />
<br />
In application of the above principles, the plaintiff's statement is also not to be regarded as "hate speech".<br />
<br />
The defendant defines "hate speech" as follows:<br />
<br />
"We define hate speech as a direct attack on persons based on protected characteristics: ethnicity, national origin, religious affiliation, sexual orientation, gender, gender identity, disability or illness. Immigration status is also to some extent a protected characteristic. We define assault as violent or dehumanising language, statements of inferiority or calls to exclude or isolate people. We classify attacks into three levels of severity as described below.<br />
<br />
The following contents are prohibited:<br />
<br />
Severity 1 attacks are attacks aimed at a person or group of persons who meet any of the above characteristics or immigration status requirements (including all sub-groups except those who have committed violent or sexual crimes). An attack is defined here as follows:<br />
<br />
- Any violent expression or support in written or visual form<br />
<br />
- Dehumanising language or images. These include the following:<br />
<br />
... [Violent and sex offenders; other offenders ]<br />
<br />
Attacks with severity level 2 are attacks that are aimed at a person or group of persons to whom one of the above characteristics applies. An attack is defined here as follows:<br />
<br />
- statements of inferiority or images that imply that a person or group of persons has physical, mental or moral deficiencies<br />
<br />
- Physical (including "deformed", "underdeveloped", "hideous", "ugly")<br />
<br />
- Mental (including "retarded", "disabled", "low IQ", "stupid", "idiot")<br />
<br />
- Moral (including "bitch", "cheat", "cheap", "scrounger")<br />
<br />
- Expressions of contempt or their pictorial equivalent, such as<br />
<br />
...<br />
<br />
Severity 3 attacks are attacks that call for the exclusion or isolation of a person or group of persons on the basis of the above characteristics. We allow criticism of immigration laws and discussion of the limitations of these laws.<br />
<br />
Content that describes persons in a disparaging manner or attacks them with disparagement. Insults are defined as expressions or words that are commonly used as insulting terms for the above characteristics."<br />
<br />
These requirements are not met in the present case by the statement in dispute.<br />
<br />
It is true that the plaintiff in his statement refers to a "national origin" or "ethnic affiliation" of the protected characteristics from the defendant's conditions, namely the "Germans".<br />
<br />
However, an attack in accordance with the defendant's community standards does not exist. No one is attacked by the statement because of his or her origin or ethnicity or other characteristics mentioned there. The text is rather to be understood in the overall context as agreement with the previous user's view that Germany or its citizens were becoming increasingly xenophobic. The "Germans" mentioned there are not attacked because of their origin, but because of their behaviour and attitudes.<br />
<br />
The Chamber shares the plaintiff's assessment that his contribution does not imply that all Germans without exception are "Nazis". It is permissible to express a critical view of the current attitude of many Germans towards immigration as a debate on the matter. This assessment was apparently also shared by the defendant when it reactivated the contribution on 27 December 2018 and confirmed in writing that the contribution met its community standards.<br />
<br />
After all, the defendant was not able to use the contested statement as a reason for the deletion, already due to its own conditions. Contrary to the defendant's assessment, even the fleeting average reader did not have to get the impression that the plaintiff wanted to express contempt towards all or most Germans as a group.<br />
<br />
Accordingly, the plaintiff can also demand that the statement in dispute not be deleted. Reference is made to the above statements on the unlawfulness of the deletion.<br />
<br />
There is also the risk of repetition necessary for the claim for injunction. As a rule, the first infringement indicates the risk of repetition (consistent case law: BGH, NJW 2018, 3506 marginal no. 26 - direct mailing; BGH, NJOZ 2018, 194 marginal no. 17; in each case with further references). In general, the risk of recurrence can be refuted by issuing a declaration of discontinuance subject to a penalty (BGH, NJOZ 2018, 194 marginal no. 17), which, however, was refused by the defendant. The defendant thus shows that there is still a risk of recurrence (cf. BGH, GRUR 1998, 1045, 1046 - Brennwertkessel).<br />
<br />
In this respect, the defendant refers to the fact that there is no risk of recurrence because, in response to the plaintiff's complaint, it restored the contribution in dispute. In view of the large number of contributions published on its platform, it must be given the possibility of first deleting contributions and (only) restoring them after a complaint.<br />
<br />
Even under the impression of the case-law cited by the defendant (see OLG Hamm, judgement of 5 March 2020 - I-4 U 113/19, submitted as Annex B109, p. 961), the Chamber does not follow this. As a result, the defendant pleads here for a kind of "free shot" in assessing the unlawfulness of contributions on its platform. In this context, the Chamber certainly recognises that the defendant or the employees deployed by it have to evaluate contributions in a short period of time and have to make difficult decisions.<br />
<br />
However, in the present case at least, the Defendant cannot invoke this fact, irrespective of the fact that the Defendant would not have given a substantiated and admissible presentation on the high expenditure it postulated, e.g. which measures it, for its part, has taken in the context of the assessment of contributions and which - possibly insurmountable - difficulties it nevertheless faces.<br />
<br />
The assumption of a "free shot", as advocated by the defendant, would have the result that, contrary to the above-mentioned principles, the defendant could at any time and arbitrarily, i.e. without sufficient factual justification, delete contributions at least for a limited period of time and possibly rely on the fact that the user concerned does not lodge a complaint or does not lodge it emphatically enough. This is not appropriate in weighing up the conflicting interests of the parties.<br />
<br />
In cases such as the present one, the Chamber is rather of the opinion that the principles developed in the case law on the elimination of the risk of repetition by means of a correction can be applied mutatis mutandis. It is recognised that the risk of recurrence can be eliminated even in circumstances other than those in which a cease-and-desist declaration with penalty clause is issued. However, strict requirements must be imposed on the rebuttal of the presumption (BGH, NJOZ 2018, 194 para. 17; BGH, NJW 2005, 594, 595). In this respect, it should be necessary that the infringer makes it clear beyond all doubt that he will not repeat the contested assertion under any circumstances (Soehring/Hoene, loc. cit., § 30 marginal no. 11). If the party making the statement has revoked his statement or published a correction, it can generally be assumed that the risk of repetition has ceased (OLG Dresden, AfP 2011, 189; Wenzel/Burkhardt, loc. cit., para. 12 marginal no. 17 with further references). A written apology to the injured party should also suffice (Soehring/Hoene, loc. cit., § 30 marginal no. 11 with further references). However, the correction must be made in a sufficiently clear form. It must be possible to discern a final distancing from the offended statement (BVerfG, NJW 2004, 589 - Hair colour of the Federal Chancellor (there only reference to the contrary opinion of the plaintiff); Wenzel/Burkhardt, loc. cit.). Whether the correction was preceded by a request from the person concerned is irrelevant (Wenzel/Burkhardt, loc. cit., para. 12, marginal no. 17 with further references). Even simple deletion - or, in the present case, restoration - is not sufficient (cf. OLG Köln MMR 2012, 197).<br />
<br />
It may also be necessary to take into account if the party making the statement defends its legality in the proceedings for the statement without at the same time making it clear that this is done solely for the purposes of legal defence and with the binding assurance that the disputed statement will not be repeated regardless of the outcome of the legal dispute (BGH NJW 1998, 1391 - Klartext; BGH NJW-RR 2001, 1483; Soehring/Hoene, loc. cit.).<br />
<br />
The defendant's conduct in this case does not meet these requirements. Admittedly, in response to the plaintiff's complaint, the defendant informed him that the contribution was again available and apologised for having misunderstood the contribution. Thus, the defendant has fulfilled the requirements set out above in the starting point. However, it is not disputed between the parties that the defendant has just not lifted the block imposed on the plaintiff. On the contrary, it continued to exist. If the defendant admits, however, that it wrongly deactivated the plaintiff's contribution, then it must also show its seriousness that it will not repeat this act. In this respect, the defendant has not made any submissions as to whether, following the plaintiff's successful complaint, it took steps to ensure that his contribution would not be deleted again in the event of a repetition. However, this could have been expected if the defendant had seriously intended, by restoring the contribution, to show that it had committed an error which should not be repeated, as it were, so as to eliminate the risk of repetition. In this context, it could be left open whether the defendant would have been entitled under these principles at all to impose a ban on the user at the same time as deactivating the plaintiff's contribution - which even according to its submission was at least not clearly illegal - or whether it should not have first threatened to do so and possibly imposed a ban after waiting for a period for appeal.<br />
<br />
In view of all this, it cannot be assumed that the risk of recurrence has ceased to exist in this case.<br />
<br />
The decision on the threat of an administrative penalty is based on § 890 ZPO.<br />
<br />
(3) In view of the inadmissibility of the application for a declaratory judgment in respect of paragraph 1, the alternatively submitted application for correction of data had to be examined (application in respect of paragraph 1). However, this is unfounded.<br />
<br />
The data subject of a data processing operation - as here undoubtedly is the plaintiff - can demand that the data controller correct incorrect data pursuant to Art. 16 GDPR. According to Art. 4 No. 1 GDPR, personal data is individual information about personal or factual circumstances. Incorrect personal data must be corrected. Personal data is incorrect if the information it contains about the person concerned does not correspond to reality (Sydow/Peuker, DSGVO, 2nd ed. 2018, Art. 16 marginal 7 with further details). It is irrelevant to the question of incorrectness whether the person responsible can be accused of fault. The extent of the incorrectness is also irrelevant (BeckOK-DatenschutzR/Worms, 33rd Ed. 01.08.2020, DS-GVO Art. 16 marginal no. 52).<br />
<br />
However, only facts can be correct or incorrect, i.e. concrete events or conditions of the past or present that are accessible to evidence. Value judgments are therefore not covered by the scope of application of Art. 16 GDPR unless they can be traced back to facts (Sydow/Peuker, loc. cit., Art. 16 marginal 7; Gola/Reif, DS-GVO, 2nd ed. 2018, Art. 16 marginal 10; Kühling/Buchner-Herbst, DS-GVO, 2nd ed. 2018, Art. 16 marginal 9; differentiating Ehmann/Selmayr-Kamann/Braun, DSGVO, 2nd ed. 2018, Art. 16 marginal 20; BeckOK-DatenschutzR/Worms, op. cit.).<br />
<br />
In this case, the plaintiff objects to the defendant's alleged remark that there had been a "breach" of the terms of use. As described above, this is a legal assessment which the defendant initially affirmed and then, after review, denied. Accordingly, there is a value judgment (on legal assessments as value judgment see also BGH NJW 2016, 1584 marginal no. 20 - Nerzquäler; as well as here LG Köln, judgment of 13.05.2019 - 21 O 283/19, Annex B60; LG Marburg, judgment of 17.05.2019 - 2 O 150/15, enclosure B55).<br />
<br />
In addition, the defendant has submitted, without contest, that it has revised its original decision and restored the post. The data are therefore already "corrected", so that a possible claim for correction would already have been fulfilled.<br />
<br />
(4) The plaintiff has no claim against the defendant for information as to whether the defendant commissioned a company to carry out the examination (application under 3).<br />
<br />
In principle, a claim for information can arise from § 242 BGB if the legal relationship existing between the parties means that the beneficiary is excusably uncertain about the existence or scope of his right and the obligated party can easily provide the information required to eliminate the uncertainty. As a rule, the party against whom the claim for benefits is to be asserted is the party for whom the information is required. However, it is not apparent that the involvement of a third company could give rise to further claims by the plaintiff against the defendant, particularly since the defendant's general terms and conditions, in particular its data directive, provide for very extensive rights to use and pass on data collected from the users of its services and it is not apparent that any damage could arise from disclosure to commissioned companies (cf. OLG Munich, decision of 22.08.2019 - 18 U 1310/19, BeckRS 2019, 26477 marginal no. 22; OLG Munich, 07.01.2020 - 18 U 2346/19; see also LG Hamburg, judgement of 31.05.2019 - 305 O 117/18, BeckRS 2019, 21755 marginal no. 51 et seq.).<br />
<br />
(5) The plaintiff is also not entitled to information as to whether the defendant has received concrete or abstract instructions, advice, suggestions or any other proposals from the Federal Government or subordinate departments with regard to the deletion of contributions and/or the blocking of users, and if so, which ones (motion on 4.).<br />
<br />
There is no basis for a claim. Moreover, the right to information obviously does not serve the purpose of being able to choose the most favourable method of calculating damages, but solely to obtain information about possible other persons responsible for the deletion of contributions in the defendant's social network. Furthermore, claims of the plaintiff against the Federal Republic of Germany, which should be prepared, are not apparent (cf. Munich Higher Regional Court, 7 January 2020 - 18 U 2346/19). Thus there is also no need for legal redress (OLG Munich, decision of 22.08.2019 - 18 U 1310/19, BeckRS 2019, 26477 marginal no. 24; LG Hamburg, judgement of 31.05.2019 - 305 O 117/18, BeckRS 2019, 21755 marginal no. 54; see also OLG Oldenburg, judgement of 27.01.2020 – 13 U 128/19).<br />
<br />
6 Nor can the plaintiff demand payment of damages (motion under 5).<br />
<br />
a. An award of monetary compensation fails for lack of a serious impairment of the plaintiff combined with serious fault on the part of the defendant (see also Oldenburg Higher Regional Court, judgment of 27 January 2020 - 13 U 128/19). By the deletion of his contribution and the temporary blocking of his account, the plaintiff was restricted only in the form of his social contact. It was possible for him to contact other people via other media.<br />
<br />
b. Insofar as the plaintiff bases his claim for payment on the occurrence of material damage due to the lack of use of the network during the blocking period and insofar as he demands payment of a notional licence fee of EUR 50 per day, he does not succeed with this. According to the so-called differential hypothesis, the assumption of material damage presupposes, in principle, that the actual value of the injured party's assets is less than the value that the assets would have had without the event giving rise to the obligation to pay compensation. According to this, there is obviously no damage to the plaintiff, as he would not have received a licence fee for the use of his F-profile and the data stored there even without a block (LG Frankfurt a.M., judgement of 5 March 2020 - 2-03 O 411/18; cf. 27.01.2020 - 13 U 128/19; LG Hamburg, judgement of 31.05.2019 - 305 O 117/18, BeckRS 2019, 21755 marginal no. 57).<br />
<br />
c. A fictitious calculation of damage is also out of the question. According to case law, this is only considered permissible in exceptional cases. The Chamber does not consider it appropriate to apply it to the blocking of an F-account (see LG Hamburg, Urt. v. 31.05.2019 - 305 O 117/18, BeckRS 2019, 21755 marginal no. 57; LG Traunstein, judgment of 13.12.2019 – 8 O 2622/18).<br />
<br />
d. Nor does the plaintiff's claim arise from Art. 82 (1) DSGVO. It is already not apparent that the defendant would have processed the plaintiff's data - at least with regard to the block in dispute here - in a manner that is contrary to data protection law. According to the defendant's general terms and conditions, the defendant may carry out such deletions and issue blocks. In this case, however, the processing of the data for this purpose is also covered by Art. 6 (1) lit. b) DSGVO. The plaintiff has not sufficiently substantiated the fact that the defendant's data processing would be illegal for other reasons. Moreover, it is also not apparent what damage the plaintiff should have suffered as a result of the allegedly unlawful processing.<br />
<br />
7) The plaintiff is entitled to compensation for pre-litigation costs (motion under 6), but not to the amount claimed.<br />
<br />
a. The plaintiff may also claim reimbursement of the pre-court warning costs for the out-of-court warning letter under §§ 683, 677, 670 BGB in conjunction with § 257 BGB (application under 6.a), but not to the extent requested.<br />
<br />
If the amount of the warning costs is based on the object value of the warning, the costs of an only partially justified warning shall be reimbursed only to the extent that the warning was justified. The amount of the compensation claim is to be determined on the basis of the value of the subject matter corresponding to the justified part of the warning (BGH (VI. Zivilsenat) NJW 2017, 1550 marginal no. 28 - Michael Schumacher; different in the area of competition law BGH (I. Zivilsenat) GRUR 2010, 744 marginal no. 52 - special newsletter: Quotelung).<br />
<br />
According to the case law of the OLG Frankfurt a.M. (decision of 07.09.2018 - 16 W 38/18, NJOZ 2019, 576), the amount in dispute for the claim for omission of the deletion and blocking is generally EUR 3,000, i.e. EUR 4,500 in the main proceedings. As only the "omission", not also the blocking, is the subject of the action here in accordance with the motion for an action under No. 2., the plaintiff can demand from the defendant exemption from pre-court attorney's fees, including lump sum and value added tax, from an object value of 3,000 EUR, i.e. in the amount of 334.75 EUR.<br />
<br />
b. In order to obtain a cover note for the action in accordance with the motion for action under no. 6 lit. c., the plaintiff cannot demand compensation for the lawyer's fees incurred in this respect. It was reasonable to expect the plaintiff to first obtain a cover note himself and only after refusal of the insurance to issue a further lawyer's order to take action against the legal expenses insurance company (see OLG Oldenburg, judgement of 27 January 2020 - 13 U 128/19). The plaintiff has already failed to explain the relevant circumstances, but rather only referred to the fact that in other cases the legal protection insurance company only took action upon request by the lawyer.<br />
<br />
7 The decision on costs is based on § 92 (1) ZPO. The cost ratio takes into account the mutual winning and losing of the parties.<br />
<br />
8 The decision on provisional enforceability is based on sections 708 no. 11, 709 and 711 of the Code of Civil Procedure.<br />
<br />
9. The plaintiff was not to be granted a discount on the defendant's representative's statement of 25 August 2020. It is not apparent that the plaintiff was not able to respond to the defendant's written statement, which mainly contained legal arguments and was only a few pages long, until or during the oral proceedings. In particular, the week's time limit laid down in Section 132(1) of the Code of Civil Procedure has been complied with.<br />
</pre></div>MLhttps://gdprhub.eu/index.php?title=LG_Frankfurt_am_Main_-_2-03_O_282/19&diff=11879LG Frankfurt am Main - 2-03 O 282/192020-10-27T11:43:10Z<p>ML: Revised grammar and shortened it.</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Germany<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=LG Frankfurt am Main<br />
|Court_With_Country=LG Frankfurt am Main (Germany)<br />
<br />
|Case_Number_Name=2-03 O 282/19<br />
|ECLI=ECLI:DE:LGFFM:2020:0903.2.03O282.19.00<br />
<br />
|Original_Source_Name_1=www.lareda.hessenrecht.hessen.de<br />
|Original_Source_Link_1=https://www.lareda.hessenrecht.hessen.de/bshe/document/LARE200001580<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
<br />
|Date_Decided=03.09.2020<br />
|Date_Published=<br />
|Year=2020<br />
<br />
<br />
<br />
|National_Law_Name_1=§ 620 of German Civil Code (Bürgerliches Gesetzbuch (BGB)<br />
|National_Law_Link_1=https://www.gesetze-im-internet.de/bgb/__620.html<br />
|National_Law_Name_2=§ 626 of German Civil Code (Bürgerliches Gesetzbuch (BGB)<br />
|National_Law_Link_2=https://www.gesetze-im-internet.de/bgb/__626.html<br />
|National_Law_Name_3=§ 13 (6) of German Telemedia Act (Telemediengesetz (TMG)<br />
|National_Law_Link_3=https://www.gesetze-im-internet.de/tmg/__13.html<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Ditto K Thomas<br />
|<br />
}}<br />
<br />
The court held that the operator of a social network may check the identity of a user in accordance with its terms and conditions. If the operator asks the user to disclose his or her identity and the user refuses the verification, the operator can cancel the concluded contract and delete the member's login account.
==English Summary==<br />
<br />
===Facts===<br />
The defendant operates the website and the social network platform. According to the terms and conditions of the defendant's network, use of the network is based on a one-time registration with valid identification. The plaintiff registered in this network as a user of the service. The defendant transferred the plaintiff's account to account verification proceedings and requested the plaintiff to confirm the authenticity of his account by presenting a copy of his ID or picture, or by entering a confirmation code from one of his devices. The plaintiff did not answer the defendant's request. This is why the defendant blocked and deleted the account without giving any further reasons. Thereafter, the plaintiff tried to contact the defendant to restore his account, but did not succeed. <br />
<br />
===Dispute===<br />
Is the plaintiff entitled to claim to be able to enter into a contract with the defendant without verification of his identity according to the defendant's terms of use? <br />
<br />
Can the plaintiff maintain anonymity on the Internet according to section 13 (6) TMG, which provides for the anonymous use of telemedia services? <br />
<br />
Is section 13 (6) of the German Telemedia Act (Telemediengesetz - TMG) still effective after the GDPR has come into force? <br />
===Holding===<br />
The court found that the defendant had a right to extraordinary termination because the plaintiff violated his obligations under the terms of use of the defendant's platform. In this case, the defendant does not know the plaintiff personally and concludes contracts with him only via the Internet. This is why it may obtain knowledge of the identity of its contractual partner, but the plaintiff is also free not to use the defendant's service.<br />
<br />
The court concluded that the plaintiff has the right to register under a different name or to register in accordance with section 13 (6) of the German Telemedia Act under a pseudonym, and the defendant did not require the plaintiff to designate his profile with his own name, but only to disclose it to the defendant. Section 13 (6) of the German Telemedia Act (TMG) is not applicable in this case.<br />
==Comment==<br />
''Share your comments here!''<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
Court: District Court Frankfurt, 3rd civil chamber (Landgericht Frankfurt, 3. Zivilkammer) (LG Frankfurt)<br />
Decision date: 03.09.2020<br />
File number: 2-03 O 282/19<br />
ECLI: ECLI:DE:LGFFM:2020:0903.2.03O282.19.00<br />
Document type: Judgment<br />
State: Hessen<br />
Laws: § 620 and § 626 of the German Civil Code (Bürgerliches Gesetzbuch, BGB)<br />
and § 13 (6) of the German Telemedia Act (Telemediengesetz, TMG)<br />
Termination of an account on a social network after a refused identity verification.<br />
Guideline Principle<br />
The operator of a social network can in principle check the identity of a user in accordance with its conditions. If it asks the user to verify his or her identity and the user refuses this verification, the operator can cancel the concluded contract.<br />
Note<br />
challengeable.<br />
Tenor<br />
The application is dismissed.<br />
The plaintiff is ordered to pay the costs of the proceedings.<br />
The judgement is provisionally enforceable against a security deposit of 110% of the amount to be enforced.<br />
Facts<br />
The parties are in dispute about the admissibility of the deletion of a profile on the defendant's platform, damages and pre-trial attorney fees.<br />
The defendant operates the website and the social network www.F.com. The social network is operated by the Defendant's parent company based in California, USA. For Europe, the provider and contractual partner of the users of F is the Defendant with its registered office in Dublin, Ireland. The use of the social network F is based on a one-time registration with clear data.<br />
The Defendant provides the users with terms and conditions of business, which consist, among other things, of the Terms of Use (Annex K1) and the Community Standards (Annex K3).<br />
Clause 1 of these Terms of Service states, among other things:<br />
"We combat harmful conduct and protect and support our community:<br />
People can only form communities at F if they feel safe. We employ dedicated teams around the world and develop advanced technical systems to detect misuse of our products, harmful behavior toward others, and situations where we may be able to help support and protect our community. If we learn of such content or behavior, we will take appropriate action, such as offering help, removing content, blocking access to certain features, deactivating an account, or contacting law enforcement authorities. We will share information with other F-Companies if we become aware of abuse or harmful behavior by anyone using one of our products."<br />
Clause 3 reads among others (emphasis here):<br />
3.1 Who can use F<br />
When people stand behind their opinions and actions, our community is safer and more accountable. That is why you must do the following:<br />
-Use the same name that you use in your daily life.<br />
-Provide accurate and correct information about yourself.<br />
-Create only one account (your own) and use your chronicle for personal purposes.<br />
-Do not share your password, give others access to your F account, or transfer your account to someone else (without our consent).<br />
We try to make F available comprehensively and for everyone. However, you may not use F if the following applies:<br />
3.2 What you can share and do on F<br />
We want people to use F to express themselves and share content that is important to them. However, this must not be at the expense of the safety and well-being of others or the integrity of our community. You therefore agree not to engage in (or encourage or assist others to engage in) the conduct described below:<br />
1. You may not use our products to do or share anything to which the following applies:<br />
-It violates these Terms of Use, our Community Standards, or any other terms, conditions, and policies that apply to your use of F<br />
-It is unlawful, misleading, discriminatory or fraudulent.<br />
-It violates or infringes the rights of another person, such as their intellectual property rights.<br />
2. You may not upload viruses or malicious code or do anything that may interrupt, overload or impair the proper functioning or appearance of our products.<br />
3. You may not (without our prior consent) access, collect or attempt to access data from our products by any automated means that you are not authorized to access.<br />
We can remove or block content that violates these regulations.<br />
If we remove any content you share because it violates our community standards, we will notify you accordingly and explain what options you have to request further review, unless you have materially or repeatedly violated these Terms of Use, or notification by us could result in legal liability for us or others, harm our community, compromise or disrupt the integrity or operation of our services, systems or products, or we are prevented from doing so by technical limitations or are prohibited from doing so by law.<br />
To help us promote our community, we encourage you to report content or conduct that you believe violates your rights (including intellectual property rights) or our terms of use and policies.<br />
If the important reason is a violation of an obligation of these terms of use, the termination is only permissible after the unsuccessful expiration of a granted remedy period or after an unsuccessful warning. However, a time limit for remedy is not required if the other party seriously and finally refuses to fulfil its obligations or if, after weighing the interests of both parties, special circumstances justify immediate termination.<br />
You can read more about what you can do if your account has been deactivated and how to contact us if you think we have deactivated your account by mistake.<br />
If you delete your account or we deactivate it, these Terms of Use will end as an agreement between you and us, but the following provisions will continue to apply: 3.3.1, 4.2 through 4.5.<br />
The plaintiff registered on 07.03.2019 as a user of the service offered by the defendant, using the e-mail address r...@web.de.<br />
The defendant transferred the plaintiff's account to the so-called "fake account checkpoint" and requested the plaintiff to confirm the authenticity of his account, e.g. by presenting a copy of his ID or picture, or by entering a confirmation code from one of his devices. The plaintiff did not comply.<br />
On 09.03.2019, the defendant blocked the plaintiff's account without giving reasons.<br />
The plaintiff tried to persuade the defendant to restore his account, but did not succeed.<br />
On March 25, 2019, the plaintiff turned to his local attorneys of record. These obtained a confirmation of cover from the legal expenses insurance for the out-of-court activity, for which the plaintiff claimed legal fees from an object value of 8,000 EUR plus lump sum and value added tax, a total of 729.23 EUR. With a lawyer's letter dated 11.04.2019 (Annex K 13, Bl. 122 d.A.), the plaintiff requested the defendant to lift the blockage, among other things.<br />
The plaintiff is of the opinion that the parties have concluded a contract for the use of the defendant's platform, which is a continuing obligation with elements of a lease, work and service contract. This contract had the character of remuneration.<br />
The Defendant's terms of use were not effectively amended in spring 2018.<br />
In addition, the blocking or deactivation of an account of the defendant without giving reasons was fundamentally illegal. The Defendant has no ordinary right of termination. It can be seen from Sections 4.1 and 4.2 of the Terms of Use that the Defendant only has an extraordinary right of termination if one party violates its obligations. Only the User may terminate the contract at any time without giving reasons in accordance with clause 4.1 of the Terms of Use. By deleting the plaintiff's account without giving reasons, the defendant had violated its own terms of use.<br />
The defendant bears the burden of proof for the reason of an extraordinary termination. The defendant had also not had the right to force the plaintiff to submit evidence.<br />
The plaintiff can accordingly demand restoration. This also covers the re-establishment of all content linked with his profile.<br />
The damage caused by the refusal to use the network had to be assessed at 50 EUR per day.<br />
The plaintiff requests,<br />
1. to completely restore the plaintiff's profile deleted on 08.03.2019 (registration e-mail: r...@web.de) on www.F.com and in particular to restore all links of this profile to the profiles of other users as they existed at the time of deletion; and to grant the plaintiff access to this account<br />
2. order the defendant to pay the applicant damages in the amount of EUR 1 500 plus interest at 5 percentage points above the prime rate since 8 March 2019<br />
3. order the defendant to pay the applicant's legal fees<br />
a. for the extrajudicial activity in the amount of EUR 691.33 and<br />
b. for obtaining a cover note for the extrajudicial activity in the amount of EUR 201.71; and<br />
c. for obtaining a cover note for the claim in the amount of EUR 729.23<br />
by payment to the law firm ... to the law firm.<br />
<br />
The defendant claims that the Court should<br />
<br />
dismiss the application.<br />
The defendant alleges that it was entitled to assume that the plaintiff had created a bogus account.<br />
The defendant believes that it has a right to deactivate its users' accounts under clauses 1, 3 and 4 of the Terms of Service. It was entitled to terminate the contract with the plaintiff because he had violated the terms of use. He had registered a bogus account and, in particular, had not submitted any evidence at its request. It was also entitled to request the plaintiff to provide evidence. It also granted him a period of time in which he could prove his identity, so that a period of time was set for remedy within the meaning of Section 4.2 of the Terms of Use. The defendant is also not obliged to provide a user with a reason for deactivating his account. Among other things, this is not provided for in § 626 para. 2 sentence 3 BGB. Nor could the violation of such an obligation lead to the invalidity of the termination, but only to a claim for information about the reason for the measure.<br />
The plaintiff had not suffered any damage. The corresponding application was also inadmissible, as it was not sufficiently specified.<br />
The defendant initially refused to accept service because the documents were not translated (p. 175 of the annex). The plaintiff then applied for a default judgment in a written statement dated September 10, 2019. Before a possible default judgment was issued, the defendant indicated its readiness to defend in a written statement dated 16 September 2019, while maintaining its position that there had been no effective service.<br />
For further details, reference is made to the pleadings exchanged between the parties, including annexes and other contents of the file.<br />
Reasons for decision<br />
The action is admissible, but unfounded.<br />
I.<br />
The LG Frankfurt a.M. has international and local jurisdiction. This is not in dispute between the parties, so that in any case, on the basis of a statement without objections pursuant to Art. 26 para. 1 p. 1 of the Brussels Ia Regulation 1215/2012, it can be assumed that the court seised has jurisdiction (see also BGH NJW 2018, 3178 marginal no. 16).<br />
1. The plaintiff has no claim against the defendant for the activation of his profile (application under 1.). In particular, such a claim does not arise from the contract concluded between the parties.<br />
a. The claims asserted shall be assessed under German law in accordance with Art. 3 para. 1, Art. 6 para. 2 of Rome I-VO 593/2008. This is not in dispute between the parties. Furthermore, the parties have agreed in the terms of use of the defendant that German law shall apply (see also LG Hamburg, Urt. v. 31.05.2019 - 305 O 117/18, BeckRS 2019, 21755 marginal no. 18).<br />
b. In principle, the contract between a user and the defendant on the use of the defendant's social network is a contract under the law of obligations with elements of a lease, contract for work and services (LG Frankfurt a.M., decision of 10.09.2018 - 2-03 O 310/18, MMR 2018, 770; see also KG Berlin DNotZ 2018, 286 marginal no. 56 with further details; OLG Munich NJW 2018, 3115). The object of this contract is also the rules of conduct provided by the defendant as GTC.<br />
c. The examination of the lack of conformity of the defendant's conduct in consideration and weighing of the conflicting interests in connection with the § 241 para. 2 BGB (German Civil Code) is based on the contractual conditions which have been provided by the defendant since spring 2018. Contrary to the plaintiff's opinion, these have already been effectively agreed upon for the reason that the plaintiff, after his presentation, had not registered with the defendant until March 2019 and thus under the new terms of use.<br />
d. The Terms of Use and the Community Standards referred to therein are contractual terms pre-formulated for a large number of contracts and thus general terms and conditions within the meaning of § 305 (1) BGB (OLG Dresden NJW 2018, 3111; OLG Stuttgart NJW-RR 2019, 35; LG Hamburg, Urt. v. 31.05.2019 - 305 O 117/18, BeckRS 2019, 21755 marginal no. 23).<br />
e. The plaintiff may not demand the restoration of his profile on this basis.<br />
In the present case, it is not materially relevant whether the parties are in dispute here about a contract obligation of the defendant or about a permissible termination of the user relationship by the defendant.<br />
In this respect, the chronological sequence must be taken into account in particular. After the plaintiff's presentation in the statement of claim, it initially appeared as if the plaintiff had been using the defendant's platform for a long time and the defendant had suddenly decided to delete his profile without giving reasons. On the one hand, the plaintiff failed to state that he had only registered with the defendant on March 7, 2019 and that the defendant had indisputably requested the plaintiff to provide proof of his identity and he had not complied with this request.<br />
It also remained undisputed that the defendant's request to the plaintiff was made in direct connection with his registration with the defendant. The plaintiff registered on 07.03.2019, the defendant placed his profile in a "fake account checkpoint" and requested him to provide proof of identity. After the plaintiff failed to comply, the defendant deleted his profile already on March 9, 2019.<br />
aa.<br />
In such a constellation, one may assume that the present dispute between the parties does not revolve around whether the defendant was entitled to delete the contribution and block or delete his profile due to a certain behaviour of the plaintiff, e.g. a statement that was inadmissible under the defendant's terms of use. Rather, the issue in this case could be whether the plaintiff is entitled to claim against the defendant to be able to enter into a contract with the defendant without verification of his identity according to the defendant's terms of use, obliging the defendant to provide him with its services. The core of the dispute could accordingly be whether the defendant is subject to a contract obligation.<br />
In this respect, one could consider it harmless that the defendant only carried out its review after the plaintiff had registered with the defendant's service and subsequently deleted his profile instead of not even admitting the plaintiff to its platform beforehand and not concluding a contract of use. Due to the close temporal connection, one could nevertheless assume that what is in dispute here is the plaintiff's quasi first-time admission to the defendant's platform.<br />
However, the defendant is not subject to a general obligation to contract (OLG Dresden NJW-RR 2020, 429 marginal no. 4; LG Bremen MMR 2020, 426 marginal no. 37; LG Frankfurt a.M., judgement of 03.05.2020 - 2-03 O 411/20). <br />
If the plaintiff fundamentally refuses to cooperate, the defendant cannot be obliged to conclude a contract of use with him.<br />
But in the end that was not the point.<br />
bb.<br />
Even if one does not assume that an obligation to contract of the defendant is in dispute, but rather the question whether the defendant was allowed to terminate the contract with the plaintiff, this termination would have to be regarded as effective.<br />
In this respect, it is again irrelevant whether the defendant only had an extraordinary right of termination or also an ordinary right of termination according to § 620 para. 2 BGB, which is referred to in section 4.2 para. 2 of its terms and conditions of use, in which it is stated that the right of termination for good cause remains unaffected, from which one can conclude that there should also be a right of ordinary termination.<br />
However, the defendant also had a right to extraordinary termination, because the plaintiff violated his obligations under the contract. Section 3.1 of the Terms of Use stipulates that the user is obliged to provide information about himself. Accordingly, it must also be possible for the defendant to verify such information to a reasonable extent (cf. for the enforcement of the terms of use of a rating portal OLG Cologne, Urt. v. 26.06.2019 - 15 U 91/19, P. 26). This is because it can be assumed in principle that a contractual partner may obtain certainty about the identity of his counterpart. Since the defendant here does not know the plaintiff personally and concludes contracts with him only via the Internet, one can assume that it may choose other means to obtain knowledge of the identity of its contractual partner. In this respect, the plaintiff is free not to use the service of the defendant (see OLG Dresden NJW-RR 2020, 429 marginal no. 4; LG Bremen MMR 2020, 426 marginal no. 37) if he does not wish to disclose his identity.<br />
In this respect, the Chamber is aware that maintaining anonymity on the Internet can be very important and Section 13 (6) TMG provides for the anonymous use of Telemedia services. On the one hand, however, the user knows the defendant's service requires him to provide information about his person. This is also stipulated in the terms of use. Whether the plaintiff will claim to remain anonymous in such a case, although the defendant has decided to apply its terms of use to him, can ultimately remain open. Furthermore, the plaintiff is ultimately free to use other social networks that waive the disclosure of identity if he does not wish to meet these requirements.<br />
This is because the defendant offered the plaintiff various possibilities here to prove his identity and/or to prove that the newly created account is not a "fake account". The defendant did not categorically demand the presentation of an identity card - in contrast to the plaintiff - but also considered the presentation of a picture or similar to be sufficient. According to the defendant's undisputed submission, it would even have been sufficient for this purpose if the plaintiff had transmitted a confirmation code from one of his devices, which would not necessarily have entailed the disclosure of his identity.<br />
Here the defendant decided to verify the identity of the plaintiff and requested him to provide evidence.<br />
Insofar as Section 4.2 of the Terms of Use requires a time limit for remedy or a warning, this was granted by requesting the plaintiff to provide evidence within the set time limit. However, he did not comply with this request.<br />
Even with the argument of the plaintiff's representative at the hearing that § 13 (6) TMG prohibits the use of a clear name, the plaintiff does not succeed. In this respect, it is already questionable whether Section 13 (6) of the German Telemedia Act (TMG) will still be effective after the DSGVO has come into force. According to the parties, however, the present case does not concern the enforcement of the obligation to use clear names. The plaintiff did not claim to have registered with his real name, but only provided an e-mail address. Furthermore, the defendant has shown that it would have accepted the transmission of a picture (without name) or even the sending of a confirmation code from one of its devices in order to verify his identity, so that the plaintiff was not obliged to disclose his name.<br />
Even if the Chamber assumes that the plaintiff registered under a different name or (possibly in accordance with Section 13 (6) of the German Telemedia Act) under a pseudonym, the defendant did not require the plaintiff to designate his profile with his own name, but only that he disclose it to the defendant.<br />
2) In the absence of a breach of duty by the defendant, a claim for damages by the plaintiff is excluded (application to 2), whereby it is not necessary to state whether the plaintiff would be entitled to such a claim at all and in general (cf. negative for the case of the temporary blocking of the user account LG Frankfurt a.M., judgement of 5 March 2020 - 2-03 O 427/18).<br />
3. In the absence of a main claim, there are also no claims for reimbursement of out-of-court attorney fees (application under 3.).<br />
4. The decision on costs is based on § 91 ZPO (German Code of Civil Procedure), as the plaintiff is fully unsuccessful.<br />
5. The decision on provisional enforceability is based on § 709 ZPO.<br />
6. The plaintiff was not to be granted a discount on the written pleadings of the representatives of the defendant of 26.08.2020. It is not evident that the plaintiff could not get involved in the oral proceedings with the plaintiff's written statement, which contained predominantly legal arguments and was only a few pages long. In particular, the week's deadline of § 132 para. 1 ZPO has been observed.<br />
<br />
https://www.lareda.hessenrecht.hessen.de/bshe/document/LARE200001580<br />
<br />
</pre></div>MLhttps://gdprhub.eu/index.php?title=HDPA_(Greece)_-_37/2020&diff=11807HDPA (Greece) - 37/20202020-10-20T14:41:18Z<p>ML: /* Dispute */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Greece<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoGR.jpg<br />
|DPA_Abbrevation=HDPA<br />
|DPA_With_Country=HDPA (Greece)<br />
<br />
|Case_Number_Name=37/2020<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=HDPA<br />
|Original_Source_Link_1=https://www.dpa.gr/portal/page?_pageid=33%2C15453&_dad=portal&_schema=PORTAL&_piref33_15473_33_15453_15453.etos=2020&_piref33_15473_33_15453_15453.arithmosApofasis=&_piref33_15473_33_15453_15453.thematikiEnotita=-1&_piref33_15473_33_15453_15453.ananeosi=%CE%91%CE%BD%CE%B1%CE%BD%CE%AD%CF%89%CF%83%CE%B7<br />
|Original_Source_Language_1=Greek<br />
|Original_Source_Language__Code_1=EL<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=<br />
|Date_Published=02.10.2020<br />
|Year=2020<br />
|Fine=1000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 4(7) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#7<br />
<br />
<br />
|National_Law_Name_1=Article 11 L. 3471/2006<br />
|National_Law_Link_1=https://www.lawspot.gr/nomikes-plirofories/nomothesia/nomos-3471-2006<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Antigoni Logotheti<br />
|<br />
}}<br />
<br />
The HDPA fined a politician €1.000 for unsolicited political communication (SMS) sent without consent or any other legal basis under the national provisions on unsolicited communications. <br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
An individual submitted a complaint about unsolicited political communications (SMS) he received from a politician with whom he had no previous connection or relationship. <br />
<br />
===Dispute===<br />
<br />
Is unsolicited communication via SMS from a politician with whom the recipient never had contact legal?<br />
===Holding===<br />
The HDPA found that the politician acts as data controller for this communication and that he did not obtain the recipient's consent. However, the politician provided and satisfied the rights of access and objection. <br />
<br />
The HDPA upheld the complaint and imposed the proportionate fine of EUR 1000. <br />
<br />
==Comment==<br />
''Share your comments here!''<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.<br />
<br />
<pre><br />
PROTECTION OF PERSONAL DATA<br />
37/2020<br />
(Department)<br />
The Personal Data Protection Authority met in a department composition at its headquarters on 19-02-2020 at the invitation of its President, in order to examine the case mentioned in the history of the present. Charalambos Anthopoulos attended as President of the Authority Constantine Menoudakou and Deputy President Georgios Batzalexis, the alternate members Evangelos Papakonstantinou and Emmanuel Dimogenontakis, replacing the regular members Konstantinos Lambrinoudakis and Elenis Martsoukou respectively, who, although legally called in writing, did not participate as an alternate member. The meeting was attended by Georgios Roussopoulos, special scientist – auditor as assistant rapporteur and Irene Papageorgopoulou, employee of the administrative affairs department of the Authority, as secretary.<br />
The Authority took into account the following:<br />
Complaint C/ES/4904/12-07-2019 was submitted to the Authority by A concerning an unsolicited political communication (SMS message) for the promotion of B’s candidacy in the parliamentary elections of...<br />
In particular, according to the complaint, the complainant received on, on his mobile phone number, an SMS with “B” appearing as sender, which was of a political nature for the purposes of promoting the candidate’s candidacy in the forthcoming parliamentary elections of 26 May 2019, without having any previous relationship with him. The message was "The Lady...WE DECIDE ON OUR LIVES.WE VOTE... WE SUPPORT B!FOR EXCEPTION...’. The complainant also states that he contacted the above telephone number and, in a question as to the origin of the number, referred to him as a source of a regional part of a professional body in which he was formerly registered because of his professional status. The complainant now resides in another city.<br />
In the context of the examination of this complaint, the Authority sent the complainant the number one. C/EX/4904-1/09-08-2019 document, in which he asked for his views on the complainants, taking into account the guidelines he has issued for political communication.<br />
The complainant replied to the Authority within a short period of time, with number one. C/ES/5808/26-08-2019, in which it summarises:<br />
1) Accepts the sending of the message as part of the activity of notifying his candidacy in the parliamentary elections.<br />
2) He states that the recipients arose after selecting his mobile phone contacts, as well as from the corresponding messages he had sent in the previous parliamentary elections in 2015.<br />
3) Knowing that the legislation had to be complied with, he tried to make a further selection of the recipients.<br />
4) The message included the fixed phone of his office so that, in the event of an inconvenience, the recipient could request an exemption from a possible subsequent shipment.<br />
5) Some of the figures on the list that he drew up came from colleagues of the complainant, members of the professional body, as prior to the 2015 elections, he served as the... Regional Committee.<br />
6) The complainant was the only addressee to complain, in the communication with whom they recognised the error and excluded him from the list of recipients.<br />
Then the Authority called the no. No. C/EX/7600/05-11-2019 document complained to a hearing at the meeting of the Department of the Authority on 04-12-2019, during which the above-mentioned complaint was discussed and the general practice followed for communication of a political nature by electronic means. That meeting was attended by the complainant, who stated his views orally and then submitted the number first. C/ES/8441/04-12-2019 memorandum. In addition to the original memorandum, it states:<br />
1) The complainant had received a similar message in the 2015 elections without protesting.<br />
2) The message was sent to a list extracted from the candidate’s mobile phone. A sample of the extracted file shall be provided.<br />
3) The complainant considers that there is previous contact and relationship.<br />
4) The indication of the text ‘For Exemption’ and the telephone number of the complainant’s office indicates that, if the recipient so wishes, they are excluded. The applicant’s collaborators had been specifically instructed to send SMS only to persons with whom there were already previous online contacts and had not requested their exemption, so they had accepted them.<br />
5) The practice of the complainant is no different from what all the nominees have done.<br />
6) There was no intention of disturbing the complainant.<br />
The Authority, after examination of the evidence in the file, the hearing after hearing the rapporteur and the Assistant rapporteur, who left after the case and before the conference and the decision, and after an in-depth discussion<br />
CONSIDERED IN ACCORDANCE WITH THE LAW<br />
1. According to Article 4, point 7 of General Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as Regulation), which is applicable from 25 May 2018, the controller is defined as 'the natural or legal person, public authority, service or other body which, alone or jointly with others, determines the purposes and manner of processing personal data’.<br />
2. The issue of making unsolicited communications by any means of electronic communication, without human intervention, for direct marketing purposes of products or services and for all types of advertising purposes, is regulated in article 11 of Law 3471/2006 for the protection of personal data in the field of electronic communications. According to this article, such communication is permitted only if the subscriber expressly consents in advance. Exceptionally, according to Art. 11 par. 3 of Law 3471/2006, the e-mail contact details obtained legally, in the context of the sale of products or services or other transaction, may be used to directly promote similar products or services of the supplier or to serve similar purposes, even when the recipient of the message has not given his prior consent, provided that he is given in a clear and distinct manner the possibility of objecting, in an easy and free manner, to the collection and use of the data, as well as to the use of the information.<br />
3. Specifically for political communication through electronic means without human intervention and in accordance with the Authority’s guidelines on the processing of personal data for the purpose of political communication, taking into account both article 11 of Law 3471/2006, and the Authority’s Directive 1/2010 on political communication and the General Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data, which is implemented from 25 May 2018, the following shall apply:<br />
Political communication is of interest from the point of view of the protection of personal data, at any time, whether pre-election or otherwise, by political parties, MPs, MEPs, factions and holders of elected positions in local government or candidates in parliamentary elections, elections to the European Parliament and local elections. Such persons shall become controllers in accordance with Regulation (EU) 2016/679, Article 4, point 7, where they define the purpose and method of processing. For example, when Members of Parliament or candidates receive data from political parties and process them for their personal political communication, they also become controllers. In this capacity and on the basis of the principle of accountability, they must be able to demonstrate compliance with their obligations and processing rules.<br />
4. When political communication is made using electronic means of communication, without human intervention, through public communication networks, such as the case of emails, the communication presupposes, in accordance with article 11 par. 1 of Law 3471/2006, as applicable, the prior consent of the data subject, without prejudice to paragraph 3 of the same article, as applicable. It is also noted that short text messages (SMS) are also emails according to the definitions of Law 3471/2006 and Directive 2002/58/EC.<br />
5. Political communication by electronic means without human intervention and without the consent of the data subject shall be permitted only if the following conditions are cumulatively met:<br />
(a) The contact details have been lawfully obtained in the context of previous, similar contact with data subjects, and the subject during the collection of the data was informed of their use for the purpose of political communication, was given the opportunity to object to this use but did not express it. Prior contact need not be purely political, e.g. it is legitimate to send messages when the e-mail data were collected in the context of a previous invitation to participate in an event or action, regardless of its political nature. On the contrary, it is not considered to constitute such contact and it is not lawful to use electronic contact information for the purpose of political communication when these data were obtained in the context of a professional relationship, such as the use of the client file by a candidate. The controller shall provide the data subject with the opportunity to exercise the right of objection in an easy and clear manner, including in any political communication message. Each communication requires a clear indication of the identity of the sender or person for whose benefit the message is sent, as well as a valid address to which the recipient of the message may request the termination of the communication.<br />
6. In this particular case, the complainant, on the basis of the above, has, as a controller, made a political communication by sending short text messages (SMS). Therefore, the legality of the mission is ensured only if the provisions referred to in paragraphs 4 above have been complied with. The responses of the controller indicate the following:<br />
7. The controller had not received prior consent from the person to whom he sent a political communication message. Also, the contact details of the recipient of the message had not come into his possession as part of a previous similar contact with him. On the contrary, his personal information was obtained in the context of a previous activity in a professional and trade union body, which is not related to the specific political activity of the controller.<br />
8. The controller did not specify to the Authority the exact number of messages sent. In this regard, he only mentions that he sent to a list of contacts extracted from his mobile phone.<br />
9. The controller provided the data subject with the opportunity to exercise the right of opposition in an easy and clear manner. Indeed, the complainant exercised the right of access and opposition by telephone and the controller responded.<br />
10. By virtue of his capacity, the controller was fully aware of the current legal framework for political communication and of the Authority’s guidelines published and sent to political parties as early as April 2019.<br />
11. The controller cooperated with the Authority by responding without delay to the documents for clarification, providing the requested information both at the Authority’s meeting and in the memorandum submitted.<br />
12. No administrative penalty has been imposed on the controller by the Authority in the past. <br />
On the basis of the foregoing, the Authority unanimously considers that, according to article 11 of Law 3471/2006, the conditions of enforcement against the controller, based on article 13 of Law 3471/2006 in conjunction with article 21 par. 1 verse b of Law 2472/1997 and the article of 84 Law 4624/2019, the administrative sanction, referred to in the operative part of the present, which is judged proportional to the gravity of the infringement.<br />
FOR THESE REASONS<br />
The Personal Data Protection Authority:<br />
It imposes on B the effective, proportionate and dissuasive administrative fine that is appropriate in this particular case according to its specific circumstances, amounting to a thousand EUR (1.000,00) for the aforementioned infringement of article 11 of Law 3471/2006.<br />
The President-in-Office <br />
<br />
Mr Charalambos Anthopoulos<br />
<br />
Irene Papageorgopoulou<br />
<br />
</pre></div>MLhttps://gdprhub.eu/index.php?title=DSB_(Austria)_-_2020-0.349.984&diff=11805DSB (Austria) - 2020-0.349.9842020-10-20T13:04:02Z<p>ML: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Austria<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoAT.png<br />
|DPA_Abbrevation=DSB<br />
|DPA_With_Country=DSB (Austria)<br />
<br />
|Case_Number_Name=DSB-D205.023<br />
|ECLI=ECLI:AT:DSB:2020:2020.0.349.984<br />
<br />
|Original_Source_Name_1=Rechtsinformationssystem des Bundes<br />
|Original_Source_Link_1=https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=69253fd5-484d-443d-a8d6-453678ce520b&Position=1&Abfrage=Dsk&Entscheidungsart=Undefined&Organ=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=01.01.1990&BisDatum=&Norm=&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=&Dokumentnummer=DSBT_20200626_2020_0_349_984_00<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
<br />
|Type=Complaint<br />
|Outcome=Rejected<br />
|Date_Decided=26.06.2020<br />
|Date_Published=<br />
|Year=2020<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 4(22) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#22<br />
|GDPR_Article_2=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#1a<br />
|GDPR_Article_3=Article 5(1)(b) GDPR<br />
|GDPR_Article_Link_3=Article 5 GDPR#1b<br />
|GDPR_Article_4=Article 5(1)(f) GDPR<br />
|GDPR_Article_Link_4=Article 5 GDPR#1f<br />
|GDPR_Article_5=Article 6(1)(c) GDPR<br />
|GDPR_Article_Link_5=Article 6 GDPR#1c<br />
|GDPR_Article_6=Article 6(1)(f) GDPR<br />
|GDPR_Article_Link_6=Article 6 GDPR#1f<br />
<br />
<br />
|National_Law_Name_1=§ 1 Abs. 1, 2 DSG - Datenschutzgesetz (Data Protection Act)<br />
|National_Law_Link_1=https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=bundesnormen&Gesetzesnummer=10001597<br />
|National_Law_Name_2=§ 4 Abs. 1 DSG - Datenschutzgesetz (Data Protection Act)<br />
|National_Law_Link_2=https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=bundesnormen&Gesetzesnummer=10001597<br />
|National_Law_Name_3=§ 3 (4) PMG - Postmarktgesetz (Postal Market Law)<br />
|National_Law_Link_3=https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=20006582<br />
|National_Law_Name_4=§ 5 (3) PMG - Postmarktgesetz (Postal Market Law)<br />
|National_Law_Link_4=https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=20006582<br />
|National_Law_Name_5=§ 12 (1) PMG - Postmarktgesetz (Postal Market Law)<br />
|National_Law_Link_5=https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=20006582<br />
|National_Law_Name_6=§ 20(1) PMG - Postmarktgesetz (Postal Market Law)<br />
|National_Law_Link_6=https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=20006582<br />
<br />
|Party_Name_1=Österreichische Post AG<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The Austrian DPA decided that the electronic recording and storing of identity card data in the course of collecting a postal item (registered mail) is lawful.<br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
The complainant was not at home when delivery of a registered letter was attempted. Therefore, he needed to collect it at the post office. In order to identify the complainant as the addressee of the registered mail, an employee asked for his identity card and "scanned" it with a special identity card reader; however, no copy of the document itself was made.<br />
<br />
The complainant alleges that the Post AG infringed confidentiality obligations by making a copy of the identity card (recording by means of a scanning device and the storage of the identity card data).<br />
<br />
===Dispute===<br />
Has the Österreichische Post AG infringed the complainant's right to confidentiality by an employee who was electronically recording and storing identity card data of the complainant in the course of collecting a postal item (registered mail)?<br />
<br />
===Holding===<br />
The processing of identity card data in order to verify the person collecting registered mail is lawful.<br />
<br />
As a universal service provider within the meaning of Article 3(4) in conjunction with Article 12(1) of the PMG, the defendant is subject to the provisions of the PMG and must therefore be regarded as the addressee of the legal obligations arising from that law.<br />
Private entities, § 26 (4) DSG, may base their actions on an enabling norm in the sense of Article 6 (1) (c) and Article 5 (1) (a) GDPR.<br />
<br />
The provisions of the PMG do not create a legal obligation to process personal data under Article 6 (1) (c) GDPR.<br />
<br />
Under Article 6 (1) (f) GDPR, data can be processed on the basis of the legitimate interests of a party. Here, the Post AG might have been exposed to warranty claims, damage etc. if the complainant had not been identified correctly. These data are also necessary to defend its legal claims, and the fundamental rights and freedoms of the data subject, i.e. secrecy, do not override the interests of the Post AG. <br />
<br />
The collection and storage of identification data for the purpose of defending legal claims relating to postal items is within the scope of general life experience and was in this respect also easily foreseeable by the complainant. No special categories of data were processed, and the storage period of six months is also proportionate.<br />
<br />
==Comment==<br />
''Share your comments here!''<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
<br />
Decision-making authority<br />
Data Protection Authority<br />
Document type<br />
Decision text<br />
Decision type<br />
Decision Complaint<br />
Business figures<br />
2020-0.349.984<br />
Decision date<br />
26.06.2020<br />
Appeal to the BVwG/VwGH/VfGH<br />
This decision is final.<br />
Standard<br />
DSG §1 Abs1<br />
DSG §1 Abs2<br />
DSG §4 Abs1<br />
PMG §3 Z4<br />
PMG §3 Z12<br />
PMG §5 Abs3<br />
PMG §12 Abs1<br />
PMG §20 Abs1<br />
DSGVO Art4 Z2<br />
DSGVO Art5 Abs1 lita<br />
DSGVO Art5 Abs1 litb<br />
DSGVO Art5 Abs1 litf<br />
DSGVO Art6 Abs1 litc<br />
DSGVO Art6 Abs1 litf<br />
Text<br />
<br />
GZ: 2020-0.349.984 of 26 June 2020 (procedure number: DSB-D205.023)<br />
<br />
Note Processor: Names and companies, legal forms and product names, addresses (including URLs, IP and e-mail addresses), file numbers (and similar), etc., as well as their initials and abbreviations may be abbreviated and/or changed for reasons of pseudonymisation. Obvious spelling, grammar and punctuation errors have been corrected.<br />
<br />
The respondent's company name was not pseudonymised here, since according to the reasons for the decision, the universal service provider pursuant to Section 12 (1) PMG was involved in the procedure in this role, and the respondent is listed as such in the cited Act. Moreover, a meaningful pseudonymisation was not possible due to multiple references to the respondent's business activities as a universal service provider in the facts of the case (e.g. registered letter, "yellow slip"). However, the interest in secrecy of the respondent who won the proceedings and whose actions were found to be lawful does not outweigh here the public interest in the publication of the decision required by law under section 23(2) of the DSG.<br />
<br />
DECISION<br />
<br />
RULING<br />
<br />
The data protection authority decides on the data protection complaint of Gustav A*** (complainant) of 17 April 2019 against Österreichische Post AG (respondent) for violation of the right to secrecy as follows:<br />
<br />
- The complaint is dismissed as unfounded.<br />
<br />
Legal basis: Article 4(2), Article 5(1)(f), Article 6(1)(c) and (f), Article 13, Article 51(1), Article 57(1)(f) and Article 77(1) of Regulation (EU) 2016/679 (Basic Regulation on data protection, hereinafter referred to as the DSGVO), OJ No L 119 of 4 May 2016, p. 1; Articles 1(1) and (2), 18(1) and 24(1) and (5) of the Data Protection Act (Datenschutzgesetz, DSG), Federal Law Gazette I No 165/1999 as amended; Article 3(4) and (12), Article 12, Article 17 and Article 20 of the Postal Market Act (Postal Market Act, PMG), Federal Law Gazette I No 123/2009 as amended;<br />
<br />
EXPLANATIONS<br />
<br />
A. Arguments of the parties and procedure<br />
<br />
1 In his submission of 17 April 2019 initiating the proceedings, repeated on 23 June 2019 and 26 July 2019, the complainant alleged a violation of the right to confidentiality as well as a violation of the respondent's information duties.<br />
<br />
The alleged breach of the duty to provide information is the subject of separate proceedings concerning the business number DSB-D205.246.<br />
<br />
As regards the alleged breach of confidentiality, the complainant submitted the following summarised submissions:<br />
<br />
The complainant had collected a letter addressed to him by means of a so-called "yellow slip" on 29 March 2019 at a branch of the respondent. In the course of that collection, an employee of the respondent requested the production of an identity card of the complainant, which was produced by the complainant. Subsequently, however, the employee made a copy against his will and without his permission. The identity card was placed on a scanner and the data was recorded electronically. The complainant further submits that even in the respondent's General Terms and Conditions ("AGB-Brief National") under point 3.5.2, there is only reference to a document in case of doubt as to identity, and not to data collection.<br />
<br />
By decision of 22 July 2019 (ref. no.: DSB-D205.023/0001-DSB-2019), the data protection authority invited the respondent to submit comments.<br />
<br />
4 By submission of 20 August 2019, the defendant submitted the following observations:<br />
<br />
It was correct that the complainant had collected a registered letter with a take-over certificate in a branch of the defendant, since he had not been found at the time of the attempted delivery. He had therefore been informed, by means of a "yellow slip", of the attempted delivery and of the deposit of the item and of the need to produce an official identity document with a photograph when the item was collected. The notice of deposit also contained a reference to the defendant's data protection notices, which provided information in particular on the processing of identity card data.<br />
<br />
When the complainant collected the item, an employee of the defendant asked the complainant to present a photo ID and subsequently automatically recorded the specific ID data, as is usual when a person is not personally known to the employee. A scanning device was used to record the ID card data, which merely reads out concrete data from the respective ID card, namely the type of ID card, the ID card number, the issuing authority and date of birth as well as the corresponding name - no copy was made. The complainant had acknowledged receipt of the registered mail on the card.<br />
<br />
The challenged processing of the identity card data was necessary in order to fulfil a legal obligation to which the respondent was subject as the person responsible (Article 6(1)(c) DSGVO): under Section 3(12) PMG, the acceptance of registered mailings to the correct recipient had to be acknowledged. Unless the respondent is personally known to the respondent, the handover to the correct person is only possible within the framework of an identification/authentication procedure to be carried out, i.e. by presenting an official photo ID. In accordance with Section 20 PMG, the respondent had issued general terms and conditions (in particular "AGB Brief"), which had also been approved by the regulatory authority. This also resulted in the need for a confirmation of takeover and a determination of identity (points 3.3 and 3.5.2 of the national letter contract terms and point 4.1 of the product and price list ("PVV") for return receipt letters, including registered letters). It was apparent from these documents (GTC and PVV) that the handing over of a registered letter was only permissible after prior identification or authentication. The respondent had collected the identification data for the purpose of identification or authentication and thus kept them for 6 months for the possible handling of potential investigations (item 3.10 of the GTC Letter national) as well as possible warranty cases (item 4 of the GTC Letter national), i.e. for the assertion, exercise or defence of legal claims and also for the implementation of the contractual relationship with the sender, and deleted them afterwards. A processing and storage authorisation is also based on the fact that the respondent is exposed to possible warranty claims and/or claims for damages if a consignment is not handed over properly, in particular to the correct recipient. It must therefore be possible to defend oneself at least within the statutory warranty period. 
In the context of any proceedings before the data protection authority, the defendant must also be able to prove its freedom, for example, that it has complied with its duty of care and has verifiably verified the identity of the transferee. The respondent referred to the time-limit laid down in Paragraph 24(4) of the DSG and a more detailed decision of the data protection authority concerning the admissibility of a copy of the identity document for the purpose of checking identity.<br />
<br />
Furthermore, the processing of the identity card data in order to safeguard the legitimate interests of the respondent and the respective sender in the sense of Article 24(4) of the DSG. Art. 6 para. 1 lit. f DSGVO in order to ensure correct allocation to the actually addressed recipient and to be able to provide the sender with proof of this. This was the only way to prevent any possible abuse. The interests of the respondent and its contractual partner outweighed the interests or fundamental rights and freedoms of the complainant. There would be no noticeable impairment of the complainant, as only the necessary data would be stored, which would be protected in accordance with Section 5 of the PMG and by comprehensive technical and organisational measures.<br />
<br />
The defendant also stated that it had complied with its duties to provide information and referred to the "data protection notices" which were available on its website.<br />
<br />
By decision of 19 September 2019 (ref. DSB-D205.023/0003-DSB/2019), the data protection authority granted the complainant the right to be heard and to submit comments.<br />
<br />
The complainant made no further submissions.<br />
<br />
B. Object of the complaint<br />
<br />
The subject of the complaint is the question whether the respondent has infringed the complainant's right to confidentiality by an employee of the respondent electronically recording and storing identity card data of the complainant in the course of collecting a postal item (registered mail).<br />
<br />
The alleged violation of the information duties is dealt with separately in the procedure concerning the business number DSB-D205.246 and was therefore not the subject of the present proceedings.<br />
<br />
C. Findings of the facts<br />
<br />
(1) On 29 March 2019, the complainant collected a letter at the (post) office ****, **** XY, *** street *. The respondent had informed the complainant at a point in time which could not be further specified about an unsuccessful delivery attempt and the subsequent deposit in the said post office by means of a notification about a deposited item ("yellow slip"). This was a non-official, recommanded (with a take-over certificate) registered letter.<br />
<br />
(2) The complainant, after having been requested to do so by an employee of the respondent, presented his official photo identification in the course of the collection of the consignment. Subsequently, the identity card data (type of ID card, ID card number, issuing authority, date of birth and the corresponding name) were recorded electronically using a scanning device and stored for 6 months. After the retention period expired, the data in question were deleted. However, no copy of the ID document itself was made.<br />
<br />
Evaluation of evidence: The findings result from the concurring submissions of the parties, in particular the submission of the complainant of 17 April 2019 and the submission of the respondent of 20 August 2019.<br />
<br />
3 The following General Terms and Conditions of the respondent were valid as of 29 March 2019:<br />
<br />
Assessment of evidence: The findings result from the respondent's submission of 20 August 2019 and were not disputed by the complainant.<br />
<br />
D. From a legal point of view, the following follows:<br />
<br />
The complainant alleges that the respondent infringed confidentiality obligations by making a copy of the identity card (recording by means of a scanning device and the storage of the identity card data).<br />
<br />
In conclusion, there is no justification for these statements:<br />
<br />
D.1 Re Art. 6 (1) lit. c DSGVO:<br />
<br />
Under Section 1(1) of the DSG, everyone has the right to the confidentiality of personal data relating to him or her, in particular with regard to respect for his or her private and family life, provided there is an interest worthy of protection.<br />
<br />
Under Section 1, paragraph 2 of the DSG, restrictions on the right to secrecy, insofar as the use of personal data is not in the vital interest of the person concerned or with his or her consent, are only permissible in order to safeguard the overriding legitimate interests of another.<br />
<br />
The data processing in question was neither carried out in the vital interest of the complainant nor did consent exist, which is why its lawfulness had to be examined on the basis of the protection of overriding legitimate interests: According to the case law of the data protection authority, a breach of confidentiality obligations does not exist in particular if the rules of the DPA and the principles enshrined therein, which are to be regarded as implementing provisions under Article 4 (1) DPA, have not been breached (cf. the notice of 31 October 2018, GZ DSB-D123.076/0003-DSB/2018).<br />
<br />
Under Article 5 (1) (b) of the DSGVO, personal data must be collected for specified, explicit and legitimate purposes and may not be further processed in a way incompatible with those purposes ("purpose limitation"). The processing of personal data is justified, inter alia, if it is necessary to fulfil a legal obligation to which the controller is subject (Art. 6 para. 1 lit. c DSGVO) or to safeguard the legitimate interests of the controller or of a third party, provided that the interests or fundamental rights and freedoms of the data subject which require the protection of personal data do not prevail (Art. 6 para. 1 lit. f DSGVO).<br />
<br />
Art. 6 para. 1 lit. c DSGVO in conjunction with the PMG and Art. 6 para. 1 lit. f DSGVO are relevant in this context:<br />
<br />
However, the respondent also correctly referred to the legal obligations under the PMG:<br />
<br />
Section 3 no. 4 and no. 12 PMG read as follows (emphasis added by the data protection authority):<br />
<br />
Definitions<br />
<br />
§ 3.<br />
<br />
For the purposes of this Act<br />
<br />
[...]<br />
<br />
4. "Universal service operator" means one or more designated universal service operators under section 12(1) or one or more designated postal service providers under section 12(2);<br />
<br />
<br />
[...]<br />
<br />
12. "Registered item" shall mean a postal item which is insured by the postal service provider against loss, theft or damage on a flat-rate basis and in respect of which the sender is provided, where appropriate at his or her request, with a confirmation of receipt of the item and/or its delivery to the addressee;<br />
<br />
<br />
<br />
Section 12 PMG reads as follows (emphasis added by the data protection authority):<br />
<br />
Universal service provider<br />
<br />
§ 12.<br />
<br />
(1) Upon entry into force of this Federal Act, Austrian Post will be designated as the universal service operator.<br />
<br />
[...]<br />
<br />
Section 20 of the PMG and its title read as follows (emphasis added by the data protection authority):<br />
<br />
General Terms and Conditions of the Universal Service Operator<br />
<br />
§ 20.<br />
<br />
(1) The universal service operator shall, in accordance with the provisions of this Act and the regulations for services in the universal service area adopted on the basis of this Act, issue general terms and conditions of business.<br />
<br />
[...]<br />
<br />
In any event, a legal obligation under Article 6(1)(c) of the DSGVO is to be understood as an obligation under objective law (Frenzel in Paal/Pauly, Datenschutz-Grundverordnung Art. 6, margin no. 16) which may result in particular from a legal basis in a Member State or in Union law and which, moreover, relates directly to data processing (Kastelitz/Hötzendorfer/Tschohl in Knyrim, DatKomm Art. 6 DSGVO, margin no. 39).<br />
<br />
As a universal service provider within the meaning of Article 3(4) in conjunction with Article 12(1) of the PMG, the defendant is subject to the provisions of the PMG and must therefore be regarded as the addressee of the legal obligations arising from that law.<br />
<br />
According to the consistent case-law of the Constitutional Court on the quality of an obligatory standard in the sense of Section 1 (2) of the Data Protection Act 2000 (DSG 2000), this standard must "specify with sufficient precision, i.e. predictably for everyone, under which conditions the determination or use of data for the performance of specific administrative tasks is permissible. The respective legislator must therefore, in the sense of Section 1 (2) DSG 2000, provide for a substantive regulation in the sense that the cases of permissible encroachments on the fundamental right to data protection are specified and limited" (VfSlg. 18.146/2007).<br />
<br />
In doing so, the data protection authority does not overlook the fact that this case law refers to an overriding norm which is intended to legitimise official action, which is not the case here.<br />
<br />
Nevertheless, this case law can also apply mutatis mutandis if those responsible in the private sector (Section 26 (4) DSG) base their actions on an enabling norm in the sense of Article 6 (1) (c) DSGVO. This also follows from Art. 5 (1) lit. a DSGVO, according to which personal data are processed in a lawful manner, in good faith and in a manner comprehensible to the data subject.<br />
<br />
It must therefore be examined whether the provisions of the PMG may create a legal obligation to process personal data under Art. 6 (1) lit. c DSGVO.<br />
<br />
Section 3 no. 12 PMG stipulates the need to confirm receipt or delivery of the consignment. However, Section 3 no. 12 PMG does not make any statement about the mere determination, i.e. the recording or storage of personal (ID) data beyond this. This applies equally to Section 20 (1) PMG, which merely provides for the issuing of general terms and conditions, but does not impose any legal obligation to process personal data.<br />
<br />
Moreover, it should be noted that even the respondent's General Terms and Conditions cannot constitute a legal obligation due to the lack of substantive legal quality.<br />
<br />
As a result, the provisions of the PMG in conjunction with Article 6(1)(c) of the DSGVO put forward by the respondent do not constitute a legal basis for the scanning and storage of the complainant's identity document.<br />
<br />
D.2 To safeguard legitimate interests (Art. 6 para. 1 lit. f DSGVO):<br />
<br />
It must then be examined whether the processing of the complainant's personal data was necessary to safeguard the legitimate interests of the respondent or a third party within the meaning of Article 6 paragraph 1 letter f DSGVO.<br />
<br />
According to the ECJ's case law, processing is permissible on the legal basis of "legitimate interest" under three cumulative conditions: (i) the pursuit of a legitimate interest by the controller or by the third party or parties to whom the data are disclosed, (ii) the necessity of the processing of personal data for the purposes of the legitimate interest and (iii) the fundamental rights and freedoms of the data subject do not prevail over the legitimate interest pursued (see, with regard to Directive 95/46/EC, ECJ judgment of 11 December 2019, C-708/18 [TK], para. 40 with further references).<br />
<br />
(i) Legitimate interests of the data controller or a third party<br />
<br />
It must first be examined whether the respondent or a third party had a legitimate interest in processing the identity card data of the complainant in question:<br />
<br />
To this end, the respondent argued, inter alia, that it might have been exposed to warranty claims and/or claims for damages by the sender and that the processing was therefore necessary to safeguard or defend its legal claims.<br />
<br />
In this respect, it must be noted that the respondent's interest in being able to defend itself sufficiently in the event of a legal dispute, at least within the statutory warranty period, and to provide proof of the lawful transfer to the correct person, was certainly to be regarded as justified (cf. Kastelitz/Hötzendorfer/Tschohl in Knyrim, DatKomm Art. 6 DSGVO, margin no. 54).<br />
<br />
Against this background, the existence of a legitimate interest of the respondent in the processing of the identity card data in question was to be affirmed.<br />
<br />
(ii) Necessity of the data processing<br />
<br />
Furthermore, it should also be recognised that the processing of the complainant's identity card data could be used to prove that the data had been handed over to the correct recipient in the event of a dispute.<br />
<br />
(iii) No overriding of the fundamental rights and freedoms of the data subject<br />
<br />
Finally, the respondent's established interest in data processing had to be compared with the complainant's claim to secrecy and a possible predominance had to be examined.<br />
<br />
In doing so, the reasonable expectations of the complainant were to be taken into account, i.e. in particular whether he could reasonably foresee, at the time of the collection of the identification data and in view of the circumstances under which it was carried out, that processing for this purpose might possibly take place (see Recital 47 of the DSGVO). In any event, the collection and storage of identification data for the purpose of defending legal claims relating to postal items is within the scope of general life experience and was in this respect also easily foreseeable by the complainant.<br />
<br />
In order to weigh up the specific interests involved, it should also be noted that no special categories of personal data pursuant to Article 9(1) DSGVO, no data relevant to criminal law pursuant to Article 10 DSGVO and no other personal data were processed which would involve a particularly intensive encroachment on the fundamental right to secrecy.<br />
<br />
The categories of data processed by the respondent are in no way excessive and the storage period of six months is in no way to be regarded as disproportionate. Also in view of the case law of the European Court of Justice, no excessive data processing can be seen here: the processing was limited to what was absolutely necessary, both in terms of the volume of data processed and the storage period (cf. e.g. ECJ 11.12.2014, C-212/13, Ryneš), as the respondent stored the ID card data for only six months and thus only for a clearly defined, non-excessive period of time.<br />
<br />
D.3 Result:<br />
<br />
Against this background, the data protection authority comes to the conclusion that the legitimate interests of the respondent outweigh the fundamental rights and freedoms of the complainant and that the processing was lawfully carried out on the basis of "legitimate interests" pursuant to Article 6 (1) lit. f of the DSGVO.<br />
<br />
The complaint was therefore to be dismissed as inadmissible.<br />
Keywords<br />
Confidentiality, lawfulness of processing, postal service, universal service provider, registered letter, person collecting, scanning of photo identification, authorisation standard, general terms and conditions, balancing of interests<br />
European Case Law Identifier (ECLI)<br />
ECLI:AT:DSB:2020:2020.0.349.984<br />
Last updated on<br />
29.09.2020<br />
Document number<br />
DSBT_20200626_2020_0_349_984_00<br />
</pre></div>MLhttps://gdprhub.eu/index.php?title=DSB_(Austria)_-_2020-0.349.984&diff=11785DSB (Austria) - 2020-0.349.9842020-10-19T13:59:41Z<p>ML: Added §§</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Austria<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoAT.png<br />
|DPA_Abbrevation=DSB<br />
|DPA_With_Country=DSB (Austria)<br />
<br />
|Case_Number_Name=DSB-D205.023<br />
|ECLI=ECLI:AT:DSB:2020:2020.0.349.984<br />
<br />
|Original_Source_Name_1=Rechtsdatenbank<br />
|Original_Source_Link_1=https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=69253fd5-484d-443d-a8d6-453678ce520b&Position=1&Abfrage=Dsk&Entscheidungsart=Undefined&Organ=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=01.01.1990&BisDatum=&Norm=&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=&Dokumentnummer=DSBT_20200626_2020_0_349_984_00<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
<br />
|Type=Complaint<br />
|Outcome=Rejected<br />
|Date_Decided=26.06.2020<br />
|Date_Published=<br />
|Year=2020<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 4(22) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#22<br />
|GDPR_Article_2=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#1a<br />
|GDPR_Article_3=Article 5(1)(b) GDPR<br />
|GDPR_Article_Link_3=Article 5 GDPR#1b<br />
|GDPR_Article_4=Article 5(1)(f) GDPR<br />
|GDPR_Article_Link_4=Article 5 GDPR#1f<br />
|GDPR_Article_5=Article 6(1)(c) GDPR<br />
|GDPR_Article_Link_5=Article 6 GDPR#1c<br />
|GDPR_Article_6=Article 6(1)(f) GDPR<br />
|GDPR_Article_Link_6=Article 6 GDPR#1f<br />
<br />
<br />
|National_Law_Name_1=§ 1 Abs. 1, 2 DSG - Datenschutzgesetz (Data Protection Act)<br />
|National_Law_Link_1=https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=bundesnormen&Gesetzesnummer=10001597<br />
|National_Law_Name_2=§ 4 Abs. 1 DSG - Datenschutzgesetz (Data Protection Act)<br />
|National_Law_Link_2=https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=bundesnormen&Gesetzesnummer=10001597<br />
|National_Law_Name_3=§ 3 (4) PMG - Postmarktgesetz (Postal Market Law)<br />
|National_Law_Link_3=https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=20006582<br />
|National_Law_Name_4=§ 5 (3) PMG - Postmarktgesetz (Postal Market Law)<br />
|National_Law_Link_4=https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=20006582<br />
|National_Law_Name_5=§ 12 (1) PMG - Postmarktgesetz (Postal Market Law)<br />
|National_Law_Link_5=https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=20006582<br />
|National_Law_Name_6=§ 20(1) PMG - Postmarktgesetz (Postal Market Law)<br />
|National_Law_Link_6=https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=20006582<br />
<br />
|Party_Name_1=Österreichische Post AG<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The Austrian DPA decided that the electronic recording and storing of identity card data in the course of collecting a postal item (registered mail) is lawful.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The complainant was not at home when delivery of a registered letter was attempted. Therefore, he needed to collect it at the post office. In order to identify the complainant as the addressee of the registered mail, an employee asked for his identity card and "scanned" it with a special identity card reader; however, no copy of the document itself was made.<br />
<br />
The complainant alleges that the Post AG infringed confidentiality obligations by making a copy of the identity card (recording by means of a scanning device and the storage of the identity card data).<br />
<br />
=== Dispute ===<br />
Has the Österreichische Post AG infringed the complainant's right to confidentiality by an employee who was electronically recording and storing identity card data of the complainant in the course of collecting a postal item (registered mail)?<br />
<br />
=== Holding ===<br />
The processing of identity card data in order to verify the person collecting registered mail is lawful.<br />
<br />
As a universal service provider within the meaning of Article 3(4) in conjunction with Article 12(1) of the PMG, the defendant is subject to the provisions of the PMG and must therefore be regarded as the addressee of the legal obligations arising from that law.<br />
Private entities, § 26 (4) DSG, may base their actions on an enabling norm in the sense of Article 6 (1) (c) and Art. 5 (1) (a) GDPR.<br />
<br />
The provisions of the PMG do not create a legal obligation to process personal data under Art. 6 (1) lit. c GDPR.<br />
<br />
Under Art. 6 (1) (f) GDPR, data can be processed on the basis of the legitimate interests of a party. Here, the Post AG might have been exposed to warranty claims, damage etc. if the complainant had not been identified correctly. These data are also necessary to defend its legal claims, and the fundamental rights and freedoms of the data subject, i.e. secrecy, do not override those of the Post AG.<br />
<br />
The collection and storage of identification data for the purpose of defending legal claims relating to postal items is within the scope of general life experience and was in this respect also easily foreseeable by the complainant. No special categories of data were processed, and the storage period of six months is also proportionate.<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
<br />
Decision-making authority<br />
Data Protection Authority<br />
Document type<br />
Decision text<br />
Decision type<br />
Decision Complaint<br />
Business figures<br />
2020-0.349.984<br />
Decision date<br />
26.06.2020<br />
Appeal to the BVwG/VwGH/VfGH<br />
This decision is final.<br />
Standard<br />
DSG §1 Abs1<br />
DSG §1 Abs2<br />
DSG §4 Abs1<br />
PMG §3 Z4<br />
PMG §3 Z12<br />
PMG §5 Abs3<br />
PMG §12 Abs1<br />
PMG §20 Abs1<br />
DSGVO Art4 Z2<br />
DSGVO Art5 Abs1 lita<br />
DSGVO Art5 Abs1 litb<br />
DSGVO Art5 Abs1 litf<br />
DSGVO Art6 Abs1 litc<br />
DSGVO Art6 Abs1 litf<br />
Text<br />
<br />
GZ: 2020-0.349.984 of 26 June 2020 (procedure number: DSB-D205.023)<br />
<br />
[Editor's note: Names and companies, legal forms and product names, addresses (including URLs, IP and e-mail addresses), file numbers (and similar), etc., as well as their initials and abbreviations may be abbreviated and/or changed for reasons of pseudonymisation. Obvious spelling, grammar and punctuation errors have been corrected.<br />
<br />
The respondent's company name was not pseudonymised here, since according to the reasons for the decision, the universal service provider pursuant to Section 12 (1) PMG was involved in the procedure in this role, and the respondent is listed as such in the cited Act. Moreover, a meaningful pseudonymisation was not possible due to multiple references to the respondent's business activities as a universal service provider in the facts of the case (e.g. registered letter, "yellow slip"). However, the interest in secrecy of the respondent who won the proceedings and whose actions were found to be lawful does not outweigh here the public interest in the publication of the decision required by law under section 23(2) of the DSG.]<br />
<br />
DECISION<br />
<br />
RULING<br />
<br />
The data protection authority decides on the data protection complaint of Gustav A*** (complainant) of 17 April 2019 against Österreichische Post AG (respondent) for violation of the right to secrecy as follows:<br />
<br />
- The complaint is dismissed as unfounded.<br />
<br />
Legal basis: Article 4(2), Article 5(1)(f), Article 6(1)(c) and (f), Article 13, Article 51(1), Article 57(1)(f) and Article 77(1) of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter referred to as the DSGVO), OJ No L 119 of 4 May 2016, p. 1; Articles 1(1) and (2), 18(1) and 24(1) and (5) of the Data Protection Act (Datenschutzgesetz, DSG), Federal Law Gazette I No 165/1999 as amended; Article 3(4) and (12), Article 12, Article 17 and Article 20 of the Postal Market Act (Postmarktgesetz, PMG), Federal Law Gazette I No 123/2009 as amended.<br />
<br />
REASONS<br />
<br />
A. Arguments of the parties and procedure<br />
<br />
1 In his submission of 17 April 2019 initiating the proceedings, repeated on 23 June 2019 and 26 July 2019, the complainant alleged a violation of the right to confidentiality as well as a violation of the respondent's information duties.<br />
<br />
The alleged breach of the duty to provide information is the subject of separate proceedings concerning the business number DSB-D205.246.<br />
<br />
As regards the alleged breach of confidentiality, the complainant submitted the following summarised submissions:<br />
<br />
The complainant had collected a letter addressed to him by means of a so-called "yellow slip" on 29 March 2019 at a branch of the respondent. In the course of that collection, an employee of the defendant requested the production of an identity card of the complainant, which was produced by the complainant. Subsequently, however, the employee made a copy against his will and without his permission. The identity card was placed on a scanner and the data was recorded electronically. The complainant further submits that even in the respondent's General Terms and Conditions ("AGB-Brief National") under point 3.5.2, there is only reference to a document in case of doubt as to identity, and not to data collection.<br />
<br />
By decision of 22 July 2019 (ref. no.: DSB-D205.023/0001-DSB-2019), the data protection authority invited the respondent to submit comments.<br />
<br />
4 By submission of 20 August 2019, the defendant submitted the following observations:<br />
<br />
It was correct that the complainant had collected a recommanded (= with a take-over certificate) registered letter in a branch of the defendant, since he had not been found at the time of the attempted delivery. He had therefore been informed, by means of a "yellow slip", of the attempted delivery and of the deposit of the item and of the need to produce an official identity document with a photograph when the item was collected. The notice of deposit also contained a reference to the defendant's data protection notices, which provided information in particular on the processing of identity card data.<br />
<br />
When the complainant collected the consignment, an employee of the defendant asked the complainant to present a photo ID and subsequently automatically recorded the specific ID data, as is usual when a person is not personally known to the employee. A scanning device was used to record the ID card data, which merely reads out concrete data from the respective ID card, namely the type of ID card, the ID card number, the issuing authority and date of birth as well as the corresponding name - no copy was made. The complainant had acknowledged receipt of the registered mail on the card.<br />
<br />
The challenged processing of the identity card data was necessary in order to fulfil a legal obligation to which the respondent was subject as the person responsible (Article 6(1)(c) DSGVO): under Section 3(12) PMG, the acceptance of registered mailings to the correct recipient had to be acknowledged. Unless the recipient is personally known to the respondent, the handover to the correct person is only possible within the framework of an identification/authentication procedure to be carried out, i.e. by presenting an official photo ID. In accordance with Section 20 PMG, the respondent had issued general terms and conditions (in particular "AGB Brief"), which had also been approved by the regulatory authority. This also resulted in the need for a confirmation of takeover and a determination of identity (points 3.3 and 3.5.2 of the national letter contract terms and point 4.1 of the product and price list ("PVV") for return receipt letters, including registered letters). It was apparent from these documents (GTC and PVV) that the handing over of a registered letter was only permissible after prior identification or authentication. The respondent had collected the identification data for the purpose of identification or authentication and thus kept them for 6 months for the possible handling of potential investigations (item 3.10 of the GTC Letter national) as well as possible warranty cases (item 4 of the GTC Letter national), i.e. for the assertion, exercise or defence of legal claims and also for the implementation of the contractual relationship with the sender, and deleted them afterwards. A processing and storage authorisation is also based on the fact that the respondent is exposed to possible warranty claims and/or claims for damages if a consignment is not handed over properly, in particular to the correct recipient. It must therefore be possible to defend oneself at least within the statutory warranty period.
In the context of any proceedings before the data protection authority, the defendant must also be able to prove its freedom, for example, that it has complied with its duty of care and has verifiably verified the identity of the transferee. The respondent referred to the time-limit laid down in Paragraph 24(4) of the DSG and a more detailed decision of the data protection authority concerning the admissibility of a copy of the identity document for the purpose of checking identity.<br />
<br />
Furthermore, the processing of the identity card data in order to safeguard the legitimate interests of the respondent and the respective sender in the sense of Article 24(4) of the DSG. Art. 6 para. 1 lit. f DSGVO in order to ensure correct allocation to the actually addressed recipient and to be able to provide the sender with proof of this. This was the only way to prevent any possible abuse. The interests of the respondent and its contractual partner outweighed the interests or fundamental rights and freedoms of the complainant. There would be no noticeable impairment of the complainant, as only the necessary data would be stored, which would be protected in accordance with Section 5 of the PMG and by comprehensive technical and organisational measures.<br />
<br />
The defendant also stated that it had complied with its duties to provide information and referred to the "data protection notices" which were available on its website.<br />
<br />
By decision of 19 September 2019 (ref. DSB-D205.023/0003-DSB/2019), the data protection authority granted the complainant the right to be heard and to submit comments.<br />
<br />
The complainant made no further submissions.<br />
<br />
B. Object of the complaint<br />
<br />
The subject of the complaint is the question whether the respondent has infringed the complainant's right to confidentiality by an employee of the respondent electronically recording and storing identity card data of the complainant in the course of collecting a postal item (registered mail).<br />
<br />
The alleged violation of the information duties is dealt with separately in the procedure concerning the business number DSB-D205.246 and was therefore not the subject of the present proceedings.<br />
<br />
C. Findings of the facts<br />
<br />
(1) On 29 March 2019, the complainant collected a letter at the (post) office ****, **** XY, *** street *. The respondent had informed the complainant at a point in time which could not be further specified about an unsuccessful delivery attempt and the subsequent deposit in the said post office by means of a notification about a deposited item ("yellow slip"). This was a non-official, recommanded (with a take-over certificate) registered letter.<br />
<br />
(2) The complainant, after having been requested to do so by an employee of the respondent, presented his official photo identification in the course of the collection of the consignment. Subsequently, the identity card data (type of ID card, ID card number, issuing authority, date of birth and the corresponding name) were recorded electronically using a scanning device and stored for 6 months. After the retention period expired, the data in question were deleted. However, no copy of the ID document itself was made.<br />
<br />
Evaluation of evidence: The findings result from the concurring submissions of the parties, in particular the submission of the complainant of 17 April 2019 and the submission of the respondent of 20 August 2019.<br />
<br />
3 The following General Terms and Conditions of the respondent were valid as of 29 March 2019:<br />
<br />
Assessment of evidence: The findings result from the respondent's submission of 20 August 2019 and were not disputed by the complainant.<br />
<br />
D. From a legal point of view, the following follows:<br />
<br />
The complainant alleges that the respondent infringed confidentiality obligations by making a copy of the identity card (recording by means of a scanning device and the storage of the identity card data).<br />
<br />
In conclusion, there is no justification for these statements:<br />
<br />
D.1 Re Art. 6 (1) lit. c DSGVO:<br />
<br />
Under Section 1(1) of the DSG, everyone has the right to the confidentiality of personal data relating to him or her, in particular with regard to respect for his or her private and family life, provided there is an interest worthy of protection.<br />
<br />
Under Section 1, paragraph 2 of the DSG, restrictions on the right to secrecy, insofar as the use of personal data is not in the vital interest of the person concerned or with his or her consent, are only permissible in order to safeguard the overriding legitimate interests of another.<br />
<br />
The data processing in question was neither carried out in the vital interest of the complainant nor did consent exist, which is why its lawfulness had to be examined on the basis of the protection of overriding legitimate interests: According to the case law of the data protection authority, a breach of confidentiality obligations does not exist in particular if the rules of the DPA and the principles enshrined therein, which are to be regarded as implementing provisions under Article 4 (1) DPA, have not been breached (cf. the notice of 31 October 2018, GZ DSB-D123.076/0003-DSB/2018).<br />
<br />
Under Article 5 (1) (b) of the DPA, personal data must be collected for specified, explicit and legitimate purposes and may not be further processed in a way incompatible with those purposes ("purpose limitation"). The processing of personal data is justified, inter alia, if it is necessary to fulfil a legal obligation to which the controller is subject (Art. 6 para. 1 lit. c DSGVO) or to safeguard the legitimate interests of the controller or of a third party, provided that the interests or fundamental rights and freedoms of the data subject which require the protection of personal data do not prevail (Art. 6 para. 1 lit. f DSGVO).<br />
<br />
Art. 6 para. 1 lit. c DSGVO in conjunction with the PMG and Art. 6 para. 1 lit. f DSGVO are relevant in this context:<br />
<br />
However, the respondent also correctly referred to the legal obligations under the PMG:<br />
<br />
Section 3 no. 4 and no. 12 PMG read as follows (emphasis added by the data protection authority):<br />
<br />
Definitions<br />
<br />
§ 3.<br />
<br />
For the purposes of this Act<br />
<br />
[...]<br />
<br />
4. "Universal service operator" means one or more designated universal service operators under section 12(1) or one or more designated postal service providers under section 12(2);<br />
<br />
<br />
[...]<br />
<br />
12. "Registered item" shall mean a postal item which is insured by the postal service provider against loss, theft or damage on a flat-rate basis and in respect of which the sender is provided, where appropriate at his or her request, with a confirmation of receipt of the item and/or its delivery to the addressee;<br />
<br />
<br />
<br />
Section 12 PMG reads as follows (emphasis added by the data protection authority):<br />
<br />
Universal service provider<br />
<br />
§ 12.<br />
<br />
(1) Upon entry into force of this Federal Act, Austrian Post will be designated as the universal service operator.<br />
<br />
[...]<br />
<br />
Section 20 of the PMG and its title read as follows (emphasis added by the data protection authority):<br />
<br />
General Terms and Conditions of the Universal Service Operator<br />
<br />
§ 20.<br />
<br />
(1) The universal service operator shall, in accordance with the provisions of this Act and the regulations for services in the universal service area adopted on the basis of this Act, issue general terms and conditions of business.<br />
<br />
[...]<br />
<br />
In any event, a legal obligation under Article 6(1)(c) of the DSGVO is to be understood as an obligation under objective law (Frenzel in Paal/Pauly, Datenschutz-Grundverordnung Art. 6, margin no. 16) which may result in particular from a legal basis in a Member State or in Union law and which, moreover, relates directly to data processing (Kastelitz/Hötzendorfer/Tschohl in Knyrim, DatKomm Art. 6 DSGVO, margin no. 39).<br />
<br />
As a universal service provider within the meaning of Article 3(4) in conjunction with Article 12(1) of the PMG, the defendant is subject to the provisions of the PMG and must therefore be regarded as the addressee of the legal obligations arising from that law.<br />
<br />
According to the consistent case-law of the Constitutional Court on the quality of an obligatory standard in the sense of Section 1 (2) of the Data Protection Act (2000), this standard must "specify with sufficient precision, i.e. predictable for everyone, under which conditions the determination or use of data for the performance of specific administrative tasks is permissible. The respective legislator must therefore, in the sense of § 1 (2) DSG 2000, provide for a substantive regulation in the sense that the cases of permissible encroachments on the fundamental right to data protection are specified and limited" (VfSlg. 18.146/2007).<br />
<br />
In doing so, the data protection authority does not overlook the fact that this case law refers to an overriding norm which is intended to legitimise official action, which is not the case here.<br />
<br />
Nevertheless, this case law can also apply mutatis mutandis if those responsible in the private sector (Section 26 (4) DSG) base their actions on an enabling norm in the sense of Article 6 (1) (c) DSGVO. This also follows from Art. 5 (1) lit. a DSGVO, according to which personal data are processed in a lawful manner, in good faith and in a manner comprehensible to the data subject.<br />
<br />
It must therefore be examined whether the provisions of the PMG may create a legal obligation to process personal data under Art. 6 (1) lit. c DSGVO.<br />
<br />
Section 3 no. 12 PMG stipulates the need to confirm receipt or delivery of the consignment. However, Section 3 No. 12 PMG does not make any statement about the mere determination, i.e. the recording or storage of personal (ID) data beyond this. This applies equally to Section 20 (1) PMG, which merely sets out the constitution of general terms and conditions, but does not impose any legal obligation to process personal data.<br />
<br />
Moreover, it should be noted that even the respondent's General Terms and Conditions cannot constitute a legal obligation due to the lack of substantive legal quality.<br />
<br />
As a result, the provisions of the PMG in conjunction with Article 6(1)(c) of the DSGVO put forward by the respondent do not constitute a legal basis for the scanning and storage of the complainant's identity document.<br />
<br />
D.2 To safeguard legitimate interests (Art. 6 para. 1 lit. f DSGVO):<br />
<br />
It must then be examined whether the processing of the complainant's personal data was necessary to safeguard the legitimate interests of the respondent or a third party within the meaning of Article 6 paragraph 1 letter f DSGVO.<br />
<br />
According to the ECJ's rulings, the processing is permissible on the legal basis of "legitimate interest" under three cumulative conditions: (i) the pursuit of a legitimate interest by the controller or by the third party or parties to whom the data are disclosed, (ii) the necessity of the processing of personal data for the purposes of the legitimate interest and (iii) the fundamental rights and freedoms of the data subject do not prevail over the legitimate interest pursued (see, with regard to Directive 95/46/EC, ECJ judgment of 11 December 2019, C-708/18 [TK] para. 40 with further references).<br />
<br />
(i) Legitimate interests of the data controller or a third party<br />
<br />
It must first be examined whether the respondent or a third party had a legitimate interest in processing the identity card data of the complainant in question:<br />
<br />
To this end, the respondent argued, inter alia, that it might have been exposed to warranty claims and/or claims for damages by the sender and that the processing was therefore necessary to safeguard or defend its legal claims.<br />
<br />
In this respect, it must be noted that the respondent's interest in being able to defend itself sufficiently in the event of a legal dispute, at least within the statutory warranty period, and to provide proof of the lawful transfer to the correct person, was certainly to be regarded as justified (cf. Kastelitz/Hötzendorfer/Tschohl in Knyrim, DatKomm Art 6 DSGVO Rz. 54).<br />
<br />
Against this background, the existence of a legitimate interest of the respondent in the processing of the identity card data in question was to be affirmed.<br />
<br />
ii) Necessity of the data processing<br />
<br />
Furthermore, it should also be recognised that the processing of the complainant's identity card data could be used to prove that the data had been handed over to the correct recipient in the event of a dispute.<br />
<br />
iii) No overriding of the fundamental rights and freedoms of the data subject<br />
<br />
Finally, the respondent's established interest in data processing had to be compared with the complainant's claim to secrecy and a possible predominance had to be examined.<br />
<br />
In doing so, the reasonable expectations of the complainant were to be taken into account, i.e. in particular whether he could reasonably foresee, at the time of the collection of the identification data and in view of the circumstances under which it was carried out, that processing for this purpose might possibly take place (see ErwG. 47 of the DSGVO). In any event, the collection and storage of identification data for the purpose of defending legal claims relating to postal items is within the scope of general life experience and was in this respect also easily foreseeable by the complainant.<br />
<br />
In order to weigh up the specific interests involved, it should also be noted that no special categories of personal data pursuant to Article 9(1) DSGVO, no data relevant to criminal law pursuant to Article 10 DSGVO and no other personal data were processed which would involve a particularly intensive encroachment on the fundamental right to secrecy.<br />
<br />
The categories of data processed by the respondent are in no way excessive and the storage period of six months is in no way to be regarded as disproportionate. Also in view of the case law of the European Court of Justice, no excessive data processing can be seen here: Moreover, the processing was limited to the absolutely necessary, both in terms of the volume of data processed and the storage period (cf. e.g. ECJ 11.12.2014, C-212/13, Ryneš), as the respondent stored the ID card data for only six months and thus only for a clearly defined, non excessive period of time.<br />
<br />
D.3 Result:<br />
<br />
Against this background, the data protection authority comes to the conclusion that the legitimate interests of the respondent outweigh the fundamental rights and freedoms of the complainant and that the processing was lawfully carried out on the basis of "legitimate interests" pursuant to Article 6 (1) lit. f of the DPA.<br />
<br />
The complaint was therefore to be dismissed as inadmissible.<br />
Keywords<br />
Confidentiality, lawfulness of processing, postal service, universal service provider, registered letter, person collecting, scanning of photo identification, authorisation standard, general terms and conditions, balancing of interests<br />
European Case Law Identifier (ECLI)<br />
ECLI:AT:DSB:2020:2020.0.349.984<br />
Last updated on<br />
29.09.2020<br />
Document number<br />
DSBT_20200626_2020_0_349_984_00<br />
</pre></div>MLhttps://gdprhub.eu/index.php?title=DSB_(Austria)_-_2020-0.349.984&diff=11783DSB (Austria) - 2020-0.349.9842020-10-19T13:52:26Z<p>ML: Created page with "{{DPAdecisionBOX |Jurisdiction=Austria |DPA-BG-Color= |DPAlogo=LogoAT.png |DPA_Abbrevation=DSB |DPA_With_Country=DSB (Austria) |Case_Number_Name=DSB-D205.023 |ECLI=ECLI:AT:D..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Austria<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoAT.png<br />
|DPA_Abbrevation=DSB<br />
|DPA_With_Country=DSB (Austria)<br />
<br />
|Case_Number_Name=DSB-D205.023<br />
|ECLI=ECLI:AT:DSB:2020:2020.0.349.984<br />
<br />
|Original_Source_Name_1=Rechtsdatenbank<br />
|Original_Source_Link_1=https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=69253fd5-484d-443d-a8d6-453678ce520b&Position=1&Abfrage=Dsk&Entscheidungsart=Undefined&Organ=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=01.01.1990&BisDatum=&Norm=&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=&Dokumentnummer=DSBT_20200626_2020_0_349_984_00<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
<br />
|Type=Complaint<br />
|Outcome=Rejected<br />
|Date_Decided=26.06.2020<br />
|Date_Published=<br />
|Year=2020<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 4(22) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#22<br />
|GDPR_Article_2=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#1a<br />
|GDPR_Article_3=Article 5(1)(b) GDPR<br />
|GDPR_Article_Link_3=Article 5 GDPR#1b<br />
|GDPR_Article_4=Article 5(1)(f) GDPR<br />
|GDPR_Article_Link_4=Article 5 GDPR#1f<br />
|GDPR_Article_5=Article 6(1)(c) GDPR<br />
|GDPR_Article_Link_5=Article 6 GDPR#1c<br />
|GDPR_Article_6=Article 6(1)(f) GDPR<br />
|GDPR_Article_Link_6=Article 6 GDPR#1f<br />
<br />
<br />
|National_Law_Name_1=§ 1 Abs. 1, 2 DSG - Datenschutzgesetz (Data Protection Act)<br />
|National_Law_Link_1=https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=bundesnormen&Gesetzesnummer=10001597<br />
|National_Law_Name_2=§ 4 Abs. 1 DSG - Datenschutzgesetz (Data Protection Act)<br />
|National_Law_Link_2=https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=bundesnormen&Gesetzesnummer=10001597<br />
<br />
|Party_Name_1=Österreichische Post AG<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The Austrian DPA decided that the electronic recording and storing of identity card data in the course of collecting a postal item (registered mail) is lawful.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The complainant was not at home when delivery of a registered letter was attempted, so he had to collect it at the post office. To identify the complainant as the addressee of the registered mail, an employee asked for his identity card and "scanned" it with a special identity card reader; however, no copy of the document itself was made.<br />
<br />
The complainant alleges that the Post AG infringed confidentiality obligations by making a copy of the identity card (recording by means of a scanning device and the storage of the identity card data).<br />
<br />
=== Dispute ===<br />
Did Österreichische Post AG infringe the complainant's right to confidentiality when an employee electronically recorded and stored the complainant's identity card data in the course of collecting a postal item (registered mail)?<br />
<br />
=== Holding ===<br />
The processing of identity card data in order to verify the person collecting registered mail is lawful.<br />
<br />
As a universal service provider within the meaning of Article 3(4) in conjunction with Article 12(1) of the PMG, the defendant is subject to the provisions of the PMG and must therefore be regarded as the addressee of the legal obligations arising from that law.<br />
Private entities, § 26 (4) DSG, may base their actions on an enabling norm in the sense of Article 6 (1) (c) and Art. 5 (1) (a) GDPR.<br />
<br />
The provisions of the PMG do not create a legal obligation to process personal data under Art. 6 (1) lit. c GDPR.<br />
<br />
Under Art. 6 (1) (f) GDPR, data can be processed if the processing serves the legitimate interests of a party. Here, the Post AG might have been exposed to warranty claims, claims for damages etc. if the complainant had not been identified correctly. The data are also necessary to defend its legal claims, and the fundamental rights and freedoms of the data subject, i.e. secrecy, do not override the interests of the Post AG.<br />
<br />
The collection and storage of identification data for the purpose of defending legal claims relating to postal items is within the scope of general life experience and was in this respect also easily foreseeable by the complainant. No special categories of data were processed, and the storage period of six months is also proportionate.<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
<br />
Decision-making authority<br />
Data Protection Authority<br />
Document type<br />
Decision text<br />
Decision type<br />
Decision Complaint<br />
Business figures<br />
2020-0.349.984<br />
Decision date<br />
26.06.2020<br />
Appeal to the BVwG/VwGH/VfGH<br />
This decision is final.<br />
Standard<br />
DSG §1 Abs1<br />
DSG §1 Abs2<br />
DSG §4 Abs1<br />
PMG §3 Z4<br />
PMG §3 Z12<br />
PMG §5 Abs3<br />
PMG §12 Abs1<br />
PMG §20 Abs1<br />
DSGVO Art4 Z2<br />
DSGVO Art5 Abs1 lita<br />
DSGVO Art5 Abs1 litb<br />
DSGVO Art5 Abs1 litf<br />
DSGVO Art6 Abs1 litc<br />
DSGVO Art6 Abs1 litf<br />
Text<br />
<br />
GZ: 2020-0.349.984 of 26 June 2020 (procedure number: DSB-D205.023)<br />
<br />
[Editor's note: Names and companies, legal forms and product names, addresses (including URLs, IP and e-mail addresses), file numbers (and similar), etc., as well as their initials and abbreviations may be abbreviated and/or changed for reasons of pseudonymisation. Obvious spelling, grammar and punctuation errors have been corrected.<br />
<br />
The respondent's company name was not pseudonymised here, since according to the reasons for the decision, the universal service provider pursuant to Section 12 (1) PMG was involved in the procedure in this role, and the respondent is listed as such in the cited Act. Moreover, a meaningful pseudonymisation was not possible due to multiple references to the respondent's business activities as a universal service provider in the facts of the case (e.g. registered letter, "yellow slip"). However, the interest in secrecy of the respondent who won the proceedings and whose actions were found to be lawful does not outweigh here the public interest in the publication of the decision required by law under section 23(2) of the DSG.]<br />
<br />
DECISION<br />
<br />
RULING<br />
<br />
The data protection authority decides on the data protection complaint of Gustav A*** (complainant) of 17 April 2019 against Österreichische Post AG (respondent) for violation of the right to secrecy as follows<br />
<br />
- The complaint is dismissed as unfounded.<br />
<br />
Legal basis: Article 4(2), Article 5(1)(f), Article 6(1)(c) and (f), Article 13, Article 51(1), Article 57(1)(f) and Article 77(1) of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter referred to as the DSGVO), OJ No L 119 of 4 May 2016, p. 1; Articles 1(1) and (2), 18(1) and 24(1) and (5) of the Data Protection Act (Datenschutzgesetz, DSG), Federal Law Gazette I No 165/1999 as amended; Article 3(4) and (12), Article 12, Article 17 and Article 20 of the Postal Market Act (Postmarktgesetz, PMG), Federal Law Gazette I No 123/2009 as amended;<br />
<br />
EXPLANATIONS<br />
<br />
A. Arguments of the parties and procedure<br />
<br />
1 In his submission of 17 April 2019 initiating the proceedings, repeated on 23 June 2019 and 26 July 2019, the complainant alleged a violation of the right to confidentiality as well as a violation of the respondent's information duties.<br />
<br />
The alleged breach of the duty to provide information is the subject of separate proceedings concerning the business number DSB-D205.246.<br />
<br />
As regards the alleged breach of confidentiality, the complainant submitted the following summarised submissions:<br />
<br />
The complainant had collected a letter addressed to him by means of a so-called "yellow slip" on 29 March 2019 at a branch of the respondent. In the course of that collection, an employee of the defendant requested the production of an identity card of the complainant, which was produced by the complainant. Subsequently, however, the employee made a copy against his will and without his permission. The identity card was placed on a scanner and the data was recorded electronically. The complainant further submits that even in the respondent's General Terms and Conditions ("AGB-Brief National") under point 3.5.2, there is only reference to a document in case of doubt as to identity, and not to data collection.<br />
<br />
By decision of 22 July 2019 (ref. no.: DSB-D205.023/0001-DSB-2019), the data protection authority invited the respondent to submit comments.<br />
<br />
4 By submission of 20 August 2019, the defendant submitted the following observations:<br />
<br />
It was correct that the complainant had collected a recommanded (= with a take-over certificate) registered letter in a branch of the defendant, since he had not been found at the time of the attempted delivery. He had therefore been informed, by means of a "yellow slip", of the attempted delivery and of the deposit of the item and of the need to produce an official identity document with a photograph when the item was collected. The notice of deposit also contained a reference to the defendant's data protection notices, which provided information in particular on the processing of identity card data.<br />
<br />
When the complainant collected the consignment, an employee of the defendant asked the complainant to present a photo ID and subsequently automatically recorded the specific ID data, as is usual when a person is not personally known to the employee. A scanning device was used to record the ID card data, which merely reads out concrete data from the respective ID card, namely the type of ID card, the ID card number, the issuing authority and date of birth as well as the corresponding name - no copy was made. The complainant had acknowledged receipt of the registered mail on the card.<br />
<br />
The challenged processing of the identity card data was necessary in order to fulfil a legal obligation to which the respondent was subject as the person responsible (Article 6(1)(c) DSGVO): under Section 3(12) PMG, the acceptance of registered mailings to the correct recipient had to be acknowledged. Unless the respondent is personally known to the respondent, the handover to the correct person is only possible within the framework of an identification/authentication procedure to be carried out, i.e. by presenting an official photo ID. In accordance with Section 20 PMG, the respondent had issued general terms and conditions (in particular "AGB Brief"), which had also been approved by the regulatory authority. This also resulted in the need for a confirmation of takeover and a determination of identity (points 3.3 and 3.5.2 of the national letter contract terms and point 4.1 of the product and price list ("PVV") for return receipt letters, including registered letters). It was apparent from these documents (GTC and PVV) that the handing over of a registered letter was only permissible after prior identification or authentication. The respondent had collected the identification data for the purpose of identification or authentication and thus kept them for 6 months for the possible handling of potential investigations (item 3.10 of the GTC Letter national) as well as possible warranty cases (item 4 of the GTC Letter national), i.e. for the assertion, exercise or defence of legal claims and also for the implementation of the contractual relationship with the sender, and deleted them afterwards. A processing and storage authorisation is also based on the fact that the respondent is exposed to possible warranty claims and/or claims for damages if a consignment is not handed over properly, in particular to the correct recipient. It must therefore be possible to defend oneself at least within the statutory warranty period. 
In the context of any proceedings before the data protection authority, the defendant must also be able to prove its freedom, for example, that it has complied with its duty of care and has verifiably verified the identity of the transferee. The respondent referred to the time-limit laid down in Paragraph 24(4) of the DSG and a more detailed decision of the data protection authority concerning the admissibility of a copy of the identity document for the purpose of checking identity.<br />
<br />
Furthermore, the processing of the identity card data in order to safeguard the legitimate interests of the respondent and the respective sender in the sense of Article 24(4) of the DSG. Art. 6 para. 1 lit. f DSGVO in order to ensure correct allocation to the actually addressed recipient and to be able to provide the sender with proof of this. This was the only way to prevent any possible abuse. The interests of the respondent and its contractual partner outweighed the interests or fundamental rights and freedoms of the complainant. There would be no noticeable impairment of the complainant, as only the necessary data would be stored, which would be protected in accordance with Section 5 of the PMG and by comprehensive technical and organisational measures.<br />
<br />
The defendant also stated that it had complied with its duties to provide information and referred to the "data protection notices" which were available on its website.<br />
<br />
By decision of 19 September 2019 (ref. DSB-D205.023/0003-DSB/2019), the data protection authority granted the complainant the right to be heard and to submit comments.<br />
<br />
The complainant made no further submissions.<br />
<br />
B. Object of the complaint<br />
<br />
The subject of the complaint is the question whether the respondent has infringed the complainant's right to confidentiality by an employee of the respondent electronically recording and storing identity card data of the complainant in the course of collecting a postal item (registered mail).<br />
<br />
The alleged violation of the information duties is dealt with separately in the procedure concerning the business number DSB-D205.246 and was therefore not the subject of the present proceedings.<br />
<br />
C. Findings of the facts<br />
<br />
1 On 29 March 2019, the complainant collected a letter at the (post) office ****, **** XY, *** street *. The respondent had informed the complainant at a point in time which could not be further specified about an unsuccessful delivery attempt and the subsequent deposit in the said post office by means of a notification about a deposited item ("yellow slip"). This was a non-official, recommanded (with a take-over certificate) registered letter.<br />
<br />
(2) The complainant, after having been requested to do so by an employee of the respondent, presented his official photo identification in the course of collecting the consignment. Subsequently, the identity card data: type of ID card, ID card number, issuing authority, date of birth and the corresponding name were recorded electronically using a scanning device and stored for 6 months. After the retention period expired, the data in question were deleted. However, no copy of the ID document itself was made.<br />
<br />
Evaluation of evidence: The findings result from the concurring submissions of the parties, in particular the submission of the complainant of 17 April 2019 and the submission of the respondent of 20 August 2019.<br />
<br />
3 The following General Terms and Conditions of the respondent were valid as of 29 March 2019:<br />
<br />
Assessment of evidence: The findings result from the respondent's submission of 20 August 2019 and were not disputed by the complainant.<br />
<br />
D. From a legal point of view, the following follows:<br />
<br />
The complainant alleges that the respondent infringed confidentiality obligations by making a copy of the identity card (recording by means of a scanning device and the storage of the identity card data).<br />
<br />
In conclusion, there is no justification for these statements:<br />
<br />
D.1 Re Art. 6 (1) lit. c DSGVO:<br />
<br />
Under Section 1(1) of the DSGVO, everyone has the right to the confidentiality of personal data relating to him or her, in particular with regard to respect for his or her private and family life, provided there is an interest worthy of protection.<br />
<br />
Under Section 1, paragraph 2 of the DSG, restrictions on the right to secrecy, insofar as the use of personal data is not in the vital interest of the person concerned or with his or her consent, are only permissible in order to safeguard the overriding legitimate interests of another.<br />
<br />
The data processing in question was neither carried out in the vital interest of the complainant nor did consent exist, which is why its lawfulness had to be examined on the basis of the protection of overriding legitimate interests: According to the case law of the data protection authority, a breach of confidentiality obligations does not exist in particular if the rules of the DPA and the principles enshrined therein, which are to be regarded as implementing provisions under Article 4 (1) DPA, have not been breached (cf. the notice of 31 October 2018, GZ DSB-D123.076/0003-DSB/2018).<br />
<br />
Under Article 5 (1) (b) of the DPA, personal data must be collected for specified, explicit and legitimate purposes and may not be further processed in a way incompatible with those purposes ("purpose limitation"). The processing of personal data is justified, inter alia, if it is necessary to fulfil a legal obligation to which the controller is subject (Art. 6 para. 1 lit. c DSGVO) or to safeguard the legitimate interests of the controller or of a third party, provided that the interests or fundamental rights and freedoms of the data subject which require the protection of personal data do not prevail (Art. 6 para. 1 lit. f DSGVO).<br />
<br />
Art. 6 para. 1 lit. c DSGVO in conjunction with the PMG and Art. 6 para. 1 lit. f DSGVO are relevant in this context:<br />
<br />
However, the respondent also correctly referred to the legal obligations under the PMG:<br />
<br />
Section 3 no. 4 and no. 12 PMG read as follows (emphasis added by the data protection authority):<br />
<br />
Definitions<br />
<br />
§ 3.<br />
<br />
For the purposes of this Act<br />
<br />
[...]<br />
<br />
4. "Universal service operator" means one or more designated universal service operators under section 12(1) or one or more designated postal service providers under section 12(2);<br />
<br />
<br />
[...]<br />
<br />
12. "Registered item" shall mean a postal item which is insured by the postal service provider against loss, theft or damage on a flat-rate basis and in respect of which the sender is provided, where appropriate at his or her request, with a confirmation of receipt of the item and/or its delivery to the addressee;<br />
<br />
<br />
<br />
Section 12 PMG reads as follows (emphasis added by the data protection authority):<br />
<br />
Universal service provider<br />
<br />
§ 12.<br />
<br />
(1) Upon entry into force of this Federal Act, Austrian Post will be designated as the universal service operator.<br />
<br />
[...]<br />
<br />
Section 20 of the PMG and its title read as follows (emphasis added by the data protection authority):<br />
<br />
General Terms and Conditions of the Universal Service Operator<br />
<br />
§ 20.<br />
<br />
(1) The universal service operator shall, in accordance with the provisions of this Act and the regulations for services in the universal service area adopted on the basis of this Act, issue general terms and conditions of business.<br />
<br />
[...]<br />
<br />
In any event, a legal obligation under Article 6(1)(c) of the DSGVO is to be understood as an obligation under objective law (Frenzel in Paal/Pauly, Datenschutz-Grundverordnung Art. 6, margin no. 16) which may result in particular from a legal basis in a Member State or in Union law and which, moreover, relates directly to data processing (Kastelitz/Hötzendorfer/Tschohl in Knyrim, DatKomm Art. 6 DSGVO, margin no. 39).<br />
<br />
As a universal service provider within the meaning of Article 3(4) in conjunction with Article 12(1) of the PMG, the defendant is subject to the provisions of the PMG and must therefore be regarded as the addressee of the legal obligations arising from that law.<br />
<br />
According to the consistent case-law of the Constitutional Court on the quality of an obligatory standard in the sense of Section 1 (2) of the German Data Protection Act (2000), this standard must "specify with sufficient precision, i.e. predictable for everyone, under which conditions the determination or use of data for the performance of specific administrative tasks is permissible. The respective legislator must therefore, in the sense of Section 1 (2) of the Data Protection Act (2000), provide for a substantive regulation in the sense that the cases of permissible encroachments on the fundamental right to data protection are specified and limited" (VfSlg. 18.146/2007).<br />
<br />
In doing so, the data protection authority does not overlook the fact that this case law refers to an overriding norm which is intended to legitimise official action, which is not the case here.<br />
<br />
Nevertheless, this case law can also apply mutatis mutandis if those responsible in the private sector (Section 26 (4) DSG) base their actions on an enabling norm in the sense of Article 6 (1) (c) DSGVO. This also follows from Art. 5 (1) lit. a DSGVO, according to which personal data are processed in a lawful manner, in good faith and in a manner comprehensible to the data subject.<br />
<br />
It must therefore be examined whether the provisions of the PMG may create a legal obligation to process personal data under Art. 6 (1) lit. c DSGVO.<br />
<br />
Section 3 no. 12 PMG stipulates the need to confirm receipt or delivery of the consignment. However, Section 3 no. 12 PMG does not make any statement about the mere determination, i.e. the recording or storage of personal (ID) data beyond this. This applies equally to Section 20 (1) PMG, which merely sets out the constitution of general terms and conditions, but does not impose any legal obligation to process personal data.<br />
<br />
Moreover, it should be noted that even the respondent's General Terms and Conditions cannot constitute a legal obligation due to the lack of substantive legal quality.<br />
<br />
As a result, the provisions of the PMG in conjunction with Article 6(1)(c) of the DSGVO put forward by the respondent do not constitute a legal basis for the scanning and storage of the complainant's identity document.<br />
<br />
D.2 To safeguard legitimate interests (Art. 6 para. 1 lit. f DSGVO):<br />
<br />
It must then be examined whether the processing of the complainant's personal data was necessary to safeguard the legitimate interests of the respondent or a third party within the meaning of Article 6 paragraph 1 letter f DSGVO.<br />
<br />
According to the ECJ's rulings, processing is permissible on the legal basis of "legitimate interest" under three cumulative conditions: (i) a legitimate interest is pursued by the controller or by the third party or parties to whom the data are disclosed, (ii) the processing of personal data is necessary for the purposes of the legitimate interest and (iii) the fundamental rights and freedoms of the data subject do not prevail over the legitimate interest pursued (see, with regard to Directive 95/46/EC, ECJ judgment of 11 December 2019, C-708/18 [TK], para. 40 with further references).<br />
<br />
(i) Legitimate interests of the data controller or a third party<br />
<br />
It must first be examined whether the respondent or a third party had a legitimate interest in processing the identity card data of the complainant in question:<br />
<br />
To this end, the respondent argued, inter alia, that it might have been exposed to warranty claims and/or claims for damages by the sender and that the processing was therefore necessary to safeguard or defend its legal claims.<br />
<br />
In this respect, it must be noted that the respondent's interest in being able to defend itself sufficiently in the event of a legal dispute, at least within the statutory warranty period, and to provide proof of the lawful transfer to the correct person, was certainly to be regarded as justified (cf. Kastelitz/Hötzendorfer/Tschohl in Knyrim, DatKomm Art. 6 DSGVO, margin no. 54).<br />
<br />
Against this background, the existence of a legitimate interest of the respondent in the processing of the identity card data in question was to be affirmed.<br />
<br />
(ii) Necessity of the data processing<br />
<br />
Furthermore, it should also be recognised that the processing of the complainant's identity card data could be used to prove that the data had been handed over to the correct recipient in the event of a dispute.<br />
<br />
(iii) No overriding of the fundamental rights and freedoms of the data subject<br />
<br />
Finally, the respondent's established interest in data processing had to be compared with the complainant's claim to secrecy and a possible predominance had to be examined.<br />
<br />
In doing so, the reasonable expectations of the complainant were to be taken into account, i.e. in particular whether he could reasonably foresee, at the time of the collection of the identification data and in view of the circumstances under which it was carried out, that processing for this purpose might possibly take place (see Recital 47 of the DSGVO). In any event, the collection and storage of identification data for the purpose of defending legal claims relating to postal items is within the scope of general life experience and was in this respect also easily foreseeable by the complainant.<br />
<br />
In order to weigh up the specific interests involved, it should also be noted that no special categories of personal data pursuant to Article 9(1) DSGVO, no data relevant to criminal law pursuant to Article 10 DSGVO and no other personal data were processed which would involve a particularly intensive encroachment on the fundamental right to secrecy.<br />
<br />
The categories of data processed by the respondent are in no way excessive and the storage period of six months is in no way to be regarded as disproportionate. Also in view of the case law of the European Court of Justice, no excessive data processing can be seen here: moreover, the processing was limited to the absolutely necessary, both in terms of the volume of data processed and the storage period (cf. e.g. ECJ 11.12.2014, C-212/13, Ryneš), as the respondent stored the ID card data for only six months and thus only for a clearly defined, non-excessive period of time.<br />
<br />
D.3 Result:<br />
<br />
Against this background, the data protection authority comes to the conclusion that the legitimate interests of the respondent outweigh the fundamental rights and freedoms of the complainant and that the processing was lawfully carried out on the basis of "legitimate interests" pursuant to Article 6 (1) lit. f of the DPA.<br />
<br />
The complaint was therefore to be dismissed as inadmissible.<br />
Keywords<br />
Confidentiality, lawfulness of processing, postal service, universal service provider, registered letter, person collecting, scanning of photo identification, authorisation standard, general terms and conditions, balancing of interests<br />
European Case Law Identifier (ECLI)<br />
ECLI:AT:DSB:2020:2020.0.349.984<br />
Last updated on<br />
29.09.2020<br />
Document number<br />
DSBT_20200626_2020_0_349_984_00<br />
</pre></div>MLhttps://gdprhub.eu/index.php?title=Pers%C3%B3nuvernd_-_2020010601&diff=11642Persónuvernd - 20200106012020-10-13T13:31:22Z<p>ML: Created page with "{{DPAdecisionBOX |Jurisdiction=Iceland |DPA-BG-Color= |DPAlogo=LogoIS.png |DPA_Abbrevation=Persónuvernd |DPA_With_Country=Persónuvernd (Iceland) |Case_Number_Name=Mál nr...."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Iceland<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoIS.png<br />
|DPA_Abbrevation=Persónuvernd<br />
|DPA_With_Country=Persónuvernd (Iceland)<br />
<br />
|Case_Number_Name=Mál nr. 2020010601<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Persónuvernd<br />
|Original_Source_Link_1=https://www.personuvernd.is/urlausnir/urskurdur-um-rett-einstaklings-til-upplysinga-um-uppflettingar-i-malaskrarkerfi-rikislogreglustjora-loke<br />
|Original_Source_Language_1=Icelandic<br />
|Original_Source_Language__Code_1=IS<br />
<br />
|Type=Complaint<br />
|Outcome=Partly Upheld<br />
|Date_Decided=<br />
|Date_Published=<br />
|Year=<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 4(1) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#1<br />
|GDPR_Article_2=Article 15 GDPR<br />
|GDPR_Article_Link_2=Article 15 GDPR<br />
<br />
<br />
|National_Law_Name_1=Art. 6 reglugerð nr. 322/2001<br />
|National_Law_Link_1=https://www.reglugerd.is/reglugerdir/allar/nr/322-2001<br />
|National_Law_Name_2=Art. 8 reglugerð nr. 322/2001<br />
|National_Law_Link_2=https://www.reglugerd.is/reglugerdir/allar/nr/322-2001<br />
|National_Law_Name_3=Art. 13 reglugerð nr. 322/2001<br />
|National_Law_Link_3=https://www.reglugerd.is/reglugerdir/allar/nr/322-2001<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
A person's request to the police for access to information on the employees who looked up his personal information in the Office's electronic case file system can be refused; however, the request for information on searches by other responsible parties needs to be answered.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The complainant requested the police to give access to information on the employees who looked up his personal information in the Office's electronic case file system and on searches by other responsible parties. These requests were refused.<br />
<br />
=== Dispute ===<br />
Is the refusal of the request to access information on the employees who looked up personal data in the Office's electronic case file system and on other responsible parties in accordance with applicable law?<br />
<br />
=== Holding ===<br />
The decision of the National Commissioner of Police to refuse information on the employees who looked up his personal information in the Office's electronic case file system, on the timing of searches, as well as on their number, was legitimate.<br />
<br />
The decision of the National Commissioner of Police to refuse information on searches of other responsible parties in the Office's electronic case file system, as well as on the purpose of its own searches, was not legitimate.<br />
<br />
The procedure of the National Commissioner of Police in processing a request for information on the processing of his personal information was in accordance with applicable law.<br />
<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.<br />
<br />
<pre><br />
Ruling on the right of an individual to information on searches in the case file system of the National Commissioner of Police (LÖKE)<br />
Case no. 2020010601<br />
<br />
10/8/2020<br />
<br />
The Data Protection Authority has ruled in a case concerning the refusal of the National Commissioner of Police to provide an individual with certain information about searches of his personal information in the Office's case file system (LÖKE), as well as the Office's procedure for the request for information. The Data Protection Authority came to the conclusion that the National Commissioner of Police had been allowed to refuse the complainant information about which employees looked him up in the office's electronic file system, when the searches were made, as well as their number. On the other hand, the National Commissioner of Police would not have been allowed to deny the complainant information about which persons were responsible for searching personal information about him in the case file system, as well as information about the purpose of searching the complainant's personal information. It was also the conclusion of the Data Protection Authority that the procedure of the National Commissioner of Police in processing the complainant's request for information had been in accordance with Act no. 90/2018, cf. Regulation (EU) 2016/679, and Regulation no. 322/2001.<br />
Ruling<br />
<br />
<br />
At a meeting of the Board of the Data Protection Authority on 29 September 2020, the following ruling was issued in case no. 2020010601 (formerly 2019030664):<br />
<br />
I. Procedure<br />
<br />
1.<br />
Outline of proceedings and proceedings<br />
<br />
On 15 March 2019, the Data Protection Authority received a complaint from [B]'s lawyer on behalf of [A] (hereinafter referred to as the complainant) about the National Commissioner of Police's response to the complainant's request for information on how often he had been looked up in the police case file system, LÖKE, who had been responsible for the searches, when the searches had been made and for what purpose. The complaint relates to the fact that the National Commissioner of Police rejected the complainant's request, processed it too late and did not fulfill his duty to provide guidance that the complainant was allowed to refer the decision to the Data Protection Authority. The complaint was accompanied, among other things, by a copy of the complainant's request to the National Commissioner of Police, dated 23 April 2018, and a copy of the decision of the National Commissioner of Police, dated October 23<br />
<br />
By letter dated 2 May 2019, the National Commissioner of Police was notified of the complaint and invited to comment on it. The National Commissioner of Police responded with letters dated May 22 and July 23 of the same year. The letters were accompanied by an overview of the number of searches of the complainant's ID number in the case file system of the police and the prosecuting authority, in the register of names and the guilt section, dated 10 May this year, confirmation of the registration of the complainant's complaint with the National Commissioner of Police, as well as a copy of the complainant's lawyer's e-mail to the National Commissioner of Police, dated September 24, 2018. By letter dated 13 August 2019, the reply letters of the National Commissioner of Police were presented to the complainant and he was invited to submit comments. The complainant's lawyer replied by letter dated September 19. By letter dated March 18, 2020, the Data Protection Authority requested further information from the National Commissioner of Police. The National Commissioner of Police responded by letter dated April 8 of the same year. By letter dated 16 April this year, the National Commissioner of Police's reply letter was presented to the complainant and he was invited to submit comments. On June 9 of the same year, the complainant's lawyer confirmed that he did not intend to comment further, but reiterated his previous case.<br />
<br />
All the above documents have been taken into account in resolving the case, although not all of them are specifically described in the following ruling.<br />
<br />
The handling of the case has been delayed due to significant concerns at the Data Protection Authority.<br />
2.<br />
The complainant's views<br />
<br />
The complainant relies on the fact that he was entitled to the requested information on the basis of Article 8 of Regulation no. 322/2001, on the processing of personal information by the police. Regarding the right to information, he also refers to Article 15 of the Administrative Procedure Act no. 37/1993 and the second paragraph of Article 17 of Act no. 90/2018, on personal protection and the processing of personal information, in addition to the views behind the rules regarding the parties' right to information from the government.<br />
<br />
Pursuant to Article 9 of Regulation no. 322/2001 to limit the right to information of registered individuals, but the provision must be clarified narrowly as it contains an exception to the principle of the right to information of individuals according to Art. her. The National Commissioner of Police, however, did not base his refusal on the conditions of Art. of the Regulation had been complied with, but the refusal was based on Art. her. It will not be seen that Art. of the Regulation has been applicable. Therefore, the complainant considers the refusal to be illegal.<br />
<br />
The complainant considers that his request for information falls within the wording of Article 8 of Regulation no. 322/2001. Instructions in the Act on Confidentiality will generally not be considered to reduce individuals' right to information about themselves and it does not matter to the complainant's right to information that the regulation contains instructions on limited authority of police officers to process personal information from the case file system. The complainant's access to information from the case file system is a prerequisite for him to be able to appeal the handling of the information to the committee for supervision of the police.<br />
<br />
The complainant also considers that the views expressed in the ruling of the Data Protection Authority from 8 March 2017, in case no. 2016/835, was based on and the National Commissioner of Police had referred in his reasoning was not sufficient to justify the refusal of his request as other points of view had been tried in that case. There has been no attempt at the right to information on searches in the police case file system and therefore there has been no attempt at rules on the right to information and restrictions on that right according to Regulation no. 322/2001. In addition, a ruling in the case in question was announced before the entry into force of Act no. 90/2018, which has enshrined the principle of transparency, among other things. Furthermore, the complainant's request in the present case concerned more issues than were discussed in the ruling in question. Therefore, it would have been more in line with the views of proportionality to refuse only the provision of information on which employees had looked up the complainant in the case file system, the National Commissioner of Police considered there to be reasons to do so, but there was nothing to prevent the complainant from providing other information. The complainant considers, notwithstanding the above, that Art. of Regulation no. 322/2001, which stipulates the dissemination of personal information, opposes that the provisions of point 3 Paragraph 1 Article 8 it will be clarified that the complainant's right to information only covers the dissemination of his personal information to an outside party.<br />
<br />
Finally, the complaint contains comments on the National Commissioner of Police's procedure regarding the complainant's request for access. It states that the complainant sent his request to the National Commissioner of Police on 23 April 2018, but that it was not answered until six months later, i.e. on 23 October 2018. The complainant considers that the processing time in question has, among other things, violated Article 8 of Regulation no. 322/2001, which stipulates that a complaint must be processed as soon as possible and no later than within one month of receipt of the complaint. On the other hand, the complaint states that the reasoning of the National Commissioner of Police was scarce and that it did not contain sufficient instructions on the authority to complain to the Data Protection Authority or information on the deadline in that connection.<br />
<br />
3.<br />
The views of the National Commissioner of Police<br />
<br />
A letter from the National Commissioner of Police, dated 22 May 2019, states that, according to the ruling of the Data Protection Authority in case no. 2004/144, the then applicable provisions of point 3 of paragraph 1 of Article 18 of Act no. 77/2000, on personal protection and handling of personal information, which was identical to the provisions of point 3 of paragraph 1 of Article 8 of Regulation no. 322/2001, do not apply when information is received between individual employees of the same responsible party. The ruling of the Data Protection Authority in case no. 2016/835 states that the provision covers the transfer of personal information from the responsible party to another responsible party. With reference to the grounds of the above rulings, the complainant's request was rejected. The concept of recipients of personal information has not been expanded with the entry into force of Act no. 90/2018 and therefore does not apply to individual police employees and others who have access to the police case file system.<br />
It is technically possible to provide the complainant with information about all the employees who have looked him up and the times and number of searches. If an individual considers that information about him/her, which is registered in the case file system, is being handled illegally, he or she can lodge a complaint on that occasion with the relevant police department or the committee for police supervision, which investigates whether personal information has been handled in accordance with law and rules. All employees are bound by a duty of confidentiality according to Act no. 70/1996 on the rights and obligations of government employees and the Police Act no. 90/1996. Furthermore, employees' access to personal information is not more extensive than is necessary in view of the tasks they carry out, in accordance with Article 13 of Regulation no. 322/2001. Chiefs of Police and heads of institutions can access information on employee searches and they are therefore the only ones in a position to assess whether searches are related to cases they handle. If an employee has not been registered in a case that he or she looks up, the person in question must be given the opportunity to explain the reason for the search. Failure to do so may give rise to an unfounded suspicion of breach of trust. In this connection, reference is made to the grounds for the ruling of the Data Protection Authority in case no. 2004/144. Furthermore, information on the number of searches, their timing and purpose is not information to which the complainant is entitled according to the first paragraph of Article 8 of Regulation no. 322/2001.<br />
<br />
The letter also states that the National Commissioner of Police has responded to the complainant's request within the monthly deadline specified in the second paragraph of Article 8 of Regulation no. 322/2001. The Office's investigation revealed that the complainant's complaint was first received on 24 September 2018 when the complainant's lawyer sent an e-mail to the official e-mail address of the National Commissioner of Police.<br />
<br />
As previously stated, the National Commissioner of Police's letter to the Data Protection Authority included an overview of the number of searches of the complainant's ID number in the police register and the prosecution, in the register of names and fines by office. By letter dated 23 July 2019, the National Commissioner of Police informed the Data Protection Authority that the office did not comment on the complainant receiving a copy of the summary in question.<br />
<br />
A letter from the National Commissioner of Police to the Data Protection Authority, dated 8 April 2020, states that the office considers it appropriate to provide the complainant with information about the purpose of the National Commissioner of Police's search of the complainant in the case file system, but that this search was made in order to obtain information on the number of searches of the complainant's ID number. However, the National Commissioner of Police is only in a position to obtain information from the employees of his office and assess the purpose of their searches and whether that information may be disseminated.<br />
<br />
<br />
It is referred to that in the rules of the National Commissioner of Police from 25 September 2019 on supervision of searches in the police system, it is stated that the chiefs of police of each office can monitor the searches of their employees and supervise their employees. The complainant can, on the basis of information on searches within the office, contact the relevant office and request further information. Those who monitor searches in the police system have access to information on employee searches. However, they do not have access to information on searches of ID numbers, but the National Commissioner of Police has assisted the offices with such information from the action register. The letter also states that the complainant's right to information was in fact limited with reference to the fact that it was necessary to protect the rights of others, cf. Paragraph 1 Article 9 of Regulation no. 322/2001 on the processing of personal data by the police. More specifically, these are employees of the police and other institutions who have access to the police system and that unsubstantiated suspicions of breach of confidentiality may fall on employees who have access to the system and need to use it for their work, if further information about them is shared, such as names or ID numbers.<br />
II.<br />
Assumptions and conclusion<br />
<br />
1.<br />
Delimitation of a case<br />
<br />
This case concerns an individual's request for certain information from the action register for searches of information about him that has been registered electronically in the case file system of the National Commissioner of Police, as well as information on the purpose of those searches.<br />
2.<br />
Scope - Legal Transition<br />
<br />
Scope of Act no. 90/2018, on personal data protection and the processing of personal data, and Regulation (EU) 2016/679, cf. Paragraph 1 Article 4 of the Act, and thereby the authority of the Data Protection Authority, cf. Paragraph 1 Article 39 of the Act, covers the processing of personal data that is partly or wholly automatic and the processing by other methods than automatic of personal data that are or are to become part of a file.<br />
<br />
Personal information includes information about a person who is identified or identifiable, and an individual is considered identifiable if it is possible to identify him/her, directly or indirectly, with reference to his or her identity or one or more factors that are characteristic of him or her, cf. point 2 of Article 3 of Act no. 90/2018 and point 1 of Article 4 of the Regulation.<br />
<br />
According to para. Article 4 Act no. 90/2018, the Act and Regulation (EU) 2016/679 do not apply to the processing of personal data by the state in preventing, investigating, prosecuting or prosecuting criminal offenses or enforcing criminal sanctions. On the other hand, it should be noted that when the complainant's request was received by the National Commissioner of Police, on 24 September 2018, certain provisions of the Act on the Processing of Personal Data that concerned the State's activities in the field of penitentiary, cf. Provisional Provision III, incl. Articles 3 and 39 their. The provisions of Article 17 of the Act, which stipulates the right of access and information of individuals, was, on the other hand, not among the provisions that applied to such processing.<br />
<br />
According to Temporary Provision II in Act no. 90/2018, regulations issued by the Minister on the basis of the previous Act no. 77/2000 on personal protection and handling of personal information retain their validity insofar as they do not contravene Act no. 90/2018 or Regulation (EU) 2016/679. Comments on the provision in the bill that became Act no. 90/2018 state that this is a collection of rules, some of which are of great significance, such as Regulation no. 322/2001.<br />
<br />
It follows from the above that when the complainant's request was submitted to the National Commissioner of Police, his right to information was exercised in accordance with Regulation no. 322/2001, which applied to the electronic processing of personal information by the police, cf. Article 1 thereof. According to the first paragraph of Article 39 of Act no. 90/2018, the Data Protection Authority supervises the implementation of that Act, Regulation (EU) 2016/679, special provisions in laws that deal with the processing of personal data and other rules on the subject. It follows from this provision that the Data Protection Authority handled the implementation of Regulation no. 322/2001.<br />
<br />
It should also be noted that after this complaint was received by the Data Protection Authority, Act no. 75/2019 on the processing of personal information for law enforcement purposes, which apply to the processing of personal information by the competent authorities which takes place for law enforcement purposes, cf. Paragraph 1 Article 3 of the Act, but the term personal information is defined in point 1. Article 2 Act no. 75/2019 in the same way as is done in Act no. 90/2018.<br />
<br />
With Article 37 Act no. 75/2019, Temporary Provision III in Act no. 90/2018 was amended in such a way that the provisions of that law were not extended to the processing of personal information concerning the state's activities in the field of penitentiary. It is also to be considered that Regulation no. 322/2001 has now been deleted, cf. Paragraph 2 Article 10 of Regulation no. 577/2020 on police records and the processing of personal data for law enforcement purposes, which entered into force on 12 June 2020. According to para. Article 3 Act no. 75/2019, they apply to the processing of personal information that is partially or completely automated and to the processing by other methods than automatic processing of personal information that is or should be part of a file. According to the first paragraph. Article 30 Act no. 75/2019, the Data Protection Authority supervises the implementation of that Act, but of the provision and the aforementioned provision of the first paragraph. Article 39 Act no. 90/2018 means that the Data Protection Authority also supervises the implementation of Regulation no. 577/2020. The Data Protection Authority is of the opinion that one of the things that must be examined in this case is whether the complainant can have a greater right to information about the processing of his personal information in the case file system of the police according to current law.<br />
<br />
The Data Protection Authority considers it appropriate to consider that in the case file system of the National Commissioner of Police, personal information about the complainant is registered within the meaning of point 2 of Article 3 of Act no. 90/2018, point 1 of Article 4 of Regulation (EU) 2016/679 and point 1 of Article 2 of Act no. 75/2019. On the other hand, it is not considered appropriate to consider that information on searches in the case file system is considered to be the complainant's personal information within the meaning of the cited provisions, but that it is information on the processing of the complainant's personal information.<br />
<br />
The processing in question fell within the scope of Act no. 90/2018 and Regulation no. 322/2001 when the National Commissioner of Police processed the complainant's request but now falls within the scope of Act no. 75/2019 and Regulation no. 577/2020. In the light of the above and in the light of the above, this case concerns the processing of personal information which falls within the competence of the Data Protection Authority.<br />
3.<br />
Responsible party<br />
<br />
The party responsible for ensuring that the processing of personal information complies with Act no. 90/2018 and no. 75/2019 is named the responsible party. According to point 6. Article 3 Act no. 90/2018, this refers to an individual, legal entity, government authority or other party who decides, alone or in collaboration with others, the purposes and methods of processing personal information, cf. point 7. Article 4 Regulation (EU) 2016/679. According to point 4. Article 2 Act no. 75/2019, the responsible party is considered to be the competent authority that determines, alone or in collaboration with others, the purpose and methods of processing personal information.<br />
<br />
As such, the National Commissioner of Police is considered to be responsible for the processing involved in maintaining the police records provided for in Article 2. of Regulation no. 577/2020, Coll. before Article 2 of Regulation no. 322/2001, and by preserving and making accessible to other users the complainant's personal information in an electronic case file system. In addition, the National Commissioner of Police is considered to be responsible for the processing of the complainant's own personal data in the complainant's personal information in the case file system, incl. their views. On the other hand, the National Commissioner of Police will not be held responsible for the processing of the personal information in question by employees of other offices and institutions, such as for searches or registrations, according to the aforementioned law. In view of the above, as well as the fact that the complaint is directed only to the National Commissioner of Police, this ruling does not apply to the complainant's right to information about other than the National Commissioner of Police's processing of the complainant's personal data registered in the case file system.<br />
4.<br />
Legal environment<br />
<br />
In this case, the complainant's request for certain information on searches in the National Commissioner of Police's electronic case file system is being resolved, as well as whether the National Commissioner of Police has processed the complainant's request in accordance with the relevant procedural rules.<br />
According to the first paragraph of Article 8 of Regulation no. 322/2001, a registered individual had the right to receive information from the police about what information about him was or had been processed (point 1), the purpose of the processing (point 2) and who received, had received or would receive information about him (point 3). According to para. of the same Article, the police should provide written knowledge if requested. The application had to be processed as soon as possible and no later than within one month of receipt.<br />
<br />
According to para. Article 13 Act no. 75/2019, a registered individual has the right to confirmation from the responsible party as to whether personal information about him is processed and, if so, the right to access the personal information. In addition, a registered individual has the right, among other things, to receive information about the purpose of the processing and its legal basis (cf. section a of the provision) and the recipients of the information (cf. section c). According to point c of the third paragraph of the same Article, a request for access may be denied in part or in full, taking into account the legitimate interests and rights of the data subject to protect the interests of others than the data subject.<br />
4.1.<br />
The complainant's right of access and information<br />
4.1.1.<br />
Information on who was responsible for the searches<br />
<br />
In this case, it is examined, among other things, whether the complainant had or is entitled to information from the National Commissioner of Police as to who was responsible for looking up his information in the Office's electronic case file system. In this connection, the Data Protection Authority considers that the employees of the National Commissioner of Police have looked it up in the Office's electronic case file system, cf. the discussion of responsibility for the processing of personal data in Chapter 3 in II. part above. The Data Protection Authority also understands from the request that it concerned information on which responsible parties had looked up the complainant's personal information in the system.<br />
<br />
The provisions of the first paragraph of Article 8 of Regulation no. 322/2001 were identical to points 1-3 of Paragraph 1 Article 18 of the older Act no. 77/2000, on personal protection and handling of personal information. Accordingly, it should be assumed that the same points of view apply in the interpretation of the provisions. In the opinion of the Data Protection Authority, it is not particularly important in this connection that the regulation provision relates to the right to information for the processing of personal data by the police.<br />
<br />
In the opinion of the Data Protection Authority, it will not be assumed that the provisions of point 3. Paragraph 1 Article 8 of Regulation no. 322/2001 included the right of individuals to be informed when information is received between individual employees of the responsible party, but the provision only applied to the right of individuals to be informed about the dissemination of personal information to other responsible parties. With reference to this, the complainant will not be considered to have had the right to receive information from the action register of the National Commissioner of Police's case file system on individual employees' searches of information about the complainant registered in the system, based on the cited provision. That explanation is in accordance with the rulings of the Data Protection Authority from 28 February 2005 in case no. 2004/144 and from 8 March 2017 in case no. 2016/835, which tested the rights of individuals according to point 3. Paragraph 1 Article 18 Act no. 77/2000, which was identical to the cited provision of Regulation no. 322/2001.<br />
<br />
However, it also follows from the above explanation that the complainant was entitled to information from the National Commissioner of Police as to which responsible parties had looked up his information in the case file system, but the complainant's request was rejected in this respect. On the other hand, it is clear that the complainant has received the information in question during the proceedings.<br />
It will then be examined whether the complainant can now have a greater right to information about the National Commissioner of Police's employees' information on the complainant in the Office's case file system on the basis of the provision of the second paragraph of Article 13 of the current Act no. 75/2019.<br />
<br />
According to comments on the provision in the bill that became Act no. 75/2019, it is intended to implement the provisions of Articles 13-15 of Directive (EU) 2016/680. The provisions of Article 14 of the Directive concern the right of registered persons to access, which, inter alia, provides for the right of an individual to information on recipients or categories of recipients who have received personal data. In the opinion of the Data Protection Authority, the wording of the provision in question in the Directive is not broader in this respect than Article 12 (a) of Directive 95/46/EC, on which the first paragraph of Article 8 of Regulation no. 322/2001 was materially based. It cannot be seen that the definition of the term "recipient" has been substantially changed in this respect in Directive (EU) 2016/680. Finally, it should be noted that neither the wording of Article 13 Act no. 75/2019 nor interpretative documents are considered to indicate that the legislation was intended to extend the right of individuals to information of the kind at issue here. In view of the above, the Data Protection Authority considers that it must be assumed that the complainant does not have the right to receive information from the National Commissioner of Police's action file system on individual employees' searches of information about the complainant registered in the system, based on the cited provision.<br />
<br />
It should be noted that since the information in question from the event registration is not considered to be the complainant's personal information, as described in Chapter 3 in II. part above, the complainant will not be considered entitled to receive a copy of the information in question on the basis of the first sentence of Paragraph 2 Article 13 Act no. 75/2019.<br />
4.1.2.<br />
Information on timing and number of searches<br />
<br />
It will then be decided whether the complainant had or is entitled to information on when and how often the National Commissioner of Police looks up his personal information in the case file system, cf. the discussion of responsibility for the processing of personal data in Chapter 3 in II. part above.<br />
<br />
In the opinion of the Data Protection Authority, it cannot be inferred from the wording of the first paragraph of Article 8 of Regulation no. 322/2001, nor from explanatory documents, that the National Commissioner of Police should have provided the complainant with information on the timing or number of searches. The Data Protection Authority therefore considers that it must be assumed that the National Commissioner of Police was authorized to reject the complainant's request for the information in question on the grounds that his right to knowledge under the provision did not apply to them.<br />
<br />
It cannot be seen that the complainant's right to information on the timing and number of searches of his personal information in the National Commissioner of Police's case file system has been increased by the second paragraph of Article 13 Act no. 75/2019, cf. Directive (EU) 2016/680. Accordingly, the Data Protection Authority does not consider it appropriate to require the National Commissioner of Police to provide the complainant with the information in question.<br />
4.1.3.<br />
Information on the purpose of browsing<br />
<br />
The complainant's request to the National Commissioner of Police also concerned information on the purpose of looking up his personal information in the Office's electronic case file system.<br />
<br />
The National Commissioner of Police has stated that the office is only in a position to provide information on the purpose of searches in the police case file system by its own employees and not employees of other institutions that have access to the case file system. On the other hand, those who supervise the system at the relevant institutions can obtain such information from their own employees. With reference to the comments of the National Commissioner of Police, it is not agreed that the National Commissioner of Police should or should have provided the complainant with information in this regard, as he did not have access to the information in question and is therefore not responsible for its processing, cf. Article 3 Act no. 90/2018 and point 4. Article 2 Act no. 75/2019, as outlined in Chapter 3 in II. part above. On the other hand, it is examined here whether the National Commissioner of Police should have provided the complainant with information about the purpose of the search of his own employees.<br />
<br />
As stated in Chapter 4 above, the complainant was entitled to information on the purpose of processing, cf. point 2. Paragraph 1 Article 8 of Regulation no. 322/2001. The Data Protection Authority considers that it must be assumed that the provision in question contained the complainant's right to receive information on the purpose of searching for his personal information in the case file system, which was carried out by the National Commissioner of Police. From the answers of the National Commissioner of Police, however, it can be deduced that the office first carried out such a search after the complainant's request had been processed, i.e. during the handling of this case. It is also clear that the complainant has now received information about the purpose of that processing.<br />
4.2.<br />
Procedure of the National Commissioner of Police<br />
<br />
Finally, it remains to be determined whether the procedure of the National Commissioner of Police regarding the complainant's request was in accordance with Regulation no. 322/2001 and Act no. 90/2018. More specifically, it is examined whether the time it took the National Commissioner of Police to process the complainant's request was in accordance with the law, as well as whether the National Commissioner of Police provided the complainant with adequate instructions on the authority to complain to the Data Protection Authority.<br />
<br />
From the explanations of the National Commissioner of Police and the documents he has submitted, it can only be concluded that the office first granted the complainant's request on 24 September 2018. This has not been objected to by the complainant. The decision of the National Commissioner of Police is dated 23 October 2018. The decision will be considered to involve the final processing of the case by the National Commissioner of Police, although the office later gave the complainant access to some of the information his request concerned while this case was being handled. To this end, the Data Protection Authority considers that the National Commissioner of Police has processed the complainant's complaint within the time limit laid down in the second paragraph of Article 8 of Regulation no. 322/2001.<br />
<br />
There was also no provision for the duty of the National Commissioner of Police to provide guidance regarding the right of individuals to refer a refusal pursuant to Article 8 of Regulation no. 322/2001 to the Data Protection Authority, in the provision itself or in the provisions of Act no. 90/2018, cf. also Regulation (EU) 2016/679, which applied to the processing of personal data by the police when the events of this case took place. Accordingly, it cannot be assumed that the lack of instructions from the National Commissioner of Police to the complainant about his authority to refer the decision to the Data Protection Authority constituted a violation of the provisions of the Act or Regulation no. 322/2001.<br />
<br />
It should be noted, however, that the 3rd sentence of Paragraph 4 Article 13 Act no. 75/2019, which came into force after the National Commissioner of Police processed the complainant's complaint, now stipulates the obligation of the responsible party to inform the data subject of his right to lodge a complaint with the Data Protection Authority in cases where the responsible party restricts or denies a registered person access to his personal information.<br />
3.<br />
Conclusion<br />
<br />
In view of all the above, it is the conclusion of the Data Protection Authority that the National Commissioner of Police was allowed to refuse the complainant information about which employees looked him up in the office's electronic file system, when the searches were made, as well as their number.<br />
<br />
On the other hand, it is the conclusion of the Data Protection Authority that the National Commissioner of Police was not allowed to refuse the complainant information about which persons were responsible for searching personal information about him in the case file system, as well as information about the purpose of searching the complainant's personal information. In light of the fact that the complainant was provided with the information in question during the operation of this case, it is not considered whether special instructions should be directed to the National Commissioner of Police regarding access to them.<br />
<br />
Finally, it is the conclusion of the Data Protection Authority that the procedure of the National Commissioner of Police in processing the complainant's request for information was in accordance with Act no. 90/2018, cf. Regulation (EU) 2016/679, and Regulation no. 322/2001.<br />
Ruling:<br />
<br />
The decision of the National Commissioner of Police to refuse [A] information on the employees who looked up his personal information in the Office's electronic case file system, on the timing of searches, as well as on their number, was in accordance with Regulation no. 322/2001 on the processing of personal information by the police and Act no. 90/2018 on personal data protection and the processing of personal data, cf. Regulation (EU) 2016/679.<br />
<br />
The decision of the National Commissioner of Police to refuse [A] information on searches of other responsible parties in the Office's electronic case file system, as well as on the purpose of its own searches, was not in accordance with Regulation no. 322/2001 on the processing of personal information by the police and Act no. 90/2018 on personal data protection and the processing of personal data, cf. Regulation (EU) 2016/679.<br />
<br />
The procedure of the National Commissioner of Police in processing a request [A] for information on the processing of his personal information was in accordance with Act no. 90/2018 and Regulation no. 322/2001.<br />
<br />
At the Data Protection Authority, September 29, 2020<br />
<br />
Björg Thorarensen<br />
chairman<br />
<br />
Ólafur Garðarsson Björn Geirsson<br />
<br />
Vilhelmína Haraldsdóttir Þorvarður Kári Ólafsson<br />
</pre></div>MLhttps://gdprhub.eu/index.php?title=RvS_-_201905347/1/A3&diff=11449RvS - 201905347/1/A32020-10-01T15:31:13Z<p>ML: Created page with "{{COURTdecisionBOX |Jurisdiction=Netherlands |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation= Raad van State |Court_With_Country= Raad van State (Netherlands)..."</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Netherlands<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation= Raad van State<br />
|Court_With_Country= Raad van State (Netherlands)<br />
<br />
|Case_Number_Name=201905347/1/A3<br />
|ECLI= ECLI:NL:RVS:2020:2315<br />
<br />
|Original_Source_Name_1=Uitspraaken rechtspraak<br />
|Original_Source_Link_1=https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RVS:2020:2315&showbutton=true&keyword=AVG<br />
|Original_Source_Language_1=Dutch<br />
|Original_Source_Language__Code_1=NL<br />
<br />
|Date_Decided=30.09.2020<br />
|Date_Published=30.09.2020<br />
|Year=2020<br />
<br />
|GDPR_Article_1=Article 5 GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR<br />
|GDPR_Article_2=Article 6 GDPR<br />
|GDPR_Article_Link_2=Article 6 GDPR<br />
|GDPR_Article_3=Article 17(3) GDPR<br />
|GDPR_Article_Link_3=Article 17 GDPR#3<br />
|GDPR_Article_4=Article 17(3)(e) GDPR<br />
|GDPR_Article_Link_4=Article 17 GDPR#3e<br />
<br />
<br />
<br />
|Party_Name_1=Minister for Agriculture, Nature and Food Quality<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=de rechtbank Oost-Brabant<br />
|Appeal_From_Case_Number_Name= 18/2775 <br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The court held that the personal data of the claimants, contained in a document that holds data from dog handlers and was shared with different institutions, shall be deleted, although a civil action is still pending.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
In 2013, as part of the integrated approach to rogue dog trafficking by the Police National Unit Animal Welfare Expertise Centre, a so-called pre-weighing document was drawn up. This document contains data from dog handlers with sufficient indicators to justify further investigation. The dog handlers listed in the pre-weighing document are included in the general roadmap 'Canitas project' (hereafter: the roadmap) that was drawn up for a national enforcement action day, and which in section 1.4 contains a diagram with data from dog handlers. The data of applicant and appellant are included in this diagram. The project involved cooperation with, among others, the National Animal Protection Inspectorate and the Dutch Food and Consumer Product Safety Authority. Within the framework of integral enforcement, the roadmap was shared with the administrative bodies affiliated to the Regional Information and Expertise Centre East Brabant.<br />
<br />
The applicant and the appellant have requested the deletion of their data from the pre-weighing document and the schedule according to the GDPR. The Minister takes the view that data in the roadmap will not be processed unlawfully. In addition, the right to be forgotten of Article 17 GDPR is not intended to correct or delete opinions with which the applicants disagree. Moreover, in connection with the processing of their data, the applicant and the appellant also brought civil proceedings for damages against the Minister. In that context, the data are necessary for the substantiation of a legal action, so that the exception in Article 17(3) GDPR applies, according to the Minister.<br />
<br />
=== Dispute ===<br />
The central question in the civil proceedings is whether the initial processing of the personal data in connection with the prevention and pursuit of animal welfare was lawful and whether Article 17 (3) (e) GDPR can be applied.<br />
<br />
=== Holding ===<br />
The court held that the appellant's appeal is well founded; the personal data shall be deleted.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.<br />
<br />
<pre><br />
ECLI:NL:RVS:2020:2315<br />
<br />
Authority<br />
Council of State<br />
Date of pronouncement<br />
30-09-2020<br />
Date of publication<br />
30-09-2020 <br />
Case number<br />
201905347/1/A3<br />
Jurisdictions<br />
Administrative law<br />
Special features<br />
Appeals<br />
Content indication<br />
<br />
By decision of 7 May 2018, the Minister for Agriculture, Nature and Food Quality rejected the requests of [the applicant] and [the appellant] for the removal of their personal data. In 2013, as part of the integrated approach to rogue dog trafficking by the Police National Unit Animal Welfare Expertise Centre, a so-called pre-weighing document was drawn up. This document contains data from dog handlers with sufficient indicators to justify further investigation. The dog handlers listed in the pre-weighing document are included in the general roadmap 'Canitas project' (hereafter: the roadmap) that was drawn up for a national enforcement action day, and which in section 1.4 contains a diagram with data from dog handlers. The data of [applicant] and [appellant] are included in this diagram.<br />
Sites<br />
Rechtspraak.nl<br />
Enriched ruling <br />
<br />
Ruling<br />
<br />
201905347/1/A3.<br />
<br />
Date of judgment: 30 September 2020<br />
<br />
SECTION<br />
<br />
ADMINISTRATIVE LAW<br />
<br />
Judgment on the appeal of:<br />
<br />
[appellant], residing at [residence],<br />
<br />
against the judgment of the District Court of Oost-Brabant of 5 July 2019 in Case No 18/2775 in the case between:<br />
<br />
[applicant] and [appellant]<br />
<br />
and<br />
<br />
the Minister for Agriculture, Nature and Food Quality.<br />
<br />
Course of proceedings<br />
<br />
By decision of 7 May 2018, the Minister rejected [the applicant's] and [the appellant's] request for the deletion ('erasure') of their personal data.<br />
<br />
By decision of 8 November 2018, the Minister dismissed [the applicant's] and [the appellant's] objections to that decision as unfounded.<br />
<br />
By decision of 14 May 2019, the Minister amended in part the decision of 8 November 2018 and upheld [the applicant's] objection. In so doing, the Minister revoked the decision of 7 May 2018 in so far as it concerned the data of [the applicant] and removed the data of [the applicant] from the documents referred to in the application.<br />
<br />
By judgment of 5 July 2019, the Court dismissed as inadmissible the action brought by [the applicant] and [the appellant] against that decision in so far as it was brought by [the applicant] and as unfounded in so far as it was brought by [the appellant]. That judgment is annexed.<br />
<br />
The appellant has appealed against that judgment.<br />
<br />
The Minister made a written submission.<br />
<br />
The appellant has submitted further documents.<br />
<br />
The Division heard the case at the hearing on 23 September 2019, at which [the appellant], represented by [the appellant], and the Minister, represented by T. Gilhaus and M.M.C. van Graafeiland, lawyers in The Hague, appeared.<br />
<br />
After the conclusion of the investigation at the hearing, the Division reopened the investigation. [appellant] and the Minister submitted further documents on request.<br />
<br />
The Minister and [the appellant] submitted further documents.<br />
<br />
None of the parties stated within the set period that they wished to exercise their right to be heard again at the hearing, after which the Division closed the investigation pursuant to Section 8:57(3), read in conjunction with Section 8:108(1) of the General Administrative Law Act (Awb).<br />
<br />
Considerations<br />
<br />
In advance<br />
<br />
1. In view of the exceptional situation created in the Netherlands by the outbreak of the coronavirus and the related measures taken by the Dutch Government to prevent the spread of this virus, the planned second hearing on 14 April 2020 could not take place. The Division informed the parties that, after a thorough examination of the file in order to decide on the contentious issues, it does not consider it necessary to hold a second hearing. The parties were given the opportunity to indicate that they would nevertheless like to make use of the right to be heard at a hearing. None of the parties has done so. The Division has therefore decided to settle the case without further hearing.<br />
<br />
Introduction<br />
<br />
2. In 2013, as part of the integrated approach to rogue dog trafficking by the Police National Unit Animal Welfare Expertise Centre, a so-called pre-weighing document was drawn up. This document contains data from dog handlers with sufficient indicators to justify further investigation. The dog handlers listed in the pre-weighing document are included in the general roadmap 'Canitas project' (hereafter: the roadmap) that was drawn up for a national enforcement action day, and which in section 1.4 contains a diagram with data from dog handlers. The data of [applicant] and [appellant] are included in this diagram. The project involved cooperation with, among others, the National Animal Protection Inspectorate and the Dutch Food and Consumer Product Safety Authority (hereafter: NVWA). Within the framework of integral enforcement, the roadmap was shared with the administrative bodies affiliated to the Regional Information and Expertise Centre East Brabant.<br />
<br />
3. Pursuant to the Personal Data Protection Act (Wbp), [the applicant] and [the appellant] have requested the deletion of their data from the pre-weighing document and the schedule in paragraph 1.4 of the roadmap. The Minister takes the view that [appellant's] data in the roadmap will not be processed unlawfully. In addition, the right to be forgotten in Article 17 of the General Data Protection Regulation (hereinafter: AVG) is not intended to correct or delete opinions with which the applicants disagree. Moreover, in connection with the processing of their data, [the applicant] and [the appellant] also brought civil proceedings for damages against the Minister. In that context, the data are necessary for the substantiation of a legal action, so that the exception in Article 17(3) of the AVG applies, according to the Minister.<br />
<br />
The court's ruling<br />
<br />
4. The Court considered that the Minister had, by the decision of 14 May 2019, granted the application in so far as it relates to the data of [the applicant]. The action, in so far as it relates to [the applicant's] data, was therefore dismissed as inadmissible on the ground that there was no interest in the proceedings. Furthermore, in the opinion of the District Court, the Minister took the view on good grounds that Article 17(3) of the AVG is applicable. This means that [the appellant] is not entitled to have its data erased from the documents because of the ongoing civil proceedings. It is irrelevant here whether the processing of the personal data in the documents can be regarded as unlawful. Nor is it relevant that a judgment was rendered by the court in the civil proceedings on 15 May 2019, because an appeal has been lodged against that judgment, according to the court.<br />
<br />
What is the scope of the appeal?<br />
<br />
5. Although the notice of appeal was signed by [the applicant] and [the appellant], it became clear at the hearing that [the applicant] is acting as agent of [the appellant]. Grounds of appeal were put forward against the dismissal of the appeal only to the extent that it was submitted by [the appellant]. The Division will therefore assume in the following that the appeal was lodged only by [the appellant].<br />
<br />
Assessment framework<br />
<br />
6. On 25 May 2018 the AVG became applicable and the Wbp was repealed. The AVG applies to these proceedings because the decision on objections dates from after 25 May 2018.<br />
<br />
7. The relevant legislation and regulations are listed in the appendix. This appendix is attached to the decision and forms part of it.<br />
<br />
The appeal of [appellant]<br />
<br />
8. [appellant] argues that the schedule in the roadmap is a black list, the data of which must be regularly checked and updated. In this context, it draws attention to the requirements arising from the judgment of the Division of 4 July 2007, ECLI:NL:RVS:2007:BA8742. On the basis of these requirements, the lawfulness of the processing must be assessed before the exception provided for in Article 17(3) of the AVG can be invoked. These requirements are not met in this case, because the schedule was drawn up in a careless manner and a careful weighing of interests was not carried out before the data were processed. According to [appellant], the processing of its data is therefore not in accordance with Article 5(1)(a), (c) and (d) of the AVG.<br />
<br />
The further position of the Minister<br />
<br />
9. The Minister states that the data of [appellant] included in the roadmap were processed on the basis of Article 6, first paragraph, opening words and under e, of the AVG. Because the Dutch Food and Consumer Product Safety Authority (hereinafter: NVWA) was to participate in an action day in the field of animal health and animal welfare, the processing was necessary for the fulfilment of the NVWA's public task. Since the NVWA did not compile the documents itself, the NVWA could not decide to erase data from those documents either. At the time of the decisions on objections, [appellant's] data were processed only in connection with the pending civil proceedings. In the context of those proceedings it is important that the original documents are available to the Minister. This further processing as referred to in Article 6(4) of the AVG is compatible with the original purpose of processing. Therefore, no separate legal basis is required. In addition, there has never been any question of maintaining an active blacklist. The data of [appellant] only appear in the schedule included in the roadmap compiled at the time. The personal data are and have been processed in a lawful, proper and transparent manner that complies with Article 5, first paragraph, opening words and under a, and Article 6, first paragraph, opening words and under e, of the AVG. There is also no question of factually incorrect data, but [the appellant] contests the conclusion of the police that her personal data had to be included in the schedule. The right of correction is not intended for that purpose, according to the Minister.<br />
<br />
Can Article 17(3) of the AVG be applied?<br />
<br />
10. Article 17 of the AVG reads:<br />
<br />
"1. The data subject has the right to obtain from the controller the erasure of personal data relating to him without unreasonable delay and the controller is obliged to erase personal data without unreasonable delay where one of the following applies:<br />
<br />
a. to c. [...];<br />
<br />
d. the personal data have been processed unlawfully;<br />
<br />
e. and f. [...].<br />
<br />
2. […]<br />
<br />
3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:<br />
<br />
a. to d. [...];<br />
<br />
e. for the institution, exercise or substantiation of legal claims.<br />
<br />
10.1. The [Appellant's] argument concerning the order of assessment is unsuccessful. In view of the system and the text of Article 17 of the AVG, the court was entitled to assess whether the exception of Article 17(3)(e) of the AVG arose and was not obliged to first assess the lawfulness of the processing. However, pending appeal - after reopening the investigation - the Minister based the decision on objection on a different basis. The Division deduced from this that Article 17(3) of the AVG had been abandoned as a basis. In the further document of 24 December 2019 the Minister stated that the basis of the processing is further processing that is compatible with the original purpose of processing, as referred to in Article 6, paragraph 4, of the AVG. For this reason, the rejection of [the appellant's] request must be upheld according to the Minister.<br />
<br />
The appeal by [appellant] is well-founded for this reason and the judgment under appeal will be set aside. In doing what the court should do, the Division will annul the decision on appeal of 8 November 2018 insofar as it declares [appellant's] appeal unfounded. In the following it will be examined whether the legal consequences of the decision can be upheld to the extent that they can be maintained on the basis of lawful further processing as referred to in article 6, fourth paragraph, of the AVG.<br />
<br />
Is the further processing of [appellant's] personal data compatible with the original purpose?<br />
<br />
11. In answering the question whether the purpose of the further processing is compatible with the original purpose, account must be taken, inter alia, of the factors mentioned in Article 6(4)(a) to (e) of the AVG. These factors concern the relationship between the purposes for which the personal data were originally collected and the purposes of the intended further processing, the framework in which the personal data were collected, the nature of the personal data, the possible consequences of the intended further processing for the data subjects and the existence of appropriate safeguards. Article 6(4) of the AVG thus formulates an exception to the so-called purpose limitation principle and must therefore be interpreted strictly.<br />
<br />
11.1. Although, on appeal, the Minister takes the view that there is further processing for the purposes of a civil action for damages and the present administrative procedure and that the criteria of Article 6(4) of the AVG have therefore been met, he does not explain this viewpoint, or at least insufficiently, on the basis of these criteria. According to the Minister, the data of [the appellant] were initially processed for the purpose of informing the NVWA of the national action day. In connection with the data processing for that action day by the NVWA, [the applicant] and [the appellant] commenced civil proceedings for damages against, inter alia, the Minister. As explained by both parties at the hearing, the central question in the civil proceedings is whether the initial processing of the personal data was lawful. Only in connection with the civil proceedings and the present proceedings are the personal data still being processed by the NVWA. The Minister's further document states that the further processing is compatible with the original purpose of the processing. According to the Minister, there is a link between the two purposes, since in both cases the lawfulness of the processing is called into question. This brings us to the subject matter of these proceedings and the civil proceedings. However, this does not provide sufficient insight into the link between the purpose for which the data were initially processed and the purpose of further processing. Indeed, the mere fact that [the applicant] and [the appellant] brought civil proceedings for damages as a result of the initial processing of data against, inter alia, the Minister does not mean that the purpose of the further processing of those data for the purposes of those proceedings for damages is therefore already compatible with the purpose for which the personal data were initially collected (informing the NVWA). The same applies to the further processing of those data for the purposes of these proceedings. Furthermore, according to the Minister, the frameworks in which the personal data have been collected are the same and the consequences are limited, since the data are only processed for the purpose of proceedings initiated by [the applicant] and [the appellant]. Even with these unsubstantiated assertions, the Minister has not made it sufficiently clear that, taking into account the criteria referred to above, it must be concluded that the purpose of further processing is compatible with the purpose of the initial processing.<br />
<br />
11.2. The conclusion is that the Minister has insufficiently substantiated that further processing has a sound basis. In view of this, there is no reason to maintain the legal consequences of the decision on objection.<br />
<br />
Final considerations<br />
<br />
12. The appellant's appeal is well founded. The Court's decision, in so far as attacked, should be set aside. In doing what the Court should do, the Division will set aside the decision of 8 November 2018 to the extent that it dismissed [the appellant's] objection as unfounded.<br />
<br />
13. With a view to an efficient settlement of the dispute the Division sees reason to stipulate, pursuant to Section 8:113(2) of the General Administrative Law Act (Awb), that the new decision to be taken by the Minister on [the appellant's] objection may only be appealed against by the Division.<br />
<br />
14. There was no evidence of legal costs eligible for reimbursement.<br />
<br />
Decision<br />
<br />
The Administrative Jurisdiction Division of the Council of State:<br />
<br />
I. declares the appeal well-founded;<br />
<br />
II. sets aside the judgment of the District Court of Oost-Brabant of 5 July 2019 in case no. 18/2775 in so far as it dismissed [the appellant's] appeal as unfounded;<br />
<br />
III. declares [the appellant's] appeal lodged with the District Court well-founded;<br />
<br />
IV. annuls the decision of the Minister of Agriculture, Nature and Food Quality of 8 November 2018, ref. 494-24678, in so far as it dismisses [the appellant's] objection as unfounded;<br />
<br />
V. provides that the new decision to be taken by the Minister of Agriculture, Nature and Food Quality on [the Appellant's] objection can only be appealed to the Division;<br />
<br />
VI. orders the Minister for Agriculture, Nature and Food Quality to pay [the appellant] the court fee of € 259.00 (in words: two hundred and fifty-nine euros) for the handling of the appeal.<br />
<br />
Thus determined by C.H.M. van Altena, Chairman, and C.M. Wissels and C.C.W. Lange, Members, in the presence of M.H. Kuggeleijn-Jansen, Registrar.<br />
<br />
The chairman was prevented from signing the ruling.<br />
<br />
The Registrar was prevented from signing the ruling.<br />
<br />
Pronounced in public on 30 September 2020<br />
<br />
545.<br />
<br />
<br />
<br />
ANNEX<br />
<br />
<br />
<br />
AVG<br />
<br />
Article 5<br />
<br />
1. Personal data must be<br />
<br />
(a) processed in a manner which is lawful, adequate and transparent as regards the data subject ("lawfulness, adequacy and transparency");<br />
<br />
(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; further processing for archiving in the public interest, scientific or historical research or statistical purposes shall not be considered incompatible with the original purposes pursuant to Article 89(1) ('purpose limitation');<br />
<br />
(c) adequate, relevant and limited to what is necessary for the purposes for which they are processed ("minimal data processing");<br />
<br />
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without undue delay ('accuracy');<br />
<br />
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data are processed solely for the purposes of filing in the public interest, scientific or historical research or statistical purposes in accordance with Article 89(1) provided that the appropriate technical and organisational measures are taken to safeguard the rights and freedoms of the data subject as required by this Regulation ("storage restrictions");<br />
<br />
(f) processed by the application of appropriate technical or organisational measures in such a way that they ensure appropriate security and protect, inter alia, against unauthorised or unlawful processing and accidental loss, destruction or harm ("integrity and confidentiality").<br />
<br />
Article 6<br />
<br />
1. Processing shall be lawful only if and in so far as at least one of the following conditions is fulfilled:<br />
<br />
[...]<br />
<br />
e. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;<br />
<br />
[…]<br />
<br />
4. Where processing for a purpose other than that for which the personal data were collected is not based on the data subject's consent or on a provision of Union law or a provision of national law which constitutes a necessary and proportionate measure within a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall take into account, inter alia, when assessing whether processing for a purpose other than that for which the personal data were originally collected is compatible:<br />
<br />
a. any relationship between the purposes for which the personal data were collected and the purposes of the intended further processing;<br />
<br />
b. the framework in which the personal data have been collected, in particular as regards the relationship between the data subjects and the controller;<br />
<br />
c. the nature of the personal data, in particular whether special categories of personal data are processed, in accordance with Article 9, and whether personal data relating to criminal convictions and offences are processed, in accordance with Article 10;<br />
<br />
d. the possible consequences of the intended further processing for the data subjects;<br />
<br />
e. the existence of appropriate safeguards, which may include encryption or pseudonymisation.<br />
<br />
</pre></div>MLhttps://gdprhub.eu/index.php?title=DSB_(Austria)_-_2020-0.225.643&diff=11448DSB (Austria) - 2020-0.225.6432020-10-01T15:01:34Z<p>ML: Created page with "{{DPAdecisionBOX |Jurisdiction=Austria |DPA-BG-Color= |DPAlogo=LogoAT.png |DPA_Abbrevation=DSB |DPA_With_Country=DSB (Austria) |Case_Number_Name=DSBT_20200612_2020_0_225_643..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Austria<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoAT.png<br />
|DPA_Abbrevation=DSB<br />
|DPA_With_Country=DSB (Austria)<br />
<br />
|Case_Number_Name=DSBT_20200612_2020_0_225_643_00 <br />
|ECLI=ECLI:AT:DSB:2020:2020.0.225.643 <br />
<br />
|Original_Source_Name_1=Rechtsinformationssystem des Bundes<br />
|Original_Source_Link_1=https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=46c44aef-6738-43c1-aa62-8746dd5b8ebc&Position=1&Abfrage=Dsk&Entscheidungsart=Undefined&Organ=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=01.01.1990&BisDatum=&Norm=&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=&Dokumentnummer=DSBT_20200612_2020_0_225_643_00<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
<br />
|Type=Complaint<br />
|Outcome=Rejected<br />
|Date_Decided=12.06.2020<br />
|Date_Published=<br />
|Year=2020<br />
|Fine=None<br />
|Currency=<br />
<br />
<br />
<br />
|National_Law_Name_1=DSG 2000 §§1 (1), (2), 4 (no. 2), 9 (no. 3) (Austrian Data Protection Act)<br />
|National_Law_Link_1=https://www.ris.bka.gv.at/Dokumente/BgblPdf/1999_165_1/1999_165_1.pdf<br />
|National_Law_Name_2=DSG §§ 24, (5), 69 (4), (5) (Austrian Data Protection Act)<br />
|National_Law_Link_2=https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=bundesnormen&Gesetzesnummer=10001597<br />
|National_Law_Name_3=VersVG §§ 11a (1) (no. 3), (2) (no. 2), 34 (1), (2) (Austrian Insurance Law)<br />
|National_Law_Link_3=https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10001979<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The DSB held that there is no violation of the right to secrecy, as the transmission of health data can be based on § 11a (1) item 3 and (2) item 2 VersVG and the complainant has an obligation to provide information and evidence to the respondent on the basis of the clear order in § 34 VersVG.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
As a civil servant, the complainant has a supplementary insurance policy with the defendant, which was set up by the Land of Upper Austria as a group insurance scheme. The defendant requires the original pharmacy receipts to be provided in order to provide the service. These vouchers state the names of the medicines purchased. <br />
<br />
The insurance company required the complainant to submit original pharmacy receipts. The submitted proof of customer sales from the pharmacy was not sufficient. In order to benefit from an insurance policy, he was forced to disclose health-related data, which would be subject to confidentiality. These pharmacy receipts list the names of the medicines purchased. He considers that the insurance company has no interest in knowing what medicines the customer needs. This is subject to the confidentiality obligation of both the doctor and the pharmacy.<br />
<br />
=== Dispute ===<br />
The subject of the complaint is whether the defendant infringed the complainant's right to confidentiality by requiring the original invoices of a pharmacy, and not merely the pharmacy's proof of customer sales, in order to pay an insurance benefit to the complainant.<br />
<br />
<br />
=== Holding ===<br />
In substantive terms, however, the matter is to be assessed in accordance with the provisions of Sections 1 to 9 of the DSG 2000 and the VersVG applicable until the end of 24 May 2018, the date of the alleged breach of the right to confidentiality, because at that time the DSGVO and the necessary amendments to the VersVG by Federal Law Gazette I No. 16/2018 were not yet applicable.<br />
<br />
Under Section 9 No. 3 DSG 2000, the use of sensitive data is permissible, inter alia, if the authorisation or obligation to use it arises from statutory provisions, provided that these serve to safeguard an important public interest. The complainant has an obligation to provide information and evidence to the respondent on the basis of the clear order in § 34 VersVG.<br />
<br />
In this case, the transmission of health data can be based on § 11a (1) item 3 and (2) item 2 VersVG.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
Decision-making authority<br />
<br />
Data Protection Authority<br />
Decision date<br />
<br />
12.06.2020<br />
Case number<br />
<br />
2020-0.225.643<br />
Appeal to the BVwG/VwGH/VfGH<br />
<br />
This decision is final.<br />
<br />
Text<br />
<br />
GZ: 2020-0.225.643 of 12 June 2020 (procedure number: DSB-D124.2138)<br />
<br />
[Note Processor: Names and companies, legal forms and product names, addresses (including URLs, IP and e-mail addresses), file numbers (and similar), etc., as well as their initials and abbreviations may be abbreviated and/or changed for reasons of pseudonymisation. Obvious spelling, grammar and punctuation errors have been corrected.]<br />
<br />
DECISION<br />
<br />
RULING<br />
<br />
The data protection authority decides on the data protection complaint of Mag. Erwin A*** (complainant) of 6 May 2018 against N***-Versicherung AG (respondent) for violation of the right to secrecy as follows:<br />
<br />
- The complaint is dismissed as unfounded.<br />
<br />
Legal basis: §§ 1 to 9 DSG 2000, BGBl. I No. 165/1999 as amended by BGBl. I No. 132/2015, as well as § 24 para. 5 of the Data Protection Act (DSG), BGBl. I No. 165/1999 as amended; §§ 11a and 34 of the Insurance Contract Act (VersVG), BGBl. No. 2/1959 as amended by BGBl. I No. 112/2016.<br />
<br />
EXPLANATIONS<br />
<br />
A. Arguments of the parties and procedure<br />
<br />
1. In his submission of 6 May 2018, the complainant submitted that he had supplementary insurance with the defendant. The insurance company required him to submit original pharmacy receipts. The submitted proof of customer sales from the pharmacy was not sufficient. In order to benefit from an insurance policy, he was forced to disclose health-related data, which would be subject to confidentiality. These pharmacy receipts list the names of the medicines purchased. He considers that the insurance company has no interest in knowing what medicines the customer needs. This is subject to the confidentiality obligation of both the doctor and the pharmacy. In his view, the insurance company should be satisfied with the pharmacy's proof of customer sales, which clearly shows how many prescription medicines were purchased in an insurance year. He had already communicated this on 20 February 2018 in the course of a submission in the control and ombudsman procedure. The data protection authority had informed him that there was no possible infringement of the law due to the manifest non-transfer of data and that the data protection authority could not take action in this case. This meant that he had to disclose the data in order for a breach of data protection to occur in the first place. The complainant had therefore contacted the author of the above-mentioned communication from the data protection authority by telephone in order to ask whether the ex lege guaranteed data protection in Austria would only apply once a breach of data protection had occurred. Ultimately, the complainant had been given to understand that he actually had to disclose these data in order for a breach of data protection to occur and for the data protection authority to be able to prosecute it. The complainant considered this to be a provocation by the authorities. He had nevertheless complied with this and sent the original supporting documents containing sensitive data to the defendant. This was the breach of data protection.<br />
<br />
Sensitive data would require the explicit consent of the person concerned. For effective consent to be given, the Data Protection Act requires that the will of the person concerned be freely given, specific, unambiguous and given after prior information. It was for the respondent to demonstrate that such consent had been properly given. The respondent had not complied with his written request to provide evidence of such consent to request, collect or process data. There is neither a necessity for this requested data transfer nor consent to it, let alone the right to demand it, let alone to enforce it (no authorisation or obligation).<br />
<br />
By letter of 5 March 2020, received on 10 March 2020, the complainant submitted that he had already lodged a complaint with the Austrian data protection authority on 6 May 2018. To date - more than one and a half years later - he has not received any reply or settlement. Data protection was apparently not taken seriously in Austria.<br />
<br />
In a letter of 25 March 2020, the defendant summarised that the complainant's complaint was identical in substance to the complaint of 20 February 2018 under GZ: DSB-D216.669/0003-DSB/2018 and did not contain any substantiated new objections. In both submissions, the complainant complained that the defendant insisted on the transmission of the original pharmacy invoices for the provision of services.<br />
<br />
It should be noted that the proceedings under GZ: DSB-D216.669/0003-DSB/2018 were closed on 20 February 2018 and the defendant was informed of this by letter of 17 April 2018. The defendant referred to the opinion of 16 March 2018 and added the following additional information:<br />
<br />
As already stated in the statement of March 2018, the General Terms and Conditions of Insurance (AVB) constitute the most important legal basis alongside the provisions of the Insurance Contract Act (VersVG). They would constitute a description and limitation of the insurance cover.<br />
<br />
The data from the original invoices in question are processed for the purpose of assessing and fulfilling claims arising from the insurance contract with the person concerned.<br />
<br />
The General Conditions of Insurance for Medical Expenses and Hospital Daily Allowance Insurance (AVB 1999) applicable here are the conditions applicable to all tariffs, the scope of benefits of which is, however, limited by the tariff actually concluded. Under those conditions, the cost of medicines prescribed in the context of medical treatment and obtained from a pharmacy is reimbursed. According to point 7.1 of the AVB, payment is made on the basis of original invoices, which are balanced and show, inter alia, the person actually receiving the treatment, a description of the services provided and the dates of the treatment.<br />
<br />
A prescription fee confirmation from a pharmacy does not meet the criteria of the AVB 1999 and therefore cannot be accepted as a replacement for an original invoice. Apart from that, the confirmation of prescription fees does not contain all the information necessary for the verification of the insured event, such as the name of the service (medicine). Thus, the assessment of claims under an insurance contract cannot be based on the prescription fee confirmation.<br />
<br />
Furthermore, according to § 34 VersVG, the policyholder is obliged to provide the insurer with all information necessary to determine the insured event or the extent of the insurer's obligation to pay benefits. According to this provision, the insurer can demand evidence to the extent that the policyholder can reasonably be expected to obtain it. In this context, it should be pointed out in particular that the presentation of these original invoices is provided for in the AVB 1999.<br />
<br />
The processing of personal health data was also carried out in accordance with § 11a para. 1 no. 3 VersVG, according to which the insurer may process personal health data in connection with insurance relationships in which the state of health of the insured or an injured party is significant, to the extent that this is indispensable for the assessment and fulfilment of claims arising from an insurance contract.<br />
<br />
These personal health data are determined in accordance with §11a para. 2 no. 2 VersVG, according to which the insurer may only determine personal health data for the purposes mentioned in para. 1 on the basis of documents provided by the policyholder or the injured party. For this reason, too, it was necessary for the complainant to make the documents available.<br />
<br />
The complainant's argumentation could therefore not be accepted, since the defendant's action fully complied with the legal provisions and since this was indispensable for the assessment and fulfilment of claims arising from an insurance contract and for determining the extent of the insurer's obligation to provide benefits.<br />
<br />
In a letter of 6 April 2020, the complainant submitted in summary that the defendant justified its action on the basis of the VersVG and claimed that it was entitled to request and process personal health data - for the purpose of establishing the insured event and the extent of the insurer's obligation to provide benefits - to the extent that this was indispensable for the assessment and fulfilment of claims arising from an insurance contract.<br />
<br />
According to the complainant's legal view, personal health data are not necessary for this purpose at all, especially since the insurance company has in any event a guarantee that a net invoice issued by a pharmacy for a medicine will in any event relate to a medicine prescribed by a doctor, since it will in any event only reimburse prescription medicines prescribed by doctors. This implies that personal health data are in no way necessary, let alone "indispensable", for the assessment and fulfilment of claims arising from an insurance contract. Moreover, the restriction "insofar" clearly indicates that a condition applies, which the insurer admits but grossly disregards.<br />
<br />
It was noted in this context that, as a consequence - and also due to the processing error of the data protection authority - the complainant had been obliged to disclose sensitive personal health data also in 2019 and 2020.<br />
<br />
Nor could there be a conflict of norms between the VersVG and the DSG, since the Data Protection Act was in any event the higher-ranking norm. Thus, there was no sufficient legal basis for the respondent to demand pharmacy receipts or invoices from pharmacies which would provide any sensitive personal health data. This is not least to be seen in the extension of medical confidentiality, since pharmacists also have a duty of confidentiality which is being undermined.<br />
<br />
To put it plainly, it was simply not the respondent's business if someone was suffering from severe depression and needed permanent specialist medical treatment for it, which the EUR 85 annual maximum rate did not even come close to covering anyway.<br />
<br />
B. Object of complaint<br />
<br />
It follows from the complainant's arguments that the subject of the complaint is whether the defendant infringed the complainant's right to confidentiality by requiring the original invoices of a pharmacy, and not merely the pharmacy's proof of customer sales, in order to pay an insurance benefit to the complainant.<br />
<br />
C. Findings of the facts<br />
<br />
As a civil servant, the complainant has a supplementary insurance policy with the defendant, which was set up by the Land of Upper Austria as a group insurance scheme. The defendant requires the original pharmacy receipts to be provided in order to provide the service. These vouchers state the names of the medicines purchased.<br />
<br />
By letter of 20 February 2018, the complainant essentially submitted, in the context of a control and ombudsman procedure under Paragraph 30 of the DSG 2000, that the insurance company (the defendant) required him to submit the original pharmacy receipts. The submitted proof of customer sales from the pharmacy was not sufficient. On those pharmacy receipts, the name of the medicines purchased is stated, which is of no interest to the insurance company. This procedure was recorded in the minutes of the proceedings at GZ: DSB-D216.669.<br />
<br />
By letter of 20 March 2018, the data protection authority sent the complainant an opinion of the respondent, informing him that this opinion stated that "original invoices based on the insurance contract concluded between the parties to the contract must be submitted for the provision of services". In this context, it should be noted that there is no possible infringement of the law by an apparent failure to disclose the data and that the Data Protection Authority cannot act in this case.<br />
<br />
The proceedings were informally closed by letter dated 17 April 2018.<br />
<br />
By letter of 6 May 2018, the complainant lodged a new complaint after the original invoices had been submitted by him.<br />
<br />
Due to an internal error, this complaint was not recorded in the minutes. It was only due to the urgency of the complainant on 10 March 2020 that the complaint was dealt with as regards its substance.<br />
<br />
Assessment of evidence: The findings are based on the parties' submissions and the contents of the file or the file GZ: DSB-D216.669.<br />
<br />
D. From a legal point of view, the following follows:<br />
<br />
This complaint is to be decided on in accordance with the new legal situation (DSG as amended by Federal Law Gazette I No. 24/2018) under section 24(5) of the DSG.<br />
<br />
In substantive terms, however, the matter is to be assessed in accordance with the provisions of Sections 1 to 9 of the DSG 2000 and the VersVG applicable until the end of 24 May 2018, the date of the alleged breach of the right to confidentiality, because at that time the DSGVO and the necessary amendments to the VersVG by Federal Law Gazette I No. 16/2018 were not yet applicable.<br />
<br />
There is no question that data have already been transferred in the present proceedings. The complainant alleges that the submission of a confirmation of prescription fees is sufficient for the payment of the insurance benefit and that his right to confidentiality is infringed by the submission of the original invoices, since the defendant thereby gains knowledge of the medicines prescribed for him - and indirectly of his state of health.<br />
<br />
The data which are the subject of the proceedings provide information about the complainant's health and are therefore sensitive data within the meaning of Paragraph 4(2) of the DSG 2000. Accordingly, the permissibility of the processing is governed exclusively by Paragraph 9 of the DSG 2000.<br />
<br />
Under Section 9 No. 3 DSG 2000, the use of sensitive data is permissible, inter alia, if the authorisation or obligation to use it arises from statutory provisions, provided that these serve to safeguard an important public interest.<br />
<br />
The processing of health data in the context of insurance law is governed by Section 11a of the VersVG, pursuant to paragraph 1 of which the insurer may process personal health data in connection with insurance relationships in which the state of health of the insured or an injured party is significant, insofar as this is indispensable for the administration of existing insurance contracts (no. 2) or for the assessment and fulfilment of claims arising from an insurance contract (no. 3).<br />
<br />
Pursuant to § 11a para. 2 VersVG, insurers may only determine personal health data for the purposes mentioned in para. 1 in the following manner, namely, inter alia, by interviewing the person who is to be insured or who is already insured, or by interviewing the injured party (no. 1) or on the basis of documents provided by the policyholder or the injured party (no. 2).<br />
<br />
Section 34 VersVG obliges the policyholder to provide information to the insurer if this is necessary to establish the insured event or the extent of the insurer's obligation to pay benefits. The insurer may demand documents to the extent that the policyholder can reasonably be expected to obtain them.<br />
<br />
The obvious purpose of the obligation to provide information and evidence is to compensate for the insurer's lack of information relative to the policyholder. Naturally, the policyholder is more comprehensively informed than the insurer about the life circumstances affecting him. He should therefore provide the insurer with all information known to him and follow up on documents available to him. The policyholder must first notify the insurer of the occurrence of the insured event (§ 33 VersVG) and then, upon request, provide the insurer with further information and/or documents to verify his obligation to pay benefits within the meaning of § 34 VersVG. This is an obligation of the policyholder. The insurer may demand such information as it deems necessary if it may be significant for the reason and scope of its obligation to pay benefits (see the ruling of the Austrian Supreme Court of 5 November 2014, GZ 7 Ob 180/14t, with further references).<br />
<br />
It can also be seen from the OGH's case law on § 34 VersVG that the policyholder must provide all information necessary to establish the insured event. The insurer can demand the information that he considers necessary; however, he is obliged to prove that the requested information was necessary (see Grubmann, VersVG8 § 34 (status 1.7.2017, rdb.at) E 10, with further references).<br />
<br />
The obligation to provide evidence within the meaning of § 34 (2) VersVG basically includes all documents which the policyholder has at his own disposal or which he can obtain from third parties (i.e. which already exist). The voucher obligation is a correlative to the obligation to provide information, so that the justification of the request for information is also the standard for the justification of the request for vouchers. Only in rare exceptional cases will it be unreasonable for the policyholder to present documents that are in his power of disposal (see again Grubmann, loc.cit., E 63, with further references).<br />
<br />
2. Applied to the present case, this means:<br />
<br />
The complainant has an obligation to provide information and evidence to the respondent on the basis of the clear order in § 34 VersVG.<br />
<br />
In this case, the transmission of health data can be based on § 11a (1) item 3 and (2) item 2 VersVG.<br />
<br />
The respondent, on the other hand, has the burden of proof that the requested documents are actually necessary to establish the insured event or the extent of the obligation to provide benefits.<br />
<br />
It must therefore be examined whether the respondent was right to insist that the complainant provide it with the original invoices of the pharmacies and not merely sales receipts.<br />
<br />
If this is the case, point 7.1 AVB 1999 can be seen as a concretisation of § 34 VersVG (see in this respect, with regard to the General Conditions for Legal Expenses Insurance - ARB 2000, again the already quoted ruling of the Supreme Court of 5 November 2014).<br />
<br />
In its statement of 16 March 2018, the respondent already stated that a mere confirmation of prescription fees would not allow any possible erroneous double submissions to be identified and that therefore a correct processing by its employees in the interest of the community of insured persons as a whole could not be guaranteed.<br />
<br />
The complainant has not substantiated his objection.<br />
<br />
In this respect, it appears "conceivable" that the defendant needs the original invoices in order to assess the relevant facts, namely the exact scope of its obligation to provide benefits.<br />
<br />
In conclusion, there is therefore no violation of the right to secrecy, which is why the decision had to be taken in accordance with the ruling.<br />
<br />
In so far as the complainant complains that, in order to lodge a complaint with the data protection authority, he was forced to submit the original invoices and thus to disclose sensitive data, the reply must be that, instead of bringing proceedings before the data protection authority, he could have chosen not to submit original invoices and, if the defendant refused to pay its insurance benefits, to bring a civil action against it.<br />
European Case Law Identifier<br />
<br />
ECLI:AT:DSB:2020:2020.0.225.643<br />
</pre></div>MLhttps://gdprhub.eu/index.php?title=HmbBfDI_(Hamburg)_-_H%26M&diff=11439HmbBfDI (Hamburg) - H&M2020-10-01T14:09:23Z<p>ML: Created page with "{{DPAdecisionBOX |Jurisdiction=Germany |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoDE-HH.png |DPA_Abbrevation=HmbBfDI |DPA_With_Country=HmbBfDI (Hamburg) |Case_Numb..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Germany<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoDE-HH.png<br />
|DPA_Abbrevation=HmbBfDI<br />
|DPA_With_Country=HmbBfDI (Hamburg)<br />
<br />
|Case_Number_Name=H&M<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit<br />
|Original_Source_Link_1=https://datenschutz-hamburg.de/pressemitteilungen/2020/10/2020-10-01-h-m-verfahren<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=<br />
|Date_Published=01.10.2020<br />
|Year=<br />
|Fine=35258708<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 5 GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR<br />
|GDPR_Article_2=Article 6 GDPR<br />
|GDPR_Article_Link_2=Article 6 GDPR<br />
<br />
<br />
<br />
|Party_Name_1=H&M Hennes & Mauritz Online Shop A.B. & Co. KG<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Not appealed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The Data Protection Authority of Hamburg fined H&M EUR 35 258 708 for processing data concerning the private life of employees, making them available to up to 50 managers and making employment-related decisions based on these data.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
H&M, with its seat in Hamburg, operates a service center in Nuremberg. Since at least 2014, issues concerning the private life of employees have been comprehensively recorded and stored. For example, after an absence due to illness or vacation, the respective team leader conducted a "Welcome Back Talk". Detailed information, e.g. information on the symptoms of illness and diagnoses of the employees, has been noted and stored. Moreover, some supervisors also took information that they heard by accident, for example about family problems and religious beliefs, and stored it on the network drive, which could be accessed by up to 50 managers of the company. This network drive was used to evaluate the performance of the employees and to make employment decisions.<br />
<br />
This data collection became public due to a technical configuration error in October 2019. The data stored on the network drive could be seen company-wide for hours. <br />
<br />
=== Dispute ===<br />
What kind of data has been collected and stored regarding the employees of H&M in Nuremberg?<br />
<br />
=== Holding ===<br />
H&M is fined in the amount of EUR 35 258 708 for processing data concerning the private life of employees, making them available to up to 50 managers and making employment-related decisions based on these data. Therefore, H&M has to introduce corrective measures, provide employees with damages and an apology.<br />
<br />
== Comment ==<br />
This summary is based on a press release.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
35.3 million Euro fine for data protection violations in H&M's service centre<br />
01.10.2020 - H&M<br />
<br />
In the case of the monitoring of several hundred employees of the H&M service centre in Nuremberg by the centre management, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) has issued a fine of 35,258,707.95 euros against H&M Hennes & Mauritz Online Shop A.B. & Co. KG.<br />
<br />
The company is based in Hamburg and operates a service centre in Nuremberg. At least since 2014, some of the employees have been subject to extensive recording of their private circumstances. Corresponding notes were permanently stored on a network drive. After holiday and sick leave - even short absences - the supervising team leaders conducted a so-called Welcome Back Talk. After these talks, in many cases not only the employees' concrete holiday experiences were recorded, but also symptoms of illness and diagnoses. In addition, some supervisors acquired a broad knowledge of their employees' private lives through individual and corridor discussions, ranging from rather harmless details to family problems and religious beliefs. The findings were partly recorded, digitally stored and were sometimes readable by up to 50 other managers throughout the company. The recordings were sometimes made in great detail and updated over time. In addition to a meticulous evaluation of individual work performance, the data collected in this way was used, among other things, to obtain a profile of the employees for measures and decisions in the employment relationship. The combination of researching their private lives and the ongoing recording of the activities they were engaged in led to a particularly intensive intervention in the rights of those affected.<br />
<br />
The data collection became known when, as a result of a configuration error, the notes were accessible company-wide for a few hours in October 2019. After the Hamburg Commissioner for Data Protection and Freedom of Information was informed about the data collection by press reports, he first ordered the contents of the network drive to be completely "frozen" and then demanded that it be handed over. The company complied and submitted a data set of around 60 gigabytes for evaluation. Interrogations of numerous witnesses confirmed the documented practices after analysis of the data.<br />
<br />
The discovery of the serious violations prompted those responsible to take various remedial measures. The HmbBfDI was presented with a comprehensive concept for how data protection is to be implemented at the Nuremberg site from now on. In order to come to terms with past events, the management has not only expressly apologised to those affected. It has also followed the suggestion to pay the employees a considerable amount of unbureaucratic compensation. In this respect, this is an unprecedented commitment to corporate responsibility following a data protection violation. Further elements of the newly introduced data protection concept include a newly appointed data protection coordinator, monthly data protection status updates, more strongly communicated whistleblower protection and a consistent information concept.<br />
<br />
Prof. Dr. Johannes Caspar, the Hamburg Commissioner for Data Protection and Freedom of Information, comments: "The present case documents a serious disregard for employee data protection at the H&M site in Nuremberg. The level of the fine imposed is therefore appropriate and suitable to deter companies from violating the privacy of their employees.<br />
<br />
Management's efforts to compensate those affected on site and to restore confidence in the company as an employer are to be seen in a very positive light. The transparent information provided by those responsible and the guarantee of financial compensation show the will to give those affected the respect and appreciation they deserve as dependent employees in their daily work for their company."<br />
</pre></div>MLhttps://gdprhub.eu/index.php?title=Rb._Amsterdam_-_c/13/673085_/_HA_ZA_19-340&diff=11419Rb. Amsterdam - c/13/673085 / HA ZA 19-3402020-09-29T11:47:24Z<p>ML: Created page with "{{COURTdecisionBOX |Jurisdiction=Netherlands |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=Rb. Amsterdam |Court_With_Country=Rb. Amsterdam (Netherlands) |C..."</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Netherlands<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=Rb. Amsterdam<br />
|Court_With_Country=Rb. Amsterdam (Netherlands)<br />
<br />
|Case_Number_Name=c/13/673085 / HA ZA 19-340<br />
|ECLI=ECLI:NL:RBAMS:2020:2112<br />
<br />
|Original_Source_Name_1=de Rechtspraak - Uitspraken<br />
|Original_Source_Link_1=https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBAMS:2020:2112&showbutton=true&keyword=AVG<br />
|Original_Source_Language_1=Dutch<br />
|Original_Source_Language__Code_1=NL<br />
<br />
|Date_Decided=02.04.2020<br />
|Date_Published=23.09.2020<br />
|Year=2020<br />
<br />
|GDPR_Article_1=Article 17(1) GDPR<br />
|GDPR_Article_Link_1=Article 17 GDPR#1<br />
|GDPR_Article_2=Article 17(3)(b) GDPR<br />
|GDPR_Article_Link_2=Article 17 GDPR#3b<br />
<br />
|EU_Law_Name_1=Article 6 (1) ECHR<br />
|EU_Law_Link_1=https://www.echr.coe.int/documents/convention_eng.pdf<br />
<br />
|National_Law_Name_1=Article 14(1) International Covenant on Civil and Political Rights<br />
|National_Law_Link_1=https://treaties.un.org/doc/publication/unts/volume%20999/volume-999-i-14668-english.pdf<br />
|National_Law_Name_2=Article 21 Grondwet (Dutch Basic Law)<br />
|National_Law_Link_2=https://www.denederlandsegrondwet.nl/id/vkugbqvdq7wh/hoofdstuk_1_grondrechten<br />
|National_Law_Name_3=Article 5(1) of the Law on the Organisation of the Judiciary<br />
|National_Law_Link_3=https://www.rechtspraak.nl/SiteCollectionDocuments/Wet-op-de-Rechterlijke-Organisatie_EN.pdf<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=rechtbank Den Haag<br />
|Appeal_From_Case_Number_Name=ECLI:NL:RBDHA:2019:6302 <br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The court held that the deletion of a previous court decision cannot be obtained because the public interests mentioned in Article 17 (3) GDPR override the interest of the data subject whose data are anonymised in the ruling concerned.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The applicant requested the deletion of a previous court decision from the website "rechtspraak.nl" under Article 17 (1) GDPR, claiming that he/she could be identified by it and that it therefore creates a reason to deport him/her.<br />
<br />
=== Dispute ===<br />
The issue in this case is whether the State is obliged to remove, in whole or in part, the judgment of 28 June 2019 of the District Court of The Hague, published in accordance with the anonymisation guidelines, from www.rechtspraak.nl.<br />
<br />
=== Holding ===<br />
The court held that, to the extent that the applicant is a reasonably identifiable person, the applicant cannot obtain the deletion of the data referred to in Article 17 GDPR, because Article 17 (3) (b) GDPR precludes this. By publishing the decision, the District Court of The Hague fulfils its constitutional obligation that judicial decisions must be taken publicly (Article 6 (1) ECHR, Article 14(1) International Covenant on Civil and Political Rights, Article 21 Dutch Basic Law and Article 5(1) of the Law on the Organisation of the Judiciary). Consequently, the applicant does not have the right to incorrect information under Article 17(1) GDPR.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.<br />
<br />
<pre><br />
ECLI:NL:RBAMS:2020:2112<br />
<br />
Authority<br />
Court of Amsterdam<br />
Date of pronouncement<br />
02-04-2020<br />
Date of publication<br />
23-09-2020 <br />
Case number<br />
c/13/673085 / HA ZA 19-340<br />
Jurisdictions<br />
Civil Justice<br />
Special features<br />
First instance - single<br />
Content indication<br />
<br />
Rejection of a request under Article 17 of the AVG to remove an anonymised utterance from www.rechtspraak.nl.<br />
Sites<br />
Rechtspraak.nl<br />
Enriched pronunciation <br />
<br />
Ruling<br />
<br />
available at<br />
COURT IN AMSTERDAM<br />
<br />
Private law department<br />
<br />
Case number / petition number: C/13/673085 / HA RK 19-340<br />
<br />
Decision of 2 April 2020<br />
<br />
in the case of<br />
<br />
[applicant] ,<br />
<br />
residing at [residence] ,<br />
<br />
the applicant,<br />
<br />
appeared in person,<br />
<br />
by<br />
<br />
the legal person governed by public law<br />
<br />
STATE OF THE NETHERLANDS,<br />
<br />
having its registered office in The Hague, the Netherlands,<br />
<br />
defendant,<br />
<br />
Lawyer M.M.C. van Graafeiland, The Hague.<br />
<br />
The parties will hereinafter be referred to as [the applicant] and the State.<br />
1 The proceedings<br />
1.1.<br />
<br />
The course of the procedure is evident:<br />
<br />
- the application, together with its annexes, lodged at the Registry of the District Court of The Hague on 19 August 2019,<br />
- the order of 30 September 2019 of the District Court of The Hague referring the case back to that court,<br />
- the interim decision of 21 November 2019 providing for an oral hearing,<br />
- lodged at the Registry on 27 December 2019,<br />
- the supplementary application, together with the reduction/adjustment application, together with annexes, received at the Registry on 30 December 2019,<br />
- further documents from [the applicant] , received at the Registry on 6 January 2020,<br />
- the minutes of the oral procedure of 8 January 2020 and the (procedural) documents referred to therein,<br />
- the State's letter of 29 January 2020 containing comments on the minutes,<br />
- the (fax) letter of 30 January 2020 from [the applicant] replying to the letter of 29 January 2020 from the State,<br />
- the e-mail messages of 13 February 2020 from the parties to the registry.<br />
<br />
1.2.<br />
<br />
After the conclusion of the oral procedure, the Court referred the case to (the internal rekestenrol of) 13 February 2020 for the parties to take a simultaneous document in which they will inform the Court whether the Court of Appeal of Amsterdam has made a decision in the appeal lodged by [the applicant] against the decision of the District Court of Noord Holland of 14 March 2019. In the e-mail messages referred to under 1.1. dated 13 February 2020, the parties informed the Court that [the applicant] had withdrawn its appeal, so that the Court of Appeal will not rule. Subsequently, a date was set for the delivery of the decision. The parties were informed of the postponed date.<br />
1.3.<br />
<br />
That decision was taken in the light of the State's comments on the minutes and [the applicant's] response to them.<br />
2 The facts<br />
2.1.<br />
<br />
On 28 June 2019, the District Court of The Hague adopted a decision ('the decision') in a dispute between [the applicant] and Google LLC concerning the removal of search results from Google's search engine. In that decision, the Court ordered [the applicant], at Google's request, to pay the costs of the proceedings after it had withdrawn its applications following the oral procedure and to assess the substance of the dispute. The [applicant] brought an appeal against the decision.<br />
2.2.<br />
<br />
The decision was published under number ECLI:NL:RBDHA:2019:6302 on www.rechtspraak.nl and rendered anonymous in accordance with the anonymisation guidelines for the publication of judgments on rechtspraak.nl.<br />
2.3.<br />
<br />
In a letter dated 11 July 2019, [the applicant] requested the court of The Hague to immediately (within 24 hours) remove the decision from www.rechtspraak.nl on the basis of Article 17 of Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJEU L 119/1 of 27 April 2016) (hereafter: AVG).<br />
2.4.<br />
<br />
On 12 July 2019, the administrative secretary also confirmed the receipt of the removal request to [the applicant] by the District Court of The Hague, as coordinator for requests for information on privacy, and that she was unable to respond within the set period of 24 hours. On the same day [the applicant] responded by stating that Article 17(1) of the AVG provides that the data subject has the right to obtain the deletion of personal data relating to him without unreasonable delay and that the controller is obliged to delete personal data without unreasonable delay.<br />
2.5.<br />
<br />
In a letter dated 1 August 2019, the President of the District Court of The Hague wrote to [the applicant] that the request for deletion had been rejected because the business content of a judicial decision as part of the legal analysis falls outside the scope of the AVG and thus outside the scope of the possibilities for deletion of personal data provided therein.<br />
3 The dispute<br />
3.1.<br />
<br />
The applicant claims that the Court should declare the decision - in summary - enforceable on a provisional basis and order the State:<br />
<br />
to order the State, within one day of the issue of that order, or at least within a reasonable period to be determined by the court, to remove and keep the order posted at www.rechtspraak.nl;<br />
<br />
within one day after the issuance of this order, or at least a reasonable period of time to be determined by the court, order the State to remove and keep removed the extracts from the order on www.rechtspraak.nl, in accordance with production 1 e of the revised application;<br />
<br />
to pay a penalty payment of €50,000, or at least a sum to be determined by the court, for each breach of the order requested under a, or, at the option of [the applicant], of €500 for each day or part thereof that the State fails to comply with all or part of this order, up to a maximum of €50,000;<br />
<br />
the costs of the proceedings.<br />
<br />
3.2.<br />
<br />
The applicant's requests are based on Article 17 of the AVG. In summary, it submits that the published decision contains personal data which are traceable to the applicant and which lend themselves to removal. According to [the applicant], the State cannot rely on the exception provided for in Article 6(1)(c) of the AVG, because there is no (statutory) obligation to publish judgments on the internet, not on the basis of Article 6 of the European Convention on Human Rights (ECHR) and Article 121 of the Constitution (Gw). The Besluit Selectiecriteria uit spreektdatabank rechtspraak.nl is not a law. It has been adopted without competence and is not binding. Nor is there any need for publication in the register of judgments. Furthermore, publication is not a judicial task in the sense of Article 23 paragraph 1 opening words and under f AVG.<br />
<br />
It is true that the publication of the decision complies with the anonymisation guidelines of the jurisprudence, but these guidelines do not comply with the AVG, because the definition of personal data differs from Article 4 AVG. The [applicant] fears that the anonymised decision will be found on www.rechtspraak.nl and will be used against her in order to blacken her. Even if she is successful in the appeal proceedings, the decision will continue to be published on the internet. In addition, according to the applicant, the publication does not serve any reasonable purpose.<br />
3.3.<br />
<br />
The State puts forward a defence and concludes that the application under 3.2(a) should be dismissed as inadmissible or, in any event, that the other applications should be dismissed, and orders [the applicant] to pay the costs of the proceedings.<br />
<br />
In summary, the State submits primarily that, according to settled case-law, legal analyses as such do not constitute personal data, so that it is not possible to apply for their removal by relying on the AVG. In that context, the State points out that, by order of 14 March 2019 in a dispute between [the applicant] and the District Court of The Hague concerning the removal of a judgment of 3 June 2015 from www.rechtspraak.nl, the District Court of Noord Holland rejected [the applicant's] application for removal. In that regard, the Court considered that the representation of the capacity of the parties to the proceedings, the facts and the assessment relate to the factual content of a judicial decision, which is determined by rules of procedural law in conjunction with substantive law and is therefore part of the legal analysis itself.<br />
<br />
In the alternative, the State submits that, in the light of the provisions of Article 17(3)(b) AVG, there are no grounds for ordering expulsion. In so far as the published decision already contains personal data which can be traced back to [the applicant], there is a basis for doing so within the meaning of Article 6 of the AVG. With the publication on www.rechtspraak.nl, the District Court of The Hague complies with its disclosure obligation arising from the principle of public access to judicial decisions as prescribed in Article 6 ECHR and Article 121 Gw. This general interest of publicity is in contrast to the interest and fundamental right of [the applicant] to protection of her privacy. In order to protect the latter right, the directive provides for an adequate and proportionate measure for the anonymisation of judgments to be published.<br />
<br />
Finally, the State submits that there is no evidence of exceptional circumstances making it necessary to proceed with the expulsion of the decision. [the applicant] has not substantiated its claim that it has suffered damage as a result of the publication, whereas, as far as an outsider is concerned, the decision cannot (properly) be traced back to it.<br />
3.4.<br />
<br />
The parties' submissions are set out in more detail below, in so far as they are relevant.<br />
4 The assessment<br />
4.1.<br />
<br />
This case concerns the question whether the State is obliged to remove all or part of the decision of the District Court of The Hague of 28 June 2019, published in accordance with the anonymisation guidelines, from www.rechtspraak.nl.<br />
4.2.<br />
<br />
The request of [the applicant] was filed after 25 May 2018, so that the AVG must be applied to the request. As an EU regulation, the AVG is directly applicable in each Member State (cf. article 99 AVG). The AVG is the successor to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereafter: the Personal Data Directive), as implemented in the Personal Data Protection Act (hereafter: the Wbp). The court's starting point is that the rulings of the Court of Justice of the European Union (CJEU) and the Supreme Court handed down at the time of the Personal Data Directive and Wbp also apply now that the AVG is in force.<br />
4.3.<br />
<br />
Pursuant to Article 17(1)(c) of the AVG, [the applicant] has the right to obtain the erasure of her personal data if she has objected to the processing of personal data relating to her on the basis of Article 6(1)(e) or (f) of the AVG in accordance with Article 21(1) of the AVG and there are no overriding compelling legitimate grounds for processing. Article 17 paragraph 3, opening words and under b AVG states that paragraph 1 does not apply insofar as processing is necessary for the performance of a task in the public interest.<br />
4.4.<br />
<br />
Article 17 of the AVG states that the right to erasure is limited to personal data. The interpretation of the term 'personal data' therefore determines the scope of the right of erasure.<br />
4.5.<br />
<br />
Pursuant to Article 4.1 of the AVG, personal data is 'all information about an identified or identifiable natural person'. The term 'personal data' is interpreted broadly by the CJEU. The CJEU has considered that the concept of personal data is not limited to sensitive or personal information but potentially extends to any type of information, both objective and subjective, in the form of opinions or assessments, provided that it relates to the data subject. The latter condition is fulfilled when the information is related to a particular person by virtue of its content, purpose or effect and that person is reasonably identifiable to another person (CJEU 20 December 2017, C-434/16, ECLI:EU:C:2017:994).<br />
4.6.<br />
<br />
The judgment of the CJEU of 17 July 2014 (ECLI:EU:C:2014:2081) is also relevant to the assessment of the application. In this case, the CJEU considered - in summary - that although a legal analysis may contain personal data, it does not in itself constitute such data within the meaning of Article 2(a) of the Personal Data Protection Directive. Unlike the data which may constitute the factual basis for the legal analysis, such an analysis cannot itself be checked and corrected by the data subject. That is not what the Data Protection Directive provides for. In its judgment of 16 March 2018 (ECLI:NL:HR:2018:365), the Supreme Court - with reference to the considerations of the CJEU in this judgment - considered that the Personal Data Protection Directive implemented by the Wbp enables the data subject to check that his or her personal data are accurate and have been processed lawfully, in order to protect the data subject's right to respect for his or her privacy. This control could then lead to the rectification, erasure or blocking of the data. The purpose of the action in those proceedings was to obtain information for the purposes of legal proceedings and not the purpose for which the Data Protection Directive was intended, so that, according to the Supreme Court, no personal data within the meaning of the Data Protection Directive were involved.<br />
4.7.<br />
<br />
In application of the aforementioned rules and jurisprudence, the court will rule as follows. It follows from the judgment of the CJEU referred to under 4.6. above that the legal analysis relating to personal data cannot be qualified as personal data. Although it can be assumed that the published decision may contain personal data of [the applicant] (see below under 4.8.), in view of the considerations of the CJEU and the Supreme Court referred to above under 4.6., the decision as such cannot be qualified as personal data within the meaning of Article 4.1 of the AVG. This is also apparent from the fact that the content of the court decision does not lend itself to verification of its correctness or to correction. The decision therefore does not fall within the scope of the AVG. The request for removal of the entire decision of www.rechtspraak.nl will therefore already be rejected.<br />
4.8.<br />
<br />
The request by [the applicant] to remove the parts of the published decision referred to in production 1 of the revised application will also be rejected. The reasons for this are as follows. The main argument is that a court decision may contain personal data within the meaning of Article 4(1) of the AVG. After all, in the judgment referred to under 4.6 above, the CJEU considered that the data constituting the factual basis for the legal analysis may be personal data within the meaning of the Personal Data Directive. The fact that those factual data are established by a court decision in accordance with the rules of procedural law does not mean that personal data no longer exist.<br />
4.9.<br />
<br />
The vast majority of the parts of the decision referred to by [the applicant] in the first part of the revised application do not relate to data which can be traced back to it, but to considerations which concern the content of the judicial decision and with which [the applicant] manifestly disagrees. The request for those parts of the decision to be erased is not consistent with the purpose of the AVG, which is to ensure the protection of the right to privacy with regard to the processing of personal data (see Article 1 of the AVG). The AVG and the right provided therein to obtain erasure of personal data under certain conditions is not intended to allow control, rectification, erasure or blocking of judicial decisions. The [applicant] is free to raise its objections to the relevant considerations in the appeal proceedings brought by it.<br />
4.10.<br />
<br />
At the oral hearing, [the applicant] claimed that the description of her person in the published decision is traceable back to her, because few AVG lawyers combine the functions referred to therein. That description reads as follows:<br />
<br />
"The applicant is a doctorate in law and a social sciences researcher. She works as an independent entrepreneur as a lecturer, author and adviser, specialising in constitutional and administrative law, including privacy law and public administration".<br />
<br />
The State has disputed that an outsider can use this description to establish that the decision concerns [the applicant]. In addition, it argued that the consideration referred to in the decision is relevant to the assessment of whether [the applicant] is a public figure and therefore forms an essential part of the decision.<br />
4.11.<br />
<br />
In so far as [the applicant] is reasonably identifiable to any other person by means of the aforementioned recital, [the applicant] cannot obtain the erasure of the data referred to in Article 17 of the AVG by relying on Article 17 of the AVG, because the provisions of Article 17(3)(b) of the AVG preclude that erasure. By publishing the decision, the District Court of The Hague fulfils its treaty and constitutional duty that judicial decisions must be made in public (Article 6(1) ECHR, Article 14(1) International Covenant on Civil and Political Rights, Article 21 Gw and Article 5(1) of the Judiciary Organisation Act). As a result, [the applicant] does not have at its disposal the right to erroneous information laid down in Article 17(1) of the AVG.<br />
4.12.<br />
<br />
The foregoing does not alter the fact that any data processing operation must comply with the principles of proportionality and subsidiarity (see recital 39 of the AVG). The interference with the interests of the data subject must not be disproportionate to the purposes of the processing and must not reasonably be capable of being achieved by other means which are less harmful to the data subject. This balancing of interests must take account of the circumstances of the case (HR 9 September 2011, ECLI:NL:HR:2011:BQ8097).<br />
4.13.<br />
<br />
In this case, the District Court of The Hague may reasonably publish the relevant consideration after weighing up the interests involved. According to established case law of the European Court of Human Rights (ECHR), the rationale of the obligation to render a judgment in public is the control of the judiciary by the public and the guarantee of the right to a fair trial. Publication of court rulings via www.rechtspraak.nl is obvious as it allows decisions to be made public to a wide audience in an easily accessible way. The interest of [the applicant] in obtaining knowledge of the decision is less important than the interest of society at large. The purpose of the data processing and publication could not have been achieved in a manner less damaging to [the applicant]. The decision was rendered anonymous and published in accordance with the anonymisation guidelines applicable to publication on rechtspraak.nl. It cannot be said that the District Court of The Hague should have gone further than that directive requires. As the State has argued, the data included in the recital are necessary for answering the legal question of whether [the applicant] is a public figure and therefore has more tolerance than the average citizen with regard to an infringement of its right to privacy. In addition, [the applicant] stated at the oral hearing that so far no one has been able to trace the decision back to her. The conclusion is therefore that the requirements of proportionality and subsidiarity have been met. There is no longer any need for an assessment of the parties' other points of view.<br />
4.14.<br />
<br />
The above means that the requests will be rejected.<br />
4.15.<br />
<br />
With reference to the decision of the Court of Appeal of Den Bosch of 1 February 2018 (ECLI:NL:GHSHE:2018:363), [the applicant] took the view that an order as to costs was contrary to European law. In this judgment, the Court (in summary) refrained from ordering the applicant to pay the costs of proceedings if he exercised his rights under the Wbp (Old Data Protection Act) and the Personal Data Protection Directive because, in view of the extent of those costs, that was considered to be an obstacle and therefore contrary to Article 47 of the Charter of Fundamental Rights of the European Union ('the Charter'). Article 47 of the Charter provides that everyone whose rights and freedoms guaranteed by Union law have been violated has the right to an effective remedy before a tribunal in compliance with the conditions laid down in that Article.<br />
4.16.<br />
<br />
In the opinion of the court or tribunal, the possibility of obtaining an order to pay costs in the context of an application under the AVG does not in itself constitute an obstacle to the right to an effective remedy guaranteed by Article 47 of the Charter. In so far as such an obstacle may already be found to exist, the judgment of the CJEU of 27 September 2017 (C-73/16, ECLI:EU:C:2017:725) is relevant, considering, inter alia, that, although Member States are, in principle, free to determine appropriate compensation for bringing an action before an administrative authority, that compensation must not be at a level which is liable to obstruct the exercise of the right to an effective remedy guaranteed by Article 47 of the Charter. In that case, the system of flat-rate costs of proceedings provides for appropriate compensation and does not entail excessively high costs. As a result, there is no reason to dispense with an order to pay costs under Article 47 of the Charter.<br />
4.17.<br />
<br />
In the light of the foregoing, [the applicant] shall be ordered to pay the costs. The costs on the part of the State are estimated to date:<br />
<br />
- court registry fee € 639<br />
<br />
- lawyer's salary € 1,086 (2 points × rate € 543)<br />
<br />
total € 1,725<br />
5 The decision<br />
<br />
The court<br />
5.1.<br />
<br />
rejects the requests,<br />
5.2.<br />
<br />
orders [the applicant] to pay the costs of the proceedings, assessed to date by the State at EUR 1 725,<br />
5.3.<br />
<br />
declares the order for costs enforceable on a provisional basis.<br />
<br />
This order was issued by M.C.H. Broesterhuizen and pronounced in public on 2 April 2020.<br />
<br />
</pre></div>MLhttps://gdprhub.eu/index.php?title=OVG_Berlin_-_OVG_3_S_24/20&diff=11346OVG Berlin - OVG 3 S 24/202020-09-15T14:48:02Z<p>ML: Created page with "{{COURTdecisionBOX |Jurisdiction=Germany |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=OVG Berlin |Court_With_Country=OVG Berlin (Germany) |Case_Number_Nam..."</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Germany<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=OVG Berlin<br />
|Court_With_Country=OVG Berlin (Germany)<br />
<br />
|Case_Number_Name=OVG 3 S 24/20<br />
|ECLI=ECLI:DE:OVGBEBB:2020:0701.3S24.20.00<br />
<br />
|Original_Source_Name_1=Entscheidungen der gerichte in Berlin und Brandenburg<br />
|Original_Source_Link_1=http://www.gerichtsentscheidungen.berlin-brandenburg.de/jportal/portal/t/ha0/bs/10/page/sammlung.psml?pid=Dokumentanzeige&showdoccase=1&js_peid=Trefferliste&documentnumber=2&numberofresults=17&fromdoctodoc=yes&doc.id=MWRE200002589&doc.part=L&doc.price=0.0&doc.hl=1#focuspoint<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
<br />
|Date_Decided=01.07.2020<br />
|Date_Published=<br />
|Year=2020<br />
<br />
<br />
|EU_Law_Name_1=Article 16 TEU - Treaty of the European Union<br />
|EU_Law_Link_1=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A12012M%2FTXT<br />
|EU_Law_Name_2=Article 17 (1) (a) (d) TEU - Treaty of the European Union<br />
|EU_Law_Link_2=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A12012M%2FTXT<br />
|EU_Law_Name_3=Article 17 (1) (a) TEU - Treaty of the European Union<br />
|EU_Law_Link_3=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A12012M%2FTXT<br />
<br />
|National_Law_Name_1=§ 4 (1) School Law of Berlin (Schulgesetz Berlin - SchulG BE)<br />
|National_Law_Link_1=http://gesetze.berlin.de/jportal/?quelle=jlink&query=SchulG+BE&psml=bsbeprod.psml&max=true&aiz=true<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=Verwaltungsgerichts Berlin<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The right to erasure (Art. 17 (1) GDPR) has been denied for documents which are part of a student's file.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A student, his/her parents and the school authority exchanged extensive correspondence. Deletion of this correspondence from the student's file was requested, as well as of a copy of one report card.<br />
<br />
=== Dispute ===<br />
The school and the authority refused to remove these documents, although the claimant argued that they do not correspond to reality.<br />
<br />
=== Holding ===<br />
An obligation to remove that document, which formed the basis for the written reprimand issued on 11 October 2018, cannot be required in a claim for interim injunction. In any event, there is no need for legal remedy in this regard in view of the appeals brought against the school regulation measure, which also open a review of the decision taken in the class conference.<br />
<br />
The argument that pages 51 to 54 contain clearly incomplete copies of notices of opposition is not comprehensible. <br />
<br />
Insofar as the applicants request the removal of the copy of the report card dated 1 February 2019 (page 2), a serious and unreasonable disadvantage, which could no longer be remedied by a decision in the main proceedings, is in any event not recognisable, in view of the undisputed failure to assess the individual subjects and the fact that an assessment of the applicant's conduct in the second place for the first half of the school year 2018/2019 can no longer be inferred from the school record.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
Court: Higher Administrative Court Berlin-Brandenburg 3rd Senate<br />
Decision date: 01.07.2020<br />
File number: OVG 3 S 24/20<br />
ECLI: ECLI:DE:OVGBEBB:2020:0701.3S24.20.00<br />
Document type: Decision<br />
<br />
Source: <br />
standards: Article 17(1) TEU 2016/679, Article 17(1)(a) TEU 2016/679, Article 17(1)(d) TEU 2016/679, Article 16 S 1 TEU 2016/679, § 4(1) SchulG BE<br />
<br />
No right to "clean up" a pupil's sheet<br />
<br />
Tenor<br />
<br />
The applicants' appeal against the order of the Berlin Administrative Court of 28 February 2020 is dismissed.<br />
<br />
The applicants shall bear the costs of the appeal.<br />
<br />
The value of the subject of the appeal is set at EUR 2,500.00.<br />
<br />
Reasons<br />
<br />
1<br />
<br />
The complaint was unsuccessful. The submission of the appeal, which is the sole subject-matter of the examination by the Higher Administrative Court (Paragraph 146(4), sixth sentence, of the VwGO), does not justify amending the order under appeal, by which the Administrative Court rejected the application for the third partial file of the pupils' sheet relating to the applicant in 2.<br />
<br />
2<br />
<br />
To the extent that the applicants claim that they were not given the opportunity to adjust their applications before the resolution was adopted in response to the defendant's written statement of 21 February 2020, in which the removal of sheet 61 of the schoolchildren's sheet was promised, this does not help the appeal to succeed, because no relevance of this circumstance is apparent - not least with regard to § 155.1 sentence 3 of the German Rules of the Administrative Courts (VwGO).<br />
<br />
3<br />
<br />
The statements of the applicants do not thoroughly question the assessment of the Administrative Court that the requirements for a claim for cancellation under Art. 17 (1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (the Basic Data Protection Regulation) do not apply to the documents cited by the applicants, since neither a loss of purpose within the meaning of Article 17(1)(a) of the Basic Data Protection Regulation nor unlawful processing under Article 17(1)(d) of the Basic Data Protection Regulation has been established. In so far as they claim that unlawful processing is the result of the fact that the file was "created for the purposes of the current procedure" and that the principles of record keeping were thus infringed, they do not provide any conclusive evidence. A formal objection to the keeping of a file does not automatically mean that a data processing operation is substantively unlawful. Irrespective of that, a non-chronological stapling, incomplete pagination or the duplication of some letters does not in itself justify the assumption of manipulation of the pupils' sheets, as alleged by the applicants. It remains both unclear for which "procedure" this is being carried out and with what motivation it is supposed to have been carried out. The argument that "the school" had tried to "put the applicant in a bad light" is speculative, since it ignores the fact that the documents in question are from two school years (2018/2019 and 2019/2020) during which the applicant attended two different schools. 
There is no other conclusion with regard to sheet 61 of the school record, because a single document, the removal of which the respondent has already agreed to, does not support such further-reaching assumptions.<br />
<br />
4<br />
<br />
The fact that, as the applicants claim in their pleadings of 30 March 2020, the pupil's form does not include various letters (such as letters from the applicants on 1 and 3, certificates and apologies for a missed class, applications for leave of absence and change of compulsory elective subject) does not allow for a reliable conclusion to be drawn that the pupil's form was subsequently changed, nor does it establish that the documents currently contained in the pupil's form need to be removed. Should the applicants consider the data on the pupil's application form to be incomplete in view of this, they are free to seek completion of the file in accordance with Art. 16 sentence 2 DSGVO. Moreover, correspondence between the applicants and the school supervisory authority in Spandau or the Senate Administration for Education, Youth and Family Affairs can, by its very nature, only be taken into account for the pupils' form if it has reached the persons responsible for keeping the pupils' form pursuant to Article 2(5) of the Regulation on the Processing of Personal Data in the School System (Schuldatenverordnung - SchuldatenV).<br />
<br />
5<br />
<br />
The complaint's argument that the correspondence between the parents and the school and the school inspectorate had no place in the pupils' record does not provide sufficient grounds for an adequate examination of the contested order. In this respect, the Administrative Court based its decision on the express provision in § 2.4 sentence 2 of the Pupils' Data Protection Ordinance, according to which the correspondence concerning the pupil is collected in the pupils' questionnaire. According to the assessment of the Administrative Court, which the applicants do not substantiate in question, this also covers correspondence with third parties. The applicants do not sufficiently explain what the requirement they have set out that correspondence with third parties cannot be included in the school questionnaire if it has any connection whatsoever with school matters, but only if it has a direct impact on the school relationship itself. The pupil's record is an instrument for recording information about a pupil and the lessons, which is required at school over a longer period of time for teaching and educational work and the necessary administrative work (§ 1 Para. 1 SchuldatenV), and, in accordance with the specific purpose of § 2 Para. 1 Sentence 1 SchuldatenV, serves on the one hand to improve understanding of the pupil's personality and at the same time as a document for cooperation between school and parents. It can only do justice to this if it covers the various aspects of the school relationship in its breadth. Both an accurate assessment of the pupil's individuality and targeted communication and cooperation with the parents (cf. § 4 subsection 1 SchulG) justify, in the pupil's interests, the measures described in § 2 subsection 1 SchuldatenV in the interests of the pupil throughout his or her school career - especially in the event of a change of school (cf. § 10 subsection 3 SchuldatenV). 
4 sentence 2 of the School Data Ordinance (SchuldatenV) - the broad understanding expressed in § 2 subsection 4 sentence 2 of the School Data Ordinance of the documentation task of the pupil's record, which also includes notes on incidents in everyday school life and the school reactions to them, as well as contacts with the parents or guardians, which substantiate their view of the child's school development. The complaint does not substantiate the fact that, contrary to the differentiating assessment of the first instance decision, the individual documents in question here do not meet these requirements, but rather, with regard to pages 17, 18, 19, 20, 21 to 25, 26, 27, 28, 29 to 30, they do not show that the child's school development has been taken into account, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 44, 47 to 50, 55, 56 to 60, 62, 64 to 66, 67 to 69, 71, 73, 75, 76, 77, 78, 79 to 80, 81 to 84.85, 87 to 89 and 90 to 112 of the pupils' questionnaire, they were "not necessary from the outset" for the purpose of collecting data.<br />
<br />
6<br />
<br />
Nor is there any justification for amending the contested decision in the light of the minutes of the class conference of 10 October 2018 (sheet 5). An obligation to remove that document, which formed the basis for the written reprimand issued on 11 October 2018, cannot be required in summary proceedings. In any event, there is no need for legal remedy in that regard, in view of the appeals brought against the school regulation measure, which include a review of the decision taken in the class conference. The applicants have not exhausted these possibilities, as the notice of appeal of 10 September 2019 has obviously become final. Apart from that, the applicants do not conclusively show that this letter does not correspond to reality and is therefore factually incorrect. A mere presumption that it is not clear whether the minutes of the class conference in the file are correct in terms of content is not sufficient to satisfy the burden of substantiation incumbent on the applicants for the existence of the grounds for cancellation (see Kamann/Braun, in: Ehmann/Selmayr, DSGVO, 2nd ed., Article 17 marginal no. 19). This also applies in consideration of the lack of a signature, as this alone does not support the assumption that the minutes are incorrect in content.<br />
<br />
7<br />
<br />
The argument that pages 51 to 54 contain clearly incomplete copies of opposition notices cannot be accepted. As the Administrative Court has already stated, these sheets are the complete duplicates of the opposition notices of 10 September 2019, which are printed on the front and back, with page numbers throughout.<br />
<br />
8<br />
<br />
In so far as the applicants request the removal of the copy of the report card of 1 February 2019 (Schedule 2), a serious and unreasonable disadvantage, which could no longer be eliminated by a decision in the main proceedings, is in any event not recognisable in view of the undisputed failure to assess the individual subjects and the fact that an assessment of the applicant's employment and social conduct in the first half of the school year 2018/2019 can no longer be inferred from the school record.<br />
<br />
9<br />
<br />
The decision on costs is based on Paragraph 154(2) of the VwGO. The determination of the amount in dispute is based on § 47 (1), § 53 (2) No. 1, § 52 (2) GKG.<br />
<br />
10<br />
<br />
This decision is unappealable (§ 152 (1) VwGO, § 68 (1) sentence 5 in conjunction with § 66 (3) sentence 3 GKG).<br />
</pre></div>MLhttps://gdprhub.eu/index.php?title=Norges_H%C3%B8yesterett_-_2019-1226-A&diff=11332Norges Høyesterett - 2019-1226-A2020-09-15T09:17:51Z<p>ML: Created page with "{{COURTdecisionBOX |Jurisdiction=Norway |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=Norges Høyesterett |Court_With_Country=Norges Høyesterett (Norway)..."</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Norway<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=Norges Høyesterett<br />
|Court_With_Country=Norges Høyesterett (Norway)<br />
<br />
|Case_Number_Name=19-014740SIV-HRET<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Norges Høyesterett<br />
|Original_Source_Link_1=https://www.domstol.no/globalassets/upload/hret/avgjorelser/2019/juni-2019/hr-2019-1226-a.pdf<br />
|Original_Source_Language_1=Norwegian<br />
|Original_Source_Language__Code_1=NO<br />
<br />
|Date_Decided=26.06.2019<br />
|Date_Published=<br />
|Year=2019<br />
<br />
<br />
|EU_Law_Name_1=Article 8 European Convention of Human Rights (ECHR)<br />
|EU_Law_Link_1=https://www.echr.coe.int/Documents/Convention_Eng.pdf<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The case concerns the validity of a decision to register the DNA profile of a person convicted of tax evasion and whether this is a disproportionate infringement of his/her privacy according to Article 8 ECHR.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The person was sent to prison for tax evasion in the years 2001 to 2006. The district court assumed that A withheld share gains totalling about NOK 4.7 million and assets of just over NOK 4.5 million from taxation. The tax benefit is stated in the judgment to be approximately NOK 1.5 million in reduced income tax and NOK 53 000 in reduced wealth tax. A was further convicted of complicity in a partner in an investment partnership evading more than NOK 700 000 in tax in the years 2003 to 2006. Finally, the person was convicted of having contributed to a total of three employees in the Eltek Group evading NOK 425 000 in tax in 2002.<br />
<br />
On 31 October 2013, Økokrim decided that the person's DNA profile should be «registered in the identity register (DNA register), cf. the Attorney General's guidelines of 1 October 2013 ».<br />
<br />
The person did not receive the decision until April 2016, and he then complained to the Attorney General. <br />
<br />
=== Dispute ===<br />
The Attorney General also discussed the relationship between Article 8 ECHR and the DNA registration.<br />
The guidelines of 15 August 2008 provided a threshold for registration which he did not consider to be contrary to Article 8 ECHR. The person whose DNA was registered claimed that his right to privacy had been infringed.<br />
<br />
=== Holding ===<br />
The registration of the person's DNA is disproportionate. Although his conviction concerns serious matters, the probability that DNA registration for this type of offense will help to clarify later offenses is small. Doubts remain as to whether the registration is sufficiently relevant and necessary for the purpose. When, in addition, access is given to use the DNA register for purely civilian purposes, the limits of proportionality are exceeded.<br />
On this basis, the registration should be deleted, and the person should be awarded legal costs for all instances. The DNA registration must therefore at all times be relevant and necessary for the purpose of the registration. The use of the information for other purposes may also be important for the proportionality assessment.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.<br />
<br />
<pre><br />
<br />
JUDGMENT
handed down on 26 June 2019 by the Supreme Court in department with<br />
Judge Bergljot Webster<br />
Judge Wilhelm Matheson<br />
Judge Per Erik Bergsjø
Judge Wenche Elizabeth Arntzen<br />
Judge Sven-Jørgen Lindsetmo<br />
HR-2019-1226-A, (case no. 19-014740SIV-HRET)<br />
Appeal against the judgment of the Borgarting Court of Appeal on 14 November 2018<br />
A<br />
(Attorney John Christian Elden)<br />
against<br />
The State v / Ministry of Justice and Emergency Preparedness (Government Advocate - for trial<br />
v / lawyer Knut-Fredrik Haug-Hustad)<br />
VOTING<br />
(1)<br />
Judge Bergsjø: The case concerns the validity of a decision to register the DNA profile<br />
a person convicted of tax evasion. The question is whether the registration is a<br />
disproportionate encroachment on his privacy, cf. the European Convention on Human Rights<br />
(ECHR) Article 8.<br />
(2)<br />
On 13 November 2012, A was sentenced to one year and six months in prison, of which six months<br />
conditional, for violations of the Tax Assessment Act. He was also sentenced to pay a fine of
225,000 kroner. Both A and the prosecution appealed, but the verdict became final after
A withdrew his appeal.
(3)
The conviction first applied to tax evasion in the years 2001 to 2006. In
the sentencing premises, the district court has assumed that A withheld share gains
together about NOK 4.7 million and assets of just over NOK 4.5 million from<br />
taxation. The tax benefit is stated in the judgment to be approximately NOK 1.5 million reduced<br />
income tax and NOK 53,000 in reduced wealth tax. A was further convicted of complicity<br />
to the fact that a partner in an investment partnership evaded more than NOK 700,000 in tax<br />
in the years 2003 to 2006. Because the companion made voluntary correction and therefore did not become<br />
punished, this amount was not taken into account in the sentencing of A. Finally, A<br />
convicted of having contributed to a total of three employees in the Eltek Group evading<br />
NOK 425,000 in tax in 2002.<br />
(4)<br />
On 31 October 2013, Økokrim decided that A's DNA profile should be «registered in<br />
the identity register (DNA register), cf. the Attorney General's guidelines of 1 October 2013 ».<br />
A did not receive the decision until April 2016, and he then complained to the Attorney General. The complaint did not
succeed. In the decision of 21 June 2016, which is under review in this case, the Attorney General justifies
the rejection as follows:
"The verdict against A was handed down in 2012 and was final the same year. The assessment of whether he<br />
shall be registered in the DNA register shall be made in accordance with the guidelines in force at the time<br />
(given in letter 15 August 2008), see guidelines in letter 17 October 2013 point I last paragraph.<br />
The threshold for registration according to the previous guidelines was somewhat higher than according to them<br />
valid, but so that all who were sentenced to unconditional imprisonment for more than 60 days should<br />
registered, see section III.2.2. A has been sentenced to one year unconditional imprisonment, and it follows from both<br />
current and current guidelines that he must be registered. "<br />
(5)<br />
In the decision, the Attorney General also discussed the relationship to Article 8 of the ECHR.
The guidelines of 15 August 2008 provided a threshold for registration which he did not consider to be in<br />
contrary to Article 8. Furthermore, he made the following comment in connection with the European<br />
Human Rights Court (EMD) Grand Chamber Decision 4 December 2008 S. and Marper v<br />
United Kingdom :<br />
The «decision… provides guidance on factors and considerations that must be weighed against each other in<br />
the assessment of whether intervention is considered 'necessary in a democratic society'. These are<br />
taken into account in the assessment of the Norwegian regulations. The said case concerns the registration of<br />
fingerprints and DNA profile, as well as storage of biological material, after<br />
criminal cases that were decided with acquittal and suspension, respectively, and the specific<br />
balance that was struck thus has limited significance for the Norwegian rules on<br />
registration in the DNA identity register. In the Attorney General's assessment, the statements in this decision<br />
do not imply that it is contrary to Article 8 of the ECHR to register in the DNA<br />
register persons who have been sentenced to imprisonment, regardless of the nature of the offense.»<br />
HR-2019-1226-A, (case no. 19-014740SIV-HRET)<br />
(6)<br />
The Attorney General found that there were no special reasons which suggested that registration should not<br />
happen. He specifically mentioned that the long time that had passed since the conviction could not be<br />
considered such a special reason.<br />
(7)<br />
Biological material was obtained from A on 12 September 2016. He then appeared before the police<br />
and had a swab taken from the oral cavity. Kripos registered the DNA profile on 26 September 2016.<br />
(8)<br />
By summons of 21 September 2016, A sued the state, claiming that<br />
the Attorney General's decision of 21 June 2016 was invalid. He argued that the decision was a<br />
disproportionate encroachment on his private life, cf. ECHR article 8 no. 2. Oslo District Court concluded that<br />
the intervention was not disproportionate and acquitted the state by judgment of 7 June 2017. A was ordered to<br />
cover the state's legal costs.<br />
(9)<br />
A appealed to the Borgarting Court of Appeal over the district court's application of the law. In addition to<br />
maintaining the allegation of disproportionality, he also argued that<br />
the DNA registration did not have a sufficient legal basis. After written proceedings, the<br />
Court of Appeal delivered judgment on 14 November 2018 with the following conclusion:<br />
«1.<br />
The appeal is rejected as far as point 1 of the conclusion of the district court's judgment is concerned.<br />
2.<br />
Each of the parties shall bear its own costs before the district court and the court of appeal.»<br />
(10)<br />
The Court of Appeal ruled that the DNA registration had sufficient legal authority. As<br />
regards the proportionality of the intervention, the Court of Appeal expressed doubts, but came to the same<br />
result as the district court.<br />
(11)<br />
A has appealed to the Supreme Court against the Court of Appeal's application of the law. He has asserted<br />
that the DNA registration does not have sufficient legal authority, and that the intervention is not<br />
proportionate under Article 8 (2) of the ECHR.<br />
(12)<br />
The Supreme Court Appeals Committee made a decision on 21 February 2019 with the following conclusion:<br />
«The appeal is to be considered by the Supreme Court with regard to the question of whether<br />
the registration of A's DNA profile in the DNA register (identity register) is<br />
disproportionate, cf. Article 8 of the ECHR. Otherwise, the appeal is not permitted to proceed.»<br />
(13)<br />
The appellant - A - has briefly stated:<br />
(14)<br />
DNA registration is disproportionate and involves a violation of<br />
ECHR Article 8 no. 2. The Attorney General's decision of 21 June 2016 must on that basis be declared<br />
void.<br />
(15)<br />
This is an encroachment on a fundamental right, and the states' margin of discretion is in such<br />
cases limited. The regulations on DNA registration in reality allow storage of DNA for an unlimited<br />
time, without the possibility of deletion or individual assessment of the convicted person's<br />
personal circumstances. As the Attorney General is the appellate body, the right of appeal is not real.<br />
Access to justice is also in many cases illusory in that a civil lawsuit<br />
- with the risk of one's own and the other party's legal costs - is the only alternative.<br />
Registration can take place regardless of whether the conviction concerns an offense that entails an increased<br />
probability of recidivism to «DNA-relevant» crime. The access to<br />
registration is thereby «blanket and indiscriminate» and thus contrary to Article 8 (2) of the ECHR.<br />
(16)<br />
Specifically, the intervention does not serve any sensible purpose and is not an effective and necessary<br />
instrument for the state. Furthermore, the Attorney General has not made an individual assessment of<br />
the need for registration. An overall assessment of the opposing considerations indicates that<br />
the registration is a disproportionate interference.<br />
(17)<br />
A has filed the following claim:<br />
«The Attorney General's decision of 21/6/16 is invalid.<br />
A is ordered to pay the costs.»<br />
(18)<br />
The respondent - the State, represented by the Ministry of Justice and Emergency Preparedness - has in brief<br />
argued:<br />
(19)<br />
The registration of A's DNA profile is not disproportionate and does not violate his rights<br />
pursuant to Article 8 of the ECHR. There are thus no grounds for invalidating the Attorney General's<br />
decision.<br />
(20)<br />
The EMD's practice shows that DNA registration is in principle a proportionate intervention<br />
in respect of convicted persons. However, there are requirements for the delimitation of<br />
the registration access - the intervention threshold - and that the privacy of the registered person must be<br />
effectively protected. The regulations in Norway meet these requirements.<br />
(21)<br />
In the specific proportionality assessment, it must be emphasized that<br />
DNA registration is a modest intervention. The delimitation of the registration access has been<br />
thoroughly assessed by the legislature and meets the requirement for «appropriate safeguards against blanket and<br />
indiscriminate taking and retention of DNA-samples». A's privacy is also protected in<br />
an effective way, among other things in that he can request deletion, appeal the decision and<br />
bring it before the courts for review. It is of central importance that he has been convicted<br />
of a serious offense, and it is not essential that DNA is not relevant for detecting<br />
tax evasion.<br />
(22)<br />
The State, represented by the Ministry of Justice and Emergency Preparedness, has filed the following claim:<br />
«1.<br />
The appeal is rejected.<br />
2.<br />
The State, represented by the Ministry of Justice and Emergency Preparedness, is awarded the costs of the case<br />
before the District Court, the Court of Appeal and the Supreme Court.»<br />
(23)<br />
My view on the matter<br />
(24)<br />
The question is, as mentioned, whether registration of A's DNA profile is a disproportionate intervention<br />
which violates his rights under Article 8 of the ECHR. The Supreme Court has full jurisdiction,<br />
cf. HR-2018-2133-A section 46.<br />
(25)<br />
Before I go into the legal issues that the case raises, I find reason to give<br />
a more detailed description of the DNA profiles to which the case relates.<br />
(26)<br />
More about the DNA profiles used in criminal justice<br />
(27)<br />
Section 45-2 no. 1 of the Police Register Regulations defines a DNA profile in the following way:<br />
«DNA profile: the result of an analysis of biological material to determine a person's<br />
identity. The DNA profile is expressed by a number combination. Profiles registered in<br />
the DNA register are referred to as identity profiles, investigation profiles and trace profiles.»<br />
(28)<br />
In NOU 2005: 19 Act on DNA registers for use in criminal justice, the so-called<br />
DNA committee explains in Chapter 3 what DNA is and how the profiles are analyzed and used. I<br />
refer generally to the presentation there. The Ministry gives in Ot.prp. No. 19 (2006−2007)<br />
section 3.1.1 on page 10 a brief description of the DNA profiles used in Norwegian<br />
criminal justice. Here it is stated, among other things, that the chosen analysis method «is not suitable for<br />
other than identification», and that information about, for example, character traits and<br />
health conditions is not revealed in the analysis.<br />
(29)<br />
The National Institute of Public Health has in an article called «Questions and answers about DNA analyses in<br />
criminal cases» stated that a DNA profile is a series of numbers based on genetic analysis of biological<br />
material, such as skin cells and blood. The Institute further states that the profiles consist of a set of<br />
markers that are unique to that person. It is stated that we in Norway - as in<br />
most other countries in Europe - operate with 17 different markers. These markers give<br />
no information about the person other than gender. In the article, the<br />
National Institute of Public Health compares the number combination in a DNA profile with «an expanded and more secure<br />
social security number». Regarding the application, the Institute states:<br />
«By comparing a DNA profile from a biological trace with a DNA profile from a<br />
reference sample, it is possible to say whether the two profiles have the same origin. This is<br />
the principle that underlies all identification work in connection with<br />
criminal cases, paternity cases and disasters.»<br />
(30)<br />
In the article, the National Institute of Public Health also emphasizes that these DNA profiles do not say anything about<br />
hereditary traits and health risks. I perceive the presentation in the article as undisputed<br />
in the case and build on it in what follows. Against this background, I note that<br />
the DNA profile used in Norwegian criminal justice does not provide information about<br />
skin color, eye color, height or physique. From what is stated, I also understand that<br />
it can clarify kinship with a significant degree of certainty. The key, however, is that<br />
the profile can establish a person's identity.<br />
(31)<br />
I conclude under this point by mentioning that it is stated in the response submitted to the Supreme Court that<br />
the DNA profiles are in a closed database to which only 13 employees in Kripos have access. Names<br />
and other personal information are in another database. The link between the databases<br />
is made using a unique number linked to the DNA profile.<br />
(32)<br />
Overview of the Norwegian regulations and legal history<br />
(33)<br />
As a background for the further discussion, I find it appropriate to give an overview of<br />
the regulations for DNA registration and the history behind it. I will come back in more detail<br />
to the most central provisions in the specific proportionality discussion.<br />
(34)<br />
By Act no. 79 of 22 December 1995, provisions on access to<br />
DNA registration were introduced in the Criminal Procedure Act § 160 a. According to the first paragraph, a<br />
central DNA register could be established with DNA profiles «of persons convicted of violation of<br />
Chapter 14, 19, 22 or 25 of the Penal Code, or for attempts at such a crime».<br />
The registration access was thus limited to persons who had been convicted under<br />
provisions in the chapters on general crimes, sexual offenses, crimes against<br />
life, body and health as well as extortion and robbery.<br />
(35)<br />
In 2004, a committee was appointed to assess changes in these rules - the DNA committee.<br />
The mandate was, among other things, to assess whether it should be possible to register a DNA profile in<br />
more types of cases, and whether a charge should be a sufficient condition for registration. The committee<br />
submitted in November 2005 the report NOU 2005: 19, which I have already referred to. In the draft of<br />
a new law on DNA registers for use in criminal justice, § 3, it was proposed that it should<br />
be allowed to register the DNA profile of persons who «have been given a criminal<br />
sanction or have been granted a waiver of prosecution pursuant to the Criminal Procedure Act § 69 for an act which<br />
according to the law may result in a custodial sentence», see page 73 in the report.<br />
(36)<br />
The Ministry of Justice and the Police proposed in Ot.prp. No. 19 (2006−2007) to expand access<br />
to DNA registration in line with the DNA Committee's proposal, but so that this should continue<br />
to be regulated in the Criminal Procedure Act § 160 a. In the proposition, the Ministry considered, among other things,<br />
whether a charge should be sufficient for registration and what criminal offenses<br />
should qualify for this. The relationship to human rights was discussed in section 3.1.4. I<br />
will come back to the assessments that the ministry made here, but already find<br />
reason to quote the following from pages 19 to 20 of the proposition:<br />
«Against this background, the ministry sees a need for more precise and targeted regulation<br />
of what should and should not qualify for registration - in line with the current legal situation<br />
where there is both a 'must-rule' and a 'can-rule', cf. the prosecution instruction § 11a – 2.<br />
The Ministry therefore believes that the most appropriate thing would be to open up for extensive<br />
registration in the law, but that access is made optional. Such an approach gives<br />
room for the registration access to be restricted and made more concise in regulations.<br />
The approach also takes into account that the expansion can take place gradually. In light of<br />
the statements of the consultative bodies, it may, for example, be relevant to exclude the less<br />
serious violations, such as minor violations of the Road Traffic Act and<br />
violations of police statutes. For other violations, the registration access may be<br />
made optional. However, a not insignificant extension is planned in the regulations<br />
compared with current rules, so that the register has sufficient effect. The more detailed<br />
delimitation will be left to the work on the prosecution instructions.»<br />
(37)<br />
The Ministry proposed that section 160 a of the Criminal Procedure Act should provide access to DNA registration<br />
of all those who were "punished for an act which by law may result in a custodial sentence".<br />
The proposal was adopted without changes on this point, see Inst. O. No. 23 (2007−2008) page<br />
10.<br />
(38)<br />
When A was convicted in 2012, access to DNA registration was still regulated in<br />
Section 160 a of the Criminal Procedure Act. The first paragraph had this wording:<br />
«Whoever is punished for an act that according to the law may result in a custodial sentence can be<br />
registered in the identity register. Registration in the identity register can only take place when<br />
the decision is final or the case is finally settled. Before this time, a sample<br />
obtained pursuant to section 158 can be registered in the investigation register. An act for which<br />
a simplified fine is issued does not provide a basis for registration.»<br />
(39)<br />
The provision thus provided a right to register DNA on certain conditions, but no obligation.<br />
Furthermore, registration could only take place upon conviction for offenses of a certain seriousness.<br />
Anyone who was only suspected, charged or indicted could not be registered in the identity register.<br />
(40)<br />
Section 160 a, sixth paragraph, stated that the information in the DNA register could only be used in<br />
criminal justice, but so that regulations could be issued on use for research purposes. Seventh<br />
paragraph provided a general authority to issue further provisions, including on storage,<br />
deletion and right of appeal.<br />
(41)<br />
Through the prosecution instructions, Chapter 11 a, the Ministry issued further provisions on<br />
DNA registration. Access to registration was regulated in § 11a-1. The third paragraph of the<br />
provision provided a framework for the registration access that coincided with the conditions in<br />
the Criminal Procedure Act § 160 a. The competence to provide supplementary guidelines was in<br />
§ 11a-12 delegated to the Attorney General.<br />
(42)<br />
Pursuant to this legal basis, the Attorney General issued new guidelines in a circular of<br />
15 August 2008 - RA-2007-569. Chapter III of the circular contains provisions on<br />
registration in the identity register, and in chapter no. 2 it is initially stated in the first paragraph:<br />
«The guidelines apply to persons who have been legally convicted as of 1 September<br />
2008. For judgments handed down before this time, the previous rules and guidelines apply.<br />
The following persons must from the said time be registered in the identity register, unless<br />
there are very special circumstances:<br />
1.<br />
Everyone who, as of 1 September 2008, has by final judgment of a Norwegian court been sentenced to<br />
unconditional imprisonment or detention for more than 60 days. Registration must take place<br />
regardless of which offense the sentence applies to. …»<br />
(43)<br />
In the second paragraph, the Attorney General states that registration «only in very exceptional cases» should be omitted<br />
«if a person falls within the guidelines», and that the reservation «very special<br />
circumstances» is intended to capture «atypical situations that will occur infrequently and<br />
where registration is clearly not expedient». This is justified by a desire to avoid<br />
«a difficult assessment of the specific need for registration of the individual offender».<br />
(44)<br />
The Police Register Act was passed in 2010, but § 12 - which is central in this case - did not<br />
enter into force until September 2013. The Criminal Procedure Act § 160 a first to fourth paragraphs were carried over<br />
without amendments into the Police Register Act § 12 second paragraph, see the special remarks to<br />
the provision in Ot.prp. no. 108 (2008−2009) page 299. The sixth paragraph, stating that<br />
the information can only be used in criminal justice, was also retained. The Ministry discusses in<br />
point 4.3.1 of the proposition the relationship to ECHR Article 8, something I will return to.<br />
(45)<br />
Section 4 of the Police Register Act states that information may be «processed for the purpose for which it was<br />
obtained or for other police purposes», unless otherwise provided by law or<br />
pursuant to law. Section 5 states that information can only be processed when it is<br />
«necessary for purposes as mentioned in § 4». In our context, «information» means<br />
personal information about natural persons, cf. § 2 no. 1 and the special remarks to<br />
the provision on page 291 of the proposition.<br />
(46)<br />
Pursuant to various provisions in the Police Register Act, including section 12,<br />
the Police Register Regulations were adopted in September 2013. Chapter 45 contains provisions on<br />
the DNA register. Pursuant to section 45-1, there shall be a DNA register consisting of an<br />
identity register, an investigation register and a trace register. The stated purpose is to<br />
«help to solve crime by facilitating the comparison of DNA profiles<br />
for identification purposes in criminal justice». Section 45-6 contains further provisions on<br />
what information can be registered in the various registers. Here it appears that in<br />
the identity register, DNA profiles can be registered from persons as mentioned in<br />
the Police Register Act § 12 second paragraph. There are otherwise detailed rules on, among other things,<br />
processing of the information, access and disclosure, access and right of appeal. I find<br />
reason to cite the provision on deletion of information in § 45-17 first paragraph:<br />
«Information in the identity register shall be deleted if the registered person is legally acquitted<br />
after reopening. Otherwise, the identity profile must be deleted no later than 5 years after the person in question<br />
has died, or earlier if continued registration obviously will no longer be<br />
appropriate. …»<br />
(47)<br />
I also mention § 45-18, where it appears that biological material that has been the<br />
analytical basis for DNA profiles shall be destroyed «as soon as registration of the profile has<br />
taken place or the purpose of the investigation has been achieved». This also follows from the<br />
Criminal Procedure Act § 158 second paragraph. The right of appeal is regulated in § 45-20.<br />
(48)<br />
The Attorney General issued new guidelines for the registration of DNA in a circular on 17 October<br />
2013 - RA-2012-2261. The introduction to the circular states that the Attorney General has<br />
decided to lower the threshold for registration in the identity register «considerably». It appears<br />
further that the circular is the result of a balancing of conflicting considerations:<br />
«The guidelines below are determined after a balancing of various considerations, where the desire<br />
to combat and solve criminal offenses, privacy concerns and capacity are<br />
central. DNA is undoubtedly a useful contribution in combating and solving<br />
breaches of integrity and serious crime. As of today, the Norwegian authorities unfortunately do not have<br />
research-based and accurate data on the number of repeat offenders of<br />
different kinds and on details regarding the identity register's direct significance for the solving<br />
of cases. Based on experience and feedback from the police, there is still<br />
no doubt that a number of serious offenses are committed by persons who have already been punished<br />
for actions of varying severity. Preliminary findings in the evaluation of<br />
the DNA reform initiated by the Norwegian Police Directorate also show that DNA is a useful<br />
aid in cases where traces are secured.»<br />
(49)<br />
Point II, first paragraph, No. 1, stipulates that the following persons must be registered in<br />
the identity register:<br />
«a)<br />
Everyone who in this country has been sentenced to detention, unconditional imprisonment (including sentencing),<br />
juvenile punishment or community punishment. Registration must take place regardless of which<br />
offense the judgment applies to.<br />
The same applies to anyone who has been sentenced to transfer to compulsory psychiatric<br />
health care or compulsory care.<br />
b)<br />
Anyone who has been sentenced to conditional imprisonment for a violation or attempted violation<br />
of the Penal Code 2005 §§ 231-232, provisions in Chapter 26, §§ 282-283,<br />
§§ 271-275, § 322 cf. § 321 or § 328 cf. § 327. The same applies to the corresponding<br />
provisions of the Penal Code 1902 (i.e. § 162, Chapter 19, § 219, §§ 228-233,<br />
§ 258 cf. § 257 or § 268 cf. § 267).<br />
c)<br />
Anyone who has been fined or has accepted a fine issued by the Norwegian<br />
prosecuting authority for violation or attempted violation of provisions in<br />
Penal Code 2005 Chapter 26, § 322 cf. § 321 or § 328 cf. § 327. The same<br />
applies to the corresponding provisions in the Penal Code 1902 (i.e. Chapter 19,<br />
§ 258 cf. § 257 or § 268 cf. § 267).»<br />
(50)<br />
This is a provision that in principle does not leave room for discretion. The third<br />
paragraph states, however, that registration may be omitted «if there are very special<br />
circumstances in the individual case that make registration clearly not expedient».<br />
(51)<br />
The circular stipulates that this applies to persons whose case has been finally decided<br />
as of 1 October 2013, and that the previous guidelines apply to judgments handed down before<br />
this time. This basically means that the validity of the decision in A's case must be<br />
assessed according to the circular from 2008. At the same time, it is agreed that the provisions of the new<br />
circular must be applied to the extent that these are more favorable to him. The same must<br />
apply to the choice between the rules in the prosecution instructions and the police register regulations. I<br />
rely on the Police Register Regulations, unless there is reason to do<br />
otherwise. Because the Police Register Act § 12 coincides with the Criminal Procedure Act<br />
§ 160 a as it read in 2013, I refer in what follows only to the former.<br />
(52)<br />
Article 8 of the ECHR and the proportionality assessment when registering DNA etc.<br />
(53)<br />
Article 8 of the ECHR has this wording in Norwegian translation:<br />
«1.<br />
Everyone has the right to respect for his private and family life, his home and his<br />
correspondence.<br />
2.<br />
There shall be no interference by public authority in the exercise of this<br />
right except when this is in accordance with the law and is necessary in a<br />
democratic society for the sake of national security, public safety<br />
or the country's economic welfare, to prevent disorder or crime,<br />
to protect health or morals, or to protect the rights and freedoms of others.»<br />
(54)<br />
Registering a person's DNA profile is an invasion of privacy. According to Article 8 of the ECHR,<br />
such an intervention may only take place if the decision has legal authority, is justified by a legitimate<br />
purpose and is proportionate, cf. for example HR-2017-1130-A section 42. In this case<br />
it is undisputed that the registration serves a legitimate purpose in that it can contribute to<br />
fighting crime. By the judgment of the Court of Appeal, it is further legally decided that<br />
the legal basis satisfies the quality requirements that have been set. The validity of the Attorney General's<br />
decision therefore depends solely on whether the registration of A's DNA profile is a<br />
disproportionate interference with him.<br />
(55)<br />
The requirement of proportionality is expressed through the wording «necessary in a<br />
democratic society». In HR-2015-206-A section<br />
60, the first-voting justice states that the proportionality assessment «must have the balance in mind<br />
between the protected individual interests on the one hand and the legitimate<br />
societal needs that justify the measure on the other». Of particular interest in this<br />
context is that the condition of necessity is, among other things, linked to the consideration of «preventing<br />
disorder or crime».<br />
(56)<br />
I also take as my starting point the description of the proportionality requirement given in<br />
EMD's Grand Chamber Decision 4 December 2008 S. and Marper v. UK section<br />
101 et seq. The case concerned precisely the proportionality of registration of DNA profiles from two<br />
complainants. Complainant S. was an eleven-year-old boy who was arrested and charged with robbery. He was<br />
later acquitted. The other complainant - Marper - was charged with ill-treatment of his partner,<br />
but the case was dropped after they were reconciled. In section 101, the EMD begins the presentation of<br />
the proportionality requirement as follows:<br />
«An interference will be considered 'necessary in a democratic society' for a legitimate<br />
aim if it answers a 'pressing social need' and, in particular, if it is proportionate to the<br />
legitimate aim pursued and if the reasons adduced by the national authorities to justify it<br />
are 'relevant and sufficient'. »<br />
(57)<br />
The need for the intervention must then be included in the balance, and it must be examined whether the<br />
legislator's assessments are relevant and sufficient. The EMD further emphasizes in section 103 that<br />
the national rules must provide guarantees - «appropriate safeguards» - against the use of<br />
personal data incompatible with Article 8. Legislation must ensure that storage<br />
of such information is «relevant and not excessive in relation to the purposes for which<br />
they are stored». In the same place, the EMD also points out that the states' regulations must provide effective<br />
protection against misuse of the information.<br />
(58)<br />
On the other hand, in section 104, the EMD states that the consideration of crime prevention<br />
can have a decisive weight in the balance. The discussion of the general starting points<br />
ends as follows in the section:<br />
«The interests of the data subjects and the community as a whole in protecting the<br />
personal data, including fingerprint and DNA information, may be outweighed by the<br />
legitimate interest in the prevention of crime (see Article 9 of the Data Protection<br />
Convention). However, the intrinsically private character of this information calls for the<br />
Court to exercise careful scrutiny of any State measure authorizing its retention and use<br />
by the authorities without the consent of the person concerned (see, mutatis mutandis, Z v.<br />
Finland , cited above, § 96). »<br />
(59)<br />
The states' margin of discretion seems to be limited in this area. In the S. and Marper judgment<br />
section 102, the EMD emphasizes that the margin of discretion «will tend to be narrower where the right<br />
at stake is crucial to the individual's effective enjoyment of intimate or key rights». I<br />
understand our case to concern precisely such fundamental rights as the EMD<br />
discusses here. Similarly, the EMD states in its judgment of 22 June 2017, Aycaguer v. France,<br />
which also concerned the registration of a DNA profile, that the margin of discretion is usually limited when<br />
a particularly important aspect of the person or identity of a person is at stake, see section<br />
37. I also refer on this point to the judgment of 18 September 2014 Brunet v. France<br />
section 34. It concerned personal data other than DNA profiles, but is still of<br />
interest in this context.<br />
(60)<br />
Based on these general starting points, I turn to look more specifically at the EMD's<br />
view on the proportionality of registration of DNA profiles. I first mention that the EMD<br />
recognizes the important role that DNA plays in the fight against crime. In the S. and Marper<br />
judgment, the EMD states in paragraph 105 that it finds it «beyond dispute that the fight against<br />
crime, and in particular against organized crime and terrorism, which is one of the<br />
challenges faced by today's European societies, depends to a great extent on the use of<br />
modern scientific techniques of investigation and identification». The court follows up<br />
this in section 106 by acknowledging the importance of DNA profiles in the work of uncovering<br />
crime.<br />
(61)<br />
Corresponding statements have been made in other decisions. I will confine myself to mentioning the Aycaguer<br />
judgment, where this is commented on in section 34. According to the EMD's excerpt in English,<br />
the court states here that it «fully realizes that in order to protect their population as<br />
required, the national authorities can legitimately set up databases as an effective means of<br />
helping to punish and prevent certain offenses,…».<br />
(62)<br />
However, the EMD stipulates that the registration access must be limited. I find<br />
it again natural to take as a starting point the Grand Chamber judgment S. and Marper. In section<br />
110 the EMD points out that England, Wales and Northern Ireland seemed to be the only<br />
jurisdictions that allowed the indefinite storage of fingerprints and DNA material<br />
of «any person of any age suspected of any recordable offense». The court follows up<br />
this in paragraph 119, where it states that it is «struck by the blanket and indiscriminate<br />
nature of the power of retention in England and Wales».<br />
(63)<br />
The term "blanket and indiscriminate" is also referred to in other decisions from the EMD. In<br />
the rejection decision of 4 June 2013 Peruzzo and Martens v Germany, section 43, the EMD takes<br />
this criterion as its starting point when it holds the specific case up against the S. and<br />
Marper judgment. I also refer to the Brunet judgment section 36. This must be understood so that<br />
national regulations must set barriers to registration access based on precise<br />
criteria.<br />
(64)<br />
The EMD's practice also emphasizes that the national rules must offer sufficient<br />
legal security and privacy guarantees. The court formulates the general<br />
principle as follows in the Peruzzo and Martens decision, paragraph 42:<br />
«The Court has specified in this connection that domestic law must afford appropriate<br />
safeguards to prevent any such use of personal data as may be inconsistent with the<br />
guarantees of this Article. »<br />
(65)<br />
The EMD's decisions provide guidance on aspects and assessment topics that are relevant in<br />
the proportionality assessment. Firstly, the Court seems to attach great importance to whether this<br />
is the registration of the DNA profile of a person who has been convicted. In the S. and<br />
Marper judgment, as mentioned, the complainants had not been convicted of a crime. The EMD highlights in paragraph<br />
122 that DNA registration in such cases has a side to the presumption of innocence and implies<br />
a risk of stigma:<br />
«Of particular concern in the present context is the risk of stigmatisation, stemming from<br />
the fact that persons in the position of the applicants, who have not been convicted of any<br />
offense and are entitled to the presumption of innocence, are treated in the same way as<br />
convicted persons. In this respect, the Court must bear in mind that the right of every<br />
person under the Convention to be presumed innocent includes the general rule that no<br />
suspicion regarding an accused's innocence may be voiced after his acquittal… »<br />
(66)<br />
In the Peruzzo and Martens decision, section 43 et seq., the EMD argues why the result<br />
must be different from that in the S. and Marper judgment. Here it is first emphasized that both Peruzzo and<br />
Martens were convicted, see section 44. At this point, I also refer to the judgment of 18 April<br />
2013 MK v France section 42 and Brunet judgment section 37.<br />
(67)<br />
In its decisions, the EMD further emphasizes the seriousness of the offense. In the S. and<br />
Marper judgment, the court points out that the regulations in England and Wales allowed for<br />
registration of DNA «irrespective of the nature or gravity of the offense with which the<br />
individual was originally suspected», see section 119. Similarly, the court states in<br />
the rejection decision of 7 December 2006 van der Velden v. the Netherlands in paragraph 2 that<br />
it is not unreasonable to require DNA testing of persons convicted of offenses «of a<br />
certain severity». And in the rejection decision of January 20, 2009 W. against the Netherlands,<br />
the term "certain gravity" is used during the discussion of Article 8.<br />
(68)<br />
The appellant has emphasized that A has not been convicted of an offense to which DNA can contribute<br />
clarification. This raises the question of whether the nature of the offense is significant in<br />
the proportionality assessment.<br />
(69)<br />
As I just mentioned, in the S. and Marper judgment paragraph 119, the EMD emphasized that<br />
national regulations opened for registration regardless of «the nature or gravity of the<br />
offense». A similar wording is used in Aycaguer judgment paragraph 43, while I do not<br />
find references to the nature of the offense in the other decisions to which the parties have referred. I<br />
am not aware of any decision that requires that the registration of a DNA profile<br />
should only be able to take place after conviction for offenses where DNA can contribute to clarification -<br />
"DNA-relevant" offenses. On the other hand, the EMD has not had any appeal either<br />
to make such a claim. Here I refer to the fact that all the decisions about DNA registration<br />
seem to apply to crime where DNA can contribute to clarification, such as violence, robbery,<br />
drug offenses and sexual offenses.<br />
(70)<br />
As I interpret the EMD's practice, the nature of the offense is a factor that may be<br />
relevant in the overall proportionality assessment. At the same time, there are no clues<br />
for the "DNA relevance" of the offense alone to be given decisive importance.<br />
(71)<br />
Deletion access and deletion routines have a central place in many of the EMD's decisions. In<br />
the Grand Chamber judgment S. and Marper, the EMD emphasized that the national rules allowed for<br />
"indefinite retention" of, among other things, DNA profiles, see section 110. I also refer to<br />
the judgment of 17 December 2009 Gardel v. France. The case concerned the registration of<br />
personal information in what is called "The Sex Offenders Register". The French<br />
regulations stipulated that deletion should take place no later than after 30 years for the most serious crimes,<br />
at the same time as it was possible to appeal the registration decision, see sections 17 and 68.<br />
The complainant was sentenced to 15 years in prison for sexual intercourse with a minor. The EMD concluded<br />
that the complainant's rights under Article 8 of the ECHR had not been violated and appears in paragraph 69 to have placed<br />
significant emphasis on deletion routines. Here it says, among other things:<br />
«The Court considers that this judicial procedure for the removal of data provides for<br />
independent review of the justification for retention of the information according to<br />
defined criteria (see S. and Marper, cited above, § 119) and affords adequate and<br />
effective safeguards of the right to respect for private life,… »<br />
(72)<br />
At this point, I also refer to the Brunet judgment, section 41.<br />
(73)<br />
Practice from the EMD shows that the storage of the profiles, access to the data and<br />
confidentiality are elements that must be included in the proportionality assessment.<br />
The Court emphasized this in the judgment in S. and Marper, see paragraph 103. In the same way, the<br />
EMD drew this factor into the assessment in the rejection decision W. against the Netherlands. In<br />
the decision on page 7, the court emphasizes that the DNA material was stored «anonymously<br />
and encoded».<br />
(74)<br />
The parties seem to agree that complaint opportunities and access to judicial review are also<br />
elements that are included in the proportionality assessment. I agree with that. This is, in<br />
my view, implicit in the EMD's discussions of deletion routines in several cases, see among other things<br />
the cited paragraph 69 of the Gardel judgment.<br />
(75)<br />
In general, there is no doubt that the intensity of the intervention has a central place in the trade-offs.<br />
In the van der Velden decision, the EMD stated on page 7 that «the interference at issue was<br />
relatively slight». The Brunet decision section 39 can be understood differently, but it applied to<br />
other types of personal information than DNA and is not completely unambiguous. For my part, I find<br />
there is little doubt that the storage of personal data is taken more seriously today<br />
than just a few years ago. Another issue is that the way the samples are taken cannot be characterized<br />
as stressful. I'll come back to this.<br />
(76)<br />
Finally, under this point, I mention that the appellant has compared the Norwegian rules<br />
with the regulations in other European countries. As I see it, the legal situation in other states<br />
is not without interest in a case like this. But the importance of state practice lies first and<br />
foremost in that the EMD takes this into account in its decisions, so that legal opinions that have<br />
broad support among the states that have joined the ECHR affect the legal situation. Against this<br />
background, I do not see a need to provide a presentation of the regulations in other countries.<br />
(77)<br />
The legislator's considerations<br />
(78)<br />
As I have mentioned, the legislator's assessments and considerations are central to<br />
the proportionality assessment, see for example section 101 of the S. and Marper judgment.<br />
Against this background, I find it appropriate to give an overall presentation of<br />
the preparatory statements addressing the relationship to Article 8 of the ECHR.<br />
(79)<br />
The DNA Committee assessed in NOU 2005: 19 point 4.5 restrictions under international law<br />
the right of registration, including the relationship to Article 8 of the ECHR<br />
the committee that the registration of a person's DNA profile was an invasion of privacy after<br />
the provision. The committee found - based on the limitations and barriers that<br />
then - that such registration was proportionate, see page 37.<br />
(80)<br />
As mentioned, the Ministry of Justice and the Police submitted a proposal to extend access to<br />
DNA registration in Ot.prp. No. 19 (2006−2007). In section 3.1.4, the Ministry assesses<br />
the relationship to Article 8 of the ECHR. It is stated at the outset that some consultative bodies had<br />
called for a more thorough assessment of this issue, in particular of proportionality.<br />
The Ministry then states that the registration is an interference within the meaning of the provision.<br />
It then states:<br />
"When it comes to obtaining DNA, the procedure - stroking a cotton swab on the inside of the<br />
oral cavity - must be able to be characterized as modest for the person concerned. The<br />
DNA registration itself also constitutes a minor intervention: First, the register is a pure<br />
identity register, where no information has been registered that can reveal characteristics<br />
beyond gender. The registration therefore has limited privacy implications,<br />
which is reinforced by the fact that the DNA samples (the actual DNA material) according to the ministry's<br />
proposal should not be kept after the DNA profile (number code) has been registered. True,<br />
the DNA profile is registered together with information about the basis for the registration<br />
(a final decision stating that the person has committed a criminal act),<br />
but this personal information is stored securely and is subject to strict control.<br />
Only the registrar (the manager of Kripos) or the person he authorizes has access to<br />
the register, and the register shall at all times be protected from access and kept<br />
inaccessible to unauthorized persons, cf. the Prosecution Instructions § 11a – 6 second paragraph. In addition,<br />
the person who has been registered is notified immediately, and anyone can request information about whether<br />
the register contains information about him/her and what this information is about.<br />
The right of access and adversarial proceedings and extradition restrictions have been central when<br />
The EMD has assessed whether public registers with personal data are compatible with the ECHR<br />
Article 8. »<br />
(81)<br />
The Ministry then holds the intervention up against the purpose of increasing the clearance rate. About<br />
this, the ministry states:<br />
"On the other hand, the use of DNA is considered necessary and very suitable in<br />
light of what is desired to be achieved - to increase the clearance rate in criminal cases. The DNA profile<br />
is an important (and sometimes crucial) piece of evidence in criminal cases where<br />
biological traces exist, as it provides a reliable identification of the perpetrator. There is therefore<br />
good reason to believe that the number of confessions is increasing where searches against the registers yield DNA hits,<br />
while innocents can be excluded from a case. In this way, the DNA evidence can<br />
to some extent counteract incorrect charges and convictions. A not insignificantly extended access<br />
to registration with opportunities to search the identity and trace register, will lead to<br />
the duration and scope of the investigation being reduced and police resources released. "<br />
(82)<br />
By extension, the Ministry also points out that the necessity assessment must take into account<br />
that «the crime picture has changed in a negative direction in recent times, and that this<br />
development may intensify in the years to come». Other<br />
development features are also highlighted in support of extended access to DNA profile registration,<br />
such as criminal groups becoming increasingly better organized, cooperation between criminal<br />
networks, internationalization, greater brutality and professionalization as well as specialization of<br />
criminals. The Ministry states that there is «a clear need for effective instruments that<br />
combat this development», and that «an extended DNA register will lead to more cases<br />
being clarified». The discussion ends as follows:<br />
"Against this background, the modest encroachment on privacy is -<br />
in the Ministry's view - reasonable in relation to the goals that public authorities want to<br />
achieve by the procedure. The intervention is therefore considered 'necessary in a democratic society'.<br />
The Ministry will also note that the proportionality assessment will also be made when<br />
the detailed threshold for registration shall be laid down in regulations. "<br />
(83)<br />
I also refer to the discussion of which criminal offenses should qualify for<br />
registration in section 3.4.4.2 on pages 19−20, which I have also touched on earlier. Here<br />
the Ministry highlights that it is «crucial to find a good balance between the consideration of an effective<br />
exploitation of the potential of DNA registration for better and faster resolution<br />
of criminal offenses, a sensible use of resources, and consideration for the individual's<br />
privacy». Furthermore, it is pointed out that the rules should be easy to apply, and not to too great<br />
a degree invite discretionary assessments.<br />
(84)<br />
The relationship to Article 8 of the ECHR was also considered when the Police Register Act was introduced. In<br />
Ot.prp. No. 108 (2008−2009), the discussion of proportionality has been expanded and nuanced<br />
compared to the one I just referred to. In section 4.3.1 on page 39, the<br />
Ministry states:<br />
«The police's registration and other information processing contribute significantly to<br />
the fight against crime, not least in connection with police prevention<br />
activities. The proportionality requirement must nevertheless be an important guideline in<br />
the formulation of the rules that form the basis for police information processing.<br />
It must be a basic principle that the authorizations are not extended beyond what is<br />
necessary in relation to the purpose the intervention is to serve. Since<br />
fighting crime is a fairly broad purpose, there may be a need to undertake a<br />
proportionality assessment even if the treatment itself is necessary to<br />
fight crime. For example, it may be appropriate to adapt the police<br />
authorizations to the severity of the crime, so that the authorizations go further in the event of serious<br />
crime. Although all forms of crime are basically a threat to the<br />
democratic society, society is not served by too extensive monitoring from<br />
the police's side.»<br />
(85)<br />
As I see it, the Ministry has in these preparatory statements made thorough<br />
assessments of the proportionality of DNA registration. Relevant considerations have been drawn<br />
forward and weighed. The Ministry has intended that the registration must not be more<br />
comprehensive than necessary to fulfill the purpose of combating crime, and in<br />
this connection, it is suggested that the severity of the crime must be taken into account. I can,<br />
on the other hand, not find evidence that the registration should be reserved for offenses of a<br />
certain character, if the crime first has the required severity.<br />
(86)<br />
In my view, these assessments must have weight in the assessment of the intervention vis-à-vis A. Against<br />
this background, I turn to the more specific proportionality assessment.<br />
(87)<br />
More about the proportionality assessment<br />
(88)<br />
The decisive factor for the validity of the decision on registration is the proportionality of the<br />
concrete intervention against A, see S. and Marper judgment section 106. At the same time, I have shown<br />
that the counters and guarantees in the national regulations must be given a central place in<br />
the assessments. I will therefore also hold the Norwegian rules - which I have already given an<br />
overview of - up against the requirements derived from the EMD's practice.<br />
(89)<br />
The starting point is that it is a matter of registering a DNA profile that shows<br />
the sex of the data subject, but which is otherwise «not suitable for anything other than identification»,<br />
cf. Ot.prp. No. 19 (2006−2007) page 10. It does not say anything about hereditary traits,<br />
health risk, appearance or physique. I remind you in this context that<br />
the biological material shall be destroyed as soon as the registration of the profile has been made or<br />
the purpose of the investigation has been achieved, see the Criminal Procedure Act § 158 second paragraph and<br />
the Police Register Regulations § 45-18. In this lies a guarantee against later abuse and<br />
dissemination of sensitive information. The biological material obtained from A has, in<br />
line with this, been destroyed. The actual sampling cannot be considered intrusive - a sample<br />
has been taken from A's oral cavity with a swab or mouth sponge.<br />
(90)<br />
Furthermore, there seems to be a widely accepted view that registration of DNA profiles is<br />
an effective means of increasing the clearance rate and fighting crime. This is<br />
emphasized with weight in draft legislation, at the same time as it is assumed that the use of DNA in<br />
the administration of justice only becomes more important as the crime picture changes. The EMD has in a number<br />
of decisions recognized the important role that DNA plays in the fight against crime. In<br />
section 104 of the S. and Marper judgment, the Court has held that the consideration of<br />
crime prevention can have a decisive weight in the proportionality assessment,<br />
see also sections 105 and 106.<br />
(91)<br />
At the counter, this point is illustrated through references to relapse statistics from<br />
Statistics Norway - «Accused persons in base year, by main crime group by<br />
recent recidivism and main crime group ». The statistics show a significant<br />
recidivism risk in all major crime groups. Here it is of particular interest that<br />
the risk of relapse is as high as 39.3 per cent also in the group that has been convicted of<br />
white collar crime. It is further worth noting that the convicts in this group<br />
to some extent fall back to other crime, including crime where DNA can<br />
contribute to clarification, such as other crimes of profit, violence, sexual offenses and<br />
drug offenses. Although the risk of relapse into such crime is relatively<br />
modest, the figures show that the fight against crime does not only affect cases<br />
where the conviction concerns what in the case is called "DNA-relevant" crime.<br />
(92)<br />
The review of the EMD's practice in this area has shown that the national regulations<br />
must set precise limits on registration access and offer legal certainty and<br />
privacy guarantees. At this point, I first point out that the Police Register Act § 12 second<br />
paragraph no. 1 only allows for the registration of DNA profiles of persons who "have been sentenced".<br />
In other words, suspicion or accusation is not sufficient. A is sentenced to punishment by<br />
the district court's final judgment. The case is thus in a different position than what was the case<br />
in the EMD's judgments in, for example, the S. and Marper case and the Brunet case.<br />
(93)<br />
The Norwegian rules further stipulate that punishment must be imposed for a crime of<br />
some severity. The requirement under the Police Register Act § 12 second paragraph no. 1 is that the person in question<br />
must be punished "for an act which according to the law may result in a custodial sentence".<br />
The registration of A's DNA profile followed the guidelines in the Attorney General's circular from<br />
2008, where the condition as mentioned was a sentence of unconditional imprisonment or detention for more than<br />
60 days. A has been sentenced to prison for one year and six months, of which six months conditional.<br />
(94)<br />
I believe that our rules meet the requirements set out in the EMD's practice on this point.<br />
And it must in my view be clear that A is convicted of an offense that is serious enough that<br />
registration in principle can take place. To use the terminology in the EMD's decision in the van<br />
der Velden case, it is a matter of an offense "of a certain severity"<br />
that the legislature has thoroughly assessed which criminal offenses should qualify for<br />
registration, see Ot.prp. No 19 (2006-2007) point 3.4.4.2.<br />
(95)<br />
Admittedly, A has not been convicted of a type of offense where DNA normally contributes to clarification.<br />
But as I have mentioned in my review of the EMD's practice, this can at most<br />
be no more than one element in a broad assessment. Moreover, Statistics Norway's<br />
statistics suggest that persons convicted of financial crime have a<br />
higher risk of committing a new crime than those previously unpunished. This increased risk<br />
also applies to recidivism to "DNA-relevant" crime.<br />
(96)<br />
According to the Police Register Regulations § 45-17 first paragraph, DNA profiles must first be deleted automatically<br />
five years after the death of the data subject. No provisions have been made for a reassessment<br />
of the need at certain time intervals. I assume that the storage is thereby in practice<br />
indefinite, see for example the EMD's judgment in the MK case section 45. Basically,<br />
this is a moment that clearly points in the direction of disproportion.<br />
(97)<br />
When this in my view still cannot be decisive, it is due to the opportunity to<br />
require deletion contained in § 45-17. According to the provision, deletion shall be made «if<br />
continued registration will obviously no longer be appropriate». Based, among other things, on<br />
the state's procedure, I understand this so that the registered person, pursuant to<br />
the provision, may request deletion and receive an individual assessment of his case. The terms<br />
for achieving deletion appear to be restrictive, but here there is still a<br />
safety valve that must have weight in the overall assessment.<br />
(98)<br />
In this context, I would also like to remind you that decisions on registration can be appealed to<br />
superior prosecuting authority pursuant to the Police Register Regulations § 45-20, an opportunity that A has<br />
taken advantage of. The Attorney General is the appellate authority. A has argued that the right of appeal<br />
is thereby not real, in that the Attorney General has also given the guidelines for<br />
registration of DNA profiles. I do not agree with this. It is not unusual that<br />
the appellate body also has a responsibility for the regulations against which the appeal is assessed. I<br />
assume that the right of appeal is practiced so that it is a real guarantee of legal certainty.<br />
(99)<br />
Access to justice comes in as an additional guarantee, which this case is an<br />
example of. In my view, it is not a conclusive objection that the data subject is<br />
referred to civil action.<br />
(100) When weighing, I also place considerable emphasis on the privacy guarantees that are embedded in<br />
the regulations. I have already mentioned that a very limited number of people actually have<br />
access to the DNA profiles. As mentioned, the Police Register Act § 12 sixth paragraph states that<br />
the information in the DNA register should only be used in criminal justice. After<br />
Section 45-11 of the Police Register Regulations, access to the DNA register's profile database must be restricted<br />
to «a small number of persons who have been specifically authorized to search the database by<br />
service needs». Chapter 45 of the regulations provides further detailed provisions on, among other<br />
things, processing responsibilities, processing of information, access and disclosure,<br />
duty of information and access as well as blocking, deletion and storage.<br />
(101) A has objected that the guarantees in the police register regulations have been eroded by the<br />
decision of the Supreme Court's Appeals Committee in HR-2018-2241-U. The case concerned the question of denying paternity.<br />
The registered father had previously given a DNA sample in a criminal case, and the profile was<br />
registered in the DNA register. The majority of the Appeals Committee came to the conclusion that section 24 of the Children's Act had to take precedence over<br />
section 12, sixth paragraph, of the Police Register Act, so that information could be obtained from the police<br />
DNA register in the paternity case, see section 26.<br />
(102) As I see it, the possibility that information from the DNA register can also be used in<br />
paternity cases probably entails an additional burden for the registered person. This can still<br />
not be given decisive importance in the proportionality assessment. This is a narrow<br />
exception to the rule that DNA profiles should only be used in criminal justice. In this<br />
connection, I also point out that there will systematically be no contradiction between<br />
the child's and the possible father's interest in having the paternity clarified, see section 25 in<br />
the appeal committee decision.<br />
(103) After an overall balancing of the intersecting considerations, I have come to the conclusion that<br />
A's DNA profile is not a disproportionate intervention against him, cf. Article 8 (2) of the ECHR.<br />
In the assessment, I place considerable emphasis on the fact that he has been convicted of a serious offense, which<br />
statistically increases the risk of recidivism, also to "DNA-relevant" crime.<br />
The registration access is limited in the regulations in a sufficiently precise manner and is not<br />
«blanket and indiscriminate». In my view, it is also important that the Norwegian rules open up<br />
for deletion after a specific assessment, at the same time as detailed provisions on, among<br />
other things, access, blocking, access and storage provide the necessary privacy guarantees.<br />
The appeal will then be rejected.<br />
(104) Legal costs, etc.<br />
(105) The state has won the case and is in principle entitled to legal costs according to the main rule in<br />
the Disputes Act § 20-2 first paragraph. However, the case has raised unresolved questions of principle,<br />
at the same time as I also emphasize the balance of power between the parties. Legal costs<br />
are therefore not awarded to any instance, cf. the Disputes Act § 20-2 third paragraph.<br />
(106) I am voting in favor of this<br />
JUDGMENT:<br />
1. The appeal is rejected.<br />
2. Legal costs are not awarded to any instance.<br />
(107) Judge Arntzen: I have come to the appeal.<br />
(108) I agree with the first voter's thorough review of the Norwegian regulations and of<br />
Article 8 of the ECHR, but have a different view than him on the specific<br />
proportionality assessment.<br />
(109) In a number of decisions, the EMD has summarized the proportionality assessment for<br />
DNA records, most recently in the judgment of 22 June 2017 Aycaguer v France section 38:<br />
«38.<br />
Personal data protection plays a primordial role in the exercise of a person's<br />
right to respect for his private life enshrined in Article 8 of the Convention.<br />
Domestic law must afford appropriate safeguards to prevent any such use of<br />
personal data as may be inconsistent with the guarantees of that Article. The<br />
need for such safeguards is all the greater where the protection of personal data<br />
undergoing automatic processing is concerned, not least when such data are<br />
used for police purposes. The domestic law should, in particular, ensure that<br />
such data are relevant and not excessive in relation to the purposes for which<br />
they are stored, and preserved in a form which permits identification of the<br />
data subjects for no longer than is required for the purpose for which those<br />
data are stored. The domestic law should also comprise safeguards capable of<br />
effectively protecting the personal data recorded against inappropriate and<br />
wrongful use (see BB, cited above, § 61), while providing a practical means of<br />
lodging a request for the deletion of the data stored (see BB, cited above,<br />
§ 88 and Brunet ,… »<br />
(110) The DNA registration must therefore at all times be relevant and necessary based on the purpose<br />
with the registration. The use of the information for other purposes may also be important<br />
for the proportionality assessment.<br />
(111) In our case, the controversial DNA registration is due to a conviction for gross misconduct<br />
tax evasion in the period 2001 to 2006. Although the conviction concerns serious offenses, it is,<br />
however, not a question of offenses that DNA can help solve (DNA-relevant<br />
offenses). A main question in the case is what significance the type of offense should be given<br />
in the proportionality assessment pursuant to Article 8 of the ECHR.<br />
(112) I point out at the outset that the legislature has not considered the types of criminal offenses<br />
which shall provide a basis for registration. In Ot.prp. No. 19 (2006–2007) section 3.4.4.2, the<br />
Ministry states:<br />
«Extensive registration [will] be very resource intensive and expensive. The registration must<br />
have a clear utility function. Both the Attorney General and the Oslo Police District emphasize that the<br />
extended registration provided for by both the majority and (to a lesser extent) the minority<br />
will also lead to people who are hardly in any risk group for committing a new crime<br />
being registered».<br />
(113) This is the reason why the Ministry in the following paragraph points out the need «for a more<br />
precise and targeted regulation of what should and should not qualify for registration». It<br />
is assumed that the registration access is "narrowed and made more concise in regulations", but beyond<br />
a few examples, no further guidelines are given for this narrowing.<br />
(114) The guidelines for which criminal offenses are to provide a basis for registration are set out<br />
of the Attorney General's circular. It says that those who have been sentenced to unconditional imprisonment must<br />
registered in the DNA register «regardless of which offense the judgment applies to».<br />
(115) That the nature of the offense shall be irrelevant where the person in question has been sentenced to unconditional imprisonment<br />
lacks, in my view, a further justification. When the DNA register was established in 1995,<br />
the so-called DNA sample assessed whether the registration access should be based on the type of<br />
offense, the penal framework of the law or the sentence imposed. A delimitation based on the last two<br />
alternatives was rejected as "not very useful" because such factors do not say anything about<br />
the possibility of finding clues in connection with the offense that are suitable for the commission of<br />
DNA analysis », cf. NOU 1993: 33 page 30. The Ministry, for its part, found« of principle<br />
reasons that the crime categories should be stated directly in the text of the law », cf. No. 55<br />
(1994–1995) page 10. This is the reason why the registration access in<br />
the Criminal Procedure Act § 160 a until the amendment in 2008 was limited to apply to<br />
conviction for certain categories of DNA-relevant crimes.<br />
(116) It is unclear what usefulness it has to register all persons who have been sentenced to unconditional<br />
imprisonment. As stated in the introduction to the Attorney General's latest circular of October<br />
2013, there was no “research-based and accurate data on how many people commit<br />
repeated crime of various kinds and about details regarding the identity register's direct<br />
importance for clarification of cases, unfortunately ». The first voter has referred to a statistic from<br />
Statistics Norway with recidivism figures from 2009. It seems to me that the recidivism percentage for<br />
DNA-relevant crime is low for people who have previously been convicted of financial<br />
crime. In our case, the Court of Appeal assumes that «the probability that<br />
registration of the person's DNA will help to solve later offenses is small » in the case of<br />
tax evasion. The state has not objected to this assessment.<br />
(117) There is no EMD practice that directly addresses the significance that<br />
the nature of the criminal offense shall be given in the proportionality assessment. Apart from<br />
general statements about the meaning of "the nature or gravity of the offense", as the<br />
first voter also points out, the 2017 Aycaguer ruling is probably the closest we get to<br />
the situation in our case. The question was whether the complainant, after being sentenced to two months<br />
conditional imprisonment for beating police officers during a trade union rally, could be required<br />
to submit biological material for the purpose of registration in the DNA register. Section 43 states:<br />
«Thus, the Court notes that no differentiation is currently provided for according to the<br />
nature and / or seriousness of the offense committed, notwithstanding the significant<br />
disparity in the situations potentially arising under Article 706-55 CPP. The applicant's<br />
situation bears witness to this, with events occurring in a political / trade-union context,<br />
concerning mere blows with an umbrella directed at gendarmes who have not even been<br />
identified (…), contrasting with the seriousness of the acts liable to constitute the very<br />
serious offenses set out in Article 706-55 CPP, such as sex offenses, terrorism, crimes<br />
against humanity and trafficking in human beings, to mention but a few. To that extent<br />
the instant case is very different from those specifically relating to such serious offenses<br />
as organized crime (see S. and Marper…) or sexual assault (see Gardel, BB and MB<br />
…). »<br />
(118) As regards the possibility of deletion, the EMD states in paragraph 44 that<br />
«Convicted persons should also be given a practical means of lodging a request for the<br />
deletion of registered data (…). That remedy should be made available in order to<br />
ensure that the data storage period is proportionate to the nature of the offenses and the<br />
aims of the restrictions ”(in Article 8 of the Convention).<br />
(119) With reference to the duration of the storage period of 40 years and the lack of possibility for<br />
deletion, the EMD found in paragraph 45 that the registration scheme did not maintain a fair balance<br />
between the competing public and private interests at stake.<br />
(120) I deduce from this that the nature of the offense is a factor in<br />
the proportionality assessment, which harmonizes best with the necessity criterion in<br />
Article 8 of the ECHR.<br />
(121) A problem with the Norwegian registration scheme is that the nature of the offense is without<br />
significance in cases such as A's, both for the question of whether registration is to take place and for<br />
the assessment of a possible later request for deletion. Only if the registered person becomes<br />
unable to commit offenses - typically due to illness or old age - will<br />
the registration, according to the information provided, be eligible for deletion. This implies that the duty to delete<br />
the information in the DNA register "no later than 5 years after the person's death",<br />
cf. the Police Register Regulations § 45-17 first paragraph, will by and large function «as a norm rather<br />
than a maximum », to use the wording in, inter alia, Aycaguer judgment paragraph 42.<br />
The rejection of A's complaint - ten years after the criminal offenses were terminated - is in that sense<br />
illustrative.<br />
(122) In the proportionality assessment, I place further emphasis on the Supreme Court's Appeals Committee<br />
ruling HR-2018-2241-U, which as of today means that the right of access under the Children's Act<br />
§ 24 takes precedence over the requirement in the Police Register Act § 12 sixth paragraph that the information in<br />
The DNA register can only be used in criminal justice.<br />
(123) Ever since the DNA register was established in 1995, the law has prohibited use of<br />
the information for purposes outside the criminal justice system. That the ban has been a key premise<br />
for the legislature appears from the preparatory work for the law. Already in NOU 1993: 31 page 29, the<br />
DNA sample assessed the "theoretical possibility" of finding kinship via the DNA<br />
register. In NOU 2005: 19 page 47, it is, in short, assumed that<br />
the DNA register is a "pure identity register" which "should only be used in criminal justice".<br />
To this end, the Ministry notes in Ot.prp. No. 19 (2006–2007) page 19 that no one sees<br />
privacy concerns with the committee majority's proposal «as the register is intended to be<br />
used today - namely exclusively as an identity register ».<br />
(124) When the registration authority in 2010 was transferred from the Criminal Procedure Act § 160 a to<br />
§ 12 of the Police Register Act, secondary use of the information - that is, use for other<br />
purposes - was discussed in light of the principle of purposefulness in privacy law and in the ECHR<br />
Article 8, cf. Ot.prp. No. 108 (2008–2009) page 51 et seq. Worth noting in this<br />
connection is that the general provision on purposefulness in section 4 of the Act allows<br />
information obtained for police purposes to also be processed for other purposes<br />
where this is authorized by law. The special provision in § 12 sixth paragraph that the information in<br />
the DNA register "only [shall] be used in criminal justice", is a tightening in relation to § 4.<br />
This tightening shows in my view that the purpose statement in connection with the use of<br />
the DNA register was supposed to be absolute.<br />
(125) The legislature has therefore not assessed - and consequently not chosen - a registration scheme<br />
which shall also be available for use for civil purposes. This aspect of<br />
the legislative process may in itself have an impact on the proportionality assessment,<br />
cf. the Grand Chamber decision of 22 April 2013 Animal defenders international against the United Kingdom<br />
section 108. In addition, the right to use the DNA register also for civilian purposes<br />
makes registration more intrusive. I refer in this context to<br />
Grand Chamber decision of 4 December 2008 S. and Marper v. United Kingdom where the EMD in<br />
section 75 states the following about the use of<br />
DNA register for mapping relationships:<br />
«The Court notes in this regard that the Government accepted that DNA profiles could<br />
be, and indeed had in some cases been, used for familial searching with a view to<br />
identifying a possible genetic relationship between individuals. They also accepted the<br />
highly sensitive nature of such searching and the need for very strict controls in this<br />
respect. In the Court's view, the DNA profiles' capacity to provide a means of identifying<br />
genetic relationships between individuals (see paragraph 39 above) is in itself sufficient to<br />
conclude that their retention interferes with the right to the private life of the individuals<br />
concerned. The frequency of familial searches, the safeguards attached thereto and the<br />
likelihood of detriment in a particular case are immaterial in this respect . »<br />
(126) Section 39, to which the EMD refers here, deals with kinship searches in criminal justice :<br />
«Familial searching is the process of comparing a DNA profile from a crime scene with<br />
profiles stored on the national database, and prioritizing them in terms of 'closeness' to a<br />
match. This allows possible genetic relatives of an offender to be identified. Familial<br />
searching might thus lead to revealing previously unknown or concealed genetic<br />
relationships. »<br />
(127) The possibility of searching the DNA register for purely civilian purposes, more specifically for mapping<br />
of paternity according to the Children Act § 24, comes in addition to, and in principle also goes further than,<br />
kinship searches for use in criminal justice.<br />
(128) The circumstances I have now pointed out, in my view, mean that the registration of A is<br />
disproportionate. Although his conviction concerns serious matters,<br />
the probability that DNA registration in this type of offense will help to clarify<br />
later offenses is small. As long as the nature of the offense has no bearing on the initial<br />
registration or on the possibility of having the registration deleted, doubts are left as to whether<br />
the registration is sufficiently relevant and necessary for the purpose. When, in addition, access has been<br />
opened to use the DNA register for purely civilian purposes, I find that the limit of what is<br />
disproportionate is exceeded.<br />
(129) On this basis, my conclusion is that the registration should be deleted, and that A be awarded<br />
legal costs for all instances.<br />
(130) Judge Lindsetmo:<br />
I essentially and in the result agree with the<br />
first voter, judge Bergsjø.<br />
(131) Judge Matheson:<br />
Likewise.<br />
(132) Judge Webster:<br />
Likewise.<br />
(133) Following the vote, the Supreme Court dismissed this<br />
JUDGMENT:<br />
1.<br />
The appeal is rejected.<br />
2.<br />
Legal costs are not awarded for any instance.<br />
</pre></div>MLhttps://gdprhub.eu/index.php?title=VGH_M%C3%BCnchen_-_7_CE_20.1822&diff=11324VGH München - 7 CE 20.18222020-09-15T08:02:42Z<p>ML: Created page with "{{COURTdecisionBOX |Jurisdiction=Germany |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=Verwaltungsgerichtshof Bayern |Court_With_Country=Verwaltungsgerichts..."</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Germany<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=Verwaltungsgerichtshof Bayern<br />
|Court_With_Country=Verwaltungsgerichtshof Bayern (Germany)<br />
<br />
|Case_Number_Name=VGH 7 CE 20.1822<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Bayerische Staatskanzlei<br />
|Original_Source_Link_1=https://www.gesetze-bayern.de/Content/Document/Y-300-Z-BECKRS-B-2020-N-20467?hl=true<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
<br />
|Date_Decided=19.08.2020<br />
|Date_Published=<br />
|Year=2020<br />
<br />
|GDPR_Article_1=Article 4(1) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#1<br />
<br />
<br />
|National_Law_Name_1=Article 4 (1) Bavarian Press Law (Bayerisches Pressegesetz - BayPrG)<br />
|National_Law_Link_1=https://www.gesetze-bayern.de/Content/Document/BayPrG/true<br />
|National_Law_Name_2=Article 5 (1) Basic Law for the Federal Republic of Germany (Grundgesetz - GG)<br />
|National_Law_Link_2=https://www.gesetze-im-internet.de/englisch_gg/index.html<br />
|National_Law_Name_3=Article 11 BayPrG<br />
|National_Law_Link_3=https://www.gesetze-bayern.de/Content/Document/BayPrG/true<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=VG Ansbach<br />
|Appeal_From_Case_Number_Name=AN 14 E 20.1446<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
Request for information on the cumulative total number of COVID-19 infections in a county of Bavaria does not interfere with data protection law and Article 11 BayPrG is not applicable.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
As a freelance editor of the daily newspaper "Main-Post", the applicant asserts a right to information under press law by way of interim relief.<br />
The defendant challenges the decision of the Ansbach Administrative Court, which granted the application, by lodging an appeal. He submits that the cumulative total of COVID-19 cases in the individual administrative district communities since the outbreak of the infection in Germany, as requested by the applicant, does not justify a far-reaching public interest in information, nor does it allow a conclusion to be drawn on health risks which could justify a particular urgency in providing information. The decision does not provide any information on the public interest in information to be weighed up. <br />
<br />
=== Dispute ===<br />
A journalist of the "Main-Post" requested the cumulative total of COVID-19 cases in the municipalities of county N. in Bavaria since the outbreak of the pandemic in Germany.<br />
The district of N. consisted of 38 municipalities, some of which had fewer than 1,000 inhabitants. The defendant argues that due to the small-scale and village character alone, it can be expected that a reconstruction of personal references is easily possible. He refers to the statements of the Bavarian State Commissioner for Data Protection in his Current Information 31 "Statistical data on COVID-19 diseases accurate to the community?" (as of 1.7.2020), according to which it is only in municipalities with at least 10,000 inhabitants that he does not generally raise any data protection-related objections to the disclosure of daily total numbers of diseases since the beginning of the SARS Cov-2 pandemic.<br />
<br />
=== Holding ===<br />
Article 11 BayPrG is not applicable. This rule applies to situations of further processing of data by press companies. However, it cannot be inferred from the statements made by the Bavarian Commissioner for Data Protection that the information requested by the applicant, relating to those municipalities in the district of N. in which fewer than 10 000 people live, makes it possible to draw conclusions about persons specifically affected. The applicant is not requesting information on the daily infection figures, but only on the cumulative total number of infections documented to date in the individual municipalities. On the basis of these flat-rate figures over a period of several months (since January 2020), it cannot be assumed - even in small communities with low infection rates - that it is possible to draw conclusions about specific persons at reasonable expense without further facts.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
<br />
Title:<br />
Request for information on the cumulative total number of COVID-19 infections in a county<br />
Standard chains:<br />
BayPrG Art. 4 para. 1<br />
VwGO § 123 (1) sentence 2, § 146, § 152, § 154 (2)<br />
ZPO § 920<br />
Basic Law Article 5(1)<br />
GKG § 47, § 52 (2), § 53 (2) No. 1<br />
Keywords:<br />
Press law information request, SARS Cov-2 pandemic, community-specific infection figures, claim, order, injunction, emergency legal protection, reporting, SARS Cov-2, information, information request, COVID-19, interest in information, health data, pandemic<br />
lower court:<br />
VG Ansbach, decision of 03.08.2020 - AN 14 E 20.1446<br />
Place of discovery:<br />
BeckRS 2020, 20467<br />
<br />
Tenor<br />
I. The appeal is dismissed.<br />
II. The defendant is ordered to pay the costs of the appeal proceedings.<br />
III. The amount in dispute for the appeal proceedings is set at EUR 2,500.<br />
Grounds<br />
I.<br />
1<br />
As a freelance editor of the daily newspaper "Main-Post", the applicant asserts a claim for information under press law by way of interim relief.<br />
2<br />
By order of 3 August 2020, the Ansbach Administrative Court granted the applicant's application for a temporary injunction pursuant to Section 123 (1) sentence 2 of the German Rules of the Administrative Courts (VwGO) and obliged the defendant to provide the applicant with information on how many confirmed COVID-19 cases there are to date in District N., broken down by the individual municipalities in the district.<br />
3<br />
That decision is challenged by the defendant in his appeal. He submits that the cumulative total figures of COVID 19 cases in the individual rural district communities since the outbreak of the infection in Germany, as requested by the applicant, do not establish a far-reaching public interest in information, nor do they allow conclusions to be drawn about health risks which could justify a particular urgency in providing information. The decision does not provide any information on the public interest in information to be weighed up. The rate of infection in the district concerned is very low. The figures at district level are reported daily, so that the public's interest in information is taken into account. The Court of First Instance failed to take account of the private rights or fundamental rights of third parties. The administrative district is extremely small, the majority of the municipalities are village-based. Therefore, information about the municipalities concerned was an essential starting point for locating the persons affected. Since "everybody knows everybody", it is possible to quickly reconstruct the personal data. This leads - as past cases have shown - to the identification of affected persons and the impairment of personal rights. Furthermore, the information requested by the applicant did not have sufficient topicality to justify a temporary injunction. The requested numerical material does not show any rate of increase in the number of persons currently tested positive for COVID-19. However, a possibly still recognisable reference to the present lacked the necessary weight due to the lack of up-to-date information.<br />
4<br />
The defendant claims that the Court should<br />
5<br />
reject the applicant's application, amending the order of the Ansbach Administrative Court of 3 August 2020.<br />
6<br />
The applicant claims that the Court should<br />
7<br />
dismiss the appeal.<br />
8<br />
In support of his claims, he essentially submits that rights to information under press law are regularly urgent. It falls within the right of self-determination of the press to decide whether there should be timely reporting. The Administrative Court had rightly denied that the right of personality of persons who are ill had been infringed, since without additional information such as name, age or sex, the incidence figures alone do not allow any conclusion to be drawn as to identity even in the case of municipalities with a small number of inhabitants. The reported case of a family from O. does not change this assessment. For in this case, in addition to the place name and the acute infection, the fact that the family had returned from a skiing holiday in South Tyrol in February was also reported. The information provided by the Bavarian State Commissioner for Data Protection is irrelevant here because neither the Bavarian Data Protection Act nor the General Data Protection Regulation (DSGVO) applies because of Article 11 BayPrG.<br />
9<br />
For further details of the state of facts and of the dispute, reference is made to the contents of the court files of both instances.<br />
II.<br />
10<br />
The admissible complaint is unsuccessful on the merits. For the reasons given in the appeal proceedings, which the Senate is limited to examining (Paragraph 146(4), first and sixth sentences, of the VwGO), it does not follow that the decision of the administrative court must be amended.<br />
11<br />
1 The Administrative Court rightly assumes that the applicant has substantiated a claim for an injunction (§ 123 (3) VwGO, § 920 ZPO). The defendant's obligation, which the administrative court tends to deny, to notify the applicant of the cumulative total infection figures broken down by the municipalities in the district of N. since the beginning of the SARS Cov-2 pandemic does not - this is to be admitted by the defendant - constitute a provisional arrangement but a definitive anticipation of the main proceedings. With the provision of information, the applicant's claim under Article 4(1) BayPrG is fulfilled and any substantive issues are settled. This is because the applicant is requesting one-off information in the present proceedings. It is therefore not important that the infection figures possibly change during the course of the (judicial) proceedings. The Administrative Court initially assumed that there was no anticipation of the main proceedings. However, in the alternative, it justified its decision by stating that in the present individual case the more stringent requirements for an anticipation of the main proceedings by a final decision were also met. This is not objectionable.<br />
12<br />
The prohibition of anticipating the main proceedings does not preclude an order under Paragraph 123 of the German Rules of the Administrative Courts (VwGO) if this is necessary to grant effective legal protection and a high degree of probability indicates that the claim pursued in the main proceedings is well-founded (BVerwG, U.v. 18 April 2013 - 10 C 9.12 - NVwZ 2013, 1344 marginal no. 22; BayVGH, B.v. 18 March 2020 - 7 CE 19.2143 - juris marginal no. 16). In this context, stricter requirements must be imposed on the presentation of both the asserted reason for the order and the claim for the order. The stronger the reason for the order, the more likely it is that an anticipation at the expense of the authority will be considered (stRspr, cf. e.g. BayVGH, B.v. 24 January 2017 - 7 CE 16.2056 - juris marginal no. 9; Happ in Eyermann, VwGO, 15th edition 2019, § 123 marginal no. 66a).<br />
13<br />
These conditions are met here. The defendant does not succeed in its argument that the applicant's request for information lacks the necessary topicality. It must be borne in mind in this connection that, in principle, the press itself decides, within the limits of the law, whether and how it reports on a particular subject. The "whether" and "how" of reporting is part of the right of self-determination of the press, which also protects the manner in which it procures information directed at it under fundamental rights. The right of self-determination in terms of time also includes the freedom of the press to decide whether reporting should be timely. In this context, however, it is sufficient if urgent legal protection is only granted if there is an increased public interest and the reporting has a strong relevance to the present (cf. BVerfG, B.v. 8 September 2014 - 1 BvR 23/14 - juris para. 30), so that the issue of a temporary injunction is necessary to avert substantial disadvantages. In order for the press to be able to exercise its control and mediation function, no excessive requirements may be imposed, particularly with regard to the topicality of a report. Therefore, an increased public interest and a strong reference to the present cannot be denied in principle simply because the reporting is not aimed at reports that cannot be postponed, such as the discovery of serious breaches of the law by state decisions, and it remains possible at a later date (BVerfG, B.v. 8.9.2014 loc. cit. para. 30). In the present case, the applicant has sufficiently demonstrated why it needs the requested information immediately and that the temporary injunction applied for is still necessary for this purpose even at the time of the appeal decision. 
The applicant's argumentation, which the Administrative Court rightly follows, that it is currently of high public interest to report on the development of the SARS Cov-2 pandemic, also in relation to specific areas, is not objectionable. The reporting intended by the applicant has sufficient topicality. Irrespective of the fact that it is questionable whether he could even claim this in the present case, it is currently not necessary for the applicant to know daily infection figures in order to be sufficiently up-to-date. The press must remain free to decide for itself which data basis it will use for its reporting. An evaluation and weighting of the press' interest in information is generally not possible. It is not compatible with the constitutional protection of the press (Article 5 (1) sentence 2 of the Basic Law) to make the enforcement of its interest in information dependent on a state assessment of the content of the information request. The press decides for itself what it considers to be in the public interest and what not. It is therefore up to the press itself to assess what information it needs in order to prepare a specific topic for the purpose of possible reporting (see BVerwG, U.v. 16.3.2016 - 6 C 65.14 - juris nos. 18 f.).<br />
14<br />
2 The Administrative Court also rightly assumes that the applicant can in principle base the claim for information asserted by him (claim for an injunction) on Art. 4 BayPrG. According to this, the press has a right to information vis-à-vis authorities which it can exercise through its editors (Art. 4 Para. 1 Sentences 1 and 2 BayPrG).<br />
15<br />
a) The District Office, as the authority obliged to provide information, may only refuse to provide information if there is a duty of confidentiality based on civil service law or other legal provisions (Art. 4 para. 2 sentence 2 BayPrG). The Bavarian Press Act does not provide for a right to refuse to provide information beyond the aforementioned confidentiality obligations. However, the Administrative Court rightly assumes that duties of confidentiality not only follow from (general) "secrecy regulations", but that limits may also arise to the right to information under press law if the answer to an enquiry affects the fundamental rights of third parties, such as the right to informational self-determination as a special expression of the general right of personality (cf. e.g. BayVGH, U.v. 7 August 2006 - 7 BV 05.2582 - juris marg. 48). The protection of individuals against unauthorised disclosure of their personal data is covered by the right to informational self-determination as a characteristic of the general right of personality (Art. 1(1) and Article 2(1) of the Basic Law; Articles 100, 101 of the Federal Constitution) (fundamentally BVerfG, U.v. 15 December 1983 - 1 BvR 209/83 and others - BVerfGE 65, 1/43; BayVGH, U.v. 7 August 2006 - 7 BV 05.2582 - VGH as amended 59, 196/204). This fundamental right guarantees the individual's right to decide when and within what limits personal life facts, including health data such as COVID-19 infections, are disclosed.<br />
16<br />
b) If fundamental rights positions oppose each other, they are to be brought into an appropriate balance, and it is to be weighed in particular whether the constitutionally guaranteed freedom of the press (Article 5.1 sentence 2 of the Basic Law) or the interest in secrecy, which is also constitutionally protected, of the district residents infected or sick with COVID-19 is to be given preference (see BVerwG, U.v. 27 September 2018 - 7 C 5/17 - juris marginal no. 29; BayVGH, U.v. 24 November 2016 - 7 B 16,454 - juris marginal no. 17). The requested information on the cumulative total number of persons who have fallen ill with COVID-19 since the beginning of the pandemic in relation to the respective area of the 38 rural district communities in the district of N. does not constitute an encroachment on the scope of protection of the fundamental right to informational self-determination. In the end, it is therefore no longer necessary to weigh up the various options.<br />
17<br />
c) The Administrative Court rightly assumed that an infringement of the personal rights of private individuals is not to be feared and consequently affirmed the applicant's right to information regarding the question asked. The defendant did not succeed in its argument that the general right of personality of the persons concerned was also affected if they could be individualised or identified without being named.<br />
18<br />
aa) The information requested by the applicant is already not personal data. According to Art. 4 No. 1 Half. 1 DSGVO, personal data is all information relating to an identified or identifiable natural person.<br />
19<br />
The desired information (community-specific cumulative infection figures since the beginning of the SARS Cov-2 pandemic) clearly does not refer to concrete, named persons, but only to the abstract total number of COVID-19 infections in the individual district communities.<br />
20<br />
Nor is it information whose personal reference is not evident from the desired concrete data set, but which can be established with the help of otherwise known information and thus with the help of so-called additional knowledge. According to the case law of the Federal Administrative Court (U.v. 27.11.2014 - 7 C 20.12 - juris marg. no. 41), it must be decided on a case-by-case basis whether a deanonymisation of data and thus a subsequent individual assignment to a person can be expected with sufficient probability. This is not the case in the present case, contrary to the statements in the grounds of appeal.<br />
21<br />
The applicant's request for information extends, without demanding further differentiation, to the cumulative total number of COVID-19 infections in District N. broken down by the individual district communities since the beginning of the pandemic. A further differentiation, e.g. according to the number of patients recovered, hospitalised or deceased, or according to the number of currently "active" cases, or according to the gender or age of the affected persons, is not requested. Particularly against the background that the reporting period of the requested information covers the total duration of the SARS-CoV-2 pandemic since January 2020 and no further differentiations are queried apart from the community-specific breakdown, the information content of the requested information is reduced to such an extent that it offers too few starting points for further research aimed at obtaining additional knowledge, on the basis of which it would be possible to draw conclusions about a specific person. In particular, the Senate is of the opinion that the requested information does not allow conclusions to be drawn about persons currently acutely infected or ill with COVID-19.<br />
22<br />
bb) This applies irrespective of the fact, which the defendant has put forward in the statement of grounds of appeal, that the district of N. consists of 38 municipalities, some of which have fewer than 1,000 inhabitants. The defendant cannot succeed with the argument that, due to the small-scale and village character alone, it can be expected that a reconstruction of personal references is easily possible. Nor does the reference to the statements of the Bavarian State Commissioner for Data Protection in his Current Information 31 "Statistical data on COVID-19 diseases accurate to the community?" (as of 1.7.2020), that only in municipalities with at least 10,000 inhabitants does he not generally raise any data protection-related objections to the disclosure of daily total numbers of diseases since the beginning of the SARS-CoV-2 pandemic, help the defendant to succeed.<br />
23<br />
It is true that, contrary to what the applicant claims, data protection requirements must be observed in the present case, as stated above. For in the present constellation it must be examined whether the defendant is obliged to hand over the requested data to the applicant. In the context of this examination, data protection aspects must be taken into account. Art. 11 BayPrG is not applicable in this relationship. This provision applies to the perspective of further processing of data by press companies, which must be distinguished from the present one. However, the reverse conclusion cannot be drawn from the statements made by the Bavarian Commissioner for Data Protection that the information requested by the applicant in this case with regard to those administrative district communities in the District of N. in which fewer than 10,000 people live makes it possible to draw conclusions about those specifically affected. This is because the applicant is not requesting information on the daily infection figures, but only on the cumulative total number of infections documented to date in the individual municipalities. On the basis of these flat-rate figures over a period of several months (since January 2020), it cannot be assumed - even in small communities with low infection rates - that it is possible to draw conclusions about specific persons at reasonable expense without further facts. The Senate does not ignore the fact that it is generally easier to reconstruct personal data in very small municipalities than in larger ones. However, there is a lack of other data categories (e.g. time of infection, number of patients recovered, hospitalised and deceased, number of "active" cases) or other location-related and concrete indications in individual cases (cf. the example of the BayLfD, Aktuelle Kurzinformation 31, p. 2 box) which could be used to produce an individualisation with reasonable (research) effort.<br />
24<br />
This also applies with regard to the case of a family from the district municipality O., named by the defendant, which had partially fallen ill with COVID-19 in February 2020 and was under considerable social pressure due to press reports in which the municipality O. was named. This situation cannot be compared with the present constellation. Notwithstanding the fact that the pandemic was still in its early stages in the Federal Republic of Germany at that time and that there was therefore a great deal of media interest in the first people to fall ill with COVID-19, the fact that the infection was "active" and the immediate return of the family from a skiing holiday in South Tyrol were published at that time in addition to the data "COVID-19 infection" and "name of the municipality". Such additional facts are missing in the present case. The applicant seeks only information on the total number of infections without demanding further differentiation. A reconstruction of the personal reference is not to be feared - without additional knowledge of at least the respective infection dates since January 2020 - at any rate with reasonable effort. In particular, it cannot be assumed that currently infected or sick persons can be identified. For even if the applicant and, if applicable, the public obtains knowledge of the spatial distribution of the occurrence of infections in the district through the requested information, this does not allow any conclusion to be drawn as to when the infections were present there and thus no reliable indication for further investigations and subsequently the reconstruction of a reference to a person.<br />
25<br />
As a result, the requested information on the cumulative infection figures in the individual district communities does not lead to the reconstruction, at reasonable expense, of which natural persons there were or are infected with COVID-19. The information requested is therefore not personal data. This means that the scope of protection of the basic right to informational self-determination is not violated.<br />
26<br />
It is therefore no longer necessary in the present case to weigh this against the applicant's interest in information, which is constitutionally guaranteed by the freedom of the press.<br />
27<br />
The decision on costs is based on § 154 (2) VwGO. The determination of the amount in dispute results from sec. 47, sec. 53 para. 2 no. 1, sec. 52 para. 2 GKG in conjunction with No. 1.5 of the Catalogue of Disputed Values for Administrative Jurisdiction (printed by Eyermann, VwGO, 15th edition 2019) and corresponds to the amount in dispute in first instance proceedings.<br />
28<br />
This decision is not subject to further appeal (§ 152 (1) VwGO).<br />
<br />
</pre></div>MLhttps://gdprhub.eu/index.php?title=BGH_-_BGH_VI_ZR_405/18&diff=11285BGH - BGH VI ZR 405/182020-09-08T13:36:10Z<p>ML: ML moved page BGH - BGH VI ZR 405/18 to BGH - VI ZR 405/18</p>
<hr />
<div>#REDIRECT [[BGH - VI ZR 405/18]]</div>MLhttps://gdprhub.eu/index.php?title=BGH_-_VI_ZR_405/18&diff=11284BGH - VI ZR 405/182020-09-08T13:36:10Z<p>ML: ML moved page BGH - BGH VI ZR 405/18 to BGH - VI ZR 405/18</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Germany<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=BGH<br />
|Court_With_Country=BGH (Germany)<br />
<br />
|Case_Number_Name=BGH VI ZR 405/18<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Bundesgerichtshof -Pressemitteilungen - Nr. 095/2020<br />
|Original_Source_Link_1=https://www.bundesgerichtshof.de/SharedDocs/Pressemitteilungen/DE/2020/2020095.html<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
<br />
|Date_Decided=27.07.2020<br />
|Date_Published=<br />
|Year=2020<br />
<br />
|GDPR_Article_1=Article 17(1) GDPR<br />
|GDPR_Article_Link_1=Article 17 GDPR#1<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=LG Frankfurt am Main <br />
|Appeal_From_Case_Number_Name=LG Frankfurt am Main 2-03 O 190/16 <br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=OLG Frankfurt am Main <br />
|Appeal_To_Case_Number_Name=OLG Frankfurt am Main VI ZR 405/18<br />
|Appeal_To_Status=Appealed - Overturned<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The BGH dismissed the plaintiff's appeal regarding the right to be forgotten (Article 17 GDPR) on the grounds that his interests do not outweigh those of internet users and press organs.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The plaintiff was the managing director of a regional association of a charitable organisation. In 2011, this regional association had a financial deficit of almost one million euros. At the time, both of these events were reported in the regional daily press, mentioning the plaintiff's full name. The plaintiff now requests the defendant, as the person responsible for the internet search engine "Google", to refrain from including these press articles in a search for his name in the results list. The Regional Court dismissed the action. The plaintiff's appeal was unsuccessful.<br />
<br />
=== Dispute ===<br />
The question was whether Google has to delist press articles of the plaintiff according to Article 17 GDPR.<br />
<br />
=== Holding ===<br />
The court held that the basic rights of the plaintiff do not outweigh the interests of the search engine and the interests of its users, the public and the press organs responsible for the linked newspaper articles, also taking into account the time that has passed. This is why he cannot base his claim on Art. 17 GDPR.<br />
<br />
<br />
== Comment ==<br />
This summary is based on the press release of the BGH; the judgment is not yet available.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
The plaintiff was the managing director of a regional association of a charitable organisation. In 2011, this regional association had a financial deficit of almost one million euros; shortly before that, the plaintiff called in sick. At the time, both of these events were reported in the regional daily press, mentioning the plaintiff's full name. The plaintiff now requests the defendant, as the person responsible for the internet search engine "Google", to refrain from including these press articles in a search for his name in the results list. The Regional Court dismissed the action. The plaintiff's appeal was unsuccessful.<br />
<br />
The VI. Zivilsenat of the Bundesgerichtshof (Federal Court of Justice) dismissed the plaintiff's appeal allowed by the Court of Appeal. The plaintiff's asserted claim for delisting of the result links in dispute does not arise from Art. 17 (1) GDPR. According to the case-law of the European Court of Justice and the order of the First Senate of the Federal Constitutional Court of 6 November 2019 (1 BvR 276/17 - Recht auf Vergessen II), the claim for delisting under Article 17(1) GDPR requires a comprehensive weighing of fundamental rights, to be carried out on the basis of all relevant circumstances of the individual case and taking into account the seriousness of the encroachment on the fundamental rights of the person concerned on the one hand (Art. 7, 8 CFR), and the fundamental rights of the defendant, the interests of its users and the public, and the fundamental rights of the providers of the contents proven in the objected result links on the other hand (Art. 11, 16 CFR). As the freedom of opinion of the content providers burdened by the decision is to be included in the weighing as a directly affected fundamental right, there is no presumption that the protection interests of the person concerned take precedence, but the conflicting fundamental rights are to be weighed up equally. However, it also follows from this requirement of equal consideration that the person responsible for a search engine does not have to take action only when he/she becomes aware of an obvious and at first glance clearly recognisable infringement of the rights of the person concerned. In this respect, the Senate does not uphold its contrary case law on the legal situation before the GDPR came into force (Senate ruling of 27 February 2018 - VI ZR 489/16, BGHZ 217, 350, 363 marginal no. 36 in conjunction with 370 f. marginal no. 52).<br />
<br />
According to these principles, the basic rights of the plaintiff, also taking into account the passage of time in the specific case, must take second place to the interests of the defendant and the interests of its users, the public and the press organs responsible for the linked newspaper articles, which are to be weighed in the defendant's balance.<br />
<br />
In view of the primacy of the application of the data protection law which has been conclusively harmonised throughout the European Union in the present case and the comprehensive weighing of fundamental rights to be carried out when examining a request for discontinuation under Article 17 GDPR, the plaintiff cannot base its claim on provisions of national German law either. <br />
</pre></div>MLhttps://gdprhub.eu/index.php?title=BGH_-_BGH_VI_ZR_476/18&diff=11283BGH - BGH VI ZR 476/182020-09-08T13:33:34Z<p>ML: ML moved page BGH - BGH VI ZR 476/18 to BGH - VI ZR 476/18</p>
<hr />
<div>#REDIRECT [[BGH - VI ZR 476/18]]</div>MLhttps://gdprhub.eu/index.php?title=BGH_-_VI_ZR_476/18&diff=11282BGH - VI ZR 476/182020-09-08T13:33:34Z<p>ML: ML moved page BGH - BGH VI ZR 476/18 to BGH - VI ZR 476/18</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Germany<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=BGH<br />
|Court_With_Country=BGH (Germany)<br />
<br />
|Case_Number_Name=BGH VI ZR 476/18<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Bundesgerichtshof - Pressemitteilungen<br />
|Original_Source_Link_1=https://www.bundesgerichtshof.de/SharedDocs/Pressemitteilungen/DE/2020/2020095.html<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
<br />
|Date_Decided=22.07.2020<br />
|Date_Published=<br />
|Year=2020<br />
<br />
|GDPR_Article_1=Article 17(3)(a) GDPR<br />
|GDPR_Article_Link_1=Article 17 GDPR#3a<br />
<br />
|EU_Law_Name_1=Article 7, 8, 11, 16 Charter of Fundamental Rights of the European Union<br />
|EU_Law_Link_1=http://data.europa.eu/eli/treaty/char_2012/oj<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=OLG Köln<br />
|Appeal_From_Case_Number_Name=OLG Köln 15 U 178/17 <br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The Bundesgerichtshof stayed proceedings and referred two questions to the Court of Justice of the European Union for a preliminary ruling.<br />
<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The applicant was an authorised officer of one of those companies. In 2015, several articles appeared on the website of a US-American company, whose objective, according to its own statements, is "to make a lasting contribution to fraud prevention in the economy and society through active education and transparency", by critically examining these companies. One of these articles was illustrated with photos of the plaintiffs. The business model of the website's operator was in turn critically reported, among other things with the accusation that she was trying to blackmail companies by first publishing negative reports and then offering to delete the reports or prevent negative reporting for a so-called protection fee. Google was asked to delete the thumbnails.<br />
<br />
=== Dispute ===<br />
<br />
<br />
=== Holding ===<br />
The Bundesgerichtshof stayed proceedings and referred two questions to the Court of Justice of the European Union for a preliminary ruling:<br />
- Is it compatible with the rights of the data subject under Articles 7 and 8 CFR to weigh the possibility of seeking an interim injunction as legal protection, and of receiving a preliminary clarification on the right to be delisted, as a decisive factor in the decision on conflicting rights and interests arising from Article 17(3)(a) GDPR?<br />
<br />
- Can the BGH oblige the defendant to pay the costs if third parties placed photos which are shown as a thumbnail in the search engine of the defendant, even if the third party's website is linked but not specifically named when the thumbnail is displayed by the search engine and the resulting context is not displayed by the internet search service?<br />
<br />
== Comment ==<br />
This summary is based on a press release, because the judgment is not yet available.<br />
The Bundesgerichtshof paused proceedings and referred two questions to the Court of Justice of the European Union for a preliminary ruling; this will be followed up.<br />
<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
The applicant holds positions of responsibility for or participates in various companies providing financial services. The applicant is his partner and was an authorised officer of one of those companies. In 2015, several articles appeared on the website of a US-American company, whose objective, according to its own statements, is "to make a lasting contribution to fraud prevention in the economy and society through active education and transparency", which critically examined the investment model of some of these companies. One of these articles was illustrated with photos of the plaintiffs. The business model of the website's operator was in turn critically reported, among other things with the accusation that she was trying to blackmail companies by first publishing negative reports and then offering to delete the reports or prevent negative reporting for a so-called protection fee. The plaintiffs claim to have also been blackmailed. They request that the defendant, as the person responsible for the internet search engine "Google", refrain from showing the articles in question in the results list when searching for their names and the names of various companies and from displaying the photos of them as so-called "thumbnails". The defendant stated that it was unable to assess the truth of the claims made in the linked content. The Regional Court has dismissed the action. The plaintiffs' appeal was unsuccessful.<br />
<br />
The Bundesgerichtshof stayed proceedings and referred two questions to the Court of Justice of the European Union for a preliminary ruling.<br />
<br />
First, the Court of Justice of the European Union must determine whether it is compatible with the rights of the person concerned to respect for his or her private life (Article 7 CFR) and to protection of the personal data relating to him or her (Article 8 CFR) to weigh up the conflicting rights and interests arising from Article 17(3)(a) General Data Protection Regulation against the person responsible for an internet search service in the context of the examination of his or her request for a listing. 7, 8, 11 and 16 CFR, if the link whose listing is applied for leads to content which contains factual claims and value judgments based on factual claims, the truth of which the person concerned denies, and the legality of which stands and falls with the question of the truthfulness of the factual claims contained therein, the decisive factor to be taken into account is also whether the person concerned can reasonably be expected to accept the content of the link. e.g. by means of an interim injunction - could obtain legal protection against the content provider and thus bring about at least a preliminary clarification of the question of the truth of the content proven by the person responsible for the search engine.<br />
<br />
Second, the Bundesgerichtshof asks for an answer to the question whether, in the case of a request for a listing against the person responsible for an internet search service who, in a name search, searches for photographs of natural persons who have been placed on the internet by third parties in connection with the person's name, and who shows the photographs he has found in his results overview as thumbnails, the Federal Court of Justice is entitled, in the context of the rules laid down in Article 12(b) and Article 12(1)(b) Federal Basic Law, to order the defendant to pay the costs. 14(1)(a) DS-RL / Article 17(3)(a) DS-GVO, the context of the third party's original publication must be taken into account to a decisive extent, even if the third party's website is linked but not specifically named when the thumbnail is displayed by the search engine and the resulting context is not displayed by the internet search service. <br />
</pre></div>MLhttps://gdprhub.eu/index.php?title=BGH_-_VI_ZR_476/18&diff=11281BGH - VI ZR 476/182020-09-08T13:32:53Z<p>ML: Created page with "{{COURTdecisionBOX |Jurisdiction=Germany |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=BGH |Court_With_Country=BGH (Germany) |Case_Number_Name=BGH VI ZR 47..."</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Germany<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=BGH<br />
|Court_With_Country=BGH (Germany)<br />
<br />
|Case_Number_Name=BGH VI ZR 476/18<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Bundesgerichtshof - Pressemitteilungen<br />
|Original_Source_Link_1=https://www.bundesgerichtshof.de/SharedDocs/Pressemitteilungen/DE/2020/2020095.html<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
<br />
|Date_Decided=22.07.2020<br />
|Date_Published=<br />
|Year=2020<br />
<br />
|GDPR_Article_1=Article 17(3)(a) GDPR<br />
|GDPR_Article_Link_1=Article 17 GDPR#3a<br />
<br />
|EU_Law_Name_1=Article 7, 8, 11, 16 Charter of Fundamental Rights of the European Union<br />
|EU_Law_Link_1=http://data.europa.eu/eli/treaty/char_2012/oj<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=OLG Köln<br />
|Appeal_From_Case_Number_Name=OLG Köln 15 U 178/17 <br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The Bundesgerichtshof stayed proceedings and referred two questions to the Court of Justice of the European Union for a preliminary ruling.<br />
<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The applicant was an authorised officer of one of those companies. In 2015, several articles appeared on the website of a US-American company, whose objective, according to its own statements, is "to make a lasting contribution to fraud prevention in the economy and society through active education and transparency", by critically examining these companies. One of these articles was illustrated with photos of the plaintiffs. The business model of the website's operator was in turn critically reported, among other things with the accusation that she was trying to blackmail companies by first publishing negative reports and then offering to delete the reports or prevent negative reporting for a so-called protection fee. Google was asked to delete the thumbnails.<br />
<br />
=== Dispute ===<br />
<br />
<br />
=== Holding ===<br />
The Bundesgerichtshof stayed proceedings and referred two questions to the Court of Justice of the European Union for a preliminary ruling:<br />
- Is it compatible with the rights of the data subject under Articles 7 and 8 CFR to weigh the possibility of seeking an interim injunction as legal protection, and of receiving a preliminary clarification on the right to be delisted, as a decisive factor in the decision on conflicting rights and interests arising from Article 17(3)(a) GDPR?<br />
<br />
- Can the BGH oblige the defendant to pay the costs if third parties placed photos which are shown as a thumbnail in the search engine of the defendant, even if the third party's website is linked but not specifically named when the thumbnail is displayed by the search engine and the resulting context is not displayed by the internet search service?<br />
<br />
== Comment ==<br />
This summary is based on a press release, because the judgment is not yet available.<br />
The Bundesgerichtshof paused proceedings and referred two questions to the Court of Justice of the European Union for a preliminary ruling; this will be followed up.<br />
<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
The applicant holds positions of responsibility for or participates in various companies providing financial services. The applicant is his partner and was an authorised officer of one of those companies. In 2015, several articles appeared on the website of a US-American company, whose objective, according to its own statements, is "to make a lasting contribution to fraud prevention in the economy and society through active education and transparency", which critically examined the investment model of some of these companies. One of these articles was illustrated with photos of the plaintiffs. The business model of the website's operator was in turn critically reported, among other things with the accusation that she was trying to blackmail companies by first publishing negative reports and then offering to delete the reports or prevent negative reporting for a so-called protection fee. The plaintiffs claim to have also been blackmailed. They request that the defendant, as the person responsible for the internet search engine "Google", refrain from showing the articles in question in the results list when searching for their names and the names of various companies and from displaying the photos of them as so-called "thumbnails". The defendant stated that it was unable to assess the truth of the claims made in the linked content. The Regional Court has dismissed the action. The plaintiffs' appeal was unsuccessful.<br />
<br />
The Bundesgerichtshof stayed proceedings and referred two questions to the Court of Justice of the European Union for a preliminary ruling.<br />
<br />
First, the Court of Justice of the European Union must determine whether it is compatible with the rights of the person concerned to respect for his or her private life (Article 7 CFR) and to protection of the personal data relating to him or her (Article 8 CFR) to weigh up the conflicting rights and interests arising from Article 17(3)(a) General Data Protection Regulation against the person responsible for an internet search service in the context of the examination of his or her request for a listing. 7, 8, 11 and 16 CFR, if the link whose listing is applied for leads to content which contains factual claims and value judgments based on factual claims, the truth of which the person concerned denies, and the legality of which stands and falls with the question of the truthfulness of the factual claims contained therein, the decisive factor to be taken into account is also whether the person concerned can reasonably be expected to accept the content of the link. e.g. by means of an interim injunction - could obtain legal protection against the content provider and thus bring about at least a preliminary clarification of the question of the truth of the content proven by the person responsible for the search engine.<br />
<br />
Second, the Bundesgerichtshof asks for an answer to the question whether, in the case of a request for a listing against the person responsible for an internet search service who, in a name search, searches for photographs of natural persons who have been placed on the internet by third parties in connection with the person's name, and who shows the photographs he has found in his results overview as thumbnails, the Federal Court of Justice is entitled, in the context of the rules laid down in Article 12(b) and Article 12(1)(b) Federal Basic Law, to order the defendant to pay the costs. 14(1)(a) DS-RL / Article 17(3)(a) DS-GVO, the context of the third party's original publication must be taken into account to a decisive extent, even if the third party's website is linked but not specifically named when the thumbnail is displayed by the search engine and the resulting context is not displayed by the internet search service. <br />
</pre></div>MLhttps://gdprhub.eu/index.php?title=BGH_-_VI_ZR_405/18&diff=11275BGH - VI ZR 405/182020-09-08T11:02:44Z<p>ML: Created page with "{{COURTdecisionBOX |Jurisdiction=Germany |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=BGH |Court_With_Country=BGH (Germany) |Case_Number_Name=BGH VI ZR 40..."</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Germany<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=BGH<br />
|Court_With_Country=BGH (Germany)<br />
<br />
|Case_Number_Name=BGH VI ZR 405/18<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Bundesgerichtshof -Pressemitteilungen - Nr. 095/2020<br />
|Original_Source_Link_1=https://www.bundesgerichtshof.de/SharedDocs/Pressemitteilungen/DE/2020/2020095.html<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
<br />
|Date_Decided=27.07.2020<br />
|Date_Published=<br />
|Year=2020<br />
<br />
|GDPR_Article_1=Article 17(1) GDPR<br />
|GDPR_Article_Link_1=Article 17 GDPR#1<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=LG Frankfurt am Main <br />
|Appeal_From_Case_Number_Name=LG Frankfurt am Main 2-03 O 190/16 <br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=OLG Frankfurt am Main <br />
|Appeal_To_Case_Number_Name=OLG Frankfurt am Main VI ZR 405/18<br />
|Appeal_To_Status=Appealed - Overturned<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The BGH dismissed the plaintiff's appeal regarding the right to be forgotten (Article 17 GDPR) on the grounds that his interests do not outweigh those of internet users and press organs.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The plaintiff was the managing director of a regional association of a charitable organisation. In 2011, this regional association had a financial deficit of almost one million euros. At the time, both of these events were reported in the regional daily press, mentioning the plaintiff's full name. The plaintiff now requests the defendant, as the person responsible for the internet search engine "Google", to refrain from including these press articles in a search for his name in the results list. The Regional Court dismissed the action. The plaintiff's appeal was unsuccessful.<br />
<br />
=== Dispute ===<br />
The question was whether Google has to delist press articles about the plaintiff under Article 17 GDPR.<br />
<br />
=== Holding ===<br />
The court held that the basic rights of the plaintiff, also taking into account the time that has passed, do not outweigh the interests of the search engine and the interests of its users, the public and the press organs responsible for the linked newspaper articles. This is why he cannot base his claim on Art. 17 GDPR.<br />
<br />
<br />
== Comment ==<br />
This summary is based on the press release of the BGH; the judgment is not yet available.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
The plaintiff was the managing director of a regional association of a charitable organisation. In 2011, this regional association had a financial deficit of almost one million euros; shortly before that, the plaintiff called in sick. At the time, both of these events were reported in the regional daily press, mentioning the plaintiff's full name. The plaintiff now requests the defendant, as the person responsible for the internet search engine "Google", to refrain from including these press articles in a search for his name in the results list. The Regional Court dismissed the action. The plaintiff's appeal was unsuccessful.<br />
<br />
The VI. Zivilsenat of the Bundesgerichtshof (Federal Court of Justice) dismissed the plaintiff's appeal allowed by the Court of Appeal. The plaintiff's asserted claim for delisting of the result links in dispute does not arise from Art. 17 (1) GDPR. According to the case-law of the European Court of Justice and the order of the First Senate of the Federal Constitutional Court of 6 November 2019 (1 BvR 276/17 - Recht auf Vergessen II), the claim for delisting under Article 17(1) GDPR requires a comprehensive weighing of fundamental rights, to be carried out on the basis of all relevant circumstances of the individual case and taking into account the seriousness of the encroachment on the fundamental rights of the person concerned on the one hand (Art. 7, 8 CFR), and the fundamental rights of the defendant, the interests of its users and the public, and the fundamental rights of the providers of the contents proven in the objected result links on the other hand (Art. 11, 16 CFR). As the freedom of opinion of the content providers burdened by the decision is to be included in the weighing as a directly affected fundamental right, there is no presumption that the protection interests of the person concerned take precedence, but the conflicting fundamental rights are to be weighed up equally. However, it also follows from this requirement of equal consideration that the person responsible for a search engine does not have to take action only when he/she becomes aware of an obvious and at first glance clearly recognisable infringement of the rights of the person concerned. In this respect, the Senate does not uphold its contrary case law on the legal situation before the GDPR came into force (Senate ruling of 27 February 2018 - VI ZR 489/16, BGHZ 217, 350, 363 marginal no. 36 in conjunction with 370 f. marginal no. 52).<br />
<br />
According to these principles, the basic rights of the plaintiff, also taking into account the passage of time in the specific case, must take second place to the interests of the defendant and the interests of its users, the public and the press organs responsible for the linked newspaper articles, which are to be weighed in the defendant's balance.<br />
<br />
In view of the primacy of the application of the data protection law which has been conclusively harmonised throughout the European Union in the present case and the comprehensive weighing of fundamental rights to be carried out when examining a request for discontinuation under Article 17 GDPR, the plaintiff cannot base its claim on provisions of national German law either. <br />
</pre></div>MLhttps://gdprhub.eu/index.php?title=OVG_L%C3%BC_-_OVG_L%C3%BCneburg_11_LA_104/19&diff=11270OVG Lü - OVG Lüneburg 11 LA 104/192020-09-08T10:00:42Z<p>ML: ML moved page OVG Lü - OVG Lüneburg 11 LA 104/19 to OVG Lüneburg - 11 LA 104/19: "OVG Lü" does not exist as abbreviation, the same name twice is also not a good style</p>
<hr />
<div>#REDIRECT [[OVG Lüneburg - 11 LA 104/19]]</div>MLhttps://gdprhub.eu/index.php?title=OVG_L%C3%BCneburg_-_11_LA_104/19&diff=11269OVG Lüneburg - 11 LA 104/192020-09-08T10:00:42Z<p>ML: ML moved page OVG Lü - OVG Lüneburg 11 LA 104/19 to OVG Lüneburg - 11 LA 104/19: "OVG Lü" does not exist as abbreviation, the same name twice is also not a good style</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Germany<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=OVG Lü<br />
|Court_With_Country=OVG Lü (Germany)<br />
<br />
|Case_Number_Name=OVG Lüneburg 11 LA 104/19<br />
|ECLI=ECLI:DE:OVGNI:2020:0722.11LA104.19.00<br />
<br />
|Original_Source_Name_1=Niedersachsens Landesjustizportal<br />
|Original_Source_Link_1=http://www.dbovg.niedersachsen.de/jportal/?quelle=jlink&docid=MWRE200002923&psml=bsndprod.psml&max=true<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
|Original_Source_Name_2=Niedersachsens Landesjustizportal<br />
|Original_Source_Link_2=http://www.dbovg.niedersachsen.de/jportal/?quelle=jlink&docid=MWRE200002923&psml=bsndprod.psml&max=true<br />
|Original_Source_Language_2=German<br />
|Original_Source_Language__Code_2=DE<br />
<br />
|Date_Decided=22.07.2020<br />
|Date_Published=<br />
|Year=2020<br />
<br />
<br />
<br />
|National_Law_Name_1=Article 1 (1) GG - Grundgesetz (Basic Law for the Federal Republic of Germany)<br />
|National_Law_Link_1=https://www.gesetze-im-internet.de/englisch_gg/index.html<br />
|National_Law_Name_2=§ 41(2) of the Straßenverkehrsgesetz - StVG (Law on Road Traffic)<br />
|National_Law_Link_2=https://www.gesetze-im-internet.de/englisch_stvg/index.html<br />
|National_Law_Name_3=§ 7 des Niedersächsischen Datenschutzgesetzes a.F.- NDSG a.F. (Data Protection Act of Lower Saxonia in the old version)<br />
|National_Law_Link_3=http://www.nds-voris.de/jportal/?quelle=jlink&query=DSG+ND&psml=bsvorisprod.psml&max=true&aiz=true<br />
|National_Law_Name_4=Article 2 (1) GG<br />
|National_Law_Link_4=https://www.gesetze-im-internet.de/englisch_gg/index.html<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=VG Osnabrück<br />
|Appeal_From_Case_Number_Name=VG Osnabrück 6 A 211/17<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The court held that the transmission of personal data by a public authority by fax is unlawful.<br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
The applicant is the owner of a company [handling prohibited substances] and of two vehicles for which the defendant ordered transmission blocks in accordance with § 41(2) of the Straßenverkehrsgesetz - StVG (Law on Road Traffic) - in the register of vehicles. With regard to restrictions in those orders, the plaintiff brought proceedings before the Verwaltungsgericht (Administrative Court). The defendant confirmed that it complies with the current data protection regulations and does not carry out an unencrypted transmission of his personal data by electronic means. In the context of the proceedings, the defendant sent to its lawyer, by fax, the decision ordering the blocking of transmission of the applicant's vehicle. That decision contains, inter alia, the name and address of the applicant, the vehicle identification number and the registration number of the vehicle. The notice was sent unencrypted without anonymisation of the personal data. <br />
<br />
===Dispute===<br />
It is disputed:<br />
1) Whether the transmission by the authority by fax of a decision containing personal data was unlawful.<br />
2) Whether, where personal data are transmitted by fax, the authority must take precautionary measures to guarantee the fundamental right to informational self-determination of the person concerned, and which level of protection must be complied with.<br />
<br />
===Holding===<br />
The court held that the transmission by the authority by fax of a decision containing personal data was unlawful. The level of protection to be complied with depends on the sensitivity and importance of the data to be transmitted, the potential risks involved in fax transmission, the degree to which the data subject is in need of protection and the effort required for the security measures. <br />
<br />
It is also irrelevant that the decision was not sent by fax to any third party but to the defendant's representative, who, like his employees, is subject to the obligation of confidentiality. There is a risk of abuse by unauthorised third parties, which may occur at any time. <br />
==Comment==<br />
''Share your comments here!''<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
finding that the transmission of personal data by a public authority by fax is unlawful<br />
<br />
(1) Whether the transmission by the authority by fax of a decision containing personal data was unlawful may be reviewed by way of an action for a declaratory judgment if there is an interest in a declaratory judgment.<br />
(2) Where personal data are transmitted by fax, the authority must take precautionary measures to guarantee the fundamental right to informational self-determination of the person concerned. The level of protection to be complied with depends on the sensitivity and importance of the data to be transmitted, the potential risks involved in fax transmission, the degree to which the data subject is in need of protection and the effort required for the security measures. <br />
<br />
OVG Lüneburg 11th Senate, decision of 22.07.2020, 11 LA 104/19, ECLI:DE:OVGNI:2020:0722.11LA104.19.00<br />
<br />
Article 1 (1) GG, Article 2 (1) GG, § 7aF DSG ND, § 43 VwGO<br />
Proceedings<br />
VG Osnabrück, 30 January 2019, Ref: 6 A 211/17, judgement<br />
<br />
<br />
Tenor<br />
<br />
The defendant's application for leave to appeal against the judgment of the Administrative Court of Osnabrück - 6th Chamber - of 30 January 2019 is rejected.<br />
<br />
Orders the defendant to pay the costs of the admission procedure.<br />
<br />
The value of the subject of the dispute for the admission procedure is set at EUR 5,000.<br />
<br />
Reasons<br />
<br />
1<br />
<br />
By his action, the applicant seeks a declaration that the unencrypted transmission of a fax from the defendant to his lawyer was unlawful.<br />
<br />
2<br />
<br />
The applicant is the owner of a company [handling prohibited substances]. He is the owner of two vehicles for which the defendant ordered transmission blocks in accordance with Paragraph 41(2) of the Straßenverkehrsgesetz - StVG (Law on Road Traffic) - in the register of vehicles. With regard to restrictions in those orders, the plaintiff brought proceedings before the Verwaltungsgericht (Administrative Court) under reference numbers E. and F. In the run-up to the court proceedings E., the defendant confirmed to the plaintiff in writing that it complies with the current data protection regulations and does not carry out an unencrypted transmission of his personal data by electronic means. In the context of the F. proceedings, the defendant sent to its lawyer, by fax of [...] 2017, the decision of 3 February 2017 ordering the blocking of transmission of the applicant's G. vehicle. That decision contains, inter alia, the name and address of the applicant, the vehicle identification number and the registration number of the vehicle. The notice was sent unencrypted without anonymisation of the personal data. The plaintiff complained about this procedure to the defendant's data protection officer by letter dated 20 March 2017. After a reply from the data protection officer, further correspondence followed. The defendant did not respond to a request by the plaintiff to establish that the transmission of the notification of 3 February 2017 was unlawful.<br />
<br />
3<br />
<br />
In response to an action brought by the applicant on 20 July 2017, the Administrative Court held, by judgment of 30 January 2019, that the unencrypted transmission of the decision of 3 February 2017 by fax by the defendant to its representative was unlawful at about 18:00 on [...] 2017. In support of its arguments, it stated<br />
<br />
4<br />
<br />
The action is admissible as an action for a declaratory judgment. The unlawfulness in question of the fax transmission on 7 February 2017 constitutes a legal relationship. There is also a legitimate interest of the applicant because of the risk of repetition. The defendant had repeatedly forwarded personal data of the applicant in unencrypted form in letters. The legitimate interest was also based on the fact that a measure had been taken in the short term which, in view of the fact that the plaintiff had handled explosives, was associated with a far-reaching infringement of a fundamental right.<br />
<br />
5<br />
<br />
The action is also well founded. By sending an unencrypted fax on 7 February 2017, the defendant failed to ensure the level of protection required under data protection law for the applicant, who is exposed to particular risks. The transmission of the fax was therefore unlawful in the existing legal relationship. In the context of data processing, the defendant had not observed the level of protection which Paragraph 7 of the Lower Saxony Data Protection Law in the version applicable at the time of the fax transmission - NDSG old version - requires for the activities of a public authority acting as a public body under private sector contracts. It is true that Paragraph 7 of the old version of the NDSG does not confer any right to the implementation of certain protective measures. However, an appropriate level of protection must be achieved. The plaintiff is particularly dependent on the protection of his personal data because of the considerable risks to which he is exposed in the event of identification. In view of the abstract risks associated with unencrypted fax transmission, the defendant should not, in accordance with the state of the art, have transmitted the fax without encryption. It must also be borne in mind that the transmission process itself involves numerous other risks and that it should therefore not have been sent by fax.<br />
<br />
6<br />
<br />
The defendant's application for authorisation is unfounded.<br />
<br />
7<br />
<br />
The statement of reasons for the application for admission is not suitable to show serious doubts as to the correctness of the contested judgment within the meaning of Section 124 (2) no. 1 VwGO. Serious doubts as to the correctness of the first-instance decision are to be answered in the affirmative if the appellant challenges a single fundamental legal sentence or a single substantial finding of fact with conclusive counter-arguments (BVerfG, Order of 8 December 2009 - 2 BvR 758/07 -, BVerfGE 125, 104, juris, marginal no. 96). The doubts of correctness must also relate to the result of the decision; it must therefore be possible to assume with sufficient probability that the appeal will lead to an amendment of the contested decision (BVerwG, decision of 10.3.2004 - 7 AV 4/03 -, NVwZ-RR 2004, 542, juris, marginal no. 7 et seq.). Section 124 (2) no. 1 of the German Rules of the Administrative Courts (VwGO) thus provides access to a substantive review of the contested judgment in appeal proceedings only in those cases in which the correctness of the contested judgment requires further examination. On the other hand, it is not sufficient if there are doubts only about the correctness of individual legal principles or factual findings of the judgment, but the judgment is correct in its result (cf. BVerwG, decision of 10 March 2004 - 7 AV 4/03 -, loc. cit.). An explanation of this reason for admission that satisfies the requirements of § 124 a (4) sentence 4 VwGO requires that it be explained in detail, with a concrete discussion of the administrative court decision, that and why there should be doubts about the correctness of the opinion of the recognising administrative court. This regularly requires qualified, detailed, case-related and understandable explanations which deal with the contested decision on the basis of an independent review and penetration of the subject matter of the proceedings (Niedersächsisches OVG, decision of 17 June 2015 - 8 LA 16/15 -, NdsRPfl. 2015, 244, juris, marginal no. 10). Measured against this, the defendant's objections do not justify the assumption of serious doubts as to the correctness of the contested judgment.<br />
<br />
8<br />
<br />
The plaintiff's request is admissible as a general declaratory action pursuant to § 43 (1) VwGO. According to this provision, an action for a declaratory judgement may be brought to establish the existence or non-existence of a legal relationship if the plaintiff has a legitimate interest in a speedy determination. A determinable legal relationship is understood to be the legal relationship resulting from a concrete factual situation based on a public law norm for the relationship of (natural or legal) persons among each other or of a person to a matter, by virtue of which one of the persons involved must, can or may or need not do something specific. Legal relationships have only become a legal relationship within the meaning of § 43 (1) VwGO if the application of a particular public-law provision to a factual situation which is already foreseeable is in dispute (BVerwG, judgment of 26 January 1996 - 8 C 19/94 -, BVerwGE 100, 262, juris, marginal 10). The parties' dispute concerns the meaning and scope of a provision of public law in relation to a specific set of facts.<br />
<br />
9<br />
<br />
This is a situation that can be assigned to a standard. The subject-matter of the dispute is the transmission of the decision of 3 February 2017 by fax from the defendant to its legal representative on [...] 2017. Contrary to the view of the defendant, the plaintiff is not only concerned with the legal qualification of the defendant's actions as unlawful or lawful - such a request, as a legal question which cannot be determined, would not be subject to an action for a declaratory judgment within the meaning of Paragraph 43 of the German Rules of the Administrative Courts (Bayerischer VGH, Urt. v. 9.4.2003 - 24 B 02.646 -, juris, paragraph 22, Sodan, in: Sodan/Ziekow, VwGO, 5th edition 2018, § 43, paragraph 35) - but on its legal position, which may be affected by the disclosure of its personal data.<br />
<br />
10<br />
<br />
The plaintiff also has an interest in a declaratory judgment because of the risk of repetition. A risk of recurrence constitutes a legitimate interest within the meaning of Article 43(1) of the German Rules of the Administrative Courts (VwGO) if there are sufficiently concrete indications that the sovereign measure complained of will be taken again (Bayerischer VGH, judgement of 15 February 2012 - 1 B 09.2157 -, juris, para. 31). The defendant asserts that it has in the meantime lifted the ordered transmission blocks in a manner that is immediately enforceable. The transmission blocks could therefore not be used to justify a particularly high level of protection. Nor is the plaintiff exposed to particular risks. The defendant does not succeed in this argument.<br />
<br />
11<br />
<br />
The Administrative Court justified the risk of repetition by stating that the defendant had repeatedly sent faxes without encryption. In this regard, the Administrative Court refers, in addition to the fax transmission in dispute, to two letters dated 22 June 2016 and 19 August 2016 in court proceedings, both of which were transmitted unencrypted with personal data of the plaintiff to the Administrative Court and the Higher Administrative Court respectively. The court of first instance rightly concludes from this that the danger described above will continue to exist in the future.<br />
<br />
12<br />
<br />
Whether the plaintiff is exposed to particular or substantial risks and therefore whether a certain level of protection must be guaranteed in the transfer of his personal data is a question of the merits of the action. It must also be borne in mind that, in a judgment of [...], the 12th Senate of the Higher Administrative Court of Lower Saxony upheld a judgment of the Administrative Court which obliged the defendant to grant the plaintiff a transmission block under Paragraph 41(2) of the StVG for a vehicle held by him without a general exception to requests from the police and administrative authorities imposing fines and without a time-limit of five years. The Senate stated that § 41, Subsection 2 StVG presupposes a credibly demonstrated impairment of the interests of the person concerned worthy of protection by the transmission of the keeper data. The plaintiff had substantiated that he was generally exposed to a significantly higher risk of attack for professional reasons [...]. The applicant's handling of [prohibited substances] [...] leads to a significantly increased likelihood of impairment of his rights compared with the average vehicle owner. This applies in particular to the risk of becoming the victim of a crime.<br />
<br />
13<br />
<br />
In so far as the Administrative Court also affirmed the applicant's interest in a declaratory judgment because of the possibility that the unencrypted fax transmission, an event limited to a period of time during which legal protection can hardly be obtained, constituted a profound infringement of a fundamental right, that assumption is not called into question by the defendant in its statement of reasons for the authorisation.<br />
<br />
14<br />
<br />
In its observations on the merits of the action, the defendant has not shown that the view of the Administrative Court that the fax transmission on [...] 2017 is unlawful and infringes the rights of the plaintiff is subject to serious doubts.<br />
<br />
15<br />
<br />
The plaintiff may rely on the fact that, in order to guarantee his fundamental right to informational self-determination in the transmission of personal data, the defendant takes protective measures to ensure that his personal data do not reach third parties without authorisation. The fundamental right to informational self-determination, which is rooted in Article 2 (1) in conjunction with Article 1 (1) of the Basic Law, obliges the legislature to take the necessary precautions (BVerfG, Urt. v. 15 December 1983 - 1 BvR 209/83 and others -, BVerfGE 65, 1, juris, marginal no. 191, "Census ruling"). In particular, the data concerned must be protected against unauthorised access by third parties and against improper use (Senatsurt. v. 14.1.2020 - 11 LC 191/17 -, juris, marginal no. 49). The legislator of Lower Saxony has stipulated in § 7 paragraph 1 of the Lower Saxony Data Protection Act of 29 January 2002 (Nds. GVBl. 2002, 22, as amended on 12.12.2012, Nds. GVBl. 2012, 589 - NDSG old version -) that public bodies must take the technical and organisational measures to ensure that personal data are processed in accordance with the provisions of this Act (first sentence). The cost of the measures must be in reasonable proportion to the intended purpose, taking into account the state of the art (sentence 2). These design rules are addressed to the defendant as a public body (Section 2 (1) sentence 1 no. 2 NDSG old version) and also relate to the transmission of personal data. Section 7 (2) NDSG old version regulates eleven control measures for the automated processing of personal data. According to Section 7 (2) NDSG old version, measures must be taken which, depending on the type of data and its use, are suitable for ensuring, according to No. 10, that during the transmission of data as well as during the transport of data carriers, the data cannot be read, copied, changed or deleted by unauthorised persons (transport control), and according to No. 11, the internal administrative or internal company organisation must be designed in such a way that it meets the special requirements of data protection (organisational control). The scope of the control is to be determined by weighing up the sensitivity and significance of the data, the potential dangers, the degree of need for protection and the expense associated with the security measures (Der Landesbeauftragte für den Datenschutz Niedersachsen, Erläuterungen zur Anwendung des NDSG, 3rd ed. 2008, § 7, to para. 2). In the light of the foregoing, the defendant, by transmitting the notification of 3 February 2017 to its representative by fax without encryption, failed to ensure the necessary protection and thereby infringed the plaintiff's fundamental right.<br />
<br />
16<br />
<br />
The plaintiff is particularly in need of protection. The plaintiff is exposed to considerable risks because of his occupational exposure to [prohibited substances]. As has already been pointed out in relation to the admissibility of the action for a declaratory judgment, the plaintiff is thus exposed to a significantly increased risk of attack [...], [...], [...].<br />
<br />
17<br />
<br />
The personal data contained in the transmitted notice (name and address of the claimant, vehicle identification number and the registration number of the vehicle) are particularly sensitive. The Senate shares the view expressed by the 12th Senate in its judgment of [...] that knowledge of such personal data significantly increases the plaintiff's risk of becoming a victim of crime.<br />
<br />
18<br />
<br />
It follows that the defendant must ensure an adequate level of protection when transmitting the personal data of the claimant. In so far as the defendant claims that the applicant disclosed personal data in faxes sent to it and that it agreed to this form of communication, that objection is not convincing. The defendant refers to fax documents from the years 2011 and 2012 (letters of 10 February 2011 and 9 September 2012). The plaintiff has already objected to the unencrypted transmission of personal data by letter dated 9 December 2015 to the defendant. The plaintiff's submission that he had not consented to transmission by fax, at least for the period after 9 December 2015, remained unopposed. In addition, by letter dated 25 February 2016, the defendant confirmed to the plaintiff that the handling of personal data in the competent department was in accordance with the applicable data protection regulations and that personal data would not be transmitted by unencrypted electronic means.<br />
<br />
19<br />
<br />
In view of the special need for protection of the plaintiff and his personal data, a higher level of protection must be observed in the processing in question with the aid of a data processing system. An unencrypted transmission of the plaintiff's personal data by fax falls below the level of protection to be observed. The Administrative Court rightly points out that there is no obstacle to the perception of the data by unauthorised persons in the case of transmission by fax. This assessment of the court of first instance is confirmed by information provided by the State Commissioner for Data Protection and Information Security of North Rhine-Westphalia on his website (https://www.ldi.nrw.de/mainmenu_Datenschutz/submenu_Technik/Inhalt/Kommunikation/Inhalt/070402_Datensicherheit_beim_Telefaxverkehr/Datensicherheit_beim_Telefaxverkehr.php). According to that information, fax transmission is a service which, as a rule, does not include data security measures. The information is transmitted "open" (unencrypted). A fax transmission is therefore comparable to sending an open postcard. The defendant's data protection officer arrives at a comparable assessment in his information to the plaintiff of 11 April 2017. In his opinion, sensitive personal data may not be faxed without safeguards (e.g. encryption devices). He notes that sensitive personal data in the defendant's case must be sent exclusively by post. According to the defendant, the unencrypted transmission of the notice of 3 February 2017 by fax posed a risk that unauthorised third parties might obtain access to the plaintiff's personal data.<br />
<br />
20<br />
<br />
The defendant should have countered the risk described above by taking precautionary measures at the time of the notification of the decision of 3 February 2017. Such measures were available and could have been applied without great effort. In the present case, the defendant could have sent the decision by post or sent it by messenger to the office of its lawyer, which is only 150 metres away. The use of fax machines for transmission, which is limited to exceptional cases, must be carried out using the safeguards mentioned by the defendant's data protection officer (e.g. encryption devices). Whether the use of a fax machine corresponds to the state of the art is irrelevant. It is relevant to the decision whether the security measures are available and correspond to the state of the art. This can be assumed here.<br />
<br />
21<br />
<br />
It is also irrelevant that the decision was not sent by fax to any third party but to the defendant's representative, who, like his employees, is subject to the obligation of confidentiality. There is a risk of abuse by unauthorised third parties, which may occur at any time. In addition, there are also risks outside the immediate transmission process, e.g. due to addressing errors or misdirected calls due to outdated line numbers or activated call forwarding or transfer (cf. the information provided by the State Commissioner for Data Protection and Information Security of North Rhine-Westphalia on the designated Internet site).<br />
<br />
22<br />
<br />
The decision on costs is based on § 154 (2) VwGO.<br />
<br />
The determination of the amount in dispute is based on Sections 47(1) and (3) and 52(2) of the GKG.<br />
<br />
This decision is final (§§ 152 (1) VwGO, 68 (1) sentence 5, 66 (3) sentence 3 GKG).<br />
</pre></div>MLhttps://gdprhub.eu/index.php?title=OVG_L%C3%BCneburg_-_11_LA_104/19&diff=11267OVG Lüneburg - 11 LA 104/192020-09-08T08:39:10Z<p>ML: Created page with "{{COURTdecisionBOX |Jurisdiction=Germany |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=OVG Lü |Court_With_Country=OVG Lü (Germany) |Case_Number_Name=OVG..."</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Germany<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=OVG Lü<br />
|Court_With_Country=OVG Lü (Germany)<br />
<br />
|Case_Number_Name=OVG Lüneburg 11 LA 104/19<br />
|ECLI=ECLI:DE:OVGNI:2020:0722.11LA104.19.00<br />
<br />
|Original_Source_Name_1=Niedersachsens Landesjustizportal<br />
|Original_Source_Link_1=http://www.dbovg.niedersachsen.de/jportal/?quelle=jlink&docid=MWRE200002923&psml=bsndprod.psml&max=true<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
|Original_Source_Name_2=Niedersachsens Landesjustizportal<br />
|Original_Source_Link_2=http://www.dbovg.niedersachsen.de/jportal/?quelle=jlink&docid=MWRE200002923&psml=bsndprod.psml&max=true<br />
|Original_Source_Language_2=German<br />
|Original_Source_Language__Code_2=DE<br />
<br />
|Date_Decided=22.07.2020<br />
|Date_Published=<br />
|Year=2020<br />
<br />
<br />
<br />
|National_Law_Name_1=Article 1 (1) GG - Grundgesetz (Basic Law for the Federal Republic of Germany)<br />
|National_Law_Link_1=https://www.gesetze-im-internet.de/englisch_gg/index.html<br />
|National_Law_Name_2=§ 41(2) of the Straßenverkehrsgesetz - StVG (Law on Road Traffic)<br />
|National_Law_Link_2=https://www.gesetze-im-internet.de/englisch_stvg/index.html<br />
|National_Law_Name_3=§ 7 des Niedersächsischen Datenschutzgesetzes a.F.- NDSG a.F. (Data Protection Act of Lower Saxonia in the old version)<br />
|National_Law_Link_3=http://www.nds-voris.de/jportal/?quelle=jlink&query=DSG+ND&psml=bsvorisprod.psml&max=true&aiz=true<br />
|National_Law_Name_4=Article 2 (1) GG<br />
|National_Law_Link_4=https://www.gesetze-im-internet.de/englisch_gg/index.html<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=VG Osnabrück<br />
|Appeal_From_Case_Number_Name=VG Osnabrück 6 A 211/17<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The court held that the transmission of personal data by a public authority by fax is unlawful.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The applicant is the owner of a company [handling prohibited substances] and of two vehicles for which the defendant ordered transmission blocks in the register of vehicles in accordance with § 41(2) of the Straßenverkehrsgesetz - StVG (Law on Road Traffic). With regard to restrictions in those orders, the plaintiff brought proceedings before the Verwaltungsgericht (Administrative Court). The defendant confirmed that it complies with the current data protection regulations and does not transmit his personal data unencrypted by electronic means. In the context of the proceedings, the defendant sent the decision ordering the blocking of transmission for the applicant's vehicle to its lawyer by fax. That decision contains, inter alia, the name and address of the applicant, the vehicle identification number and the registration number of the vehicle. The notice was sent unencrypted without anonymisation of the personal data.<br />
<br />
=== Dispute ===<br />
It is disputed:<br />
1) Whether the transmission by the authority by fax of a decision containing personal data was unlawful.<br />
2) Whether, where personal data are transmitted by fax, the authority must take precautionary measures to guarantee the fundamental right to informational self-determination of the person concerned, and which level of protection needs to be complied with.<br />
<br />
=== Holding ===<br />
The court held that the transmission by the authority by fax of a decision containing personal data was unlawful. The level of protection to be complied with depends on the sensitivity and importance of the data to be transmitted, the potential risks involved in fax transmission, the degree to which the data subject is in need of protection and the effort required for the security measures.<br />
<br />
It is also irrelevant that the decision was not sent by fax to any third party but to the defendant's representative, who, like his employees, is subject to the obligation of confidentiality. There is a risk of abuse by unauthorised third parties, which may occur at any time. <br />
<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
finding that the transmission of personal data by a public authority by fax is unlawful<br />
<br />
(1) Whether the transmission by the authority by fax of a decision containing personal data was unlawful may be reviewed by way of an action for a declaratory judgment if there is an interest in a declaratory judgment.<br />
(2) Where personal data are transmitted by fax, the authority must take precautionary measures to guarantee the fundamental right to informational self-determination of the person concerned. The level of protection to be complied with depends on the sensitivity and importance of the data to be transmitted, the potential risks involved in fax transmission, the degree to which the data subject is in need of protection and the effort required for the security measures. <br />
<br />
OVG Lüneburg 11th Senate, decision of 22.07.2020, 11 LA 104/19, ECLI:DE:OVGNI:2020:0722.11LA104.19.00<br />
<br />
Article 1 (1) GG, Article 2 (1) GG, § 7aF DSG ND, § 43 VwGO<br />
Proceedings<br />
VG Osnabrück, 30 January 2019, Ref: 6 A 211/17, judgement<br />
<br />
<br />
Tenor<br />
<br />
The defendant's application for leave to appeal against the judgment of the Administrative Court of Osnabrück - 6th Chamber - of 30 January 2019 is rejected.<br />
<br />
Orders the defendant to pay the costs of the admission procedure.<br />
<br />
The value of the subject of the dispute for the admission procedure is set at EUR 5,000.<br />
<br />
Reasons<br />
<br />
1<br />
<br />
By his action, the applicant seeks a declaration that the unencrypted transmission of a fax from the defendant to his lawyer was unlawful.<br />
<br />
2<br />
<br />
The applicant is the owner of a company [handling prohibited substances]. He is the owner of two vehicles for which the defendant ordered transmission blocks in accordance with Paragraph 41(2) of the Straßenverkehrsgesetz - StVG (Law on Road Traffic) - in the register of vehicles. With regard to restrictions in those orders, the plaintiff brought proceedings before the Verwaltungsgericht (Administrative Court) under reference numbers E. and F. In the run-up to the court proceedings E., the defendant confirmed to the plaintiff in writing that it complies with the current data protection regulations and does not carry out an unencrypted transmission of his personal data by electronic means. In the context of the F. proceedings, the defendant sent to its lawyer, by fax of [...] 2017, the decision of 3 February 2017 ordering the blocking of transmission of the applicant's G. vehicle. That decision contains, inter alia, the name and address of the applicant, the vehicle identification number and the registration number of the vehicle. The notice was sent unencrypted without anonymisation of the personal data. The plaintiff complained about this procedure to the defendant's data protection officer by letter dated 20 March 2017. After a reply from the data protection officer, further correspondence followed. The defendant did not respond to a request by the plaintiff to establish that the transmission of the notification of 3 February 2017 was unlawful.<br />
<br />
3<br />
<br />
In response to an action brought by the applicant on 20 July 2017, the Administrative Court held, by judgment of 30 January 2019, that the unencrypted transmission of the decision of 3 February 2017 by fax by the defendant to its representative was unlawful at about 18:00 on [...] 2017. In support of its arguments, it stated:<br />
<br />
4<br />
<br />
The action is admissible as an action for a declaratory judgment. The unlawfulness in question of the fax transmission on 7 February 2017 constitutes a legal relationship. There is also a legitimate interest of the applicant because of the risk of repetition. The defendant had repeatedly forwarded personal data of the applicant in unencrypted form in letters. The legitimate interest was also based on the fact that a measure had been taken in the short term which, in view of the fact that the plaintiff had handled explosives, was associated with a far-reaching infringement of a fundamental right.<br />
<br />
5<br />
<br />
The action is also well founded. By sending an unencrypted fax on 7 February 2017, the defendant failed to ensure the level of protection required under data protection law for the applicant, who is exposed to particular risks. The transmission of the fax was therefore unlawful in the existing legal relationship. In the context of data processing, the defendant had not observed the level of protection which Paragraph 7 of the Lower Saxony Data Protection Law in the version applicable at the time of the fax transmission - NDSG old version - requires for the activities of a public authority acting as a public body under private sector contracts. It is true that Paragraph 7 of the old version of the NDSG does not confer any right to the implementation of certain protective measures. However, an appropriate level of protection must be achieved. The plaintiff is particularly dependent on the protection of his personal data because of the considerable risks to which he is exposed in the event of identification. In view of the abstract risks associated with unencrypted fax transmission, the defendant should not, in accordance with the state of the art, have transmitted the fax without encryption. It must also be borne in mind that the transmission process itself involves numerous other risks and that it should therefore not have been sent by fax.<br />
<br />
6<br />
<br />
The defendant's application for authorisation is unfounded.<br />
<br />
7<br />
<br />
The statement of reasons for the application for admission is not suitable to show serious doubts as to the correctness of the contested judgment within the meaning of Section 124 (2) no. 1 VwGO. Serious doubts as to the correctness of the first-instance decision are to be answered in the affirmative if the appellant challenges a single fundamental legal sentence or a single substantial finding of fact with conclusive counter-arguments (BVerfG, Order of 8 December 2009 - 2 BvR 758/07 -, BVerfGE 125, 104, juris, marginal no. 96). The doubts of correctness must also relate to the result of the decision; it must therefore be possible to assume with sufficient probability that the appeal will lead to an amendment of the contested decision (BVerwG, decision of 10.3.2004 - 7 AV 4/03 -, NVwZ-RR 2004, 542, juris, marginal no. 7 et seq.). Section 124 (2) no. 1 of the German Rules of the Administrative Courts (VwGO) thus provides access to a substantive review of the contested judgment in appeal proceedings only in those cases in which the correctness of the contested judgment requires further examination. On the other hand, it is not sufficient if there are doubts only about the correctness of individual legal principles or factual findings of the judgment, but the judgment is correct in its result (cf. BVerwG, decision of 10 March 2004 - 7 AV 4/03 -, loc. cit.). An explanation of this reason for admission that satisfies the requirements of § 124 a (4) sentence 4 VwGO requires that it be explained in detail, with a concrete discussion of the administrative court decision, that and why there should be doubts about the correctness of the opinion of the recognising administrative court. 
This requires regularly qualified, detailed, case-related and understandable explanations which deal with the contested decision on the basis of an independent review and penetration of the subject matter of the proceedings (Niedersächsisches OVG, decision of 17 June 2015 - 8 LA 16/15 -, NdsRPfl. 2015, 244, juris, marginal no. 10). Measured against this, the defendant's objections do not justify the assumption of serious doubts as to the correctness of the contested judgment.<br />
<br />
8<br />
<br />
The plaintiff's request is admissible as a general declaratory action pursuant to § 43 (1) VwGO. According to this provision, an action for a declaratory judgement may be brought to establish the existence or non-existence of a legal relationship if the plaintiff has a legitimate interest in a speedy determination. A determinable legal relationship is understood to be the legal relationship resulting from a concrete factual situation based on a public law norm for the relationship of (natural or legal) persons among each other or of a person to a matter, by virtue of which one of the persons involved must, can or may or need not do something specific. Legal relationships have only become a legal relationship within the meaning of § 43 (1) VwGO if the application of a particular public-law provision to a factual situation which is already foreseeable is in dispute (BVerwG, judgment of 26 January 1996 - 8 C 19/94 -, BVerwGE 100, 262, juris, marginal 10). The parties' dispute concerns the meaning and scope of a provision of public law in relation to a specific set of facts.<br />
<br />
9<br />
<br />
This is a situation that can be assigned to a standard. The subject-matter of the dispute is the transmission of the decision of 3 February 2017 by fax from the defendant to its legal representative on [...] 2017. Contrary to the view of the defendant, the plaintiff is not only concerned with the legal qualification of the defendant's actions as unlawful or lawful - such a request, as a legal question which cannot be determined, would not be subject to an action for a declaratory judgment within the meaning of Paragraph 43 of the German Rules of the Administrative Courts (Bayerischer VGH, Urt. v. 9.4.2003 - 24 B 02.646 -, juris, paragraph 22, Sodan, in: Sodan/Ziekow, VwGO, 5th edition 2018, § 43, paragraph 35) - but on its legal position, which may be affected by the disclosure of its personal data.<br />
<br />
10<br />
<br />
The plaintiff also has an interest in a declaratory judgment because of the risk of repetition. A risk of recurrence constitutes a legitimate interest within the meaning of Article 43(1) of the German Rules of the Administrative Courts (VwGO) if there are sufficiently concrete indications that the sovereign measure complained of will be taken again (Bayerischer VGH, judgement of 15 February 2012 - 1 B 09.2157 -, juris, para. 31). The defendant asserts that it has in the meantime lifted the ordered transmission blocks in a manner that is immediately enforceable. The transmission blocks could therefore not be used to justify a particularly high level of protection. Nor is the plaintiff exposed to particular risks. The defendant does not succeed in this argument.<br />
<br />
11<br />
<br />
The Administrative Court justified the risk of repetition by stating that the defendant had repeatedly sent faxes without encryption. In this regard, the Administrative Court refers, in addition to the fax transmission in dispute, to two letters dated 22 June 2016 and 19 August 2016 in court proceedings, both of which were transmitted unencrypted with personal data of the plaintiff to the Administrative Court and the Higher Administrative Court respectively. The court of first instance rightly concludes from this that the danger described above will continue to exist in the future.<br />
<br />
12<br />
<br />
Whether the plaintiff is exposed to particular or substantial risks and therefore whether a certain level of protection must be guaranteed in the transfer of his personal data is a question of the merits of the action. It must also be borne in mind that, in a judgment of [...], the 12th Senate of the Higher Administrative Court of Lower Saxony upheld a judgment of the Administrative Court which obliged the defendant to grant the plaintiff a transmission block under Paragraph 41(2) of the StVG for a vehicle held by him without a general exception to requests from the police and administrative authorities imposing fines and without a time-limit of five years. The Senate stated that § 41, Subsection 2 StVG presupposes a credibly demonstrated impairment of the interests of the person concerned worthy of protection by the transmission of the keeper data. The plaintiff had substantiated that he was generally exposed to a significantly higher risk of attack for professional reasons [...]. The applicant's handling of [prohibited substances] [...] leads to a significantly increased likelihood of impairment of his rights compared with the average vehicle owner. This applies in particular to the risk of becoming the victim of a crime.<br />
<br />
13<br />
<br />
In so far as the Administrative Court also affirmed the applicant's interest in a declaratory judgment because of the possibility that the unencrypted fax transmission, an event limited to a period of time during which legal protection can hardly be obtained, constituted a profound infringement of a fundamental right, that assumption is not called into question by the defendant in its statement of reasons for the authorisation.<br />
<br />
14<br />
<br />
In its observations on the merits of the action, the defendant has not shown that the view of the Administrative Court that the fax transmission on [...] 2017 is unlawful and infringes the rights of the plaintiff is subject to serious doubts.<br />
<br />
15<br />
<br />
The plaintiff may rely on the fact that, in order to guarantee his fundamental right to informational self-determination in the transmission of personal data, the defendant takes protective measures to ensure that his personal data do not reach third parties without authorisation. The fundamental right to informational self-determination, which is rooted in Article 2(1) in conjunction with Article 1 (1) of the Basic Law, obliges the legislature to take the necessary precautions (BVerfG, Urt. v. 15 December 1983 - 1 BvR 209/83 and others -, BVerfGE 65, 1, juris, marginal no. 191, "Census ruling"). In particular, the data concerned must be protected against unauthorised access by third parties and against improper use (Senatsurt. v. 14.1.2020 - 11 LC 191/17 -, juris, marginal no. 49). The legislator of Lower Saxony has stipulated in § 7 paragraph 1 of the Lower Saxony Data Protection Act of 29 January 2002 (Nds. GVBl. 2002, 22, as amended on 12.12.2012, Nds. GVBl. 2012, 589 - NDSG old version -) that public bodies must take the technical and organisational measures to ensure that personal data are processed in accordance with the provisions of this Act (first sentence). The cost of the measures must be in reasonable proportion to the intended purpose, taking into account the state of the art (sentence 2). These design rules are addressed to the defendant as a public body (Section 2 (1) sentence 1 no. 2 NDSG old version) and also relate to the transmission of personal data. Section 7 (2) NDSG old version regulates eleven control measures for the automated processing of personal data. According to Section 7 (2) NDSG old version, measures must be taken which, depending on the type of data and its use, are suitable for ensuring, according to No. 
10, that during the transmission of data as well as during the transport of data carriers, the data cannot be read, copied, changed or deleted by unauthorised persons (transport control), and according to No. 11, the internal administrative or internal company organisation must be designed in such a way that it meets the special requirements of data protection (organisational control). The scope of the control is to be determined by weighing up the sensitivity and significance of the data, the potential dangers, the degree of need for protection and the expense associated with the security measures (Der Landesbeauftragte für den Datenschutz Niedersachsen, Erläuterungen zur Anwendung des NDSG, 3rd ed. 2008, § 7, to para. 2). In the light of the foregoing, the defendant, by transmitting the non-encrypted notification of 3 February 2017 to its representative by fax without encryption, failed to ensure the necessary protection and thereby infringed the plaintiff's fundamental right.<br />
<br />
16<br />
<br />
The plaintiff is particularly in need of protection. The plaintiff is exposed to considerable risks because of his occupational exposure to [prohibited substances]. As has already been pointed out in relation to the admissibility of the action for a declaratory judgment, the plaintiff is thus exposed to a significantly increased risk of attack [...], [...], [...].<br />
<br />
17<br />
<br />
The personal data contained in the transmitted notice (name and address of the claimant, vehicle identification number and the registration number of the vehicle) are particularly sensitive. The Senate shares the view expressed by the 12th Senate in its judgment of [...] that knowledge of such personal data significantly increases the plaintiff's risk of becoming a victim of crime.<br />
<br />
18<br />
<br />
It follows that the defendant must ensure an adequate level of protection when transmitting the personal data of the claimant. In so far as the defendant claims that the applicant disclosed personal data in faxes sent to it and that it agreed to this form of communication, that objection is not convincing. The defendant refers to fax documents from the years 2011 and 2012 (letters of 10 February 2011 and 9 September 2012). The plaintiff has already objected to the unencrypted transmission of personal data by letter dated 9 December 2015 to the defendant. The plaintiff's submission that he had not consented to transmission by fax, at least for the period after 9 December 2015, remained unopposed. In addition, by letter dated 25 February 2016, the defendant confirmed to the plaintiff that the handling of personal data in the competent department was in accordance with the applicable data protection regulations and that personal data would not be transmitted by unencrypted electronic means.<br />
<br />
19<br />
<br />
In view of the special need for protection of the plaintiff and his personal data, a higher level of protection must be observed in the processing in question with the aid of a data processing system. An unencrypted transmission of the plaintiff's personal data by fax falls below the level of protection to be observed. The Administrative Court rightly points out that there is no obstacle to the perception of the data by unauthorised persons in the case of transmission by fax. This assessment of the court of first instance is confirmed by information provided by the State Commissioner for Data Protection and Information Security of North Rhine-Westphalia on his website (https://www.ldi.nrw.de/mainmenu_Datenschutz/submenu_Technik/Inhalt/Kommunikation/Inhalt/070402_Datensicherheit_beim_Telefaxverkehr/Datensicherheit_beim_Telefaxverkehr.php). According to that information, fax transmission is a service which, as a rule, does not include data security measures. The information is transmitted "open" (unencrypted). A fax transmission is therefore comparable to sending an open postcard. The defendant's data protection officer arrives at a comparable assessment in his information to the plaintiff of 11 April 2017. In his opinion, sensitive personal data may not be faxed without safeguards (e.g. encryption devices). He notes that sensitive personal data in the defendant's case must be sent exclusively by post. According to the defendant, the unencrypted transmission of the notice of 3 February 2017 by fax posed a risk that unauthorised third parties might obtain access to the plaintiff's personal data.<br />
<br />
20<br />
<br />
The defendant should have countered the risk described above by taking precautionary measures at the time of the notification of the decision of 3 February 2017. Such measures were available and could have been applied without great effort. In the present case, the defendant could have sent the decision by post or sent it by messenger to the office of its lawyer, which is only 150 metres away. The use of fax machines for transmission, which is limited to exceptional cases, must be carried out using the safeguards mentioned by the defendant's data protection officer (e.g. encryption devices). Whether the use of a fax machine corresponds to the state of the art is irrelevant. It is relevant to the decision whether the security measures are available and correspond to the state of the art. This can be assumed here.<br />
<br />
21<br />
<br />
It is also irrelevant that the decision was not sent by fax to any third party but to the defendant's representative, who, like his employees, is subject to the obligation of confidentiality. There is a risk of abuse by unauthorised third parties, which may occur at any time. In addition, there are also risks outside the immediate transmission process, e.g. due to addressing errors or misdirected calls due to outdated line numbers or activated call forwarding or transfer (cf. the information provided by the State Commissioner for Data Protection and Information Security of North Rhine-Westphalia on the designated Internet site).<br />
<br />
22<br />
<br />
The decision on costs is based on § 154 (2) VwGO.<br />
<br />
The determination of the amount in dispute is based on Sections 47(1) and (3) and 52(2) of the GKG.<br />
<br />
This decision is final (§§ 152 (1) VwGO, 68 (1) sentence 5, 66 (3) sentence 3 GKG).<br />
</pre></div>MLhttps://gdprhub.eu/index.php?title=VerfGH_Saarland_-_VerfGH_Lv_15/20&diff=11265VerfGH Saarland - VerfGH Lv 15/202020-09-08T08:13:46Z<p>ML: Created page with "{{COURTdecisionBOX |Jurisdiction=Germany |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=VerfGH Saarland |Court_With_Country=VerfGH Saarland (Germany) |Case_..."</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Germany<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=VerfGH Saarland<br />
|Court_With_Country=VerfGH Saarland (Germany)<br />
<br />
|Case_Number_Name=VerfGH Lv 15/20<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Verfassungsgerichtshof des Saarlandes<br />
|Original_Source_Link_1=https://www.verfassungsgerichtshof-saarland.de/verfghsaar/dboutput.php?id=359<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
<br />
|Date_Decided=28.08.2020<br />
|Date_Published=<br />
|Year=2020<br />
<br />
|GDPR_Article_1=Article 6(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR#1a<br />
|GDPR_Article_2=Article 6(1)(c) GDPR<br />
|GDPR_Article_Link_2=Article 6 GDPR#1c<br />
|GDPR_Article_3=Article 6(1)(d) GDPR<br />
|GDPR_Article_Link_3=Article 6 GDPR#1d<br />
|GDPR_Article_4=Article 6(1)(e) GDPR<br />
|GDPR_Article_Link_4=Article 6 GDPR#1e<br />
|GDPR_Article_5=Article 6(3) GDPR<br />
|GDPR_Article_Link_5=Article 6 GDPR#3<br />
<br />
<br />
|National_Law_Name_1=Art. 2 § 3 CP-VO (Verordnung zur Änderung infektionsrechtlicher Verordnungen zur Bekämpfung der Corona-Pandemie vom 8. August 2020)<br />
|National_Law_Link_1=https://corona.saarland.de/DE/service/massnahmen/verordnung-stand-2020-08-08.html<br />
|National_Law_Name_2=§ 32 IfSG in conjunction with § 28 IfSG (Gesetz zur Verhütung und Bekämpfung von Infektionskrankheiten beim Menschen)<br />
|National_Law_Link_2=https://www.gesetze-im-internet.de/ifsg/<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=Oberverwaltungsgericht des Saarlandes<br />
|Appeal_From_Case_Number_Name=OVG 2 B 175/20<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The Constitutional Court of the Saarland holds that the obligation to guarantee contact tracing by means of collection of personal data by private individuals interferes with the fundamental right to data protection. There is no definition of the reason, type, scope and use of the personal information to be collected. The government decree is unconstitutional; a parliamentary law is needed.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
In the Saarland, Art. 2 § 3 CP-VO regulated contact tracing. This tracing serves to interrupt chains of infection. The aim is to find out who may have had close contact with an infected person so that he/she can be placed in (self-)quarantine and tested in order to avoid infecting other people unintentionally.<br />
<br />
Those responsible for catering, cultural facilities and events, indoor playgrounds, church services and funerals, sports and other related events according to Art. 2 § 6 CP-VO, hotels and other accommodation providers as well as prostitution businesses are obliged to record<br />
<br />
- First name and surname,<br />
- Place of residence<br />
- Accessibility<br />
- and the arrival time of one representative of each household present<br />
<br />
and to keep this information. The data must be handed over to the health authorities on request. It is also provided that these data are to be deleted within one month.<br />
<br />
=== Dispute ===<br />
The standard does not lay down any requirements for the organisation of the collection of contact data. In the field of gastronomy, in particular, this often means that subsequent guests can recognise and remember who has visited the establishment before them and how they can be reached via telephone number, e-mail address or postal address. This is a significant interference with the right to data protection.<br />
By recording, storing and possibly also passing on address and contact data, citizens - holders of fundamental rights - could be indirectly deterred from attending certain events or places. Indeed, it can be frightening to think that it is precisely documented, and if necessary reported to the state, from when to when one has visited which restaurant or political, religious or cultural event.<br />
<br />
=== Holding ===<br />
<br />
According to the Constitutional Court of the Saarland, such a far-reaching, serious interference with the fundamental right to data protection cannot be decided by government decree. A parliamentary law is also necessary, because it is not (any longer) a short-term emergency situation, but a regulation which in all probability should apply for longer.<br />
<br />
Furthermore, the Court held that data processing arising in the context of contact tracing could not be based on the legal basis of consent, Article 6 (1) (a) GDPR. In particular, Article 6 (1) (c) GDPR (legal obligation of the controller) and Article 6 (1) (e) GDPR (public interest) do not themselves constitute a legal basis for data processing, but require one. This is already apparent from the wording of Article 6 (3) GDPR.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
Lv 15/20 OF THE CONSTITUTIONAL COURT OF JUSTICE OF THE SAARLANDESB E S C H L U S S IN THE NAME OF THE PEOPLE In the constitutional complaint proceedings brought by Mr M. C., Verfassungsbeschwerdeführer (appellant), interested parties: Ministerium für Soziales, Gesundheit, Frauen und Familie (Ministry of Social Affairs, Health, Women and Family), represented by Ms Monika Bachmann, Minister, Franz-Josef-Röder-Strasse 23, 66119 Saar-Brücken, Germany, represented by M. C., Rechtsanwalt, with an address for service in Luxembourg at the office of Carlos M., lawyer, concerning the order of the Oberverwaltungsgericht des Saarlandes (Higher Administrative Court of Saarland) of 13 December 2003 in Case T-149/02 05.2020 - 2 B 175/20 - the Constitutional Court of Saarland, assisted by the President of the Constitutional Court, Prof. Dr Roland Rixecker, the Vice-President of the Constitutional Court, Prof. Dr Rudolf Wendt, the Constitutional Judge, Prof. Dr Roberto Bartone <br />
Constitutional Judge Thomas Caspar, Constitutional Judge Stefan Crauser, Constitutional Judge Daniela Flasche, Constitutional Judge Michaela Müller and Constitutional Judge Renate Trenz, on 28 August 2020: Article 2 § 3 of the Ordinance of 21 August 2020 amending Ordinances on infection control measures to combat the corona pandemic (Official Gazette 2020 p. 768) is incompatible with Article 2 sentence 2 of the Constitution of Saarland. The provision - and a provision which repeats the provision of Art. 2 § 3 of the Ordinance on Combating the Corona Pandemic of 21 August 2020 (Official Gazette 2020 p. 768) in the same wording or in the same spirit - shall apply with the following proviso until a new regulation is passed by the Saarland state parliament - provided that the federal legislator does not in the meantime pass a regulation on data collection for contact tracing purposes - at the latest until 30 August 2020 (Official Gazette 2020 p. 768). Personal data collected on the basis of these provisions are to be surrendered to the health authorities by the authorities collecting the data - unless there is imminent danger - exclusively on the basis of a court decision for the purpose of preventing the spread of the infection - unless surrender should be permissible on the basis of federal law - upon justified request. The person concerned shall be informed of the request for surrender. He must be granted a prior hearing. <br />
In cases of surrender in the event of imminent danger, the person concerned must be informed immediately afterwards. Otherwise, the constitutional complaint is dismissed. The Saarland shall reimburse the complainant one quarter of his expenses. The value of the object is set at € 20,000. This decision is to be published in the Official Journal of the Saarland. <br />
<br />
Grounds: <br />
<br />
I. 1 In his constitutional complaint lodged on 5 June 2020 - and the associated application for a temporary injunction - the complainant, a lawyer, challenges an order of the Higher Administrative Court of the Saarland of 13 May 2020 - 2 B 175/20 - which rejected his application for suspension of the implementation of provisions of earlier orders of the Government of the Saarland to combat the Corona Pandemic. In the administrative court proceedings, the complainant first applied - before the administrative court - for an order that an action still to be brought by him against a general ruling of the Government of the Saarland to combat the corona pandemic of 18 March 2020 have suspensive effect. The Administrative Court of the Saarland interpreted this application as an application for suspension of the execution of various provisions of the Ordinance of the Government of the Saarland on Combating the Corona Pandemic of 30 March 2020 (Official Gazette 2020, 196), which supersedes this general ruling, and the <br />
proceedings were referred to the Higher Administrative Court of the Saarland. The Higher Administrative Court of the Saarland interpreted the application - most recently after hearing the complainant - as a request for non-enforcement of provisions - § 2, § 3, § 3a, § 4, § 7 - of the Ordinance on Combating Corona Pandemic of 2 May 2020 (Official Gazette 2020, 284). This regulation regulated in its § 2 the obligation to wear a mouth and nose cover. It corresponded to the currently applicable § 2 of Art. 2 of the Ordinance on the Amendment of Ordinances on the Control of Corona Pandemic Infections of 21.08.2020 (Official Gazette p. 768) (CP-VO). Furthermore, it contained provisions on the restriction of contacts in public and private areas (§§ 3, 3a, 4) and on bans on operation and closures of facilities (§ 7), but not always a requirement to ensure contact tracing. In the proceedings before the Higher Administrative Court of the Saarland, the complainant complained of the infringement of his fundamental rights of general freedom of action, the right of personality, the integrity of his person and the freedom to call. The infringements of fundamental rights lack a constitutionally sound legal basis. The prohibitions of contact deprived him of the possibility of social interaction and distraction to a large extent. The obligation to wear a mouth-nose cover is harmful rather than beneficial; there is no evidence whatsoever of any effect in preventing the spread of the pandemic and protection against infection. Nor does the Saarland Government pursue a consistent concept of protection because it treats the coming together of large numbers of people in different situations differently without epidemiologically viable reasons. 2 The provisions of the Ordinance of 2 May 2020 (Official Gazette p. 284), the core of which was originally challenged by the complainant, are now contained - in parts amended - in Article 2 § 2 and § 6 of the Ordinance of 8 August 2020 (Official Gazette p. 738) and - in the meantime - of 21 August 2020 (Official Gazette p. 768) (CP-VO), amending Ordinances under infection law to combat the corona pandemic. <br />
Art. 2 § 6 CP-VO regulates the prohibition of gatherings of more than 10 persons and quantitatively different contact restrictions for meetings, events and assemblies. Art. 2 § 2 CP-VO regulates the obligation to wear a covering for the mouth and nose. According to this provision, a mouth-nose covering "shall" be worn in public places; it must be worn when using public transport, at markets and in shops, when receiving body-related services and in health care facilities (Art. 2 § 2 para. 1, para. 2 CP-VO). Violations of the obligation by those in a position of responsibility are not subject to a fine. However, responsible operators of some of the facilities affected by the obligation may be sanctioned if they fail to enforce the obligation. Art. 2 § 3 CP-VO regulates contact tracing. According to this provision, those responsible for restaurants and other catering establishments, cultural facilities and events, indoor playgrounds, church services and funerals, sports and other events referred to in Art. 2 § 6 CP-VO, hotels and other accommodation providers as well as prostitution businesses are obliged to record the first name and surname, place of residence and accessibility as well as the time of arrival of a representative of each of the households present, to keep the information and to hand it over to the health authorities on request. It is also provided that these data will be deleted within one month. (3) The Higher Administrative Court of the Saarland rejected the application for annulment of the provisions of the regulation on combating corona pandemic. In support of its application, the Court stated that the decision was not "urgent" in order to avoid serious disadvantages or for other important reasons. The rules on the obligation to wear a mouth-nose cover are - for the time being - based on a sufficient <br />
authorisation in §§ 28, 32 IfSG. These provisions of the IfSG also permit protective measures whose affected persons are "non-infectious", i.e. not infectious themselves. In view of the dynamics of the infection, the order to wear a mouth and nose cover is a suitable, necessary and proportionate accompanying measure to combat the pandemic and its possible effects on the burden on the health system and the health of everyone. In a situation characterised by uncertainties and constantly changing knowledge, the legislator should also be given scope to assess the chosen measure at the current stage of development. This also applies to the contact restrictions of - at that time - § 3 CP-VO. (4) The complainant objects to this in his constitutional complaint, with which he combines an application for a temporary injunction. First, he alleges infringement of his right to justice and of the fundamental right to an arbitrary decision. Although the Higher Administrative Court indicates that it has doubts as to whether the challenged provisions do not require parliamentary authorisation, it ignores these concerns. The provisions of the IfSG do not permit action against "non-disturbers". Furthermore, the Higher Administrative Court had completely ignored its submissions - including its submissions of evidence - on the unsuitability and ineffectiveness, indeed harmfulness, of the obligation to wear a mouth and nose cover. In addition to his general freedom of action - as he stated in the grounds of his application to the Constitutional Court for the non-execution of Article 2 § 3 of the Regulation - the regulations on the restriction and follow-up of contact also affect his "right to informational self-determination". <br />
5. The party concerned considers the constitutional complaint to be inadmissible, but in any case unfounded. The complainant could reasonably be expected to seek redress for his fundamental rights complaint in the proceedings before the Higher Administrative Court on the substance of the case. For there the actual, above all virological and epidemiological bases of the course taken by the legislature could be clarified. Moreover, the constitutional complaint is also unfounded - for the correct reasons of the challenged decision. The obligation to wear a mouth-nose cover was - not least in view of the legislature's scope for assessment - constitutional. Authoritative scientists have confirmed its usefulness, as has the WHO, which has since abandoned its originally critical position. To the extent that the complainant contested the provisions on contact tracing, he had not lodged any constitutional complaint. Article 2(3) of the CP-VO finds a sufficient legal basis in Paragraph 32 of the IfSG in conjunction with Paragraph 32 of the CP-VO. § Paragraph 28 of the IfSG. The provision is a sufficient legal basis within the meaning of the DSGVO - in particular Paragraph 6(1)(c), (d) and (e) of the DSGVO - for the collection and processing of contact data. No parliamentary authorisation is required. 6 The Constitutional Court has given the Independent Data Protection Centre of the Saarland - State Commissioner for Data Protection and Freedom of Information - the opportunity to submit its comments. The Land Commissioner stated, with transmission of a discussion among the data protection commissioners of the Federal Government and the Länder In view of the urgency of the regulations, the data protection commissioners had limited themselves to calling for a data protection-friendly arrangement for the collection and transmission of personal information for contact tracing purposes. 
There was no uniform opinion of the data protection officers on the question of sufficient legal authorisation for the collection and processing of contact data. However, there would be <br />
doubt whether § 32 IfSG in conjunction with § 28 IfSG contains a constitutionally sufficient power to issue regulations because the content, purpose and extent of the power to legislate with regard to the collection of contact data cannot be inferred from these provisions. The current wording of Article 2(3) of the CP Regulation is also inadequate, since it does not contain sufficiently clear rules on the handling of the data, in particular as regards their retrieval by the health authorities. 7 The constitutional complaint procedure was suspended from its beginning until 26 July 2020 pursuant to Article 61 (4) of the Constitutional Act because the complainant had lodged a constitutional complaint with the Federal Constitutional Court and withdrawn it in a written statement of 26 July 2020 sent to the Federal Constitutional Court. Subsequently, on 12 August 2020, he extended his constitutional complaint to a complaint of unconstitutionality of Article 2, section 2, subsection 2, nos. 1 to 4, section 3, subsection 1, nos. 1 to 7 and section 6 of the CP-VO (Ordinance of 24 July 2020, Official Journal 678). 8. Following the replacement of the Ordinance of 8 August 2020 by the Ordinance of 21 August 2020, the complainant stated that his constitutional complaint was now directed against the provisions of this currently applicable standard which are identical in content. II. A. The constitutional complaint is only partially admissible. 1 The constitutional review procedure is opened pursuant to § 9 no. 13 of the Constitutional Act. 2 The complainant may lodge a complaint as a holder of fundamental rights. <br />
3. the constitutional complaint is - directly - about the challenged decision of the Saarland Higher Administrative Court of 13 May 2020, which is an act of sovereign authority, on the refusal of interim legal protection through the non-execution of Article 2 § 2 Nos. 1 to 4, § 3 para. 1 Nos. 1 to 7 and § 6 of the Ordinance of 2 May 2020. At the same time, however, the complainant indirectly objects - as can be seen from a prudent interpretation of his action, taking into account the amendments to the Ordinances, including the change in the numerical designation of their individual provisions in the course of the proceedings conducted by the complainant - to the provisions of Article 2 of the Ordinance of 8 August 2020 amending Ordinances on infection control measures to combat the corona pandemic (Official Gazette p. 738), some of which are new and some of which are repetitive. 4 The complainant, who, according to the interpretation of his request for interim relief against the refusal to grant interim relief - namely the non-implementation of Article 2 § 2 Nos. 1 to 4, § 3 (1) Nos. 1 to 7 and § 6 of the Ordinance in the version of 2 May 2020 (Official Gazette p. 738) - is not in a position to rely on the provisions of Article 2 of the Ordinance. 2020 - as well as against the provisions of the applicable CP-VO itself, has plausibly claimed - unless his constitutional complaint is inadmissible for lack of sufficient grounds - that his fundamental rights guaranteed by the Constitution of the Saarland, namely general freedom of action (Article 2 sentence 1 of the Basic Constitutional Law), data protection (Article 2 sentence 2 of the Basic Constitutional Law) and his right of personality (Article 2 sentence 1 in conjunction with Article 1 sentence 1 of the Basic Constitutional Law) have been violated. 
Such a violation cannot be ruled out. If he claims that the Higher Administrative Court of the Saarland has violated his right to justice, the fundamental right to effective legal protection and the prohibition of arbitrariness, he is not entitled to file a complaint. The question whether the measures which he <br />
contested encroachments on fundamental rights required a parliamentary legal basis, the Higher Administrative Court was allowed to leave open the procedure for interim relief in view of the applicable standards of review. For the same reason, it did not have to pursue the complainant's submissions of evidence regarding the effect of a mouth-nose cover. 5) The legal remedy of interim relief has been exhausted. 6) The constitutional complaint does not conflict with the principle of subsidiarity either. Contrary to the view of the parties involved, the constitutional complaint also extends to Article 2 § 3 of the CP Regulation in the currently applicable version of the provision. In his constitutional complaint, the complainant himself only attacked the provisions on contact restrictions. However, in his written statement of 11 August 2020, received on 12 August 2020, he extended his constitutional complaint to newly worded standards and raised further fundamental rights complaints. Moreover, the following applies: Completely irrespective of whether the fundamental rights complaint could be remedied by a decision of the Higher Administrative Court of the Saarland on the application for review of the standards - which the complainant has not yet filed, as far as can be seen - the complainant is affected by the refusal of interim relief himself - "day by day" so to speak - without this being affected by a subsequent decision on <br />
a request for review of a standard could be reversed. The - alleged - infringement of its fundamental rights is therefore already based on the rejection of interim relief under Section 47(6) VwGO. However, constitutional legal protection is in principle also denied if a complainant has not made the fundamental right he claims to have violated the subject of the examination in the specialised court proceedings. This applies to the "right to informational self-determination", to which he only referred in the constitutional court proceedings with regard to Article 2 § 3 CP-VO. Initially, the regulations on contact restrictions and closures of businesses under the then regulations were already the subject of the proceedings before the Higher Administrative Court of the Saarland in their entirety from the point of view of the infringement of general freedom of action. Since the Higher Administrative Court of the Saarland, in the contested decision, left aside the complainant's complaint from the outset that the provisions of the various ordinances lacked a viable formal legal basis in interim legal protection proceedings - understandably and in accordance with the case-law of other Higher Administrative Courts - despite obviously considerable reservations, the complainant cannot reasonably be expected to seek interim legal protection under Paragraph 47(1) again solely on the grounds of the lack of parliamentary authorisation. 6 VwGO. However, the Higher Administrative Court of the Saarland was unable to deal with the requirement of contact tracing in view of the legal situation existing at the time of its decision. Even in this respect, however, the complainant cannot be expected to apply again for legal protection - at least for interim relief - in the first instance. The requirements of substantive subsidiarity may be waived if the constitutional court decision of <br />
dependent on no further factual and legal clarification and if it is of general significance or if the complainant were to suffer a serious and irreversible disadvantage, he would first be referred to the specialised courts (BVerfGE 79, 275, 279; 86, 14, 22; Lenz/Hansel, § 90 marginal no. 492). <br />
This is the case. The constitutionality of Article 2 § 3 CP-VO does not require any clarification of factual or legal circumstances determining its interpretation and application. Their examination may provide clarity in a large number of similar cases beyond the individual case - also in view of current discussions on the scope of access to contact data. 6 The constitutional complaint is inadmissible to the extent that it challenges the denial of urgent legal protection against Art. 2 § 6 CP-VO - and thus the constitutionality of this provision itself. In this respect, it lacks the necessary justification (§ 16.1 sentence 2 of the Constitutional Act). However, this does not result from the fact that the complainant refers primarily to fundamental rights of the Basic Law, which are not subject to review by the Constitutional Court (see, however, VerfGH Beschl. v. 10 January 2008 Lv 4/07). For it follows from a summary of his observations on the constitutional complaint and on the application for a temporary injunction that he essentially wishes to censure the infringement of fundamental rights of the constitution of the Saarland. The statement of grounds for a constitutional complaint which is directed against a judicial decision may not, however, be satisfied with a repetition of the content of the challenged judicial decisions and a general critique of it. Rather, it must deal with the constitutional assessment of the facts and demonstrate in a sufficiently substantiated manner that a violation of fundamental rights appears possible (BVerfG Order of 10 September 2019 1 BvR 1905/14 with further references). The simple assertion of a <br />
No infringement of fundamental rights. Rather, there is a need for a specific argumentative debate on the question of the reasons for which the fundamental rights requirements are to be infringed. Art. 2 § 6 CP-VO contains, in addition to the general prohibition of "gatherings" of more than 10 persons without a fine, provisions on events, meetings and assemblies. They deviate considerably from § 3a of the regulation applicable from 2 May 2020, which the complainant made the original object of his request for urgent legal protection before the Higher Administrative Court. In this respect, the following applies to the procedure of abstract review of a statute: If the content of the statute changes during the procedure, the provision nevertheless remains subject to review by the constitutional court if the change is not substantial or if the applicant extends his request for review to the new version (BVerfGE 110, 33 (45) = NJW 2004, 2213; BVerfGE 6, 104 (110) = NJW 1957, 379; BeckOK-BVerfGG/Karpenstein, § 72 marginal no. 37; Hörnig/Wolf in HK-BVerfGG § 72 marginal 6). Nothing else can apply - albeit in compliance with the principle of subsidiarity - if the essential subject of a constitutional complaint is the validity of a norm. Otherwise, it would not be difficult for the legislator to continue to deprive the legal protection possibilities affected by the content of a legal provision of its substance by making even slight changes to a legal provision or, as in the present case, by timing the temporal validity of ordinances - as such, quite understandable and compatible with fundamental rights. However, this does not exempt a complainant from the need to give reasons relating to changed regulations. In view of the large number of different "meetings" of people covered by Article 2 § 6 of the CP Regulation, it is therefore not sufficient for the complainant to complain that the legislator's concept of protection is inconsistent. 
On the contrary, he should have put forward reasons for this which are related to the various fundamental rights affected by Article 2 § 6 of the CP Regulation - general freedom of action, freedom of belief and religion and freedom of assembly -, the intensity of the interference and <br />
the weight of the protection interest pursued in each case. This has not been done. Nor has the complainant provided any further details of a - not unimaginable - violation of the principle of equality, which could, for example, raise the question of why participation in funerals is more severely restricted than participation in a preceding funeral service. Insofar as the complainant deals with the obligation to follow up contacts at such meetings and events, his constitutional complaint is sufficiently well-founded, but refers to Art. 2 § 3 CP-VO.<br />
7 The constitutional complaint has been lodged in due time - also to the extent that it now - under 12 August 2020 - complains of a violation of Art. 2 § 2, § 3 and § 6 CP-VO. However, a constitutional complaint against a judicial decision pursuant to § 56 (1) of the Constitutional Act must be lodged within a period of one month from the notification or announcement of the challenged decision. If the deadline for lodging the constitutional complaint was between 14 and 21 May from the date of notification or announcement of the challenged decision of the Higher Administrative Court - this deadline could also have expired for the complaints lodged on 12 August 2020 (cf. Lenz/Hansel, BVerfGG § 93 paras 11 to 13, loc. cit. BVerfGE 124, 235, 242). However, this is not the point. Since the constitutional dispute proceedings had been suspended by law (§ 61.4 of the Constitutional Act), the one-month period did not (re)begin until 26 July 2020. It is true that the Constitutional Act itself - just as little as the BVerfGG - does not regulate the legal effects of the suspension of the constitutional complaint procedure on the course of time limits. Therefore, general principles of procedural law must be applied. They provide in § 249.1 of the Code of Civil Procedure that a statutory period of time shall once again run in full after the end of the suspension of the proceedings. <br />
The extension of the constitutional complaint to the complaints now being pursued is therefore within the prescribed period. B. 1. a. The order in § 2.2 of the CP-VO to wear a mouth and nose cover when using local public transport, in certain parts of public space and in medical treatment facilities affects the complainant's general freedom of action under Article 2 sentence 1 of the SVerf. Although the provision is not subject to a fine (Article 2 § 15 CP-VO), it contains an obligation under infection protection law, compliance with which can be enforced by regulatory means and which deprives the complainant of free and unencumbered participation in numerous goods and services. By requiring the covering of part of his face and - even if only minimal - changes to his voice, it also encroaches on the scope of protection of the right to privacy guaranteed by Article 2 sentence 1 in conjunction with Article 2 sentence 1 of the Basic Law. Art. 1 sentence 1 of the Basic Constitutional Law. b. The restrictions of fundamental rights in Article 2 § 2 CP-VO are based on a - to that extent - constitutional law. The legal basis of Art. 2 § 2 CP-VO is §§ 28, 32 IfSG. They allow the legislator to take the necessary protective measures in cases where a sick person, suspected or infected person or a person who has been eliminated - of a notifiable pathogen such as the Sars-CoV-2 virus - is identified, insofar and for as long as this is necessary to prevent the spread of transmissible diseases. Contrary to the opinion of the complainant, the Higher Administrative Court of the Saarland rightly assumed that the protective measures permitted by §§ 28, 32 IfSG should also be applicable against "non-disturbing persons", <br />
also against even those who are not ill, suspected or infected and those who are eliminated. The very wording of the law does not limit the powers of intervention to a potentially "dangerous" group of persons. The system of § 28 para. 1 IfSG shows (as do other provisions of the IfSG, such as § 33 IfSG) that the protective measures taken, for example at events or in institutions, necessarily include persons who are not themselves ill or suspected of being ill or infected. This is also in line with the purpose of the standards, which are intended to prevent the further spread of transmissible diseases to previously uninfected persons. Measures under infection protection law must therefore - even typically - cover "non-infected persons" (as Lindner convincingly states in Schmidt, Covid-19, § 16 marginal no. 60 with further details). Whether the power of § 32 IfSG to issue ordinances pursuant to Art. 80 para. 1 GG authorises all measures taken by the Saarland's legislature (and those of other federal states), or whether regulations which, over and above a temporary restriction of fundamental rights of a particular rank - such as freedom of belief and religion, freedom of assembly, freedom of movement, freedom of movement or freedom of occupation - allow fundamental rights to be encroached upon with weight for months on end, require a formal - parliamentary - statutory regulation, is open to question (cf. in this respect, the decisions of the Constitutional Court of Brandenburg 3 June 2020 VfGBbg 9/20eA BeckRS 2020, 11248 marginal no. 41; VGH Mannheim 5 June 2020 1 p. 1623/20 BeckRS 2020, 11786 marginal no. 35, playfully addressing the question). In this respect, the regulation is not permissibly challenged. 
In view of the principle of the rule of law and the requirement of democracy, the reservation of the law requires that the legislator has to take all essential decisions in fundamental normative areas itself and may not leave them to the action and decision-making power of the executive. The obligation to regulate by parliament does not only concern the question of whether a certain subject matter must be regulated by law at all, but also the extent to which these regulations must go into detail. This depends on the respective subject area and the nature of the subject matter concerned <br />
(see only inter alia BVerfG, 27 November 1990 - 1 BvR 402/87 -, juris, recital 39; 24 September 2003 - 2 BvR 1436/02 -, juris, recital 67 et seq. N.). Laws which empower to issue statutory orders and statutes may also satisfy the requirements of the reservation of the right to legislate. However, the essential decisions must be taken by the parliamentary legislator itself (cf. Münster Higher Administrative Court on the nationwide operating ban on retail outlets CoVuR 2020, 423). The complainant - in so far as he challenges the obligation to wear a mouth-nose covering - objects to a comparatively minor restriction of his general freedom of action under fundamental rights and his right of personality, which is temporary in the course of the day and does not require any significant effort and which the Higher Administrative Court rightly described as "inconvenience". The encroachment on a fundamental right thus concerns a burden limited in time to a small fraction of a day in certain situations which do not even necessarily occur on an everyday basis. The material, form and price of an "everyday mask" can be determined by each person concerned. The same applies to the duration of the exposure. The fundamental right complaint is therefore not of such weight that its imposition would be so "essential" for the exercise of general freedom of action and personal rights that it would require detailed formal legal regulation. c. The Higher Administrative Court of the Saarland has stated unreservedly correctly and with a statement of reasons which carefully and accurately takes account of the constitutional requirements, that the encroachment on the fundamental right of general freedom of action and the right of personality associated with the "duty to wear a mask" is proportionate, since the regulation is limited in time, it does not extend to the private sphere and only imposes minor burdens on the wearer in a few short-term everyday situations. <br />
aa. The obligation to wear a mouth-nose cover pursues a legitimate aim, namely the protection of third parties from the possible viral load of the obligated person when breathing out, sneezing or coughing, and the protection of society as a whole from the consequences of an expansion of the pandemic. Insofar as the complainant appears to have doubts as to whether Sars-Cov-2 is a serious threat to public health at all, which is not comparable to the annual waves of virus infection, the following applies: On the one hand, it is constitutionally completely irrelevant whether there are also other dangers which pose a lasting threat to public health and which lead to less burdensome state measures or have led to them in the past. Obligations of the state to protect against a certain health hazard do not cease to apply if at some point in time it was unable to comply with them in respect of other or even all health hazards for reasons of fact or law, or cannot comply with them all at present. It is also subject to the fundamental prerogative of the state bodies responsible for this under the constitution - the parliament and the government - to decide which threat is of a special weight requiring special measures. Apart from this, however, it is obvious that, if one takes a reasonable view of global events, Sars-Cov-2 is not comparable with other viral campaigns due to the lack of instruments for prevention, alleviation or even cure. The commitment represents a fundamentally appropriate measure to achieve this goal. Although the complainant argues, citing sources whose scientific reliability has not been proven, that the wearing of a mouth and nose cover is unsuitable for reducing the risk of infection, it may even be detrimental to his own health. <br />
Insofar as scepticism about the order to wear a mouth-and-nose covering could be inferred from individual fundamentally valid voices - for example that of the virological advisor to the government of the Kingdom of Sweden, Tegnell (cf. various reports in the media of 9/10 August 2020), a closer look at the actual explanations is required: It goes without saying that wearing a mouth-nose-cover is not "the solution to the problem" (Tegnell), and that a false sense of security must be counteracted simply by wearing a mask. However, this also applies to hand hygiene, which the complainant himself declared to be important. The only decisive factor is whether such a measure can make a - possibly small - contribution to containing or preventing infectious devastation. In so far as the complainant claims that the material of the mouth-nose-coverings may itself contain harmful contents, that the mask itself is harmful if used improperly over a long period of time and that it is counterproductive if enriched with harmful substances, his arguments are not supported from the outset. It is up to each person to procure suitable mouth-nose-coverings and use them properly. Art. 2 § 2 CP-VO does not prescribe any specific material for the mask; detailed instructions, accessible to everyone, explain correct use. In so far as specific health reasons urgently advise the complainant, from an objective medical - to be certified - point of view, to refrain from even temporary wearing of a mouth-nose cover, he is in any case released from the obligation under Art. 2 § 2 CP-VO. Moreover, the - serious - scientific community is very largely of the opinion that although the wearing of a mouth-nose-cover does not prevent infections with corona viruses and direct self-protection has not been proven, it is nevertheless suitable for containing the spread of the pandemic, so that the institutions of the state and society, especially the health system, are able to cope with it.<br />
20tem, to protect others and thus indirectly also the wearer himself, thus helping to prevent the need for future restrictions on fundamental rights. This follows first of all from statements by the Robert Koch Institute as the national authority established by the legislator for the prevention of transmissible diseases and for the early detection and prevention of the further spread of infections (§ 4 para. 1 IfSchG). In a statement of 15 July (https://www.rki.de/SharedDocs/FAQ/NCOV2019/FAQ_Mund_Nasen_Schutz.html), it is stated: "The Robert Koch Institute (RKI) recommends the general wearing of a mouth-nail cover (MNB) in certain situations in public spaces as a further element in order to protect risk groups and to reduce the pressure of infection and thus the speed of spread of COVID-19 in the population. This recommendation is based on studies showing that a certain proportion of SARS-CoV-2 transmissions go unnoticed, i.e. at a time before the first signs of the disease appear. A partial reduction of unnoticed transmission of infectious droplets by carrying MSNB could contribute to a further slowing down of the spread at population level. This concerns transmission in public places where several people meet and stay for a longer period of time (e.g. workplace) or where the physical distance of at least 1.5 m cannot always be maintained (e.g. shopping situation, public transport). The wearing of MNBs in public spaces can be effective in reducing transmissions, especially if as many people as possible participate. Wearing an MNB helps to protect other people from fine droplets and particles that are ejected, e.g. when speaking, coughing or sneezing (foreign protection). The first scientific evidence of this protection by MNBs has now become available". This corresponds to the second ad-hoc statement of the National Academy Leo-poldina of 03.04.2020 (available at www.leopoldina.org Publications), in which it is stated <br />
"1.1. Mouth-nose protection reduces the transmission of viruses, above all by reducing the droplet infection. 2 Since a large number of undetected patients move around in public places without symptoms, mouth-nose protection protects other people, thus reducing the spread of the infection and indirectly lowering the risk of self-infection. Mouth and nose protectors are also used for self-protection to a limited extent. A gradual relaxation of restrictions should therefore be accompanied by the widespread use of mouth-nose protection. This applies to the entire public space, including in businesses, educational institutions and in local and long-distance public transport...". This also corresponds to international scientific findings and recommendations. The centres of disease control and prevention of the United States Supreme Health Authority have pointed this out - with numerous other references to scientific publications and research results (https://www.cdc.gov/coronavirus/2019-ncov/prevent-getting-sick/cloth-face-cover-guidance.html - with numerous other references from the scientific literature under "recent studies"): In an editorial published today in the Journal of the American Medical Association (JAMA), CDC reviewed the latest science and affirms that cloth face coverings are a critical tool in the fight against COVID-19 that could reduce the spread of the disease, especially when used universally within communities. There is increasing evidence that cloth face coverings help prevent people who have COVID-19 from spreading the virus to others. "We are not defenseless against COVID-19," said CDC Director Dr. Robert R. Redfield. "Cloth face coverings are one of the most powerful weapons we have to slow and stop the spread of the virus - especially when used universally within a community setting. All Americans have a responsibility to protect themselves, their families, and their communities." 
(https://www.cdc.gov/media/releases/2020/p0714-americans-to-wear-masks.html) <br />
In view of these comments, the regulation affected by Art. 2 § 2 para. 2 CP-VO - the suitability of which is in any case subject to the government's prerogative of assessment, which can only be controlled to a limited extent by the courts - is a suitable measure to combat the spread of the pandemic and the consideration owed to each other in social coexistence. <br />
cc. The obligation to wear a mouth-nose cover is also a necessary means of combating the spread of the pandemic. An equally effective milder means is not evident - taking into account the government's prerogative of assessment in this respect. In view of the conflicting interests, the imposition of the duty is also appropriate. The fundamental right of appeal is low. The wearing of a mouth-nose cover is not suitable to decisively deter the person obliged from exercising fundamental freedoms. The obligation is strictly limited in time, requires little effort and can essentially be regarded as annoying and unpleasant, but does not lead to significant restrictions on freedom of movement and development. On the other hand, it contributes to averting significant threats to the life, health and freedom of all as well as the functioning of state and social institutions. 2 Insofar as the complainant objects, with still sufficient justification, to the obligation to guarantee contact tracing under Art. 2 § 3 CP-VO, the following applies: The norm is not compatible with Art. 2 sentence 2 of the constitution of the Saarland. <br />
a. Admittedly, the provisions on contact restrictions, which also include those on contact tracing, do not lead, as the Higher Administrative Court has quite rightly recognised, to an (indirect) encroachment on physical and psychological integrity in the sense of health well-being and thus not to an encroachment on the fundamental right to physical integrity - not expressly guaranteed by the constitution of the Saarland but arising from Article 1, first and second sentences of the Basic Constitutional Law. For the constitution protects the physical - physical as well as psychological - integrity. It does not protect the general well-being in the sense of happiness, satisfaction and quality of life. However, the provision does affect the scope of protection of the fundamental right to data protection under Article 2 sentence 2 of the Basic Constitutional Law. The fundamental right guarantees the individual's right to decide for himself or herself whether, when, to what extent and to whom he or she discloses his or her personal data or permits their processing, because individual self-determination as a guarantee of the right to free development of the personality, which is also based on the guarantee of human dignity, presupposes that the individual has freedom of decision on the attribution of behaviour and events to his or her person, not only under the conditions of modern information processing. Anyone who is not able to oversee with sufficient certainty which information concerning him/her will become known in certain areas of his/her social environment and who is not able to assess the knowledge of possible communication partners to a certain extent, can be considerably inhibited in his/her freedom to plan or decide on the basis of his/her own self-determination. At the same time, the fundamental right is intended to counteract any intimidation effects (Constitutional Court, judgement of 21 January 2020 rev. 15/19 with further references; cf. 
above all BVerfGE 115, 320 (341 f.); BVerfGE 113, 29 (46); basic BVerfGE 65, 1 (42 f.)). The obligation to state name, address, availability (by telephone or other means), and the obligation to be available for the purpose of contact tracing <br />
Personal data is collected and processed at the time of visiting the named facilities and events. b. However, the regulation does not oblige the complainant - and other holders of fundamental rights - to do so themselves, and thus does not directly interfere with the fundamental right to data protection. However, the requirement that the persons responsible referred to in Art. 2 § 3 (1) CP-VO to "obligingly guarantee" contact tracing by collecting and storing personal data for a limited period of time may indirectly prevent holders of fundamental rights from visiting these facilities and events - above all restaurants, hotels, church services, sporting and cultural events. An encroachment relevant to fundamental rights must also be assumed if regulations are able to indirectly influence the behaviour of a person entitled to fundamental rights in such a way that he or she can be deterred from exercising the fundamental right, if the "influencing effect" of the regulation (Kloepfer, Verfassungsrecht, Volume II, § 51 marginal no. 27) is thus the functional equivalent of an imperative intervention (BVerfGE 116, 202/222 with further references; cf. general Jarass/Pieroth, GG, 16th ed. 2020, prev. before Article 1 marginal 27 et seq.) This applies to Art. 2 § 3 CP-VO. This provision affects the fundamental rights of general freedom of action (Art. 2 sentence 1 of the Basic Constitutional Law) and, above all, the protection of personal data (Art. 2 sentence 2 of the Basic Constitutional Law) in a way that amounts to a final encroachment. The legislator uses the responsible persons named in Art. 2 § 3 CP-VO as tools to meet the - legitimate - purpose of combating the pandemic by identifying possible infection chains and courses of infection and warning persons who may be affected. 
It wants to record - in an understandable and comprehensible manner - the personal contact data of visitors to facilities and events in order to warn them and to be able to take measures for their protection and the protection of third parties. Those responsible must collect and store the information of the persons concerned and hand it over to the health authorities on request if they want to <br />
avoid a fine (or even interference with commercial law). As a result, the persons concerned are in fact only able to refrain from visiting - for example - restaurants or church services or to disclose precisely this visit in relation to the person and time and not only to provide the name, address and (telephone or electronic) availability to the person responsible, but also to make this data available to the state. The collection of personal information has a considerable weight. Irrespective of the purpose which can only be deduced by interpretation (the regulation does not explicitly state the reasons which may entitle the health authorities to demand surrender of the data), those entitled to fundamental rights are obliged not only to disclose their contact data in the area of visiting restaurants, but also to document when they attended - for example - which church services and which other events and meetings they attended at a certain time. According to current practice, this not only means that those responsible and health authorities can have access to such data. The lack of a normative structure for the collection of contact data makes it much more possible - especially in the area of gastronomy - that subsequent guests can recognise and remember who has visited the company before them and how they can be reached via telephone number, e-mail or address. Art. 2 § 3 of the CP-VO, in its current open form, thus indirectly forces private third parties to disclose their own contact data and conduct, without the slightest indication of a purpose under infection protection law. Art. 2 § 3 (3) CP-VO thus also contains a lower level of protection which the state must grant to affected persons vis-à-vis third parties if it has a <br />
contact data collection. This obligation to "data protection" also includes normative precautions to keep the disclosure of personal information that may be required under infection protection law secret from the eyes of third parties. This also contributes to the weight of the indirect intervention. Furthermore, it is also important to note that the blanket reference in Art. 2 § 3 CP-VO to "events" under Art. 2 § 6 CP-VO is unclear and does not make it clear to those responsible or to those affected by fundamental rights whether contact tracing is also meant at meetings (which can also be included under the term "event" referred to in Art. 2 § 3 CP-VO) or when visiting legislative bodies or courts. According to Art. 2 § 6 CP-VO, the latter are excluded from the scope of this provision only to the extent that it concerns their "right to organise themselves". This, however, initially only means that their deliberations, negotiations and decisions are themselves covered by the regulatory area which is not accessible to the executive by regulation anyway. A government is not entitled to regulate (even negatively) how a parliament organises itself by regulation. It is at least unclear whether the "public" is also exempted from the regulation - i.e. whether there are no quantitative limits and no contact details are collected - which may be the starting point for the practice of the courts in particular. This in turn could lead to a situation where parliaments and courts would be obliged to collect contact details of the participating public. In this way, the public could - de facto - be affected by negotiations of statutory bodies or courts, and thus a central element of a transparent liberal democracy and a constitutional state. This may not be meant or intended, but the wording and possibly also the purpose of the provision do not exclude it. Nothing else applies to the exception for certain political events, which is regulated in Art. 2 § 6 CP-VO. 
It is true that Art. 2 § 6 (6) sentence 2 CP-VO stipulates that <br />
the regulations of Art. 2 § 6 CP-VO exclude the "activity of parties and groups of voters". However, this does not change the fact that these are "events" within the meaning of Art. 2 § 3 CP-VO, which refers to Art. 2 § 6 CP-VO in a general sense. On the other hand, political and ideological events of a religious nature are conceivable which do not constitute an "activity" of a political party or group of voters. The obligation to provide data can therefore also result in citizens staying away from such events. This also underlines the functional equivalence of the provision to an imperative intervention, irrespective of why only political parties and groups of voters are excluded from the regime of Art. 2 § 3 and § 6 CP-VO in the political sphere. In any case, the provision also harbours the danger - even if this may certainly not be the intention - that profiles of the movements and personalities of holders of fundamental rights can be drawn up without procedural regulations being made at the same time to prevent abuse. The collection and tracing of contact data makes it possible, as difficult as it may be to find out where and when the persons concerned have been, if and how often they have visited restaurants and bars, if and how often they have attended church services and which social or political meetings they have attended. There is therefore no question that Art. 2 § 3 CP-VO thus encroaches on the fundamental rights of citizens. c. The interference is not justified - on the basis of the current regulation. It lacks a viable legal basis. aa. Any encroachment on the fundamental right to protection of personal data requires a generally formal, parliamentary (cf. most recently VerfGH 21.01.2020 <br />
Lv 15/19 under B 3 c) Authorisation, which regulates the personal data to be collected as such, the reason and the specific purpose of the collection, the type and duration of the storage as well as its deletion in a clear and defined manner and observes the principle of proportionality (see most recently BVerfG 27.05.2020 1 BvR 1873/13 and others; BVerfGE 65, 1ff (44 ff., 151 ff.)). This alone is missing.<br />
<br />
bb. The IfSG does not contain any such authorisation. The power to "take the necessary protective measures" resulting from § 28, § 32 IfSG alone is too vague - in any case for the general-abstract encroachment on the right to informational self-determination. Art. 2 § 3 CP-VO is - apart from the fact that the provision contains only rudimentary regulations on the purpose of data collection and the handling of data - only executive law. cc. An exception to the formal requirements for an encroachment on the fundamental right to data protection is not required because they have been developed on the basis of the risks of automated data processing. The development of digitisation does indeed show a particular risk potential of encroachment on the fundamental right to data protection. However, it does not exempt the parliamentary legislator from making sufficiently specific regulations for the procurement and use of personal information in cases of data collection in the "analogue" world. Art. 2 sentence 2 SVerf does not differentiate between automatically processed and non-automatically processed data. Moreover, it cannot be denied that information initially documented by hand can be digitised at any time - as the innovative development of an app for guest lists by a Saarland company (Saarbrücker Zeitung of 21 August 2020 A 7) shows - and can thus also be made accessible to the dangers of automated data processing without the data subject being aware of this or being able to counteract it. <br />
dd. The requirement of a parliamentary legal basis is also not a dispensable mere formality. Whereas regulations such as those for combating the corona pandemic are drawn up, discussed and adopted essentially internally by the executive until they are published, and citizens are thus confronted with the completed and applicable regulation, a parliamentary law ensures that the pros and cons are debated before the public forum and is thus an essential element of representative democracy. Therefore, in an emergency situation, where short-term action by a government appears imperative, the regulation on the basis of a sufficiently specific authorisation may be a necessary and important instrument of governance. However, the longer the fundamental rights of citizens are encumbered, the more important it becomes to leave the regulation of their foundations and limits to the parliamentary legislator, who is in any case originally responsible. ee. The collection of data is not justified by the "consent" of those concerned. Even if one were to assume in each case that those concerned should formally agree to the provision of their contact details in the interest of the matter, such consent does not justify the collection of data because it could only be refused at the price of denying them the opportunity to participate in social, political and religious life. For this reason, the constitutional court has clearly denied the constitutionally not dissimilar question of whether the general prohibition of smoking in restaurants and bars is opposed to the fact that guests voluntarily visit "smoking restaurants and bars", with the justification - also in the case of dispute - that such a view would lead to the de facto exclusion of citizens from participation in social interaction. Contrary to the view of the parties involved, Art. 6 DSGVO does not constitute sufficient authorisation. <br />
That follows, first of all, simply from the fact that the regulation does not even mention Article 6 of the DSGVO as the legal basis for its adoption. However, under Article 104 SVerf, which corresponds to the second sentence of Article 80(1) of the Basic Law, the legal basis of a statutory regulation must be stated in the regulation itself as a precondition for its validity. This is already missing. Moreover, it would constitute a fundamental misunderstanding of Article 6 of the DSGVO if one were to regard it as an arbitrary power, independent of legal form, to collect data under the conditions specified therein. Article 6 of the DSGVO limits the power to collect data; it does not grant it. Article 6 DSGVO regulates the lawfulness of the processing of data. The first sentence of Article 6(1) lays down seven different conditions under which it is permitted. In addition to the existence of the consent of data subjects (lit. a), other important conditions in the event of a dispute are the fulfilment of a legal obligation to which the controller is subject (lit. c), the need to protect the vital interests of data subjects or third parties (lit. d) or the need to perform a task in the public interest (lit. e). However, these conditions of legality, mentioned by way of example, do not at the same time constitute the basis for intervention, but require a special norm under Union law or Member State law which provides for or permits the collection of data as such - within the limits of Art. 6 DSGVO (cf. only Kühling/Bucher, DSGVO, Art. 6 marginal no. 78; BeckOK-DSGVO/Wolff/Brinck Art. 6 DSGVO marginal no. 14). This can be inferred first of all from Article 6(3) DSGVO itself, which, precisely with regard to the conditions of lawfulness in letters c and e of paragraph 1, refers to the sources which may determine the "legal basis" for the processing and provides further details on them. 
If the legal basis were Article 6(1), first sentence, (c) and (e) themselves, there would be no need for that provision or it would have to be formulated as an additional condition of lawfulness. It follows - for example - further from recital 45 of the DSGVO. According to this recital, the processing of data for the performance of a task in the public interest is subject to the following conditions<br />
It is in the interest of the data subject not only to ensure that these conditions are substantively met, but also that there is a legal basis in Union law or in the law of the Member States for processing - which must then comply with the limitations of Article 6 of the DSGVO. Even if recital 41 of the DSGVO points out that the Member States are free to regulate the specific form of legal bases for the collection of personal data, this shows first of all that such legal bases are needed as standards of authority for the collection of data itself. At the same time, recital 41 of the DSGVO makes it clear that the form of the authorisation - formal law or regulation - is determined by the constitutional law of the Member States (cf. inter alia Ehmann/Selmayr, DSGVO Art. 6 para. 40). This also applies insofar as Article 6 (1) sentence 1 lit. d DSGVO and Recital 46 of the DSGVO declare the processing of personal data in cases of epidemic developments to be lawful. Nor can it be argued against all this that Art. 2 § 3 (3) 2nd paragraph of the CP-VO orders the deletion of the data "in accordance with the applicable basic data protection regulation". On the one hand, the provision refers exclusively to the deletion, but not to the collection and use of the data. On the other hand, the Basic Data Protection Regulation "applies" only to the fully or partially automated processing of personal data and to the non-automated processing of personal data which is stored or is to be stored in a file system. The contact details when visiting the facilities and events mentioned in Art. 2 § 6 CP-VO are - as far as is apparent and in the absence of any other legal order - currently provided in handwritten form and are collected and stored in this form. There is therefore no automated processing of data, nor is there any processing of data whose storage in a file system is intended (Art. 2 para. 1 DSGVO). 
The provision is therefore additionally suitable for trivialising and obscuring the intensity of the intervention. <br />
gg. Whether the formal requirement of a parliamentary regulation of data processing also applies if data subjects are not themselves obliged to disclose their personal data for a temporary period in a situation of catastrophic proportions and, if necessary, cannot be forced to do so, but are instead given the choice, for a limited period of time, between participating in certain offers leading to the disclosure of their data or waiving this right to use the data, remains open. Regardless of the foreseeable time limitation of the guarantee of contact tracing by the regulations to combat the pandemic, it cannot be ignored that the intervention made possible by Art. 2 § 3 CP-VO has already been in place for a long time and, in view of the infection situation, would probably last for further months on the basis of a mere legal regulation. Thus, the indirect interference with the fundamental right to data protection is now in any case of such intensity that only a parliamentary law could justify it and its conditions and limits. hh. Finally, to the extent that it could be argued that the instrument of the regulation allows greater flexibility in the defence against risks in times of catastrophic events, which is necessary in view of the possibly rapidly changing infection situation, the Constitutional Court could not share this view. For even on the basis of a sufficiently clear and sufficiently specific legal authorisation to process personal data, the necessary flexibility of executive reactions could - with appropriate use of the instruments of constitutional law - easily be maintained, i.e. the necessary short-term reaction to new, stronger or lesser courses of infection could be permitted at any time. d. However, since Art. 2 § 3 CP-VO serves an unrestrictedly legitimate objective and the previous - nationwide - case law has repeatedly addressed the problem of sufficient legal authorisation, this is not the case in the <br />
By leaving aside the decisions on applications for temporary non-execution of provisions of statutory law in the framework of decisions on applications for temporary non-execution, the Constitutional Court makes use of the possibility to allow the provision which is incompatible with the Constitution to remain in force temporarily, with procedural safeguards for fundamental rights, and to set the Landtag of the Saarland a reasonable period within which to remedy the situation. The mere declaration of incompatibility, combined with an order for the temporary continuation of the unconstitutional provision, is permissible because the immediate invalidity of the challenged provision of Art. 2 § 3 CP-VO would in part deprive the protection of overriding goods of the public interest of its basis and a weighing against the fundamental rights concerned shows that the encroachment is acceptable for a transitional period; the legislature thus has the opportunity to make a statutory provision (cf. BVerfGE 109, 190 [235 et seq.]; also already BVerfGE 33, 1 [13]; 33, 303 [347 et seq.]; 40, 276 [283]; 41, 251 [266 et seq.]; 51, 268 [290 et seq.]). The obligation laid down in Art. 2 § 3 CP-VO contributes to combating the spread of the pandemic and thus to averting significant threats to the life, health and freedom of all and to the functioning of state and social institutions. It therefore serves an overriding Community interest. It is the responsibility of the State to ensure this protection. Despite the lack of sufficient parliamentary authorisation, the balance with the fundamental right to data protection shows that the indirect interference with this fundamental right must be accepted by the persons concerned for a transitional period. The Federal Constitutional Court, too, had already developed such a declaration of incompatibility in its case law when it was not yet provided for in the BVerfGG (§ 31.2 sentences 2 and 3). <br />
<br />
The temporary acceptance of standards which are incompatible with the constitution per se also applies - in corresponding application of § 61 (1) sentence 2 VerfGHG - to regulations which were to be issued after the expiry of the regulation of 21 August 2020. signed: Prof. Dr. Rixecker Prof. Dr. Wendt Prof. Dr. Bartone Caspar Crauser Flasche Müller Trenz (Ernst) Inspector of the Judicial Office as clerk of the office <br />
</pre></div>MLhttps://gdprhub.eu/index.php?title=VSL_-_VSL_Sodba_PRp_345/2019&diff=11238VSL - VSL Sodba PRp 345/20192020-09-01T08:39:56Z<p>ML: Created page with "{{COURTdecisionBOX |Jurisdiction=Slovenia |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=VSL |Court_With_Country=VSL (Slovenia) |Case_Number_Name=VSL Sodba..."</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Slovenia<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=VSL<br />
|Court_With_Country=VSL (Slovenia)<br />
<br />
|Case_Number_Name=VSL Sodba PRp 345/2019<br />
|ECLI=ECLI:SI:VSLJ:2020:PRP.345.2019<br />
<br />
|Original_Source_Name_1=Sodna Praksa<br />
|Original_Source_Link_1=http://www.sodnapraksa.si/search.php?q=Splo%C5%A1na%20uredba%20o%20varstvu%20podatkov&database[SOVS]=SOVS&database[IESP]=IESP&database[UPRS]=UPRS&database[NEGM]=NEGM&_submit=i%C5%A1%C4%8Di&rowsPerPage=20&page=0&id=2015081111438757<br />
|Original_Source_Language_1=Slovenian<br />
|Original_Source_Language__Code_1=SL<br />
<br />
|Date_Decided=18.06.2020<br />
|Date_Published=<br />
|Year=2020<br />
<br />
|GDPR_Article_1=Article 6(1)(c) GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR#1c<br />
|GDPR_Article_2=Article 6(2) GDPR<br />
|GDPR_Article_Link_2=Article 6 GDPR#2<br />
|GDPR_Article_3=Article 83(5)(a) GDPR<br />
|GDPR_Article_Link_3=Article 83 GDPR#5a<br />
<br />
<br />
|National_Law_Name_1=Article 10 of ZOdv<br />
|National_Law_Link_1=http://pisrs.si/Pis.web/pregledPredpisa?id=ZAKO3906<br />
|National_Law_Name_2=Article 2, 2/2, 136, 136/1, 136 / 1-1<br />
|National_Law_Link_2=http://pisrs.si/Pis.web/pregledPredpisa?id=ZAKO2537<br />
|National_Law_Name_3=Article 8 of ZVOP-1<br />
|National_Law_Link_3=http://pisrs.si/Pis.web/pregledPredpisa?id=ZAKO3906<br />
|National_Law_Name_4=Articles 8, 91, 91/1, 91 / 1-1, 91/2. <br />
|National_Law_Link_4=http://pisrs.si/Pis.web/pregledPredpisa?id=ZAKO3906<br />
|National_Law_Name_5=Article 10, 10/1<br />
|National_Law_Link_5=http://pisrs.si/Pis.web/pregledPredpisa?id=ZAKO265<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The imposition of administrative fines, as prescribed by the GDPR, has not been transposed into the national legal order of the Republic of Slovenia, as ZP-1 as well as the misdemeanor regulation do not regulate the manner of imposing administrative fines in misdemeanor proceedings. The GDPR prescribes a significantly higher administrative fine than the prescribed fine in ZVOP-1. It depends on the circumstances of the specific case, whether Article 8 of ZVOP-1 can be retained in force.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The controller is accused of violating the provision of Article 8 of ZVOP-1 because the responsible person obtained personal data of vehicle owners or users in contravention of Article 10 of ZOdv.<br />
<br />
=== Dispute ===<br />
Is Slovenian law still applicable if it is more detailed than the GDPR, or does the GDPR prevail anyway?<br />
<br />
=== Holding ===<br />
The Court of Appeal agrees with the Court of First Instance's finding that the direct application of the GDPR does not constitute a violation of Article 6 (1) (c) as a misdemeanor, with the result that the GDPR from the point of view of misdemeanor law, as part of criminal law, is more lenient for the perpetrator and the court is justified in applying the principle of legality from the second paragraph of Article 2 of ZP-1 on the basis of point 1 of the first paragraph of Article 136. <br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.<br />
<br />
<pre><br />
Higher Court in Ljubljana<br />
Misdemeanor Department<br />
<br />
VSL Judgment PRp 345/2019<br />
ECLI: SI: VSLJ: 2020: PRP.345.2019<br />
Registration number: VSL00035084<br />
Date of decision: 18.06.2020<br />
Senate, single judge: Živa Bukovac (president), Boštjan Kovič (report), Anton Panjan<br />
Area: OFFENSES - PROTECTION OF PERSONAL DATA<br />
Institute: existence of a misdemeanor - principle of legality - milder regulation - request for judicial protection - appeal of a misdemeanor authority - processing of personal data - transmission of personal data to a lawyer - duty to provide data<br />
Sail<br />
<br />
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC, which is to be applied directly, c) the first paragraph of Article 6 replaces Article 8 of ZVOP-1.<br />
<br />
The provision of the first paragraph of Article 10 of the ZOdv regulates when the obligation to provide personal data to a lawyer applies and when it is legal for a lawyer to obtain personal data; if the controller and the processor act in accordance with that provision, then such conduct shall be in accordance with the lawfulness of the processing referred to in point (c) of Article 6 (1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC; contrary conduct means a violation of this provision, which in the circumstances of a specific case must be applied directly and for the violation of which the Decree in point a) of the fifth paragraph of Article 83 prescribes administrative and not punitive sanctioning.<br />
Theorem<br />
<br />
The appeal is dismissed as unfounded and the judgment of the court of first instance is upheld.<br />
Justification<br />
<br />
1. By the impugned judgment, the District Court in Ljubljana granted the request for judicial protection of the lawyer of the responsible person of the legal entity and amended the decision on misdemeanor so that the procedure on misdemeanor against the responsible person of the legal entity for 51 misdemeanors under Article 91 (2) personal data (ZVOP-1) in connection with point 1 of the first paragraph of Article 91 of ZVOP-1, as described in point 1 of the decision on misdemeanors, on the basis of point 1 of the first paragraph of Article 136 of the Misdemeanors Act (ZP-1) stopped (point I of the operative part), granted the request for judicial protection of the legal entity's defense counsel and changed the decision on the misdemeanor so that the misdemeanor proceedings against the legal entity, due to 51 misdemeanors under point 1 of the first paragraph of Article 91 ZVOP-1, as are described in point 2 of the decision on a misdemeanor, on the basis of point 1 of the first paragraph of Article 136 of ZP-1 stopped (point II of the operative part). It also decided on the costs of the misdemeanor proceedings, which it imposed on the budget (point III of the operative part).<br />
<br />
2. The misdemeanor authority appeals against the judgment for violating the substantive provisions of the law regarding the question whether the act for which the proceedings were initiated is a misdemeanor, which is the ground of appeal under point 2 of Article 154 in connection with point 1 of Article 156 ZP -1. He claims that the High Court should uphold the appeal and set aside or amend the judgment under appeal.<br />
<br />
3. The lawyer of the legal and responsible person opposes the appeal and proposes its rejection and confirmation of the judgment of the court of first instance.<br />
<br />
4. The appeal is unfounded.<br />
<br />
5. The misdemeanor body found the legal and responsible person responsible for the services of 51 misdemeanors under point 1 of the first paragraph of Article 91 of ZVOP-1, which he allegedly committed by being the responsible person of the legal person who was authorized as a legal person. to perform the work of a lawyer, in the period between April 2016 and 18 January 2017, pursuant to Article 10 of the Law on Advocacy (ZOdv) as a representative of A. plc, obtained personal data, ie names, surnames, addresses of residence, EMŠO and weight of motor vehicles , on 51 owners of motor vehicles registered in the Republic of Slovenia, and forwarded the data thus obtained to A. plc to send reminders for the payment of receivables to these owners or users of motor vehicles, thus obtaining personal data of owners or users of vehicles contrary to Article 10 of the ZOdv, as he did not acquire them for the purpose of practicing law in individual cases, but acquired them only for the purpose of forwarding them to A. plc, as to him and the legal person by an individual other creditor or company A. plc, apart from obtaining personal data, was not ordered to perform any act of the legal profession in an individual case for which he would need the obtained personal data.<br />
<br />
6. The Court of First Instance considered that the conclusion of the proceedings on 25 May 2018 that Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (hereinafter the General Regulation), which replaced Article 8 of the first paragraph of Article 6 of ZVOP-1 by the provision of point c) of the first paragraph of Article 6. several misdemeanors under point 1 of the first paragraph of Article 91 of ZVOP-1, as the General Decree for violation of point c) of the first paragraph of Article 6 provides for the imposition of an administrative fine and does not define such an act as a misdemeanor. 2 of ZP-1 used the General Regulation as a regulation that is more lenient for the perpetrator because it excludes a misdemeanor.<br />
<br />
7. The Information Commissioner does not agree with the court's assessment and considers that the General Regulation did not replace the provision of Article 8 of ZVOP-1, which is still applicable and whose violation constitutes an offense under point 1 of the first paragraph of Article 91 of ZVOP-1. stipulates that a fine of EUR 4,170 to 12,510 shall be imposed on a legal person, sole proprietor or self-employed person if he processes personal data without having a basis in law or with the personal consent of the individual. In the complaint, the Information Commissioner refers to the non-binding opinion of the Ministry of Justice in the First System Explanatory Notes at the beginning of the development of the application of the new European legislation on personal data protection (General Data Protection Regulation - GDPR and related Directive) of 28 May 2018. assessment that most of the provisions of ZVOP-1 on the processing of personal data cease to apply, except for the provisions of articles which are not regulated by the General Data Protection Regulation or which the Republic of Slovenia may still regulate otherwise, among which the Ministry also includes Article 8 of ZVOP-1. 1, which stipulates in the first paragraph that personal data may be processed only if the processing of personal data and personal data being processed is stipulated by law or if the personal consent of the individual is given for the processing of certain personal data, and the second paragraph stipulates that the purpose of the processing of personal data must be determined by law, and in the case of processing on the basis of the personal consent of the individual, the the subject is informed in advance in writing or in another appropriate manner of the purpose of the processing of personal data.<br />
<br />
<br />
<br />
8. A general regulation is a legally binding act and must be fully applied in all EU countries. National authorities must ensure its proper use. Article 6 of the General Regulation regulates the lawfulness of processing and stipulates in point c) of the first paragraph that processing is lawful only insofar as the condition that the processing is necessary to fulfill the legal obligation applicable to the controller is met. The general regulation in Article 6 (2) does provide that Member States may maintain or introduce more detailed provisions in order to adapt the application of the rules of this regulation concerning the processing of personal data to ensure compliance (inter alia) with point (c) of the first paragraph. to further specify the specific processing requirements and other measures to ensure lawful and fair processing. However, this does not mean that a Member State may otherwise regulate the lawfulness of the processing referred to in Article 6 (1) (c) of the General Regulation indefinitely, as it requires that it maintain or introduce more detailed provisions to adapt the application of the rules of this Regulation. In view of the above, it is not possible to follow the position that Article 8 of ZVOP-1 has been retained in force in each case, but this depends on the circumstances of the specific case. In the specific case, the legal and responsible person is accused of violating the provision of Article 8 of ZVOP-1 because the responsible person obtained personal data of vehicle owners or users in contravention of Article 10 of ZOdv. In the first paragraph, it determines when the controller is considered to be required to fulfill a legal obligation, as it stipulates that state bodies, bodies of self-governing local communities and holders of public authority are obliged to give free of charge to a lawyer without the consent of the data subject. the information he needs in the practice of the legal profession in an individual case. 
That provision therefore regulates when the obligation to provide personal data to a lawyer applies and when it is lawful for a lawyer to obtain personal data and if the controller and processor act in accordance with that provision, then such conduct is in accordance with the lawfulness of processing in point c) of the first paragraph 6. Article 2 of the General Regulation, and acting contrary means a violation of this provision, which in the circumstances of a specific case must be applied directly and for the violation of which the General Regulation in point a) of the fifth paragraph of Article 83 prescribes administrative and not punitive sanctions. The imposition of administrative fines, as prescribed by the General Regulation, has not been transposed into the national legal order of the Republic of Slovenia, as ZP-1 as well as the misdemeanor regulation do not regulate the manner of imposing administrative fines in misdemeanor proceedings, which is unfounded. that it should take into account the fact that the General Regulation prescribes a significantly higher administrative fine than the prescribed fine in ZVOP-1 and that for this reason the court of first instance incorrectly applied the provision of the second paragraph of Article 2 of ZP-1.<br />
<br />
9. For the foregoing reasons, the Court of Appeal agrees with the Court of First Instance's finding that the General Regulation, to be applied directly, does not constitute a violation of Article 6 § 1 (c) as a misdemeanor, with the result that the General Regulation from the point of view of misdemeanor law, which is part of criminal law, is more lenient for the perpetrator and the court is justified in applying the principle of legality from the second paragraph of Article 2 of ZP-1 on the basis of point 1 of the first paragraph of Article 136. Therefore, on the basis of the third paragraph of Article 163 of ZP-1, the High Court rejected the appeal as unfounded and upheld the judgment of the court of first instance.<br />
<br />
<br />
Relationship:<br />
<br />
ZVOP-1 Articles 8, 91, 91/1, 91 / 1-1, 91/2. ZP-1 Article 2, 2/2, 136, 136/1, 136 / 1-1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC Art. 6, 6/1, 6/1-c , 6/2. ZOdv Article 10, 10/1<br />
<br />
Date of last change:<br />
07/30/2020<br />
<br />
</pre></div>MLhttps://gdprhub.eu/index.php?title=Datatilsynet_(Denmark)_-_2019-41-0043&diff=11234Datatilsynet (Denmark) - 2019-41-00432020-09-01T07:50:23Z<p>ML: Created page with "{{DPAdecisionBOX |Jurisdiction=Denmark |DPA-BG-Color= |DPAlogo=LogoDK.png |DPA_Abbrevation=Datatilsynet |DPA_With_Country=Datatilsynet (Denmark) |Case_Number_Name=2019-41-00..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Denmark<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoDK.png<br />
|DPA_Abbrevation=Datatilsynet<br />
|DPA_With_Country=Datatilsynet (Denmark)<br />
<br />
|Case_Number_Name=2019-41-0043<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Datatilsynet<br />
|Original_Source_Link_1=https://www.datatilsynet.dk/tilsyn-og-afgoerelser/afgoerelser/2020/aug/tilsyn-med-sif-gruppen-a/s<br />
|Original_Source_Language_1=Danish<br />
|Original_Source_Language__Code_1=DA<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=<br />
|Date_Published=07.08.2020<br />
|Year=<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1a<br />
|GDPR_Article_2=Article 5(2) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#2<br />
|GDPR_Article_3=Article 12(1) GDPR<br />
|GDPR_Article_Link_3=Article 12 GDPR#1<br />
|GDPR_Article_4=Article 12(2) GDPR<br />
|GDPR_Article_Link_4=Article 12 GDPR#2<br />
|GDPR_Article_5=Article 13 GDPR<br />
|GDPR_Article_Link_5=Article 13 GDPR<br />
|GDPR_Article_6=Article 13(1)(c) GDPR<br />
|GDPR_Article_Link_6=Article 13 GDPR#1c<br />
|GDPR_Article_7=Article 13(2)(d) GDPR<br />
|GDPR_Article_Link_7=Article 13 GDPR#2d<br />
|GDPR_Article_8=Article 14 GDPR<br />
|GDPR_Article_Link_8=Article 14 GDPR<br />
<br />
<br />
<br />
|Party_Name_1=SIF Gruppen A/S<br />
|Party_Link_1=https://www.sif.dk/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The Danish DPA held that SIF Gruppen A/S's compliance with the duty to provide information pursuant to Articles 13 and 14 has been deficient, including because the company has not provided employees with sufficient information about the legal basis for processing personal data, the data subject's rights and the right to lodge a complaint with the DPA in connection with the use of GPS surveillance, and because the company has not informed the employees about the processing of personal data that takes place in connection with CCTV surveillance.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
In August 2020, the Danish Data Protection Agency completed a planned written inspection at SIF Gruppen A/S. The audit focused on the company's compliance with the rules on disclosure when using control measures towards employees. The audit also focused on whether SIF Gruppen A/S's observance of the duty to provide information complied with the regulation's basic principle of transparency.<br />
<br />
SIF Gruppen A/S has informed the Danish Data Protection Agency that the company makes use of the following control measures towards employees:<br />
<br />
* CCTV surveillance in connection with employees' stays at the company's address.<br />
* GPS monitoring in service cars.<br />
* "Find me" function in mobile phones and tablets.<br />
<br />
SIF Gruppen A/S has stated that the company's employees are informed about the TV surveillance via signs at the company. Based on the information provided, the Danish Data Protection Agency assumes that the signs constitute the information that the employees are given about TV surveillance, and that the signs are not supplemented by additional written information to the employees.<br />
<br />
SIF Gruppen A/S has stated that employees are notified of the processing of personal data in connection with the use of GPS monitoring as a control measure in the company's local agreements. In this connection, SIF Gruppen A/S has sent a template for such a local agreement, just as the company has sent copies of a number of signed local agreements as documentation of the company's compliance with the duty to provide information in practice.<br />
<br />
It appears from the example provided that the overall purpose of GPS monitoring of the service vehicles is to collect data regarding driving history, driving behavior and technical data about the service vehicle. In this connection, a number of more specific purposes have been stated for which the information collected will be used.<br />
<br />
Regarding the storage period, it appears that the collected information - for reasons of accounting, documentation and analytical purposes - is stored for up to 5 years, after which the information is deleted. However, individual information on the individual employee may not be used in employment law after 4 months.<br />
<br />
Regarding any recipients of the information, it appears, among other things, that relevant administrative persons and managers will have access to individual information regarding vehicles within their own area of responsibility and work. An updated list of user rights will be available in the system at all times.<br />
<br />
=== Dispute ===<br />
Has SIF Gruppen A/S complied with its data protection obligations regarding CCTV surveillance in connection with employees' stays at the company's address and GPS monitoring in service cars?<br />
<br />
=== Holding ===<br />
<br />
The Danish Data Protection Agency finds that SIF Gruppen A/S's notification of the processing of personal data in connection with GPS monitoring in the service vehicles does not meet the requirements of Article 13(1)(c) and (2)(d) GDPR.<br />
<br />
Regarding the storage period, it appears that the collected information - for reasons of accounting, documentation and analytical purposes - is stored for up to 5 years, after which the information is deleted. However, individual information on the individual employee may not be used in employment law after 4 months.<br />
<br />
Based on the submitted images, the Danish Data Protection Agency can conclude that the signage regarding CCTV only contains information about the fact that CCTV surveillance is carried out. In addition, a telephone number is indicated on the doorman, just as the company name is indicated on the sign. This is not enough information.<br />
<br />
<br />
<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.<br />
<br />
<pre><br />
Supervision of SIF Gruppen A / S<br />
Published 07-08-2020<br />
Decision Private companies<br />
<br />
Journal number: 2019-41-0043<br />
Summary<br />
<br />
In August 2020, the Danish Data Protection Agency completed a planned written inspection at SIF Gruppen A / S. The audit focused on the company's compliance with the rules on disclosure by using control measures towards employees. The audit also focused on whether SIF Gruppen A / S 'observance of the duty to provide information complied with the regulation's basic principle of transparency, which, among other things, implies that the data controller must provide employees with easily accessible and prior information about the control measures applied.<br />
<br />
On the basis of the audit carried out, the Danish Data Protection Agency has had occasion to express serious criticism of SIF Gruppen A / S 'processing of personal data.<br />
<br />
The Danish Data Protection Agency's concluding statement states, among other things, that SIF Gruppen A / S 'compliance with the duty to provide information in connection with the use of GPS monitoring has been deficient, including in that the company has not provided employees with sufficient information on the legal basis for processing personal data. data subjects' rights and the right to lodge a complaint with the Danish Data Protection Agency.<br />
<br />
In addition, it appears that SIF Gruppen A / S 'has not informed the employees about the processing of personal data that takes place in connection with TV surveillance, which is why it has not been sufficiently transparent for the employees that the TV surveillance can be used for control purposes. <br />
<br />
You can read the Danish Data Protection Agency's guidelines on data protection in connection with employment relationships here.<br />
<br />
You can read the Danish Data Protection Agency's guide on data subjects' rights here.<br />
<br />
Decision<br />
1. Written supervision of SIF Gruppen A / S 'processing of personal data<br />
<br />
SIF Gruppen A / S was among the companies that the Danish Data Protection Agency in the autumn of 2019 had chosen to supervise in accordance with the Data Protection Ordinance [1] and the Data Protection Act [2].<br />
<br />
The Danish Data Protection Agency's audit was a written audit which focused on SIF Gruppen A / S 'compliance with the duty to provide information in connection with control measures towards employees, cf. Articles 13 and 14 GDPR complied with the principle of transparency in Article 5 (2) (1) (a) GDPR, which according to the Authority's assessment i.a. implies that the data controller must provide employees with easily accessible - prior - information about the control measures applied.<br />
<br />
By letter dated 10 September 2019, the Danish Data Protection Agency notified the Authority of SIF Gruppen A / S and in this connection requested the company for an opinion.<br />
<br />
SIF Gruppen A / S has then by letter of 7 October 2019 issued a statement for use in the case.<br />
<br />
Following the audit of SIF Gruppen A / S, the Danish Data Protection Agency finds reason to conclude in summary:<br />
<br />
That SIF Gruppen A / S 'compliance with the duty to provide information pursuant to Articles 13 and 14 has been deficient, including in that the company has not provided employees with sufficient information about the legal basis for processing personal data, the data subject's rights and the right to lodge a complaint with the Data Inspectorate. in connection with the use of GPS surveillance, and that the company has not informed the employees about the processing of personal data that takes place in connection with TV surveillance, which is why it has not been sufficiently transparent for the employees that the TV surveillance can be used for control purposes. <br />
<br />
In relation to pkt. 1 basis for expressing serious criticism that SIF Gruppen A / S 'processing of personal data has not taken place in accordance with Articles 13 and 14 of the Data Protection Regulation. As regards the lack of information about the control purpose in relation to the use of television surveillance, The Danish Data Protection Agency further states that SIF Gruppen A / S 'processing of personal data has not taken place in accordance with the basic principle of transparency in Article 5 (1) of the Regulation. 1, letter a.<br />
<br />
Below is a more detailed review of the information that has emerged in connection with the written inspection and a justification for the Data Inspectorate's decision.<br />
2. SIF Gruppen A / S ’use of control measures towards employees<br />
<br />
SIF Gruppen A / S has informed the Danish Data Protection Agency that the company makes use of the following control measures towards employees:<br />
<br />
TV surveillance in connection with employees' stays at the company's address.<br />
GPS monitoring in service cars.<br />
"Find me" function in mobile phones and tablets.<br />
<br />
In this connection, SIF Gruppen A / S has stated that 400 employees are affected by TV surveillance at the company's address, and that 200 employees are affected by GPS in the service cars.<br />
<br />
In addition, SIF Gruppen A / S ’has stated that the“ Find me ”function in mobile phones and tablets affects approximately 100 employees, but that the function is only used in connection with the loss of devices.<br />
<br />
Based on the information, the Danish Data Protection Agency assumes that the "Find me" function in mobile phones and tablets is not used for control purposes against the company's employees, but that the function only serves a security purpose. The company's fulfillment of the disclosure obligation in relation to the "Find me" function will therefore not be reviewed further in this statement. If SIF Gruppen A / S at any time wishes to use the "Find me" function in mobile phones for control purposes vis-à-vis the company's employees, the Danish Data Protection Agency must point out that it is a prerequisite for the use of control measures that the employees - before establishment of the control measures - be informed of the purpose and scope of the measures and of the use of the information collected in accordance with Articles 13 and 14 of the Regulation. [3]<br />
<br />
SIF Gruppen A / S has further stated that the company's employees - through the work of the company's customers - may be exposed to control measures over which SIF Gruppen A / S has no knowledge or influence.<br />
<br />
In this connection, the Danish Data Protection Agency assumes that SIF Gruppen A / S is not controller for any information collected about the company's employees in connection with control measures at the company's customers.<br />
<br />
3. Procedures, etc. in relation to the fulfillment of the duty to provide information and prior information on control measures<br />
<br />
SIF Gruppen A / S has stated that the company has not prepared procedures etc. for the company's compliance with the data protection regulation's rules on the duty to provide information and the requirement for prior information in connection with the use of control measures towards employees.<br />
<br />
The Danish Data Protection Agency must recommend that SIF Gruppen A / S prepare procedures, etc. for the company's compliance with the rules on disclosure and prior information in connection with control measures towards employees, where it i.a. should state how and at what time employees must be informed of the processing of personal data that takes place in connection with the individual control measures.<br />
<br />
<br />
<br />
Review of SIF Gruppen A / S ’notification of the processing of personal data concerning the use of GPS in service vehicles and television surveillance<br />
4.1. Regarding information on TV surveillance<br />
<br />
SIF Gruppen A / S has stated [4] that the company uses TV surveillance at the company's address as a control measure. The Danish Data Protection Agency is of the opinion that television surveillance can be used for both security and control purposes. As the Danish Data Protection Agency cannot rule out that the TV surveillance is used for control purposes against SIF Gruppen A / S 'employees, this is the basis for the review of the company's information to the employees regarding TV surveillance.<br />
<br />
SIF Gruppen A / S has stated that the company's employees are informed about the TV surveillance via signage at the company. In this connection, SIF Gruppen A / S has sent pictures of the signage at the various entrances to the company's address. Based on the information provided, the Danish Data Protection Agency assumes that the signage constitutes the information that the employees are given about TV surveillance, and that the signage is not supplemented by additional written information to the employees.<br />
<br />
Private and public authorities that carry out television surveillance of places or premises where there is general access to, or of workplaces, must, according to the Television Surveillance Act [5], provide information about the surveillance by means of signs or other clear means. In addition to the requirement for signage, the rules of the Data Protection Ordinance and the Data Protection Act on the duty to provide information to data subjects apply.<br />
<br />
It thus follows from section 3 b of the Television Surveillance Act that the provision in Article 14 of the Data Protection Ordinance applies regardless of any signage pursuant to sections 3 and 3 a of the Act. to the requirements of Article 14 of the Data Protection Regulation.<br />
<br />
Based on the submitted images, the Danish Data Protection Agency can conclude that the signage only contains information about the fact that television surveillance is carried out. The sign consists of an image of a surveillance camera with a caption that says "TV surveillance". In addition, a telephone number is indicated on the doorman, just as the company name is indicated on the sign.<br />
<br />
After a review of the submitted images of the signage regarding television surveillance, it is thus the Data Inspectorate's assessment that SIF Gruppen A / S has not provided the employees with the information that follows from Article 14 of the Data Protection Ordinance. has not been sufficiently transparent to the employees that the TV surveillance can be used for control purposes towards the employees.<br />
<br />
In view of the fact that the purpose of the control, in the opinion of the Danish Data Protection Agency, has not been sufficiently transparent for the employees, the Authority also finds that SIF Gruppen A / S 'information about TV surveillance for the music school's employees has not lived up to the basic principle of transparency in Article 5 para. . 1, letter a.<br />
<br />
Given that TV surveillance is an intrusive form of processing of personal data, the Danish Data Protection Agency must emphasize the importance of SIF Gruppen A / S 'employees being informed of the processing of personal data that takes place in connection with the use of TV surveillance as a control measure in in accordance with Article 14 of the Regulation. In addition, the Authority must emphasize the importance of SIF Gruppen A / S - in accordance with the principle of transparency in Article 5 (1) of the Regulation. 1, letter a, provides employees with easily accessible - prior - information about the control measures used, including in particular about the control purpose.<br />
<br />
<br />
<br />
4.2. Regarding information on GPS monitoring in service vehicles<br />
<br />
SIF Gruppen A / S has stated that employees are notified of the processing of personal data in connection with the use of GPS monitoring as a control measure in the company's local agreements. In this connection, SIF Gruppen A / S has sent a template for such a local agreement, just as the company has sent copies of a number of signed local agreements as documentation of the company's compliance with the duty to provide information in practice.<br />
<br />
It appears from the example provided that the overall purpose of GPS monitoring of the service vehicles is to collect data regarding driving history, driving behavior and technical data about the service vehicle. In this connection, a number of more specific purposes have been stated for which the information collected will be used, including:<br />
<br />
Reports and analyzes of the overall use of the fleet.<br />
Reduce driving costs through more appropriate driving behavior.<br />
Relevant and effective redirection for urgent tasks.<br />
Optimize and streamline the use of the fleet by e.g. to avoid star driving or unnecessary driving time.<br />
Reduce operating and service costs on the car fleet.<br />
Increase safety by alerting the driver of the car to inappropriate driving behavior.<br />
Anti-theft protection.<br />
Big data analysis of patterns and contexts across the company, which can lead to smarter use of the company's resources.<br />
Streamlining the work of the work environment representative.<br />
Documentation of the efficient working hours and hourly consumption to the customers.<br />
Compliance with traffic rules.<br />
<br />
It also states that a GPS committee - at least represented by a management representative and the shop steward - will continuously evaluate the use of the system and address any inconveniences. Inadequacies include over strong acceleration, hard braking and violation of the speed limit.<br />
<br />
In addition, it appears that if data from the system gives rise to an interview, this will take place between the general manager and the employee, and that the employee in this connection has the right to convene the union representative.<br />
<br />
Regarding the storage period, it appears that the collected information - for reasons of accounting, documentation and analytical purposes - is stored for up to 5 years, after which the information is deleted. However, individual information on the individual employee may not be used in employment law after 4 months.<br />
<br />
Regarding any recipients of the information, it appears, among other things, that relevant administrative persons and managers will have access to individual information regarding vehicles within their own area of responsibility and work. An updated list of user rights will be available in the system at all times.<br />
<br />
Finally, the employee is made aware of his or her rights under the Data Protection Regulation. It thus appears that the employee has the right to seek access to the information collected and processed about him in accordance with Article 15 of the Data Protection Regulation. In addition, it appears that the employee has rights under Articles 16, 17 and 21 of the Regulation, for which a link to the regulation itself has been inserted. However, these rights are not further elaborated in the local agreement.<br />
<br />
As the Danish Data Protection Agency's personal data is collected from the employee himself when the employee drives a service car, the Authority's assessment is that notification of processing of personal data in connection with GPS monitoring in the service cars must meet the requirements of Article 13 of the Data Protection Regulation [6].<br />
<br />
<br />
<br />
The Data Protection Regulation contains an overarching obligation of transparency regarding the processing of personal data, which is intended to ensure that data subjects have the ability to hold data controllers accountable and exercise control over their personal data.<br />
<br />
The obligation of transparency follows, inter alia, from Article 5(1)(a) of the Data Protection Regulation, which states that personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject ('legality, reasonableness and transparency').<br />
<br />
In relation to the data controller's observance of data subjects' rights, including compliance with the rules on the obligation to provide information, there is also a requirement for transparency in Article 12(1) of the Data Protection Regulation, from which it appears, inter alia, that the controller takes appropriate measures to provide any information referred to in Articles 13 and 14 on processing to the data subject in a concise, transparent, easily understandable and easily accessible form and in clear and simple language.<br />
<br />
After a review of the submitted examples, it is the Data Inspectorate's assessment that the employees are not given information about the legal basis for the processing. In addition, the Authority's assessment is that the employees are not given sufficient information about the right to request the data controller to correct or delete personal data or restriction of processing regarding the data subject or to object to processing, and that the employees are not given information about the right to lodge a complaint with the Danish Data Protection Agency.<br />
<br />
In this connection, the Danish Data Protection Agency has emphasized that this information - in the Authority's view - is necessary to ensure fair and transparent processing as far as the employees are concerned.<br />
<br />
In addition, the Danish Data Protection Agency has emphasized that the principle of transparency in the Authority's view, e.g. implies that the data controller - in connection with the fulfillment of the duty to provide information - should specify what the data subject's rights are, so that the data subject can easily understand which rights he / she has under the data protection rules and thereby better safeguard his or her interests in relation to exercising control over his personal data.<br />
<br />
On this basis, the Danish Data Protection Agency finds that SIF Gruppen A/S's notification of the processing of personal data in connection with GPS monitoring in the service vehicles does not meet the requirements of Article 13(1)(c) and (2)(d) of the Data Protection Regulation.<br />
<br />
Furthermore, the Danish Data Protection Agency finds that SIF Gruppen A / S 'notification of the processing of personal data in connection with GPS monitoring in the service vehicles does not live up to the requirement in Article 13 (1) of the Data Protection Ordinance. Article 12 (2) (b) in conjunction with the requirement of Article 12 (2) of the Regulation. 1.<br />
<br />
<br />
<br />
5. Conclusion<br />
<br />
Following the audit of SIF Gruppen A / S, the Danish Data Protection Agency finds reason to conclude in summary:<br />
<br />
That SIF Gruppen A/S's compliance with the duty to provide information pursuant to Articles 13 and 14 has been deficient, including in that the company has not provided employees with sufficient information about the legal basis for processing personal data, the data subject's rights and the right to lodge a complaint with the Data Inspectorate in connection with the use of GPS surveillance, and that the company has not informed the employees about the processing of personal data that takes place in connection with TV surveillance, which is why it has not been sufficiently transparent for the employees that the TV surveillance can be used for control purposes.<br />
<br />
In relation to point 1, there is basis for expressing serious criticism that SIF Gruppen A/S's processing of personal data has not taken place in accordance with Articles 13 and 14 of the Data Protection Regulation. As regards the lack of information about the control purpose in relation to the use of television surveillance, the Danish Data Protection Agency further states that SIF Gruppen A/S's processing of personal data has not taken place in accordance with the basic principle of transparency in Article 5(1)(a) of the Regulation.<br />
<br />
<br />
<br />
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and on the repeal of Directive 95/46/EC (General Data Protection Regulation).<br />
<br />
[2] Act No. 502 of 23 May 2018 on additional provisions to the Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the Data Protection Act).<br />
<br />
[3] Reference is made to section 7 of the Danish Data Protection Agency's guidelines on data protection in connection with employment relationships.<br />
<br />
[4] See Section 2 of the Decision<br />
<br />
[5] Statutory Order no. 1190 of 11 October 2007 on television surveillance, as amended<br />
<br />
[6] Reference is made to the Danish Data Protection Agency's guidelines on data protection in connection with employment relationships, section 7, which can be accessed on the Authority's website: https://www.datatilsynet.dk/generelt-om-databeskyttelse/vejledninger/<br />
<br />
<br />
<br />
</pre></div>MLhttps://gdprhub.eu/index.php?title=VG_Regensburg_-_RN_9_K_19.1061&diff=11203VG Regensburg - RN 9 K 19.10612020-08-25T09:09:28Z<p>ML: Created page with "{{COURTdecisionBOX |Jurisdiction=Germany |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=VG Regensburg |Court_With_Country=VG Regensburg (Germany) |Case_Nu..."</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Germany<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=VG Regensburg <br />
|Court_With_Country=VG Regensburg (Germany)<br />
<br />
|Case_Number_Name=RN 9 K 19.1061<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Bayern.Recht - bayerische Staatskanzlei<br />
|Original_Source_Link_1=https://www.gesetze-bayern.de/Content/Document/Y-300-Z-BECKRS-B-2020-N-19361?hl=true<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
<br />
|Date_Decided=06.08.2020<br />
|Date_Published=<br />
|Year=2020<br />
<br />
|GDPR_Article_1=Article 2 GDPR<br />
|GDPR_Article_Link_1=Article 2 GDPR<br />
|GDPR_Article_2=Article 12 GDPR<br />
|GDPR_Article_Link_2=Article 12 GDPR<br />
|GDPR_Article_3=Article 21 GDPR<br />
|GDPR_Article_Link_3=Article 21 GDPR<br />
|GDPR_Article_4=Article 77(1) GDPR<br />
|GDPR_Article_Link_4=Article 77 GDPR#1<br />
|GDPR_Article_5=Article 78(1) GDPR<br />
|GDPR_Article_Link_5=Article 78 GDPR#1<br />
<br />
<br />
|National_Law_Name_1=Article 2, 20, 24 Bavarian Data Protection Act (Bayerisches Datenschutzgesetz - BayDSG)<br />
|National_Law_Link_1=https://www.gesetze-bayern.de/Content/Document/BayDSG/<br />
|National_Law_Name_2=§ 823 (2) German Civil Code (Bürgerliches Gesetzbuch - BGB)<br />
|National_Law_Link_2=https://www.gesetze-im-internet.de/englisch_bgb/index.html<br />
|National_Law_Name_3=§ 1004 (1) German Civil Code (Bürgerliches Gesetzbuch - BGB)<br />
|National_Law_Link_3=https://www.gesetze-im-internet.de/englisch_bgb/index.html<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The VG Regensburg holds that Article 79 GDPR excludes further judicial remedies against controllers and processors. Therefore, actions for injunctive relief under §§ 1004 (1), 823 (2) German Civil Code (BGB) in the area of data protection should in principle no longer be possible.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The applicant seeks an order that the City of P. refrain from video surveillance of the "P.er K.-garten" and from recording it.<br />
<br />
In a letter dated 23 November 2017, the Police Inspectorate P. provided the defendant with information on the "P.er K.-garten" as a basis for possible political initiatives for municipal video surveillance. In this letter it is stated that the K.-garten has been a police focus for years, especially during the warm months (April to October). On 14 May 2018, the defendant's city council decided to install video surveillance.<br />
<br />
Signs were missing at other entrances to the K.-garten and in some places they were installed in an area that was already covered by the cameras. Because of its open design, the K.-garten could be entered without being able to see the signs. A detailed note on the modalities of the video surveillance was only attached to the surveillance house. The operating hours of the video surveillance were between 6:00 and 1:00 am.<br />
<br />
=== Dispute ===<br />
The claimant argued that the video surveillance installed in the park is not necessary to prevent, among other things, drug-related crimes. Moreover, the surveillance should be turned off entirely not only on market days, but also during other events which he would like to initiate.<br />
<br />
=== Holding ===<br />
1. Article 79 GDPR precludes further judicial remedies against controllers and processors, so that a general action for performance in the form of an action for an injunction pursuant to §§ 1004 (1) and 823 (2) of the German Civil Code is not permissible within the scope of the GDPR.<br />
<br />
2. A distinction must be made between data processing that is (merely) contrary to the Regulation and a possible infringement of a person's rights with regard to the personal data relating exclusively to that person.<br />
<br />
3. In the case of a mere unlawful data processing without any infringement of rights, the data subject has the right of appeal under Article 77(1) GDPR and subsequently the right of judicial remedy against the supervisory authority under Article 78(1) GDPR. Article 79 (1) GDPR provides for an individual right of injunction with regard to the violation of data subjects' rights (Article 13 to 20 GDPR).<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
VG Regensburg, court order of 06.08.2020 - RN 9 K 19.1061<br />
Titles:<br />
Video surveillance of a garden<br />
Standard chains:<br />
GDPR Art. 2, Art. 12, Art. 21, Art. 77 para. 1, Art. 78 para. 1<br />
Bavarian Data Protection Act (Bayerisches Datenschutzgesetz – BayDSG) Art. 2, 20, 24<br />
German Civil Code (Bürgerliches Gesetzbuch – BGB) § 823 para. 2, § 1004 para. 1<br />
Guiding principles:<br />
1. Article 79 GDPR excludes further judicial remedies against persons responsible and processors, so that a general action for performance in the form of an action for an injunction pursuant to §§ 1004 (1), 823 (2) of the German Civil Code is not permitted within the scope of the General Data Protection Regulation.<br />
2. A distinction must be made between data processing that is (merely) contrary to the Regulation and a possible infringement of a person's rights with regard to personal data relating exclusively to that person.<br />
3. In the case of a mere unlawful data processing operation without any breach of law, the data subject shall have the right of appeal under Article 77(1) GDPR and subsequently the right to judicial remedy against the supervisory authority under Article 78(1) GDPR. Art. 79 para. 1 GDPR provides for an individual's right to injunctive relief with regard to the violation of the rights of the person concerned (Art. 13 to 20 GDPR).<br />
Buzzwords:<br />
On the question of the admissibility of a general action for damages based on the omission of a public video surveillance based on a public law claim for the elimination of consequences (§§ 1004 para. 1, 823 para. 2 BGB) after the entry into force of the General Data Protection Regulation, On the question of the legality of a public video surveillance based on Art. 24 BayDSG, right to injunction, general action for damages, complaint, data processing, infringement of rights, informational self-determination, video surveillance<br />
Place where it was found:<br />
BeckRS 2020, 19361<br />
<br />
Tenor<br />
I. The action is dismissed.<br />
II. The applicant is ordered to pay the costs.<br />
III. The court order is provisionally enforceable as regards costs.<br />
IV. The appeal is allowed.<br />
Facts<br />
1<br />
The plaintiff seeks an order that the City of P. refrain from video surveillance of the "P.er K.-garten" and from recording it.<br />
2<br />
The plaintiff resides and works in P. Among other things, he uses the municipal facility "P.er K.-garten" (hereinafter referred to as: K.-garten) in connection with professional and political activities. He is also frequently in the K.-garten for private activities.<br />
3<br />
By letter dated 23 November 2017, the Police Inspectorate P. provided the defendant with information on the K.-garten as a basis for possible political initiatives for municipal video surveillance. In this letter it is stated that the K.-garten has been a police focus for years, especially during the warm months (April to October). The adjacent central bus station is naturally the starting and finishing point of the entire public transport system in P. Due to its attractive location and design, the K.-garten is used by many citizens as a place of rest and relaxation. Both locations are also popular meeting points and places where young people and socially marginalised groups such as alcoholics, BtM consumers and, since 2015, increasingly migrants, can stay. Due to numerous disturbances of order and security, both locations have been the subject of a comprehensive police security concept for years, which was last modified in March 2016 and has been implemented intensively since then. In the sense of a holistic approach consisting of informal social controls, intensive police checks and social work on the part of the defendant, a decrease in offences of bodily injury and insulting behaviour has recently been recorded. A significant fight or suppression of the drug trade (ant trade), which could be observed at the K.-garten, has not yet been successful. The number of seizures is in the single-digit or low double-digit range. With regard to known darkfield investigations, these figures point to a lively drug turnover, whereby this assessment is supported by information from the population as well as by the regular finding of drug paraphernalia in the nearby public toilets. While the offences took place mainly in the summer months, the other types of offences, especially drug-related crime, were spread over the whole year. The time window between 10:00 and 22:00 hours had emerged as the relevant time of day (90% of all cases). 
Due to the objective security situation in the city area, there is no legal basis for the establishment of police video surveillance in accordance with Article 32 PAG, but Article 21a BayDSG opens up this possibility in public institutions in the context of the fulfilment of public duties, and this is somewhat lower-threshold. From the point of view of the police inspectorate, a video recording in the area of the K.-garten would therefore be conceivable.<br />
4<br />
On May 14, 2018, the defendant's city council decided to install video surveillance and an extension to the existing toilet facilities in the K.-garten, which is temporarily manned by supervisory personnel from 8:00 to 22:00 hours. Together with the installation of street lighting on the Innpromenade, over- or unbudgeted budget funds in the amount of 385,000 euros were provided for this purpose. The installation of video surveillance and the construction of the extension accounted for 200,000 euros. The K.-garten is a centrally located public square in the immediate vicinity of the central bus station and the university. It is accessible from four sides and is bordered by the ...-Straße in the northwest, the Straße ... in the southwest and southeast and the ...-platz in the northeast. On Tuesdays and Fridays, the square is the venue for a weekly market, the annual "Oide Dult" festival and, with some regularity, political and cultural events. Furthermore, the K.-garten is mainly crossed by passers-by. In the summer months it also serves as a recreational area. There are seats and lawns as well as two large seesaws as a playground for children. The K.-garten is almost flat, mostly finely gravelled, visible from all sides and manageable for those present. The view is not impaired by vegetation. There are very low beds and at the edges of the site there are trees with treetops arranged in rows only from a height of about three metres. In the dark, the K.-garten is mainly illuminated by spotlights embedded in the ground. The area monitored in the K.-garten is rectangular in size of 60 m x 80 m. A total of ten cameras are installed there. Eight of them are permanently installed and adjusted. There are two in each of the four corners on masts. Two more so-called "dome cameras" are installed on poles on the long sides opposite each other. The latter allow the camera operator to zoom and pan. 
According to the defendant, they are also fixed to certain areas where a particularly high crime rate is expected.<br />
5<br />
On 13 June 2019, the plaintiff filed a complaint with the Administrative Court Regensburg against the city of P. In support of the complaint, it is essentially stated that according to the police inspection P., the previous police incident documentation was not sufficient to make a reliable statement on the main areas of crime within the K.-Garten. In times of the weekly market the video surveillance system is automatically switched off. Passers-by could not see whether the cameras were switched on. The defendant had issued instructions for video surveillance. At the four central entrances to the K.-garten, signs had been put up which pointed to the video surveillance. These were hung at a height of approximately 2 m and were covered with a honeycomb patterned reflector foil. Signs were missing at other entrances to the K.-garten and in some places they were attached in an area that was already covered by the cameras. Because of its open design, the K.-garten could also be entered without being able to see the signs. A detailed note on the modalities of the video surveillance was only attached to the surveillance house. The operating hours of the video surveillance were between 6:00 and 1:00 o'clock. During other events, they should also be exhibited and, if the event is registered, they should also be hung up. The deactivation of the video surveillance was not consistently observed during the weekly market. On 7 and 11 June 2019 at any rate, the signs provided for this purpose were not hung up (K12 and K13). It was not comprehensible how the amount of 25,000 euros for the removal of vandalism would be collected. The crime rate in P. was low and had been declining in recent years (grounds K14 and K15). The development of crime in the K.-garten corresponds to the city-wide trend. Neither in absolute terms nor in comparison with the rest of the city is the K.-garten a crime focus. According to the police security report for the city of P. 
from 2017, the total crime rate - excluding violations of the law on foreigners - was roughly the same between 2008 and 2017. For 2017, a slight decrease could be observed. For 2017, the fewest cases since 2008 had been registered. A similar picture emerges if one considers the violent, street and theft crime that is listed separately (Security Report, pp. 7 et seq.). In contrast, the development of drug-related crime has been fluctuating since 2008, and after a significant decline in 2013 it has recently been on the rise again. The majority of the offences recorded are related to cannabis and its forms of preparation. The current safety report shows that the total crime figures for the city were below average in 2018 as well, and that they continue to decline (Safety Report 2018, p. 58, Anl. K17). In 2017, according to police statistics on criminal and administrative offences, three simple bodily injuries and one serious bodily injury were recorded in K.-garten. In addition, four insults and 15 incidents of drug-related crime were recorded in 2017, the only category in which an increase was recorded. It was obvious that this was due to the increased implementation of police measures, as reported by P.er Neue Presse on 8 April 2016 and 22 March 2017 (annex K18) in its online edition. Thus, the K.-garten does not show any particular deviations from the development of crime in the city. It was not known how many of the suspicious cases recorded by the police had actually become criminally relevant. The police criminal and administrative offence statistics for 2017 show that 34 administrative offences under the LStVG (in particular violations of the green area statutes, especially alcohol consumption, waste disposal, emergency services and noise) have been recorded. In 2015 and 2016, 73 cases were registered in the same category. 
The plaintiff was entitled to injunctive relief against the defendant because the video surveillance in the K.-garten, which was carried out on the basis of Article 24 para. 1 BayDSG, unjustifiably encroached upon his fundamental right to informational self-determination under Article 2 para. 1 in conjunction with Article 2 para. 1 BayDSG. Art. 1 para. 1 German Basic Law (Grundgesetz – GG). On the one hand, the video recording as part of the precautionary measures under criminal law was removed from the legislative competence of the Land, and on the other hand the requirements of the legal basis were not fulfilled because video surveillance was not necessary and there were indications that the interests of the persons concerned that were worthy of protection outweighed those of the persons concerned. Finally, video surveillance was also unlawful because obligations of identification and transparency under data protection law were not fulfilled. Article 24(1) BayDSG was the only legal basis in question. § Article 4(1) Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) was manifestly not applicable under Article 1(1)(2) BDSG. Nor could a legal basis be inferred from EU law. The General Data Protection Regulation was demonstrably not applicable under Article 2.2(d) of the GDPR in connection with averting danger and criminal prosecution. The more specific Data Protection Directive for Police and Justice (Directive 2016/680/EU) did not contain a directly applicable legal basis. If Article 24.1 BayDSG was interpreted restrictively in view of constitutional considerations, video surveillance was only permissible for the avoidance of criminal offences, but not already for the avoidance of administrative offences. In the present case, the suitability and necessity of video surveillance to combat crime must already be doubted. Video surveillance and subsequent recording encroached upon the plaintiff's informational self-determination.
This interference was not only to be seen in the information obtained by video surveillance, but also in its effect on the behaviour of the persons concerned. In the present case, the video surveillance was intended to prevent persons in the K.-garten from engaging in undesirable conduct, in particular conduct that is relevant under criminal or administrative law, and to prepare or enable any possible prosecution measures. In fact, however, the cameras would also influence the behaviour of the plaintiff, who would then avoid the K.-garten or feel uncomfortable and observed there. The mere video observation alone constitutes an intervention. The intensity of the video surveillance in the K.-garten is extraordinarily high. The standards of the Federal Constitutional Court in its case law on dragnet searches and automatic number plate recognition are to be applied in the present case. According to this, the significance of the intervention results from the fact that it is a measure without suspicion and with a wide range of consequences. In particular, the lack of cause caused the considerable weight of the intervention by such surveillance. Moreover, the secrecy of the dragnet search contributes to the significance of the intervention. The duties to provide information were also insufficiently fulfilled in the present case. On the other hand, the physical absence of the person carrying out the surveillance also required a certain degree of secrecy. Even the mere video surveillance constituted an encroachment on fundamental rights. Since the behaviour of citizens is and should be controlled by this, an encroachment on fundamental rights was also to be assumed in the case of camera dummies. This was particularly problematic during the weekly market and events; even if the cameras were switched off as planned, they would encroach on fundamental rights in a manner comparable to a dummy. In the context of secrecy, the requirement for transparency was also considerable. 
Knowledge of data processing is a sine qua non condition for the possibility to exercise informational self-determination. In the present case, it is possible to enter the square without taking notice of the video surveillance because the signs are missing at the appropriate place. If available, it is obvious that the information is not perceived when entering the square because the signs are too small, difficult to read and too high. The freedom of decision to cross the K.-garten also had to be doubted. The prevention of mere administrative offences was not a legitimate purpose for video surveillance, and it was also not a suitable means of preventing administrative offences. Most offences in this area are not committed after careful consideration, but typically spontaneously and affectively. Particularly in the case of offences caused by noise, it could therefore not be assumed that video surveillance would have an effect. The same applies to the use of video surveillance to relieve oneself, noise and the leaving of rubbish behind; the costs incurred by vandalism cannot therefore be prevented by video surveillance. According to studies, the same applies to offences of bodily injury and insult. In the case of drug-related crime, an increase in video-monitored areas outside operating hours was more likely to be expected than a shift to non-monitored areas. In general, video surveillance was not suitable for combating planned crime. Planned crimes would at best be postponed, but not prevented. It could be assumed that potential perpetrators would adapt to video surveillance. In addition, many offences would not be noticed by the supervisors and thus not be prevented preventively. The attention of the supervisors to what is happening on the monitors is already decreasing rapidly after a short time. 
Observation without cause promotes discrimination against certain social groups, because the monitors are guided by their ideas and prejudices, especially when taking measures without suspicion. In the case of the violations observed, selection by the monitors can be established, so that selective criminalisation is possible. Video surveillance was also not necessary because of the good manageability of the K.-garten, and the presence of a municipal employee was equally suitable for achieving the purpose. The employment of social workers/street workers as well as the establishment of a contact shop as a contact point for addicted people would be more suitable. Video surveillance was disproportionate in the narrower sense in view of the associated encroachment upon fundamental rights. The defendant encroaches daily to a considerable extent on the right to informational self-determination of several hundred people, who would not have given any reason for video surveillance by their own behaviour. In addition, the K.-garten was not a crime hotspot. On the whole, the video surveillance in its chosen form was inappropriate. Most of the registered offences occurred in the summer months, so that video surveillance could not be justified across seasons. It was also hardly conceivable that surveillance would be necessary in the period from 6 to 1:00 a.m., i.e. 19 hours. Rather, it is more likely that alcohol-related crimes or violations of the Narcotics Law are more likely to occur in the evening, at weekends or before public holidays. Under no circumstances could the storage without cause for 72 hours be justified. It would be possible to simply observe the video by setting up a short-term memory. This could compensate for the human reaction time. If a supervisor noticed a criminal offence or an administrative offence of considerable importance, he had to become active in order to arrange for the permanent recording for later exploitation. 
This procedure would do more justice to data protection law requirements in the form of data protection-friendly presettings and data minimisation (§ 25.2 sentence 1, Article 5.1 letter c GDPR in conjunction with Article 2 sentence 1 BayDSG). Video surveillance violates transparency obligations under Article 24.2 BayDSG in conjunction with Articles 12, 13 JHA Directive and Article 2 sentence 1 BayDSG and is therefore partly unlawful. The applicability of Article 13.1 letter d in conjunction with Article 2(1) and Article 1(1) of the JHA Directive is to be accepted without compulsion (ECJ, U.v. 26.2.2013 - C-617/10 -, NJW 2013, 1415). The defendant does not sufficiently comply with the resulting information obligations. The signs at the entrances to the square are decisive for the completeness of the information, not the detailed appendix at the monitoring centre, as this can only be taken note of after entering the square. Due to the lack of easy access, the presentation on the various signs at the entrances did not meet the requirements of Article 12 para. 1 sentence 1 of the JHA Directive in conjunction with Art. 2 sentence 1 BayDSG, whereby accessibility also concerns the external form in which the information is presented. The honeycomb pattern of the signs partially overlaps with the writing. Here, letters and words are difficult to recognise, and the lighting conditions can also have a massive effect. The height of the signs also means that the information is not easily accessible. This already leads to the signs being easily overlooked. Moreover, reference is made to the content of the pleading of 13 June 2019.<br />
6<br />
The applicant claims that the Court should<br />
order the defendant to refrain from observing the P.er K.-garten by means of image transmission and recording of the images<br />
7<br />
The defendant claims that the Court should<br />
dismiss the action.<br />
8<br />
The defendant carried out a preliminary examination of data protection law for the meeting of the city council on 14 May 2018 on the basis of critical voices regarding video surveillance. According to the assessment of the data protection department of the defendant, this had revealed the possibility of implementing the security concept in compliance with data protection law while complying with various conditions. During the examination for the introduction of video surveillance, the Defendant had adhered to the specifications of the Bavarian State Data Protection Commissioner, in particular had used the documents and templates issued there to ensure video surveillance in conformity with data protection law. Following the decision of May 14, 2018, P.er Neue Presse conducted surveys at K.-garten and several passers-by expressed the opinion that they would welcome video surveillance and that it would contribute to increasing the feeling of security. This survey had also been repeated recently and had led to the same opinion. The City Councilor Karl S. had raised doubts as to the legality of the measure with the Bavarian State Data Protection Commissioner and the Government of Lower Bavaria, but neither of the supervisory authorities had intervened. The mounted signs were located outside the monitored area. The detailed data protection notices in accordance with Art. 12, 13 GDPR were only attached to the monitoring house, however, the pictograms were used to indicate this. Moreover, the data protection notices could also be found on the defendant's website. The surveillance room with the attached data protection notices and the camera plan was located outside the monitored area. The plaintiff did not have to expose himself to video surveillance because he could easily and safely walk around the video-monitored area without any major detours. At weekly market hours, the video surveillance is inactive. This is indicated by the pictograms. 
As the weekly market is a regularly recurring event, the cameras could have been programmed in advance so that they would always switch off automatically at these times. The reference to the pictograms makes it unnecessary to attach additional signs or cover the cameras. Employees of the defendant are required to check the inactivity at times of the weekly market on a random basis. On 7 and 11 June 2019, the video surveillance system was inactive (protocol sheets of these two days). At registered events, the cameras of employees were visibly covered by hoods and additional signs were attached to the pictograms to illustrate the inactivity. These procedures would also be carried out and recorded conscientiously. Through intensive public relations work and numerous press reports, as well as by making all relevant documents available for inspection on the Internet, the defendant has left no stone unturned in its efforts to create transparency in the public sphere with regard to video surveillance. Video surveillance is very strictly regulated. In addition to the instructions for employees, there are also various protocol sheets which have to be filled in and are checked regularly. This not only serves the purpose of control, but also clarifies the importance of the procedures for the employees. Furthermore, the video surveillance had been developed in close cooperation with the police inspection P. (agreement on the use of the video surveillance system in the K.-garten between the police inspection and the defendant). The exact steps of the surveillance and any evaluation of the data had been regulated in detail (instructions for video surveillance). The technical system was a strictly isolated, closed system which could not be attacked from the outside due to the lack of an Internet connection. 
Therefore, it could not be said that "excessive storage possibilities" opened up the possibility of merging data and that "various options for using the data pool" were available. It is also a false assertion that "the mass of information that is generated by the surveillance ... a profile of the plaintiff's behaviour in public space ... allows conclusions to be drawn about working hours, social contacts (and) private habits". The plaintiff is aware of the diametrically opposed security concept and should therefore explain how the defendant's employees should be able to do so in view of the defined security features. Precautions were also taken to prevent accidental data breaches. It was hardly comprehensible why the plaintiff saw himself deterred in the future by the video surveillance to hold events in the K.-garten, if he himself at the same time stated that the surveillance system was deactivated at events and this was additionally made clear to the outside world by covers. It was only necessary to register the event with the defendant, since otherwise the employees could not know when they should take the steps required by the instructions. At no time did the defendant claim that the K.-garten was a poorly visible area or dark corner. It goes without saying that crime statistics can only reflect offences that have become known, but according to the police, there are indications that, particularly in the area of drug-related crime, a much larger number of offences must be expected than is statistically recorded. The extensive crime statistics presented by the plaintiffs are not decisive. Whether the total crime in P.er Land is declining is not the decisive criterion for the crime that is localised at K.-garten. Neither is it the case whether the defendant as a whole is not perceived by the police headquarters of Lower Bavaria as a locality of above-average crime. 
Instead, the decisive factor is that the statistics for the K.-garten show an increased incidence of crimes and administrative offences in comparison to other locations in the city area and are described by the Police Inspectorate as a "focal point". The annual expenditure of the municipal nursery for the removal of damage caused by vandalism is estimated at approximately 25,000 euros. This expenditure includes daily damages in the area of wells and green spaces (broken glass and bottles as well as rubbish in the wells and green spaces, urinating and performing the emergency urge - also during the day, tearing out plants) as well as damages that occur several times a year (damaged and torn out granite slabs at the wells, larger amounts of gravel in the wells, damaged and torn out metal letters of the street signs, graffiti on the metal troughs, damage to the benches and overturned large plant pots). The expenditure of the city nursery could not be put in relation to the procurement costs for the video surveillance system. This does not only serve to prevent the aforementioned damage, but also to prevent other criminal offences and administrative offences in the area of the K.-garten. For example, the costs of the video surveillance system in the case of bodily injury could not be set in relation to the value of the physical integrity. Furthermore, the purpose of the K.-garten as a public facility and local recreation area was to be emphasized. Administrative offences or even criminal offences that made it difficult to achieve this purpose had to be prevented. The legal basis of video surveillance was Article 6 of the GDPR in conjunction with Art. 24 para. 1 BayDSG. Article 24 BayDSG had been enacted within the legislative competence of the Free State for the area of averting danger under Article 70.1 of the Basic Law. The open observation of public places serves the prevention of criminal offences. 
Potential offenders should be deterred from committing an offence and in this way it should be prevented. Picture recording was also part of deterrence. The potential perpetrator had to expect that his or her act would be recorded and that the recording would be available not only for identification purposes but also as evidence in criminal proceedings (BVerwG, U.v. 25.1.2012 - 6 C 9.11). It was to be noted that the wording "prosecution of administrative offences or criminal offences" was merely a repressive secondary purpose, which in individual cases was only applicable in the form of video recording, namely if the recording gave rise to the initial suspicion of a criminal offence. It was not suitable to suppress or superimpose the primary purpose of crime prevention pursued by the overall measure (VGH Baden-Württemberg, U.v. 21 July 2003 - 1 S 377/02). However, even this secondary purpose in itself would fall within the legislative competence of the Free State, since this is a case of concurrent legislation pursuant to Article 74.1 No. 1 of the Basic Law. The securing of evidence for future criminal proceedings would then be assigned to "judicial proceedings". However, the Federal Government had not yet made conclusive use of this provision. Consequently, the Free State also has legislative competence in this area under Article 72.1 of the Basic Law. The Federal Government's regulations in the field of precautionary measures for criminal prosecution were not so dense that they had a conclusive effect in the sense of a codifying regulation. These precautionary measures were not in fact measures that required an initial suspicion (BVerwG, loc. cit.). The video surveillance of the K.-garten was at least suitable to promote the purpose of preventing criminal offences. Studies and security reports have shown that video surveillance in public spaces has actually led to a reduction in crime. 
It may be true that video surveillance is not the rule for the prevention of offences outside of road traffic. However, Art. 24 para. 3 BayDSG already makes it clear that video surveillance, at least in the opinion of the legislator, can also be used to prosecute and thus also to prevent administrative offences. A study has been able to establish a connection between the decline of regulatory offences in particular and video surveillance (Gill et al., Assessing the impact of CCTV, the South City Case Study, Home Office Online Report, 2005). Video surveillance is also not unsuitable for the prevention of bodily harm. Art. 24 para. 3 BayDSG assumes that video surveillance is fundamentally suitable for the prevention of crimes. Furthermore, there are - apart from all studies - concrete empirical values, for example from Duisburg. Irrespective of this, there is at least one study which expressly concludes that video surveillance in public spaces is suitable for preventing bodily injury offences (Lucien Müller, Videoüberwachung in öffentlich zugänglichen Räumen - insbesondere zur Verhütung und Strahung von Straftaten, 2011, pp. 241-248). Rational Choice Theory states that all action is conditioned by goals, desires and needs and by the human attempt to realize these goals to the greatest possible extent. Accordingly, the smaller the personal benefit and the greater the personal cost of an action, the less likely it is that an action will be committed. Thus, an attempt is made to increase the costs of illegal action by increasing the severity of the sanction or the risk of sanctions, so that the offence is perceived as less worthwhile. In this way, video surveillance can increase the theoretical probability of the perpetrator being apprehended - i.e. the risk of sanctions - and thus prevent crimes if the perpetrator is already aware of the possibility of observation before the act is committed. 
The plaintiff's view that most offences are not committed after careful consideration, but typically spontaneously and affectively, appears doubtful, because then all attempts at crime prevention would be fruitless. It may well be true that individual acts of bodily injury are, in retrospect, acts of passion, but these acts are not amenable to a generalisation in the K.-garten. Also, although it is possible that alcohol consumption in individual cases might not be able to deter a perpetrator from committing a crime despite video surveillance, it cannot be concluded from individual cases that video surveillance cannot have a deterrent effect on a majority of potential offenders (even under the influence of alcohol or drugs). The surveillance measure of the K.-garten was not primarily aimed at preventing insults, but it was not true that video surveillance was completely unsuitable for this purpose. According to the police's criminal and administrative offence statistics for the K.-garten, it is clear that from 2012 to 2018 (with the exception of 2017) insults could have been recorded in the K.-garten several times a year. Apart from verbal insults, gesticular insults in particular could be observed by the cameras. One of the main objectives was to prevent drug offences in the K.-garten. A study had shown that the video surveillance systems installed in the northern city centre of Heilbronn as well as at the railway station in Böblingen had significantly contributed to the decrease in narcotics offences. According to this study, the decrease was 60 and 70% respectively (Daniela Brandt, Wirkungen situativer Kriminalprävention - eine Evaluationsstudie zur Videoüberwachung in der Bundesrepublik Deutschland, Diplomarbeit an der Universität Bielefeld, 2003/04, p. 56). 
The shift of crimes to times outside of video surveillance can be countered by the fact that video surveillance is only one part of the defendant's overall security concept and that this is precisely where the other components come in. According to the above-mentioned study, in many cases no shift had been observed. The plaintiff completely failed to mention that the positive spillover effects were in contrast to the displacement effects. Positive spillover effects often arise in the surrounding areas of the actual target area of video surveillance, in which the crime rate has already been reduced and ensure that such a result is also achieved in the surrounding areas (Gill et al., loc. cit.). The plaintiff also disregards the fact that the defendant and the police would react to any displacement effects that might be observed in the medium term with their concepts and in a manner appropriate to the situation, so that the feared displacement is unlikely to have any major negative effects. Furthermore, video surveillance is also suitable for the prevention of property offences, especially property damage. Florian Glatzner, quoted by the plaintiffs in connection with the suitability of video surveillance, comes to the conclusion in his work "Die staatliche Videoüberwachung des öffentlichen Raumes als Instrument der Kriminalitätsbekämpfung" ("The State Video Surveillance of Public Spaces as an Instrument for Combating Crime") from 2006 (pp. 48, 80), with reference to other studies, that property offences could be prevented by video surveillance. The Criminological Research Institute of Lower Saxony (Kriminologisches Forschungsinstitut Niedersachsen e.V.), which was further quoted by the plaintiffs, also stated in its evaluation of the police video surveillance in North Rhine-Westphalia from 2018 (p. 15 f.) that a reduction in property offences could be ascertained. 
Therefore, video surveillance also appeared to be suitable with regard to the prevention of vandalism. It was not true that the persons designated for surveillance were not able to simultaneously keep an eye on the images provided by the cameras. They were trained personnel who had been trained to keep a constant overview of the area under surveillance. It was not the case that such personnel were constantly in the surveillance area. Rather, surveillance work is carried out daily, for example to check whether the signage is still undamaged or whether the cameras are covered with hoods. The city employees also have other duties outside of video surveillance. The reference to the labelling approach of the employees was also misplaced. They are specially trained video surveillance personnel, who are informed before they are deployed about typical crime patterns that could help to identify them as quickly as possible. Neither specific persons nor specific target groups were placed under permanent observation. In particular, the training material made available on the defendant's website did not provide any indications that only certain persons or target groups should be observed. Such indications would not be given in the training courses themselves either. Furthermore, the staff was instructed to take action only when an act had actually been observed or when the commission of the act was imminent. Under no circumstances could discrimination or stigmatisation of observed persons be assumed. The attempt of perpetrators to evade prosecution by masking was not known to the K.-garten. Moreover, such masking, regardless of the time of day, would a fortiori lead to unwanted attention being drawn and the competent authorities being called into action. In addition, the municipal employees were required to immediately notify the police in the event of an incident, by which further measures were to be taken. 
Only the public order office, in cooperation with the official data protection officer, decides on the evaluation of the video material in compliance with strict regulations. Video surveillance was also appropriate. The defendant had made considerable efforts to make it possible to balance the conflicting interests. In the view of the police inspectorate P., which could be regarded as expert in this respect, the K.-garten was a focal point of crime in P. The defendant had neither reason nor corresponding figures to refute this view. In this respect, the plaintiff did not consider the settlement reached within the town to be decisive and it demanded that an absolute crime threshold be exceeded. However, such a demand was neither proven nor indicated. The relative comparison - in this case with the rest of the city - should always be decisive. Where an absolute crime threshold is to be located remains in the dark. The concrete video surveillance measure was also appropriate in its scope. The video surveillance across seasons is based on the police's assessment. The period of video surveillance was also coordinated with the police. From the defendant's point of view, it would not do justice to the prohibition of excessive surveillance to extend the surveillance periods for suspicious cases. In this respect the defendant relied on police expertise. A six-monthly review of the necessity of the reorganisation of the surveillance as well as of the surveillance periods was planned and carried out. Consequences would be derived from any new findings. The storage period of 72 hours was intended to ensure that, in addition to the surveillance personnel, those in charge of the public order office who could order the storage of data for a longer period of time for criminal prosecution were on duty. 
It would not be in accordance with the prohibition of overkill if the defendant stored data uselessly, the data stocks had long since been overwritten or deleted when the police or the public order office learned of an offence. The defendant had made considerable efforts to achieve a balance between the conflicting interests. This includes switching off the video surveillance system at times when the police experience shows that no significant offences occur, at weekly market times as well as at meetings and other events, the strict limitation of access to the swivel and zoom cameras, monitoring only by trained staff of the defendant and not by a commissioned monitoring service, control of the necessity every six months, a close network of documentation obligations in order to avoid misuse or errors, strict control of the handling of the system by both the public order office and the official data protection officer. Video surveillance will make the K.-garten recreation area fully accessible to the public again. The citizens should again be given a feeling of security. There is no parallel to the principles of dragnet investigation. The prerequisites are already different, in particular there is no secrecy, instead the video surveillance is designed in a particularly transparent way. The entire concept of video surveillance was regulated restrictively and the rights of citizens were taken into account as far as possible. It was incorrect that the data protection information under Articles 12 and 13 GDPR could only be perceived if the person was already in the area under surveillance. The circumvention of the monitored area was apparent from the site plan, which the plaintiff had submitted as Annex K2. The surveillance room, on the outside of which the data protection notices were affixed, was located outside the video-monitored area. 
Thus, if a person - by means of the pictograms referring to the video surveillance - wishes to take note of the data protection notices before entering the video-monitored area, he or she can do so informally by looking at the notice on the surveillance room and does not have to take a step into the video-monitored area. The assertion that the honeycomb pattern of the signs constituted a breach of the duty of transparency was unfounded because the latter served precisely to ensure that the sign remained self-reflecting and perceptible even at dusk or in other poor lighting conditions. The location of the signs had been agreed with the local data protection officer. The signs were clearly visible and legible. It would not lead to lack of transparency if the head position had to be changed in order to read the signs. For the rest, reference is made to the statement of defence of 1 August 2019.<br />
9<br />
The parties agreed to a decision without an oral hearing.<br />
10<br />
For the details, reference is made to the court and administrative files and to the minutes of the hearing of 13 July 2020.<br />
Reasons for the decision<br />
11<br />
Under the conditions of § 84, Subsection 1, Sentence 1, Code of Administrative Court Procedure (Verwaltungsgerichtsordnung - VwGO), the court was able to decide by means of a court order without an oral hearing.<br />
12<br />
The general action for performance in the form of an action for an injunction is already inadmissible for lack of admissibility.<br />
13<br />
The court is of the opinion - as will be explained below - that the right under customary public law to have the consequences removed, which is generally aimed at the complete cessation of data processing in the form of video surveillance, which also includes other data subjects, on the basis of present and future individual data subjects, is no longer considered admissible in its scope of application after the change in the legal situation due to the entry into force of the Basic Data Protection Regulation on 25 May 2018 (Art. 99 GDPR), irrespective of whether the plaintiff can assert a violation of rights and thus the right to bring an action.<br />
14<br />
First of all, it should be noted that the material scope of application of the basic data protection regulation is open. In particular, the exceptions to the scope of application of the Basic Data Protection Regulation for the processing of personal data mentioned in Article 2 (2) GDPR are not relevant. Contrary to the plaintiff's view, Article 2(2)(d) GDPR does not apply in the present case. The processing of personal data by the competent authorities for the purpose of the prevention, investigation, detection or prosecution of criminal offences or the execution of sentences, including the protection against and prevention of threats to public security, falls within the scope of the second legal instrument in the data protection reform package, the so-called "Police Directive" (Article 1(2)(d) GDPR). 1 Directive 2016/680/EU of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data by the competent authorities for the purpose of the prevention, investigation, detection or prosecution of criminal offences or the execution of sentences and on the free movement of such data and repealing Council Framework Decision 2008/977/JHA, OJ 2016 L 119, 89). Both legal instruments (the basic data protection regulation and the "Police Directive") are closely coordinated and therefore complement each other. The exception in Article 2(2)(d) GDPR covers data processing for both preventive and repressive purposes. An offence within the meaning of the exception in Article 2(2)(d) GDPR and with regard to the application of the "Police Directive" must be understood as an independent concept of Union law which cannot be defined unilaterally by the Member States. It does not include the prevention, investigation, detection or prosecution of purely administrative offences. 
It is intended to cover police activities in cases where it is not known in advance whether or not criminal offences are involved, as well as the exercise of official authority by the use of coercive measures, such as police activities during demonstrations, major sporting events and riots. They also include the maintenance of public order as a task assigned to the police or other law enforcement authorities - but not to purely law enforcement authorities - insofar as this is necessary for the purpose of protecting against and averting threats to public security and threats to the fundamental interests of society protected by law which may lead to a criminal offence (see Recital 12 of Directive 2016/680/EU and Recital 19 of the Basic Data Protection Regulation; Ehmann/Selmayr, Datenschutz-Grundverordnung, 2018, 2nd ed., Art. 2 margin no. 12; Schwartmann/Jaspers/Thüsing/Kugelmann, DS-GVO/BDSG, 2018, Art. 2 GDPR margin no. 44 et seq.). However, personal data processed by public authorities under the Basic Data Protection Regulation should be subject to Directive (EU) 2016/680 if they are used for the above purposes (Recital 19 op. cit.). In the present case, the defendant acts primarily as a public order or security authority under Article 6 of the LStVG with the task of maintaining public safety and order by preventing threats and by preventing and remedying disturbances, and thus on the basis of the basic data protection regulation. In addition, the exercise of the domiciliary right for the public institution K.-garten by the defendant as the performance of a task in the public interest or the fulfilment of a legal obligation (Article 6 para. 1 letters c and e GDPR).<br />
15<br />
The legal protection system regarding the processing of personal data therefore also has its starting point in the basic data protection regulation.<br />
16<br />
Art. 79 GDPR excludes further judicial remedies against responsible persons and processors, so that actions for injunctions under Sections 1004 (1), 823 (2) of the German Civil Code (BGB) in the area of data protection are in principle no longer possible. According to the wording of Art. 79 (1) GDPR, only other administrative or extrajudicial remedies remain "unaffected", but not judicial remedies (see Bernhard/Kreße/Sydow, Europäische Datenschutzgrundverordnung, 2nd edition 2018, Art. 79 marginal 30; BeckOK, Datenschutzrecht, Wolff/Brink, 29th edition, Art. 79 marginal 11). The rights of data subjects are laid down in Chapter III of the Basic Data Protection Regulation (Articles 12 to 22 GDPR). These are, on the one hand, rights of information, correction and deletion and the right to restrict the processing of personal data. It also covers the right not to be subject to a decision based solely on automated processing. The obligations mentioned in Art. 13 et seq., 19 GDPR correspond to individual subjective rights of the persons concerned, which can be enforced in court pursuant to Art. 79 GDPR under its further conditions. The same applies to the obligations of the controller for the processing of personal data formulated in Art. 12 GDPR.<br />
17<br />
Beyond the above-mentioned norms, the basic data protection regulation does not grant any rights for the enforcement of which an effective legal remedy must be provided under Art. 79 GDPR. In particular, a claim to cease and desist from processing of personal data contrary to the Regulation could be considered, since according to Art. 8 (1) EU-CRCh, Art. 16 (1) TFEU, every natural person has the right to the protection of personal data concerning him or her, whereby the content of the protection is also the requirement of lawfulness of the processing. In such a case, it should therefore be possible to prevent such processing for the future, otherwise the protection of fundamental rights and the principle of effectiveness under European law under Article 4 (3) TEU would be impaired. However, the right to stop unlawful data processing is not as such enshrined in the Basic Data Protection Regulation. Although the Basic Data Protection Regulation does concretise the right to the protection of personal data guaranteed by primary law, it does so only to the extent that it lays down the characteristics of this right. This argues against the assumption of a right to injunctive relief based on the Basic Data Protection Regulation with regard to the processing of personal data contrary to the Regulation. The right of cancellation under Art. 17 (1) (d) GDPR only helps to a limited extent because Art. 6 GDPR, to which reference is made, only deals with the requirement of a permissible reason for data processing.<br />
18<br />
The assumption of a general right to prohibit the processing of personal data in breach of the Regulation on the basis of the General Data Protection Regulation is also contradicted by its history and its system. Article 76(5) of the Commission proposal for the basic data protection regulation reads as follows: "Member States shall ensure that the legal remedies available under national law are capable of securing rapid action, including provisional measures, to put an end to alleged infringements and to prevent further damage to the data subject." This provision, formulated in a preventive manner, was deleted without replacement in the general approach adopted by the Council of the European Union on 15 June 2015. However, the wording, which is now contained in Art. 77 (1) GDPR, which links the right of appeal to the fact that the processing of personal data violates the basic data protection regulation, has not changed in any significant way. The difference in the wording of Art. 77 (1) and Art. 79 (1) GDPR also shows that the mere processing of data contrary to the Regulation does not constitute a violation of the law, but that a distinction must be made between unlawful data processing and violation of the law. In the case of a mere unlawful data processing without a legal violation, the data subject has the right of appeal under Article 77 paragraph 1 GDPR and subsequently the right to judicial remedy against the supervisory authority under Article 78 paragraph 1 GDPR, which removes the primary legal concerns. It should be noted that this violation of the Data Processing Regulation is seen as an independent feature of data processing in addition to the violation of rights in Art. 79 para. 1 GDPR: In the opinion of the data subject, the infringement of rights should only occur as a result of the processing in breach of the Regulation, i.e. it should not be identical to it. 
The rights of the data subject are infringed if the person or institution against whom they exist does not comply with the obligations corresponding to them. In order to establish this, the more specific provisions of Article 12 (2), (3) and (5) to (7) GDPR must also be observed. For example, in the cases mentioned in Art. 12, para. 3 GDPR, there is no infringement of rights before the expiry of the periods specified in this provision. There is also no infringement of rights in the cases of Art. 12 para. 5 sentence 1 letter b and para. 6 GDPR.<br />
19<br />
This legal situation described above is also not modified by the Bavarian Data Protection Act. According to Art. 1 BayDSG, the Bavarian Data Protection Act initially applies to data processing by all Bavarian authorities, i.e. also by judicial and police authorities, unless special regulations exist in the respective specialist law (e.g. the right to register or the police task law) (Art. 1 para. 5 BayDSG). Because of this very comprehensive scope of application, Art. 2 BayDSG is also valid for all Bavarian authorities. The Bavarian legislator has thus decided that the Basic Data Protection Regulation should also apply in those areas which - due to a lack of EU competence - are not (or should not be) covered by the Basic Data Protection Regulation and where there is (actually) room for an independent national data protection law. However, the Bavarian legislator had recognised that it is not possible to solve all implementation tasks formulated by Directive 2016/680/EU in a proper manner by a blanket reference to the Basic Data Protection Regulation. For this reason, Art. 28 para. 2 and 3 BayDSG was created, which create isolated special provisions for the "Directive Authorities" mentioned in Art. 28 para. 1 BayDSG. By means of an exhaustive list, Art. 28 para. 2 BayDSG orders that only certain provisions of the Basic Data Protection Regulation apply to data processing which is subject to Directive 2016/680/EU. Other provisions of the Basic Data Protection Regulation do apply in principle, but they are replaced by Art. 29 et seq. BayDSG. Furthermore, not all provisions of the Bavarian Data Protection Act are to apply to data processing pursuant to Directive 2016/680/EU. Therefore, Art. 28 para. 3 BayDSG stipulates that certain provisions of the Bavarian Data Protection Act shall not apply to data processing operations which are subject to the Directive. 
In addition to the specific purpose (processing of personal data by the competent authorities for the purpose of preventing, investigating, detecting, prosecuting or punishing criminal offences or administrative offences, including the protection against and prevention of threats to public security), a basic allocation of tasks and powers of the processing authority is also (always) necessary for the prevention, investigation, detection or prosecution of criminal offences or criminal proceedings as well as for police security. Art. 28 para. 1 sentence 1 BayDSG contains a non-exhaustive list ("unless otherwise specified") of those authorities which may be assigned such tasks and powers within the meaning of the Directive. These competent authorities are subject to the provisions of the eighth chapter only insofar as the specific data processing serves the purposes mentioned in Art. 28 para. 1 sentence 1 BayDSG. According to this, the area of security will, in view of the constellations relevant to practice, be assigned to the scope of application of Directive 2016/680/EU and thus to Chapter 8 of the Bavarian Data Protection Act. Even if the prevention of criminal offences is not clearly established as the purpose or result of police action to avert danger, there is almost always at least the possibility that the danger situation may lead to a criminal offence or that this is not excluded. However, in contrast to this, according to the self-understanding of Directive 2016/680/EU, data processing for averting danger by non-police security authorities (e.g. district offices as security authorities according to Art. 6 LStVG) is to be assessed in principle in accordance with the provisions of the Basic Data Protection Regulation. The eighth chapter of the Bavarian Data Protection Act is only applicable to them insofar as these non-police security authorities "prosecute or punish criminal offences or administrative offences". 
The provisions of the eighth chapter therefore apply as soon as data are processed within the scope of a concrete, documented administrative offence procedure that has been initiated (cf. Wilde/Ehmann/Niese/Knoblauch, Datenschutz im Bayern, 29 AL June 2018, Art. 28 BayDSG nr. 20).<br />
20<br />
For legal protection, Art. 20 BayDSG provides exclusively for the invocation of the supervisory authorities by affected parties. This is to be seen as a concretisation of the right of appeal guaranteed directly in the Basic Data Protection Regulation in accordance with Art. 77 GDPR. The provision thus contains a Member State's procedural regulation on the basis of Art. 58 para. 4 GDPR. Supervisory authorities within the meaning of Art. 20 BayDSG include the Bavarian State Commissioner for Data Protection (Art. 15 BayDSG) and the Bavarian State Office for Data Protection Supervision (Art. 18 BayDSG). Art. 77 para. 1 GDPR in conjunction with Art. 20 para. 1 sentence 1 BayDSG determines the right of the data subject to contact the data protection supervisory authorities with the argument that his rights have been violated in the processing of his personal data. This appeal to the supervisory authority is an informal legal remedy similar to the general right of petition (Art. 115 BV, Art. 17 GG). It gives the person concerned - irrespective of other legal remedies - the independent right to appeal to a supervisory authority with the argument that his rights have been violated in the processing of his personal data. The right of appeal guaranteed by the EU Charter of Fundamental Rights (Article 8 (1) in conjunction with Article 8 (3) CFR) is protected by Article 77 (1) GDPR in conjunction with Article 77 (1) CFR. Art. 20.1 sentence 1 BayDSG, whereby Art. 20.1 sentence 1 BayDSG - unlike the right of appeal in Art. 77.1 GDPR - requires not only the assertion of a violation of the Basic Data Protection Regulation, but also an assertion that the complainant has committed a violation of his or her own rights (Data Protection in Bavaria, 29 AL June 2018, Art. 20 BayDSG nos. 4 and 5). 
This gives rise to a legal claim on the part of the data subject that the supervisory authority receives the submission, examines it from a factual and legal point of view and informs the submitting party in writing of how the submission was dealt with. In this respect, Article 57 (1) (f) GDPR provides that the "subject matter of the complaint shall be investigated to an appropriate extent". If a supervisory authority has not dealt with a complaint or has not informed the person concerned within three months of the status or outcome of the complaint lodged, the person concerned may, under Article 78(2) and (3) GDPR, bring a general action for performance before the administrative courts for information on the status or outcome of the complaint. The period of three months is derived from Art. 78, para. 2 GDPR. The individual powers of the supervisory authorities derive from Art. 58 GDPR, including remedial powers which, among other things, allow them to impose temporary or permanent restrictions on processing, including a ban (paragraph 2(f)), or to order the rectification or deletion of personal data or the restriction of processing in accordance with Art. 16, 17 and 18 GDPR and the notification of the recipients to whom such personal data have been disclosed in accordance with Art. 17(2) GDPR and Art. 19 GDPR. This right of appeal or complaint under Art. 20 BayDSG does not require a prior application to the responsible authority. If, however, a data subject wishes to take direct action against a controller or to assert the data subject rights of the Basic Data Protection Regulation (Art. 16 et seq. GDPR), these rights of rectification, deletion and notification in connection with the rectification or deletion of personal data or the restriction of processing, as well as the prior right of access under Art. 15 GDPR, require a "request" by the data subject to the controller. 
In the event of refusal, the data subject is entitled to all the legal remedies provided by the Basic Data Protection Regulation (Art. 77, 78 GDPR). In addition, the data subject has the right to an effective judicial remedy directly against the data controller (Art. 79 GDPR). If the person responsible is a public authority and the latter rejects an application for restriction, the rejection is an administrative act which is subject to the relevant administrative remedies and is regularly subject to an action for an obligation pursuant to Articles 42, 68 et seq. VwGO (Ehmann/Selmayr, General Data Protection Regulation, 2018, 2nd ed., Art. 18 marginal 30). Thus, even within the scope of application of the Bavarian Data Protection Act, there remains the exclusive right of a data subject to bring an action against the responsible party pursuant to Article 79 GDPR.<br />
21<br />
The aforementioned data subject rights of the basic data protection regulation (with Art. 20 BayDSG) have replaced - as already explained above - any data subject rights under national law since 25 May 2018 (loc.cit., Art. 18 marginal 38; OVG Lüneburg, U.v. 20.6.2019 - 11 LC 121/17 - para 43; VG Stade, B.v. 9.10.2018 - 1 B 1918/18 - para 30). A common feature of these data subject rights is that a data subject can only object to the personal data concerning him/her (Becker in Plath, GDPR/BDSG, 3rd ed. 2018, Art. 79 marginal no. 2). Art. 79 GDPR only conveys a right of injunction under individual law. In addition, the rights of information, correction and deletion (Art. 15 to 17 GDPR) can also be pursued against the person responsible and the processor through the channels provided in Art. 79 para. 1 GDPR. In terms of substantive law, the claim and its enforcement are governed by the general provisions, whereby different legal channels are used vis-à-vis public and non-public bodies. As a rule, the data subject will have to seek legal protection before the administrative courts against faulty data processing by public bodies within the scope of their sovereign acts (Section 44 (2) BDSG). Since the corresponding procedural legal instruments were available in German law, there would not necessarily have been a need for certain implementation measures by the German legislator. Nevertheless, the legislator has included provisions on jurisdiction in Section 44 BDSG, but this does not result in any change to the existing legal situation in Germany (Becker in Plath, loc. cit.). In addition, a right of objection pursuant to Art. 21 para. 1 GDPR may be considered for the processing of personal data which is carried out on the basis of Art. 6 para. 1 letter e or f GDPR. This right of objection is systematically regulated in Section 4 of Chapter III ("Rights of Data Subjects"). This shows that it stands independently alongside the other rights of data subjects (Art. 
13 to 20 GDPR), although these rights are not mutually exclusive but complementary. The systematic nature of Art. 21 GDPR shows that the right of objection has both procedural and substantive law character. In addition to the procedural right to raise an objection, Art. 21(1) sentence 2 GDPR grants a substantive right to injunctive relief, i.e. a right that the data controller will no longer process the data in future. The provision thus enables the data subject to prevent data processing with ex-nunc effect. This right to injunctive relief is supplemented, in accordance with Art. 17 (1) letter c Alt. 1 GDPR, by a right to the elimination of consequences in the form of a right to deletion and, pursuant to Art. 18 para. 1 letter d GDPR, by a temporary right to security in the form of a right to limitation, as long as it is not yet clear whether the legitimate reasons of the controller outweigh the special reasons of the data subject, and, pursuant to Art. 19 GDPR, by an obligation to provide subsequent notification and information in connection with the deletion. Some of these rights are directly limited by Union law (e.g. Article 13(4), Article 14(5), Article 21(1) GDPR). In addition, the rights and obligations under Articles 12 to 22, 34 and, where applicable, Article 5 GDPR may be limited by Union or national legislation under the conditions laid down in Article 23 GDPR. However, a general restriction of the rights of data subjects in court proceedings was not included in Union law, in the Judicature Act, in the codes of procedure, nor in the Federal Data Protection Act and the Tenth Book of the Social Code (SGB X), since the numerous exceptions already resulting from the Basic Data Protection Regulation did not make this necessary. 
Moreover, the relevant procedural rules can be considered by courts as a restriction of the rights of data subjects within the meaning of Article 23 GDPR and special federal law preceding the Federal Data Protection Act (Article 1 (2) sentence 1 BDSG) (Bieresborn, Die Auswirkungen der GDPR auf das gerichtliches Verfahren, DRiZ 2019, 18 et seq.). The Basic Data Protection Regulation establishes a number of new rights of action, which, according to national design, are to be brought before the courts of administrative jurisdiction (Section 20 BDSG), the social courts (Sections 81a, 81b SGB X) or the fiscal courts (Section 32i AO). Without prejudice to other legal remedies, Art. 78 (1) GDPR establishes the right of every natural or legal person to an effective judicial remedy against legally binding decisions of the supervisory authority under data protection law. This includes all decisions and thus also administrative acts issued on the basis of Art. 58 GDPR that are capable of having legal force. Any natural or legal person is entitled to bring an action, provided that its own protected rights are affected. It is not absolutely necessary that the decision is also legally binding on this person; it is sufficient that the person's interests are in fact directly affected. Art. 78, para. 2 GDPR grants affected persons, without prejudice to other legal remedies, an action for failure to act against the supervisory authorities under data protection law. A precondition for this legal remedy is that a complaint pursuant to Art. 77 GDPR has been lodged beforehand. Art. 79 para. 1 GDPR grants data subjects an additional judicial remedy against what they consider to be a breach of the Basic Data Protection Regulation in the handling of their personal data. The standard of review is the Basic Data Protection Regulation. The infringed standards must not only have an objective-legal character - such as the obligation to appoint a data protection officer (Art. 
37 GDPR) or to carry out a data protection impact assessment (Art. 35 GDPR) - but must also have concrete effects on the plaintiff's subjective rights. Defendants are data controllers and processors. Parallel proceedings for injunctive relief or claims for damages against the responsible party do not preclude admissibility, nor does a parallel complaint to the supervisory authority (Art. 77 and 78 GDPR).<br />
22<br />
In the present case, video surveillance is to be assumed to involve data processing in accordance with Art. 6 Para. 1 letter e GDPR, so that for the plaintiff, in addition to the rights of the persons concerned in accordance with Art. 16 et seq. GDPR, the plaintiff would also have had the possibility to object under Art. 21 Para. 1 GDPR. As already explained above, the obligations to cease and desist and to remedy the consequences only cover the data relating to the data subject. If (automated) processing also includes third-party data, this does not have to be omitted altogether (Ehmann/Selmayr, Basic Data Protection Regulation, 2018, 2nd ed., Art. 18 marginals 40, 41). If an objection is rejected, the data subject is also entitled to all legal remedies provided by the Regulation. This refers to primary legal protection based on the aforementioned right to appeal to the competent supervisory authority (Art. 77 GDPR) and an appeal against a decision of the supervisory authority (which does not remedy the situation), also in the form of an action for failure to act (Art. 78 GDPR). In addition, the person concerned has the right to an effective judicial remedy directly against the person responsible (Art. 79 GDPR). If the person responsible is an authority and the authority rejects a request or an objection by the person concerned, the rejection - as already stated above - is an administrative act which can be challenged by the relevant administrative remedies (loc. cit. para. 69). According to the wording of the provision, the right under Art. 79 (1) GDPR to an effective remedy against violations of rights caused by data processing in breach of the Regulation exists "without prejudice to any other administrative or extrajudicial remedy". 
Even if, contrary to obvious legal considerations, the judicial remedy under Article 79(1) GDPR is not in a tiered relationship with the above-mentioned remedies, but rather in addition to them, the judicial remedy is, however, subject to the same limitation as the other above-mentioned rights of the data subject, namely that the subject of the proceedings can only be the personal data concerning the data subject. This legal restriction also speaks against the general right of injunction pursued by the plaintiff in the present action. In addition, according to general principles of procedural law, a prior application or objection in the above sense must be filed with the responsible party in order to protect the right to legal redress (loc. cit. Art. 79 marginals 2, 5; Schwartmann/Jaspers/Thüsing/Kugelmann, DS-GVO/BDSG, 2018, Art. 79 marginals 18).<br />
23<br />
Accordingly, a general action for an injunction in its present form must - as already stated above - be assumed to be inadmissible in view of the specific rights of data subjects under the basic data protection regulation since its entry into force on 25 May 2018. It is undisputed between the parties to the proceedings that the plaintiff did not make any "request" under Art. 13 et seq. GDPR or an objection pursuant to Art. 21 para. 1 GDPR directly to the defendant or pursuant to Art. 77 GDPR in conjunction with Art. 20 BayDSG to a supervisory authority. Even if a direct judicial assertion of the rights of the persons affected were to be considered permissible in circumvention of the above-mentioned procedural rights or without any referral to the responsible authority, the nature and scope of this judicial assertion cannot go any further in substantive law than the above-mentioned procedural rights, so that there is no need for legal redress for the claim in its present form.<br />
24<br />
Furthermore, the applicant bases his alleged infringement of rights in the final analysis only on the fact that he, as the beneficiary of the public institution K.-garten, is affected by the video surveillance system, firstly, because his person may actually be visually recorded when he enters the monitored site, and secondly, because the video surveillance system is only present even without surveillance activity and this surveillance system is installed and operated contrary to the provisions of the Basic Data Protection Regulation. Such a statement cannot suffice to prove an independent violation of the law. The "view" of a violation of rights within the meaning of Art. 79 (1) GDPR in the above sense would mean in effect that this would coincide with the presentation of data processing by video surveillance that does not comply with the Regulation. However, the Basic Data Protection Regulation makes a distinction - as already explained above - between the mere unlawfulness of the data processing, on which a right of objection under Article 21 GDPR and a right of appeal under Article 77 GDPR can be based, and the additional infringement of rights that is alleged to have been committed by the data subject. Against this background, it cannot be assumed in the present case that the plaintiff has asserted a violation of rights, so that taking legal action under Art. 79 GDPR would also be ruled out in the present case.<br />
25<br />
Moreover, the action would also be unfounded only on the basis of the unlawfulness of the processing of personal data by video surveillance.<br />
26<br />
Video surveillance using the camera-monitor system constitutes processing of personal data within the meaning of Art. 4 nos. 1 and 2 GDPR if the video recordings allow the identification of the person concerned (Ehmann/Selmayr, loc.cit., Art. 4 marginal 7). Their legality is governed by Art. 6 GDPR. Among other things, it names as conditions for the lawfulness of the processing that the processing is necessary for the fulfilment of a legal obligation to which the controller is subject (Art. 6 para. 1 letter c GDPR) or that it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Art. 6 para. 1 letter e GDPR) or that the processing is necessary to safeguard the legitimate interests of the controller or of a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child, with the exception of processing carried out by public authorities in the performance of their duties (Art. 6 para. 1 letter f, second sentence GDPR). The legal basis for the processing operations pursuant to Article 6(1) letters c and e GDPR is determined by Union law or the law of the Member States to which the controller is subject (Article 6(3), first sentence, GDPR).<br />
27<br />
The Federal Data Protection Act (BDSG) came into force at the same time as the Basic Data Protection Regulation. There the video surveillance is regulated in § 4 BDSG. According to § 1 paragraph 1 No. 2 BDSG, the Federal Data Protection Act applies to the processing of personal data by public bodies of the federal states, unless data protection is regulated by state law. In the Free State of Bavaria, the new version of the Bavarian Data Protection Act (BayDSG) also came into force on 25 May 2018. Art. 24 of the BayDSG specifies the conditions for the processing of personal data with the aid of optical-electronic devices (video surveillance). According to this, video surveillance is permissible if this is necessary in the context of the fulfilment of public tasks or in the exercise of domestic authority to protect the life, health, freedom or property of persons who are in the area of public facilities, public transport, service buildings or other structural facilities of public bodies or in their immediate vicinity (para. 1 No. 1), or to protect cultural assets, public facilities, public transport, official buildings or other structural installations of public bodies as well as the objects located there or in their immediate vicinity and there are no indications that predominant interests of the persons concerned worthy of protection are impaired (para. 1 No. 2).<br />
28<br />
The defendant's city council decided in public session on 14 May 2018 to improve public safety in the inner city area by extending the toilet facilities at the K.-garten by an annex, which is temporarily manned by supervisory staff from 8:00 a.m. to 10:00 p.m., and to install video surveillance for the K.-garten area. In the draft resolution of April 10, 2018, first of all to the city council meeting of April 23, 2018, and then on May 14, 2018, it was stated that, despite the generally good security situation, the K.-garten had developed into a focal point with regard to crimes and administrative offences. On the legal basis of Article 21a of the BayDSG (old version, note of the G.), municipal video surveillance was admissible if a public institution was present and the police had documented the incident and concluded that the K.-garten was a focal point. According to the police, especially the drug offences that had been established pointed to a brisk turnover of drugs, the so-called "ant trade", with regard to known dark field investigations. This assessment was further supported by indications from the population as well as by the regular finding of drug paraphernalia in the nearby public toilets. It is expected that the installation of video surveillance in the K.-garten area will lead to a noticeable decrease in crimes and administrative offences. Moreover, crimes and administrative offences committed could be better prosecuted or clarified by evaluating the video material. Video surveillance would strengthen the sense of security of the population, who would like to use the K.-garten as a place of recreation and relaxation. Potential offenders would be deterred by video surveillance alone. In an internal data protection assessment of 14 May 2018 on the same day of the city council meeting, it was stated that the K.-garten was a public facility of the defendant; it served as a local recreation area. 
This purpose was undermined by the commission of criminal offences and administrative offences in this area. In addition, the facilities in the K.-garten were regularly damaged by vandalism. There would be additional costs of at least 25,000 euros for repairing the damage at the municipal nursery alone. The K.-garten is also a local focal point in the drug trade. The legal interests mentioned in Art. 21a BayDSG (old version, note of the G.) would probably also be violated in the future after an appropriate risk analysis by the administration and police, and the planned video surveillance would serve to counteract the predicted danger. The criminal and administrative offence statistics show that numerous offences were committed in the K.-garten, in particular drug trafficking, and that there were also constant violations of the city's green space statutes. The police documentation of the incidents also shows that, in addition to bodily injury offences and excessive alcohol abuse, vandalism and drug trafficking have not been brought under control in recent years. In some areas, especially in drug trafficking, there had even been a marked deterioration in the number of cases. Although various measures taken by the defendant in cooperation with the police had brought about certain improvements in recent years, the situation in the K.-garten was still unacceptable and the citizens' feeling of security in this area "virtually" non-existent. Measures already implemented, such as the occupation of a second streetworker position, expanded police presence, increased controls and punishment of offences had not yet resulted in any significant improvement, so that another measure, namely video surveillance, seemed appropriate as a means of averting danger. 
The administration was certain that the comprehensive surveillance of the K.-garten would reduce the number of offences and administrative offences and that the public grounds would be used again in accordance with their purpose. In addition, criminal prosecution was also to be facilitated as a secondary purpose. The encroachment by video surveillance on the interests of those affected that were worthy of protection was to be classified as not insignificant, and in particular the privacy of each individual was also affected. Every stay of a person in the K.-garten would be recorded by the planned measure. The K.-garten will be heavily frequented by students on their way to and from the university, especially at daytime. There is therefore a high number of people affected. The intervention by means of video surveillance could be regarded as justified, taking into account the overall legal interests. The legal interests to be protected would outweigh the rights of the persons concerned. The surveillance was not planned at market times and at events where surveillance would in any event be disproportionate. Video observation and recording would not be necessary at events at which, for example, security was ensured by security forces specifically assigned for this purpose. The fact that the K.-garten is an open park and not a place of fear is not convincing. In spite of the open design, there are in fact constantly various offences. The perpetrators were not bothered by the openness of the park. Even without hidden corners, the K.-garten currently represents a place that citizens avoid to linger. Even the argument that the planned measure only shifts the problem locally does not lead to a different assessment, especially since there are no tangible clues. If such a shift were to actually take place, video observation and recording would have to be discontinued.<br />
29<br />
The starting point for an admissibility review of video surveillance is - as already reflected in the content above - Art. 6 para. 2, para. 3 sentence 3 GDPR in conjunction with Art. 24 para. 1 BayDSG. The defendant's activity as a security authority within the meaning of Article 6 of the LStVG with the primary purpose of preventing crimes and administrative offences was repeatedly emphasised in the run-up to the resolution of 14 May 2018 on the establishment of video surveillance and was the subject of legal review by the defendant's administration. The general preventive aspects outweighed the inevitable side effect of successful punishment of committed crimes or administrative offences by the police and law enforcement agencies. In addition, the defendant's domiciliary right stands for the public institution K.-garten. The K.-garten was created in the course of the implementation of the development and green space plan "Neue Mitte P. - Teilgebiet 1" (notice of 13 July 2006 in the Official Gazette No. 23 of the City of P.*) as a public green space with the special purpose Stadtpark "K.-garten", as a partially unsealed area (clause 3.6 of the textual stipulations of the development plan), and was thus also impliedly dedicated as a public institution. As a public green space, the K.-garten is covered by the Statute on the Use of Public Green Spaces, Municipal Playgrounds, Football Pitches and Leisure Facilities of the City of P. dated 29 May 2006 (entered into force upon publication in the Official Gazette of the City P. No. 19 dated 1 June 2006). 
Public green areas within the meaning of these statutes are the green areas and parks owned by the defendant, which are accessible to the public and maintained by the defendant, whereby the paths and squares, natural and artificial water surfaces and water facilities as well as the marked playgrounds and sunbathing areas and facilities are also part of the green areas (Article 1 para. 2 of the statutes). Sections 2 et seq. of the statutes regulate behaviour in public green areas, among other things, and stipulate obligations for removal, enforcement orders in individual cases, bans on entering the area and offences are included. This purpose of the K.-garten as a local recreation area in the city area may require the exercise of the householder's rights through the installation of video surveillance in order to avert disturbances, as described above.<br />
30<br />
The court is of the opinion that the appropriateness and necessity in terms of the principle of proportionality (Art. 8 LStVG) of the installation of video surveillance in accordance with Art. 24 para. 1 BayDSG was given at the time of commissioning on 18 December 2018 and that this decision is still given at the time of this decision. The incident documentation of the police for the year 2019 and the first half of 2020 prove that the legal interests mentioned in Art. 24 para. 1 BayDSG and the public institution K.-garten still require protection. This does not require the identification of a "centre of crime", i.e. a place where a significant accumulation of crimes can be observed in comparison to other parts of the urban area (cf. VG Gelsenkirchen, B.v. 7.5.2020 - 17 L 88/20 - juris on video surveillance by the police pursuant to Article 15a para. 1 sentence 1 no. 1 PolG NRW).<br />
31<br />
Video surveillance does not affect the plaintiff's right to informational self-determination in its core area of intimacy and privacy, which would require a legal basis for authorisation, the application of which in the individual case would be in accordance with the principle of proportionality, but at most the public sphere, thus describing an area which at most affects the right of personality and which in any case cannot be shielded from the environment. Measures affecting this area have - if at all - only a low intensity of burden. From the point of view of proportionality, this is where the lowest justification requirements exist. Depending on the circumstances of the individual case, even the scope of protection of the right of personality is not affected because of the social reference in this area (Maunz/Dürig, Grundgesetzkommentar, Art. 2 marginal no. 160 with further references). In this context, it should also be mentioned for further understanding that an image recording made in the course of video surveillance initially only represents the recording of information, and that the personal reference (through assignment to an identifier such as the name) can often only be established later through additional knowledge (often obtained from third parties), so that the processing of personal data as a result of identification does not regularly begin with the image recording, but only when the identification of the person concerned is possible (see ECJ, judgment of 11 December 2014 - C-212/13 - juris). On this basis, a purely isolated recording, which is also not merged with other recordings, does indeed provide information, but not personal data within the meaning of Art. 4 No. 1 GDPR as long as the information cannot be assigned to any natural person who is identified or identifiable (e.g. by surname or identification number). 
However, it is not necessary for identifiability that all the information required to identify the person concerned is in the hands of the person responsible. In this respect, personal data exist if the person responsible has legal means that enable him to have the person concerned identified on the basis of additional information provided by a third party (cf. ECJ, judgment of 19.10.2016 - C-582/14 - juris). The possibility of using police assistance for the identification of offenders in the case of the commission of criminal offences can be regarded as such legal means. In this mixed situation, it must be assumed - even if only for the sake of security - that in principle every video surveillance encroaches on the general right of personality in its manifestation as a right to informational self-determination, because the processing (collection) of personal data, i.e. of information of an identifiable natural person, at least in individual cases (i.e. in relation to individual conspicuous persons) cannot be ruled out and - for example in the case of criminal offences - such identifiability is hoped for, should take place and will often be legally possible through recourse to third parties (police) (cf. Data Protection in Bavaria, 29th AL June 2018, Art. 24 BayDSG marginal no. 11 ff.). Such identifiability and recourse to the police can also be assumed in the present case and has already been successfully practised in the past in terms of criminal prosecution. However, it is also clear from this that even the scope of protection of the right of personality with the above-mentioned social reference is even less affected if the plaintiff's person is not exceptionally recorded and subsequently becomes identifiable after storage for the identification of a third party. 
The plaintiff did not substantiate whether the scope of protection of his or her personal right - apart from the above-described limitation of identifiability - is to be regarded as affected at all on account of the social reference, because it was only stated that the plaintiff could enter and cross the K.-garten for private, political or professional purposes or even stay there. In weighing the interests, it can be assumed that high-ranking legal interests such as life and health predominate, which are the main focus of attention in the case of BtMG violations (Art. 24 Para. 1 No. 1 BayDSG), but also with regard to the protection of the public institution K.-garten against vandalism (Art. 24 Para. 1 No. 2 BayDSG). The defendant acts with video surveillance in the context of the fulfilment of public duties (Art. 6 LStVG) as well as in the exercise of the domiciliary right. The fact that the K.-garten is not a public traffic area, but a municipal public facility (Article 21 of the German Rules of Procedure), where it must also be clear to the plaintiff that whether and how it may be used can be subject to certain restrictions that take into account the principle of equality (see the defendant's statutes on the use of public green spaces, municipal playgrounds and football pitches and leisure facilities of 29 May 2006), certainly contributes to the clarification.<br />
32<br />
The transparency requirement (Art. 24 para. 2 BayDSG) is to be regarded as fulfilled. Information on video surveillance is provided by appropriate signs. Since the labelling is only of a typifying character, information on the times of video surveillance is dispensable. An indication that a certain building or area is under video surveillance is sufficient. It is also not necessary to draw attention to video surveillance - so that the person concerned could still avoid it - before entering the video-surveillance area, since video surveillance is based on a legal authorisation and not on (implied) consent. The duty to inform simply refers to the fact that use has been made of this legal basis for authorisation. The law does not provide for a kind of "implied consent" of the person concerned in such a way that he or she can make a conscious decision to enter the area under video surveillance on the basis of early notification. Signs would also be dispensable if video cameras were clearly visible to everyone, as this would also make the fact of surveillance recognisable. In this respect, in individual cases the clearly visible installation of cameras can also constitute a "suitable measure" in the sense of Art. 24 para. 2 sentence 1 BayDSG, whereby a strict standard must be applied here (cf. Data Protection in Bavaria, 29th AL June 2018, Art. 24 BayDSG margin no. 33 et seq.). According to this, the references to video surveillance of the K.-garten which the defendant has made so far satisfy the legal requirements of the transparency requirement, also with regard to the identification of the person responsible (Art. 24 para. 2 sentence 2 BayDSG). In a written statement dated August 4, 2020, the defendant announced that, after the court hearing and following an inspection of the K.-garten, the information signs would be enlarged and their location moved in individual places after consultation between the public order office and the official data protection officer. 
In addition, two further entrances, which have hardened over time, are to be additionally signposted. The earmarking and breaking of the earmarking (Art. 24 para. 3 BayDSG) has been taken into account in accordance with the law; the planned recording period of three days is within the scope of Art. 24 para. 4 BayDSG.<br />
33<br />
Accordingly, the action had to be dismissed, with costs under Section 154(1) VwGO.<br />
34<br />
Provisional enforceability: Sections 167 (2), 84 (1) sentence 3 VwGO in conjunction with Sections 708 et seq. ZPO.<br />
35<br />
Appeals are permitted on grounds of fundamental importance (§§ 124a para. 1 sentence 1, 124 para. 2 no. 3 VwGO).<br />
<br />
</pre></div>MLhttps://gdprhub.eu/index.php?title=UODO_(Poland)_-_DKE.561.3.2020&diff=11199UODO (Poland) - DKE.561.3.20202020-08-24T11:54:41Z<p>ML: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Poland<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoPL.png<br />
|DPA_Abbrevation=UODO<br />
|DPA_With_Country=UODO (Poland)<br />
<br />
|Case_Number_Name=DKE.561.3.2020<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Urzędu Ochrony Danych Osobowych - UODO<br />
|Original_Source_Link_1=https://uodo.gov.pl/decyzje/DKE.561.3.2020<br />
|Original_Source_Language_1=Polish<br />
|Original_Source_Language__Code_1=PL<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=<br />
|Date_Published=<br />
|Year=<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 31 GDPR<br />
|GDPR_Article_Link_1=Article 31 GDPR<br />
|GDPR_Article_2=Article 58(1) GDPR<br />
|GDPR_Article_Link_2=Article 58 GDPR#1<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The Surveyor General of Poland violated the provisions of the GDPR by failing to provide the supervisory authority during the conducted inspection with access to premises, data processing equipment and means, and access to personal data and information necessary for the President of the Office for the performance of its tasks. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
At the beginning of March 2020, the President of the Personal Data Protection Office decided on the necessity to perform an inspection of the processing by the Surveyor General of Poland on the portal GEOPORTAL2 of personal data from the poviat land and property registers, about which it informed GGK in the letter indicating the scope and the date of the inspection. In order to perform the inspection activities, the inspectors authorised by the President of the UODO presented their official identity cards and submitted personal authorisations containing information on the scope of the inspection to GGK. The Surveyor General of Poland did not allow for performing full inspection activities resulting from the submitted authorisations. <br />
<br />
=== Dispute ===<br />
GGK indicated that, according to its assessment, it was apparent from the scope of the inspection indicated in the authorisations that the inspection was to cover the numbers of land and property registers which, in its opinion, do not constitute personal data within the meaning of the provisions of the Geodetic (Surveying) and Cartographic Law.<br />
<br />
=== Holding ===<br />
The UODO imposed an administrative fine in the amount of PLN 100 000 on the Surveyor General of Poland (Główny Geodeta Kraju, GGK), because due to the categorical lack of consent of GGK to carry out full inspection activities and the unambiguously expressed lack of will to cooperate, the inspectors could not determine how and on what legal ground the GEOPORTAL2 online portal (geoportal.gov.pl) enables access to personal data contained in land and property registers and whether GGK has implemented appropriate technical measures to ensure data security.<br />
<br />
== Comment ==<br />
This summary is based on the English summary of the Polish Data Protection Authority, which can be found here: https://uodo.gov.pl/en/553/1146<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.<br />
<br />
<pre><br />
Warsaw, 2 July 2020<br />
DECISION<br />
DKE.561.3.2020<br />
<br />
Pursuant to Article 104 § 1 of the Act of 14 June 1960, the Code of Administrative Procedure (Journal of Laws of 2020, item 256), and Article 7(1) and (2), Article 60 and Article 102(1) point 1 and Article 102(3) of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), in conjunction with Article 31, Article 57(1)(a), Article 58(1)(e) and (f) and Article 58(2)(i), in conjunction with Article 83(1) and (2), Article 83(4)(a) and Article 83(5)(e) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119 of 04.05.2016, p. 1, as amended) (hereinafter "Regulation 2016/679"), following administrative proceedings initiated ex officio concerning the imposition of an administrative fine on the Surveyor General of Poland, with its seat in Warsaw at ul. Wspólna 2, represented by attorneys P. T. and S. K. (Law firm […]), the President of the Personal Data Protection Office, finding that the Surveyor General of Poland, with its seat in Warsaw at ul. Wspólna 2, infringed Article 31 and Article 58(1)(e) and (f) of Regulation 2016/679 by failing to provide the President of the Personal Data Protection Office, during the inspection of compliance with personal data protection provisions, ref. […], with access to premises, equipment and means used for the processing of personal data and with access to personal data and information necessary for the President of the Personal Data Protection Office to perform its tasks, and by failing to cooperate with the President of the Personal Data Protection Office during that inspection,<br />
<br />
imposes on the Surveyor General of Poland, with its seat in Warsaw at ul. Wspólna 2, an administrative fine in the amount of PLN 100,000 (in words: one hundred thousand zlotys).<br />
<br />
<br />
<br />
STATEMENT OF REASONS<br />
<br />
<br />
<br />
On […] February 2020, the President of the Personal Data Protection Office (hereinafter "the President of the UODO") carried out an inspection of the processing of personal data at the District Office (Starostwo Powiatowe) in J. (inspection file ref. […]). The inspection concerned the making available by the Starost of J., via the GEOPORTAL2 online portal (www.geoportal.gov.pl), of personal data from the land and property registers kept by starosts. In the course of the inspection it was established that the Starost of J. does not publish personal data from the land and property register on that portal but, on the basis of a relevant agreement, transfers them (including land and mortgage register numbers) to the Surveyor General of Poland, who then makes the data obtained available on the GEOPORTAL2 portal. In view of the above, the President of the UODO decided that it was necessary to carry out an inspection of the processing of personal data at the Surveyor General of Poland, with regard to making personal data from the land and property registers available via the GEOPORTAL2 portal. The Surveyor General of Poland was informed of the inspection planned for […] March 2020 (ref. […]) on […] March 2020 by telephone and by a letter delivered that day by electronic means (e-mail).<br />
<br />
On […] March 2020 the inspectors (employees of the Personal Data Protection Office authorised by the President of the UODO) went to the Head Office of Geodesy and Cartography to begin the planned inspection. The inspectors showed the Surveyor General of Poland their official identity cards and presented personal authorisations in which the detailed scope of the inspection was defined as follows: "The inspection will cover the making available by the Surveyor General of Poland, via the GEOPORTAL2 online portal, of personal data from the land and property registers, by establishing:<br />
<br />
1. The legal basis for the processing, including the making available, of personal data.<br />
2. The source from which the personal data were obtained.<br />
3. The scope and type of personal data made available.<br />
4. The manner and purpose of making personal data available.<br />
5. Whether the processing of personal data takes place on the basis of an authorisation granted by the controller or the processor (Article 29 of Regulation 2016/679).<br />
6. Whether the Surveyor General of Poland has implemented appropriate technical and organisational measures to ensure an appropriate level of security of the protected data (Article 32, Article 24(1) and (2) of Regulation 2016/679).<br />
7. Whether the Surveyor General of Poland has designated a data protection officer (Article 37 of Regulation 2016/679)."<br />
<br />
As is apparent from the inspection report drawn up on […] March 2020 and signed by the inspectors and by the Surveyor General of Poland, after the identity cards had been shown and the authorisations to carry out the inspection presented, the Surveyor General of Poland stated that he would not sign the authorisations presented and refused to consent to inspection activities being carried out within the scope set out in the authorisations presented. Justifying his position, he indicated that, in his assessment, it followed from the scope indicated in the inspectors' authorisations that the inspection was to concern the land and mortgage register number, which is not personal data within the meaning of the Act of 17 May 1989, the Geodetic and Cartographic Law (Journal of Laws of 2020, item 276, as amended), hereinafter "the Geodetic and Cartographic Law". On the authorisations presented, the Surveyor General of Poland placed a written annotation reading: "I refuse to consent to inspection activities being carried out within the scope of the authorisation presented (points 1 to 5) because the inspection is devoid of purpose, which I justify in letter […] of […].03.2020; in short, this follows from the fact that the scope of the inspection is to focus on the land and mortgage register number, which is not personal data within the meaning of the provisions of the Geodetic and Cartographic Law. I request that the scope of the inspection be specified in accordance with the basis on which it was initiated." The Surveyor General of Poland then stated that he consented to inspection activities being carried out only within the scope resulting from points 6 and 7 of the inspectors' personal authorisations. Only then did he sign the inspectors' personal authorisations, placing next to his signature the annotation "Signed in accordance with the statement below". In accordance with the statement quoted above, the Surveyor General of Poland submitted to the inspection file a letter with ref. […], which indicated, among other things, the legal bases for classifying the land and mortgage register number as subject-matter data (dana przedmiotowa), namely Article 20(1) point 1 of the Geodetic and Cartographic Law and § 73 of the Regulation of the Minister of Regional Development and Construction of 29 March 2001 on the land and property register.<br />
<br />
In view of the unambiguously expressed refusal of the Surveyor General of Poland to consent to inspection activities within the scope set out in points 1-5 of the personal authorisations, the inspectors refrained from activities in that scope and made findings only within the scope referred to in points 6 and 7 of the authorisations. Within the scope of the inspection to which the Surveyor General of Poland consented, the inspectors, among other things:<br />
<br />
heard Mr W. I., the Surveyor General of Poland, as a witness,<br />
obtained a copy of a sample agreement with a starost on cooperation in creating and maintaining shared elements of technical infrastructure for the publication of PZGiK data,<br />
obtained copies of documents attesting to the general organisational measures (not specific to the GEOPORTAL2 portal) implemented by the Surveyor General of Poland to ensure the security of the protected data,<br />
obtained copies of documents confirming the designation by the Surveyor General of Poland of Mr [...] as Data Protection Officer at the Head Office of Geodesy and Cartography,<br />
heard Mr [...], Chief Specialist in the Department [...] at the Head Office of Geodesy and Cartography, as a witness,<br />
obtained a printout of the Terms of Use of the www.geoportal.gov.pl website,<br />
obtained copies of the Record of processing activities containing a risk analysis and a data protection impact assessment, and of the Record of categories of processing activities with a risk analysis.<br />
<br />
In the course of the inspection the inspectors, owing to the lack of consent of the Surveyor General of Poland, did not assess the technical measures implemented to ensure the security of the protected data (including data processed via the GEOPORTAL2 portal); in particular, they did not inspect the places, objects, devices, media and IT systems used to process the data. Moreover, owing among other things to the refusal of the Surveyor General of Poland to sign the record of the testimony given on […] March 2020, the inspectors did not obtain full, binding and legally effective explanations from the inspected party on the matters covered by the scope of the inspection.<br />
<br />
Since continuing the inspection served no purpose, owing to the lack of consent of the Surveyor General of Poland to inspection activities concerning the scope set out in points 1-5 of the inspectors' personal authorisations and his lack of cooperation in that respect, the inspectors decided to end the inspection on […] March 2020. On that day the inspectors drew up the inspection report, which was then signed by the Surveyor General of Poland (without any reservations).<br />
<br />
As the inspection of the processing by the Surveyor General of Poland of personal data from the land and property registers on the GEOPORTAL2 portal was made impossible, the present proceedings were initiated ex officio concerning the imposition on the Surveyor General of Poland of an administrative fine for infringement of Article 31 and Article 58(1)(e) and (f) of Regulation 2016/679, consisting in failure to cooperate with the President of the UODO in the performance of its tasks, preventing an inspection of the processing of personal data, and failing to provide the President of the UODO with access to premises, equipment and means used for the processing of personal data and with access to personal data and information necessary for the President of the UODO to perform its tasks.<br />
<br />
The Surveyor General of Poland was informed of the initiation of the proceedings and of the evidence gathered in the case by a letter of […] March 2020, delivered to him electronically via the ePUAP platform.<br />
<br />
By letter of […] April 2020 (delivered to the President of the UODO on […] April 2020), the attorney of the Surveyor General of Poland requested that the attorneys of the Surveyor General of Poland be allowed to inspect the case file and make photocopies of it, or alternatively that a copy of the entire case file be made available electronically. In response to the request, copies of the entire case file were sent to the attorney of the Surveyor General of Poland by post, with a letter of […] May 2020, delivered to the attorney on […] May 2020.<br />
<br />
By letter of […] May 2020 (delivered to the President of the UODO on […] May 2020), the attorney of the Surveyor General of Poland presented the position of the Surveyor General of Poland, stating that "the initiation and conduct of proceedings by the President of the UODO in this case is devoid of purpose and for that reason the proceedings should be discontinued in their entirety". The attorney of the Surveyor General of Poland argued in particular that:<br />
<br />
"The scope of the inspection was devoid of purpose, because it concerned the use of information which does not constitute personal data and in respect of which the Surveyor General of Poland does not decide on the purposes and means of processing (and so could not have the status of data controller). GGK did not frustrate the inspection, but merely questioned the scope of the inspection, which was to concern the processing of personal data in the form of the land and mortgage register number."<br />
"The inspection […] was carried out not at the Surveyor General of Poland but at the Head Office of Geodesy and Cartography, which from the point of view of the GDPR provisions is a separate controller of personal data."<br />
"The President of the UODO groundlessly found that the Surveyor General of Poland, who took part in the inspection proceedings as the person representing the inspected party, i.e. the Head Office of Geodesy and Cartography, did not cooperate with the President of the UODO in the performance of its tasks".<br />
"The President of the UODO groundlessly found that the Surveyor General of Poland prevented an inspection of the processing of personal data at the inspected entity, i.e. the Head Office of Geodesy and Cartography."<br />
"The President of the UODO groundlessly found that the Surveyor General of Poland did not provide the President of the UODO with access to premises, equipment and means used for the processing of personal data in connection with the inspection carried out at the Head Office of Geodesy and Cartography, and did not provide access to information necessary for the President of the UODO to perform its tasks."<br />
"As a consequence of the above, the President of the UODO groundlessly found that GGK may have infringed Article 31 and Article 58(1)(e) and (f) of the GDPR."<br />
<br />
Having examined all the evidence gathered in the case, the President of the UODO considered the following.<br />
<br />
Pursuant to Article 57(1)(a) of Regulation 2016/679, the President of the UODO, as the supervisory authority within the meaning of Article 51 of Regulation 2016/679, is to monitor and enforce the application of that regulation on its territory. Within its competences the President of the UODO is, among other things, to conduct proceedings concerning the application of Regulation 2016/679 (Article 57(1)(f)). To enable the tasks so defined to be performed, the President of the UODO has a number of powers in respect of the proceedings it conducts, set out in Article 58(1) of Regulation 2016/679, including the power to order the controller and the processor to provide any information needed for the performance of its tasks (Article 58(1)(a)), the power to obtain from the controller and the processor access to all personal data and all information necessary for the performance of its tasks (Article 58(1)(e)), and the power to obtain access to all premises of the controller and the processor, including equipment and means used for data processing, in accordance with the procedures laid down in Union law or in Member State law (Article 58(1)(f)). An infringement of Regulation 2016/679 consisting in the failure by a public authority that is a controller or processor to provide access to the data and information referred to above, resulting in an infringement of the authority's powers set out in Article 58(1) of Regulation 2016/679 (including the powers to obtain personal data and information necessary for the performance of its tasks and to obtain access to premises, equipment and means used for data processing), may in turn be subject, in accordance with Article 83(5)(e) in fine of Regulation 2016/679 in conjunction with Article 102(1) and (3) of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), hereinafter "the u.o.d.o.", to an administrative fine of up to PLN 100,000.<br />
<br />
It should further be noted that the controller and the processor are obliged to cooperate with the supervisory authority in the performance of its tasks, as provided in Article 31 of Regulation 2016/679. Failure to comply with this obligation is likewise subject, in accordance with Article 83(4)(a) of Regulation 2016/679 in conjunction with Article 102(1) and (3) of the u.o.d.o., to an administrative fine of up to PLN 100,000.<br />
<br />
The "procedure laid down in Union law or in Member State law" referred to in Article 58(1)(f) of Regulation 2016/679, which serves to give effect to the supervisory authority's power to obtain access to the premises of the controller and the processor, including equipment and means used for data processing, is, under Polish law, the procedure for the "inspection of compliance with personal data protection provisions" described in Chapter 9 of the u.o.d.o. (Articles 78-91). Pursuant to Article 78 of the u.o.d.o., the President of the UODO carries out inspections of compliance with personal data protection provisions (para. 1), and such an inspection may be carried out "in accordance with an inspection plan approved by the President of the Office, or on the basis of information obtained by the President of the Office, or as part of monitoring compliance with the application of Regulation 2016/679" (para. 2). The inspectors (authorised employees of the Personal Data Protection Office) have, as provided in Article 84(1) of the u.o.d.o., the right to: 1. enter land, buildings, premises or other rooms between 6.00 and 22.00; 2. inspect documents and information directly related to the subject-matter scope of the inspection; 3. inspect places, objects, devices, media and IT or ICT systems used to process data; 4. demand written or oral explanations and hear a person as a witness to the extent necessary to establish the facts; 5. commission expert reports and opinions. The inspector establishes the facts on the basis of the evidence gathered (using the powers indicated above) in the inspection proceedings, in particular documents, objects, visual inspections and oral or written explanations and statements (Article 87 of the u.o.d.o.).<br />
<br />
Applying the provisions cited above to the facts of the present case, it must be stated that the President of the UODO was entitled to initiate and carry out an inspection of the processing of personal data at the Surveyor General of Poland; it also had justification for making findings in proceedings of this kind (inspection proceedings governed by Chapter 9 of the u.o.d.o.).<br />
<br />
The inspection powers of the President of the UODO are formulated broadly in the provisions of Regulation 2016/679 and the u.o.d.o. cited above; their use is limited only by their purpose, namely verifying whether personal data protection provisions are being complied with. It is worth noting that not even a reasonable suspicion of an infringement is a precondition for carrying out such an inspection. In Article 78(2) of the u.o.d.o. the legislator expressly allows inspections to be carried out "in accordance with […] an inspection plan", that is, without prior information indicating irregularities in the processing of personal data at a particular entity, and even without information indicating whether the entity processes personal data at all (an inspection of such an entity would, however, first have to establish that circumstance before making further findings concerning, for example, the legality and lawfulness of the processing). The general and broad definition of the task that the President of the UODO is required to perform ("monitoring and enforcing the application of the regulation", referred to in Article 57(1)(a) of Regulation 2016/679, and "inspection of compliance with personal data protection provisions", referred to in Article 78(1) of the u.o.d.o.) leaves the President of the UODO discretion in determining both the group of entities inspected and the scope of the inspections carried out. That task is to be understood broadly: not only as checking whether a particular entity in a particular case infringes personal data protection provisions in a particular way, but also as a task undertaken to identify the types, areas of occurrence and scale of problems connected with the application of personal data protection provisions (in particular Regulation 2016/679), to eliminate them and to prevent them in the future. In the context of the discretion left to the President of the UODO in determining the entity subject to inspection and the scope of that inspection, it must be stated that in the present case the President of the UODO had a particularly well-founded basis for initiating and carrying out at the Surveyor General of Poland an inspection within the scope it considered necessary for performing the task of monitoring the application of Regulation 2016/679. As a result of the inspection carried out on […] February 2020 at the District Office in J. (inspection file ref. […]), it obtained information that the Starost of J. transfers personal data from the land and property register (including land and mortgage register numbers) to the Surveyor General of Poland and that they are further processed (made available) via the GEOPORTAL2 portal. The mere fact that the Surveyor General of Poland holds those data is a sufficient basis for carrying out an inspection at his office, the aim of which, as Article 87 of the u.o.d.o. states, is only to gather evidence making it possible to establish the facts of the case (and not to make a legal assessment of those facts, which, where an infringement is suspected, takes place in separate administrative proceedings). It follows from the nature of an inspection so understood that the inspected entity cannot, at the stage of initiating and conducting the inspection, question its justification or its scope. As the Supreme Administrative Court rightly observed in its judgment of 3 March 2016 in case II OSK 1667/14 (concerning the imposition by the Chief Sanitary Inspector, under the Act of 25 August 2006 on Food and Nutrition Safety (Journal of Laws of 2019, item 1252, as amended), of a fine in connection with preventing an official food control): "The court of first instance and the authorities reviewed in the administrative court proceedings are right that the establishment under examination is not entitled to decide on the scope of the inspection. That is the exclusive domain of the inspecting bodies." (Lex no. 2113109). In the view of the President of the UODO, that statement is of general significance and also applies to inspections of compliance with personal data protection provisions. The place for challenging the legal assessment of the facts of the case (which is what the Surveyor General of Poland's challenge to the scope of the inspection, linked to the claim that the land and mortgage register number is not personal data, in essence amounts to in the present case) is any infringement proceedings initiated on the basis of the evidence gathered during the inspection proceedings.<br />
<br />
As shown above, the inspection powers of the President of the UODO are limited by the purpose of the inspection, which is to verify compliance with the provisions on the protection of personal data. The position of the Surveyor General of Poland expressed during the inspection, and developed in his attorney's letter of […] May 2020, that data in the form of land and mortgage register numbers are not personal data is in essence a claim that the inspection (within the scope set out in points 1-5 of the inspectors' personal authorisations) did not fall within that purpose. Such a claim must firmly be regarded as erroneous. Without prejudging in this decision whether those data qualify as personal data in the case under consideration, it should be pointed out that at the time the inspection was initiated the President of the UODO had at least reasonable grounds for adopting such a qualification. Those grounds stemmed from the position consistently taken by the President of the UODO, and earlier by the Inspector General for Personal Data Protection, as well as from the position of legal scholarship and the case law of the administrative courts (see the judgment of the Supreme Administrative Court (NSA) of 18 February 2014, ref. I OSK 1839/12, LEX no. 1449867; the NSA judgment of 26 September 2018, ref. I OSK 276/17, LEX no. 2737936; the NSA judgment of 26 September 2018, ref. I OSK 11/17, LEX no. 2573629). In view of the above, actions of the Surveyor General aimed at frustrating or obstructing the inspection must be regarded as inadmissible, in particular where those actions are based solely on the inspected party's subjective legal assessment (even if they are supported by selected, unrepresentative voices in legal scholarship and court rulings). Such conduct would lead to an unacceptable situation in which, by preventing the facts of the case from being established, the inspected party deprives the independent inspecting authority of the possibility of making its own reliable and comprehensive legal assessment of the situation, an assessment which could, if necessary, be subject to subsequent review by the competent administrative courts.<br />
<br />
The position presented by the attorney of the Surveyor General of Poland in the letter of […] May 2020, that "the scope of the inspection conducted was devoid of purpose, because it concerned the use of information […] in respect of which the Surveyor General does not decide on the purposes and means of processing (and therefore could not have the status of data controller)", should be assessed similarly to the Surveyor General's argument above. The assessment of whether the Surveyor General acts as controller (or perhaps joint controller, or possibly processor) in the processing of data in the GEOPORTAL2 portal is an element of the facts that were to be established in the course of the inspection. At the time the inspection was initiated, the President of the UODO had information that the GEOPORTAL2 portal, which is administered by the Surveyor General, processes information constituting (or capable of constituting) personal data, in particular land and mortgage register numbers assigned to the properties presented in the portal. This was confirmed by the results of the inspection carried out at the County Office in J. (inspection file ref. […]), which showed that the Surveyor General obtained data (including land and mortgage register numbers) from the land and building register kept by the Starost of J. for the purpose of their further processing via the GEOPORTAL2 portal. It is also worth pointing out that the Terms of Use of the www.geoportal.gov.pl service (published on the website www.geoportal.gov.pl) contain information expressly indicating that the controller of the personal data processed in the GEOPORTAL2 portal is the Surveyor General ("The controller of your personal data is the Surveyor General of Poland with its registered office in Warsaw, ul. Wspólna 2, 00-926 Warszawa"). It was precisely such information that justified the need to carry out an inspection of compliance with the provisions on the protection of personal data, among other things in order to establish the role of the Surveyor General in this data processing.
The position of the Surveyor General, presented in his attorney's letter of […] May 2020, moreover wrongly assumes that only an entity deciding on the purposes and means of processing, that is, a controller (which, in his own assessment, he is not in the case at hand), can be subject to inspection by the President of the UODO. The Surveyor General appears not to notice that the obligation to provide access to personal data and to information necessary for the performance of the tasks of the President of the UODO, and access to premises, equipment and means used for processing data, referred to in Article 58(1)(e) and (f), rests not only on the controller but also on the joint controller and on the processor of personal data. In denying his role as controller, the Surveyor General seems not to rule out that he processes personal data from the land and building register as a processor, on behalf of the controllers (the starosts), on the basis of contracts which could in essence be assessed as contracts referred to in Article 28(3) of Regulation 2016/679. This uncertainty as to the role played in the processing in the GEOPORTAL2 portal of data obtained from the land and building register, which could have been removed in the course of the inspection, demonstrates that it was justified to carry out the inspection of the Surveyor General in the full scope specified in the inspectors' personal authorisations. Similarly, the obligation to cooperate with the supervisory authority laid down in Article 31 of Regulation 2016/679 is addressed not only to the controller but also to the processor.<br />
<br />
Turning to the last aspect presented by the attorney of the Surveyor General of Poland in the letter of […] May 2020 as justifying, in his view, the refusal to consent to the inspection by the President of the UODO, namely the statement that "the inspection […] was conducted not at the Surveyor General but at the Head Office of Geodesy and Cartography (Główny Urząd Geodezji i Kartografii), which from the point of view of the GDPR is a separate controller of personal data", it should be noted that it rests solely on the fact that in several places in the inspection documents (the inspectors' personal authorisations, the inspection report and the conclusions from the inspection) the President of the UODO indicated the Head Office of Geodesy and Cartography as the place where the inspection activities were to be (were) carried out, because it is at the Head Office of Geodesy and Cartography, as the organisational unit with whose assistance the Surveyor General performs his tasks, that the personal data and the sources of information, premises, equipment and means used for processing personal data are located, access to which the President of the UODO needed in order to gather evidence in the case. An analysis of the inspection documents as a whole (in particular those preparing the inspection: the notice of inspection of […] March 2020 and the inspectors' personal authorisations of […] March 2020) shows unequivocally that the purpose of the inspection was connected with the performance of the Surveyor General's statutory task of creating and maintaining the GEOPORTAL2 portal.
This is shown by wording such as: "the scope of the inspection will cover the making available by the Surveyor General…", "please prepare documentation concerning the processing of personal data by the Surveyor General." (both from the notice of inspection), "the inspection will cover the making available by the Surveyor General…", "whether the Surveyor General has implemented appropriate technical and organisational measures…", "whether the Surveyor General has designated a data protection officer…" (the last three from the inspectors' personal authorisations). As the Surveyor General's attorney himself pointed out in the letter of […] May 2020, the task of creating and maintaining the GEOPORTAL2 portal was laid down in Article 5 of the Act of 17 May 1989, Geodetic and Cartographic Law (Journal of Laws of 2020, item 276, as amended) and Article 13(1) of the Act of 4 March 2010 on spatial information infrastructure (Journal of Laws of 2020, item 177, as amended). The latter provision states that the Surveyor General creates and maintains the geoportal of the spatial information infrastructure as a central access point to services relating to spatial data sets and spatial data services; it does not, however, provide for any involvement of the Head Office of Geodesy and Cartography in that task. This provision, which defines competence and responsibility for the functioning of the GEOPORTAL2 portal, combined with the subject matter and scope of the inspection indicated by the President of the UODO, should leave no doubt (especially for the central authority competent in matters of geodesy and cartography) as to which entity was subject to inspection.
It should additionally be stressed that the Surveyor General raised no objections as to the designation of the inspected entity either at the start of the inspection or during it, although he had the opportunity to do so (when entering on the inspectors' personal authorisations his statement of refusal to consent to the inspection, by entering such objections in the record of his examination as a witness, or in the form of an objection to the inspection report). In the view of the President of the UODO, the objection as to the designation of the inspected entity was formulated by the Surveyor General post factum, solely for the purpose of justifying his infringement of the provisions on the protection of personal data. <br />
<br />
Summing up the above considerations, it must be stated that the justification for refusing consent to an inspection of his processing of personal data, presented by the Surveyor General of Poland during the inspection and developed by his attorney in the position submitted to the President of the UODO in the letter of […] May 2020, does not merit acceptance on any point. The President of the UODO had the right and the grounds to carry out an inspection of the Surveyor General. The scope of that inspection fell within the purposes set out in Article 57(1)(a) of Regulation 2016/679 ("monitor and enforce the application of this Regulation") and in Article 78(1) of the u.o.d.o. ("inspection of compliance with the provisions on the protection of personal data"). The conduct of the Surveyor General as the inspected party, consisting in refusing consent to the inspection within the scope set out in points 1-5 of the inspectors' personal authorisations, entirely prevented the inspection activities in this area from being carried out (in particular an examination of the IT and ICT systems in which the Surveyor General processes personal data, obtaining explanations from the Surveyor General in this respect, obtaining explanations and testimony from the Surveyor General's employees, and gaining access to the documents forming the basis for obtaining the personal data processed in the GEOPORTAL2 portal, e.g. the contracts between the Surveyor General and the starosts). The Surveyor General's refusal of an inspection within the scope set out in points 1-5 of the inspectors' personal authorisations, which amounted to a declaration of a complete lack of cooperation with the inspectors in this respect, caused the inspectors to abandon the activities in this respect. The Supreme Administrative Court, in its judgment of 3 March 2016 already cited above, in case no.
II OSK 1667/14, rightly pointed out that: "one must, however, agree with the position that, for an inspection to achieve its purpose, at least a minimum degree of cooperation on the part of the inspected party is required. That cooperation should cover the full scope of the powers vested in the authorities." In the present case there was no cooperation whatsoever on the part of the Surveyor General within the scope of the inspection which he himself arbitrarily considered unfounded.<br />
<br />
Relating the above findings to the obligations imposed by Regulation 2016/679 on controllers and processors with regard to their relationship with the supervisory authority, it must be stated that the Surveyor General of Poland, in the course of the inspection proceedings ref. […], by his conduct infringed:<br />
<br />
Article 58(1)(e) of Regulation 2016/679, which imposes on him the obligation to provide the President of the UODO with access to all personal data and to all information necessary for the supervisory authority to perform its tasks,<br />
Article 58(1)(f) of Regulation 2016/679, which imposes on him the obligation to provide the President with access to any premises of the controller and the processor, including any equipment and means used for processing data, in accordance with procedures laid down in Union or Member State law,<br />
Article 31 of Regulation 2016/679, which imposes on him the obligation to cooperate, on request, with the President of the UODO in the performance of the latter's tasks.<br />
<br />
In connection with the above infringements of Regulation 2016/679, the President of the UODO finds that in the present case the conditions have been met for imposing on the Surveyor General of Poland, pursuant to Article 83(4)(a) and Article 83(5)(e) in fine of Regulation 2016/679, an administrative fine for the Surveyor General's failure to provide access to premises, equipment and means used for processing personal data and access to personal data and information necessary for the President of the UODO to perform his tasks, and for the lack of cooperation with the President of the UODO during that inspection.<br />
<br />
Pursuant to Article 83(2) of Regulation 2016/679, administrative fines are imposed depending on the circumstances of each individual case. In each case due regard is given to a number of circumstances listed in points (a) to (k) of that provision. In deciding to impose an administrative fine on the Surveyor General of Poland in the present case and in setting its amount, the President of the UODO took into account, from among them, the following circumstances aggravating the assessment of the infringement:<br />
<br />
The nature, gravity and duration of the infringement (Article 83(2)(a) of Regulation 2016/679).<br />
<br />
The infringement subject to an administrative fine in the present case strikes at the system designed to protect one of the fundamental rights of a natural person, namely the right to the protection of his or her personal data or, more broadly, the protection of his or her privacy. An important element of that system, the framework of which is laid down by Regulation 2016/679, are the supervisory authorities, which have been entrusted with tasks relating to the protection and enforcement of the rights of natural persons in this area. To enable them to perform these tasks, supervisory authorities have been equipped with a range of inspection powers, powers enabling them to conduct administrative proceedings, and corrective powers. Controllers and processors, in turn, have had specific obligations imposed on them, correlated with the powers of the supervisory authorities, including the obligation to cooperate with supervisory authorities and the obligation to provide those authorities with access to personal data and other information necessary for the performance of their tasks, as well as access to premises, equipment and means used for processing personal data. The actions of the Surveyor General of Poland during the inspection ref. […], aimed at frustrating it within the scope indicated in points 1-5 and in point 6 (as regards the technical measures implemented to ensure an appropriate level of security) of the inspectors' personal authorisations, and resulting in a lack of access to evidence bearing on the legality and lawfulness of the Surveyor General's processing of personal data from the land and building register, must therefore be regarded as striking at the entire personal data protection system and, for that reason, as being of great gravity and reprehensible in nature. The gravity of the infringement is further increased by the fact that the infringement committed by the Surveyor General, although a one-off (it took place on […] March 2020), has had effects lasting to the present.
The Surveyor General's lack of cooperation, expressed in his refusal to recognise the right of the President of the UODO to inspect the compliance with the law of his processing, in the GEOPORTAL2 portal, of personal data from the land and building register, persists, as confirmed by the Surveyor General's position expressed in his attorney's letter of […] May 2020. A further aggravating circumstance is that the infringement striking at the powers of a public authority, namely the President of the UODO, was committed by another public authority, the Surveyor General. In the view of the President of the UODO, a public authority should be expected to show particular understanding and respect, greater than in the case of private entities, for actions taken by other authorities within their statutory tasks, and a greater degree of cooperation in the performance of those tasks.<br />
<br />
The intentional character of the infringement (Article 83(2)(b) of Regulation 2016/679).<br />
<br />
In the view of the President of the UODO, there is on the part of the Surveyor General of Poland an intentional unwillingness to cooperate in providing the authority with all the information (evidence) necessary to establish whether the data processing operations under inspection have a legal basis and are carried out lawfully. The Surveyor General's refusal to consent to the inspection and his declaration of non-cooperation in this respect were expressed unequivocally and firmly. The arguments put forward to justify this position of the Surveyor General are, as shown above, entirely unfounded and, in the view of the President of the UODO, were to a large extent constructed post factum in order to excuse his unwillingness to submit to a justified and lawful examination by an independent supervisory authority. Given that the Surveyor General is a public entity (and, moreover, the central authority in the structure of the geodetic and cartographic services), an entity processing citizens' personal data on a large scale within its competences, it must further be assumed that he was (and still is) aware that his conduct may constitute an infringement of Regulation 2016/679, and accepts that state of affairs.<br />
<br />
Lack of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects (Article 83(2)(f) of Regulation 2016/679).<br />
<br />
In the course of these proceedings concerning the imposition of an administrative fine, the Surveyor General of Poland maintained his refusal to consent to the inspection in the contested scope (based on a position denying the President of the UODO the right to examine the processing of personal data from the land and building register in the GEOPORTAL2 portal). Nor did he express, to any degree, a willingness to cooperate with the President of the UODO in order to remedy the infringement, which could have consisted in particular in providing full and exhaustive explanations within the scope in which the inspection was frustrated.<br />
<br />
The remaining criteria for setting administrative fines indicated in Article 83(2) of Regulation 2016/679 either had no (aggravating or mitigating) effect on the President of the UODO's assessment of the infringement (including: any relevant previous infringements by the controller or processor, the manner in which the infringement became known to the supervisory authority, compliance with measures previously ordered in the same matter, adherence to approved codes of conduct or approved certification mechanisms) or, owing to the specific nature of the infringement (which concerns the relationship of the controller or processor with the supervisory authority, not the relationship of the controller or processor with the data subject), could not be taken into account in the present case (including: the number of data subjects affected and the level of damage suffered by them, action taken by the controller or processor to mitigate the damage suffered by data subjects, the degree of responsibility of the controller or processor taking into account the technical and organisational measures implemented by them, the categories of personal data affected by the infringement).<br />
<br />
Pursuant to Article 83(1) of Regulation 2016/679, an administrative fine imposed by a supervisory authority should in each individual case be effective, proportionate and dissuasive. In the view of the President of the UODO, the fine imposed on the Surveyor General of Poland in these proceedings meets those criteria. It will discipline the Surveyor General to cooperate properly with the President of the UODO in future proceedings conducted by the President of the UODO in which he is involved. The fine imposed by this decision, in the maximum amount specified in Article 102(1) of the u.o.d.o., is, in the view of the President of the UODO, justified and proportionate to the gravity of the infringement found. The fine will also have a dissuasive function; it will be a clear signal both to the Surveyor General and to other entities obliged under Regulation 2016/679 to cooperate with the President of the UODO that disregarding the obligations connected with cooperating with him (in particular obstructing inspections of compliance with the provisions on the protection of personal data) constitutes an infringement of great gravity and as such will be subject to financial sanctions.<br />
<br />
The present case is governed by Article 102(1) and (3) of the u.o.d.o., under which the amount of an administrative fine imposed, on the basis of and under the conditions set out in Article 83 of Regulation 2016/679, on a public finance sector entity within the meaning of the Act of 27 August 2009 on public finance (Journal of Laws of 2019, item 869, as amended) is limited to 100,000 zlotys.<br />
<br />
In view of the above, the President of the UODO has decided as set out in the operative part of this decision. <br />
<br />
The decision is final. The party has the right to lodge a complaint against the decision with the Voivodeship Administrative Court in Warsaw (Wojewódzki Sąd Administracyjny w Warszawie), within 30 days of its service, through the President of the UODO (address: ul. Stawki 2, 00 - 193 Warszawa). A proportional court fee must be paid on the complaint, in accordance with Article 231 in conjunction with Article 233 of the Act of 30 August 2002, Law on Proceedings before Administrative Courts (Journal of Laws of 2019, item 2325). Pursuant to Article 74 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), the lodging of a complaint with the administrative court by a party suspends the enforcement of the decision as regards the administrative fine.<br />
<br />
Pursuant to Article 105(1) of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), the administrative fine must be paid within 14 days of the expiry of the time limit for lodging a complaint with the Voivodeship Administrative Court, or of the date on which the administrative court's ruling becomes final, to the bank account of the Personal Data Protection Office at NBP O/O Warszawa, no. 28 1010 1010 0028 8622 3100 0000. In addition, pursuant to Article 105(2) of that Act, the President of the UODO may, at the reasoned request of the penalised entity, defer the deadline for payment of the administrative fine or allow it to be paid in instalments. Where the deadline for payment of the administrative fine is deferred or the fine is to be paid in instalments, the President of the UODO charges interest on the unpaid amount on an annual basis, applying the reduced rate of default interest announced under Article 56d of the Act of 29 August 1997, Tax Ordinance (Journal of Laws of 2019, item 900, as amended), from the day following the day on which the request was submitted.<br />
</pre></div>MLhttps://gdprhub.eu/index.php?title=UODO_(Poland)_-_DKN.5112.7.2020&diff=11197UODO (Poland) - DKN.5112.7.20202020-08-24T10:36:15Z<p>ML: Created page with "{{DPAdecisionBOX |Jurisdiction=Poland |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoPL.png |DPA_Abbrevation=UODO |DPA_With_Country=UODO (Poland) |Case_Number_Name=DKN..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Poland<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoPL.png<br />
|DPA_Abbrevation=UODO<br />
|DPA_With_Country=UODO (Poland)<br />
<br />
|Case_Number_Name=DKN.5112.7.2020 <br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Urzędu Ochrony Danych Osobowych - UODO<br />
|Original_Source_Link_1=https://uodo.gov.pl/decyzje/DKN.5112.7.2020%20%09<br />
|Original_Source_Language_1=Polish<br />
|Original_Source_Language__Code_1=PL<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=30.06.2020<br />
|Date_Published=<br />
|Year=2020<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1a<br />
|GDPR_Article_2=Article 6(1)(c) GDPR<br />
|GDPR_Article_Link_2=Article 6 GDPR#1c<br />
|GDPR_Article_3=Article 58(2)(b) GDPR<br />
|GDPR_Article_Link_3=Article 58 GDPR#2b<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The President of the Personal Data Protection Office (UODO) imposed a penalty of a reprimand for the processing of students’ personal data without a legal basis in connection with a survey carried out by a school in the school year 2019/2020. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The survey entitled “Diagnosis of student’s home and school situation” examined the personal situation of students.<br />
<br />
In connection with the survey, the school processed personal data of students, including minors, in particular names and surnames, attended class, indication of legal guardians (parents), family status (single parent, full family), information about death of a legal guardian (parent), separation of legal guardians (parents), their education and professional situation, the number of people in the household, financial situation, health condition and addictions of legal guardians (parents), housing situation and information on social benefits.<br />
<br />
The processing of students’ personal data included collection, storage and destruction of those data.<br />
<br />
The survey was conducted to identify students who require psychological support from the school they attend. It was carried out by class teachers in classes 7-8 of elementary school and in high school classes, as in blanco paper forms, on direct instruction from the school principal.<br />
<br />
=== Dispute ===<br />
It was disputed that the legal acts regulating the functioning of educational institutions do not specify such tasks and obligations of schools that would justify the processing of students' personal data in the way it was done in the penalised entity, in connection with the conducted survey.<br />
<br />
=== Holding ===<br />
By conducting a survey among students, the school has violated the principle of lawfulness of data processing, according to which personal data must be processed lawfully, fairly and in a transparent manner for the data subject. <br />
<br />
== Comment ==<br />
This summary is based on the English summary of the Polish Data Protection Authority.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.<br />
<br />
<pre><br />
Warsaw, 30 June 2020.<br />
DECISION<br />
DKN.5112.7.2020
<br />
<br />
<br />
<br />
Pursuant to Article 104 § 1 of the Act of 14 June 1960 Code of Administrative Procedure (Journal of Laws of 2020, item 256) in connection with Article 7 and Article 60 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781) and pursuant to Article 58(2)(b) in connection with Article 5(1)(a) and Article 6(1)(c) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119, 04.05.2016, p. 1, as amended), after conducting administrative proceedings concerning the processing of personal data by the General School Complex in D., the President of the Office for Personal Data Protection<br />
<br />
<br />
<br />
issues a reprimand for the violation by the General School Complex in D. of the provisions of Article 5(1)(a) and Article 6(1)(c) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119 of 04.05.2016, p. 1, as amended), hereinafter referred to as "Regulation 2016/679", consisting of processing the personal data of students without a legal basis in connection with surveys (interviews) on their personal situation conducted among them in the school year 2019/2020, using a survey called "Diagnosing the home and school situation of a student. Student Survey".<br />
<br />
<br />
<br />
Justification<br />
<br />
<br />
<br />
Pursuant to Article 78 paragraph 1, Article 79 paragraph 1 point 1 and Article 84 paragraph 1 point 1-4 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), hereinafter referred to as the "Act", in connection with Article 57 paragraph 1 point a and point h, Article 58 paragraph 1 point b and point e of the Regulation 2016/679, in order to control the compliance of data processing with the provisions on the protection of personal data, control activities were carried out in the Complex of General Education Schools in D. (file reference DKN.5112.7.2020).<br />
<br />
The scope of the inspection covered the processing by the General Education School Complex in D. (hereinafter also referred to as "CSO") of personal data of students in connection with surveys (interviews) concerning their personal situation conducted among them in the school year 2019/2020, using a questionnaire called "Diagnosing the home and school situation of a student. Student Survey".<br />
<br />
During the inspection, oral explanations were received from the CSO employees. The facts were described in detail in the inspection protocol, which was signed by the CSO Director.<br />
<br />
On the basis of the collected evidence it was established that, in processing personal data, the CSO, as the controller, violated the provisions on personal data protection by processing the personal data of students without a legal basis in connection with surveys (interviews) concerning their personal situation conducted among them in the school year 2019/2020, using a questionnaire called "Diagnosing the home and school situation of a student. Student Survey".<br />
<br />
In connection with the above, the President of the Office of Personal Data Protection initiated administrative proceedings concerning the identified violations, in order to clarify the circumstances of the case (letter of [...] May 2020, ref.: [...]).<br />
<br />
In response to the notice of initiation of administrative proceedings, the CSO Director, in a letter of [...] June 2020 (mark: [...]), submitted explanations in which he indicated, among other things, that the supervisory authority should take into account in connection with the control the fact that as of July [...], 2019 personnel changes took place in the position of the CSO Director. Moreover, the CSO Director raised that, due to a lack of continuity in the management of documentation and procedures in the CSO, including those related to personal data protection, the CSO's internal documents related to personal data protection in this institution were not provided to him and he was not informed about the person performing the duties of data protection inspector or his contact details.<br />
<br />
The CSO Director also pointed out that he was "forced" to create rules concerning proper data protection in the CSO from the beginning, without proper support from the CSO's director, who did not contact the CSO management until the incident covered by this control, and thus the CSO Director took actions based on the knowledge and experience of his staff. Moreover, after the school pedagogue passed the questionnaire to the CSO Manager for review, the CSO Manager was to indicate in the interview with the above mentioned pedagogue that the questionnaires must be voluntary and should be anonymous, i.e. the student may or may not fill in the questionnaires, as well as fill in only the part where he considers it appropriate. The headmaster of the CSO admitted in a letter that the school pedagogue at that time did not consult the content of the questionnaire with the CSO's data protection officer, because he performed his duties improperly, i.e. he did not contact the CSO's management during his duties. Moreover, the CSO director indicated that in each class where the questionnaires were distributed to students, recommendations were to be made that the questionnaires were voluntary and may be anonymous. According to the Director of the CSO, despite the instructions given by the majority of tutors, some of the students indicated their names or personal data of their parents or legal representatives in the survey.<br />
<br />
To the above mentioned letter addressed to the Office of Personal Data Protection, the Director of the CSO attached the following attachments:<br />
<br />
1) Information Security Policy in the CSO of 2019,<br />
<br />
2) Order No. [...] of the Director of the Comprehensive School Complex in D. of [...] October 2019,<br />
<br />
3) the protocol of destruction of questionnaires of [...] October 2019,<br />
<br />
4) register of information security incidents in the CSO,<br />
<br />
5) the analysis of the event in terms of the risk of violation of rights and freedoms of individuals (risk analysis) performed by the Data Protection Officer [...] October 2019,<br />
<br />
6) e-mail correspondence between the CSO Director and the data protection officer of [...] October 2019,<br />
<br />
7) post-control report of the Board of Education in L. of [...] October 2019,<br />
<br />
8) information of the Disciplinary Ombudsman for Teachers at the Governor's Office [...] to the Director of the CSO with a request to send documents in connection with the initiation of an investigation,<br />
<br />
9) the handover protocol for the Complex of General Education Schools in D. of July [...], 2019,<br />
<br />
10) the list of attendance of persons trained in the field of personal data protection by the CSO data protection inspector of [...] October 2019.<br />
<br />
After reviewing all the evidence gathered in the case, the President of the Office for the Protection of Personal Data (hereinafter the "President of the Office for the Protection of Personal Data") weighed the following:<br />
<br />
Article 5 of the Regulation 2016/679, formulates the rules concerning the processing of personal data, which must be respected by all controllers, i.e. entities which determine the purposes and means of processing personal data on their own or together with others. According to Article 5(1)(a) of Regulation 2016/679, personal data must be processed lawfully, fairly and transparently for the data subject ("lawfulness, fairness and transparency"). Furthermore, pursuant to Article 6(1)(c) of Regulation 2016/679, processing is lawful only if and in so far as the condition that the processing is necessary for compliance with a legal obligation on the controller is met.<br />
<br />
In the course of the inspection it was established (the protocol of acceptance of oral explanations is attached as Appendix 1 to the inspection protocol) that in the CSO a survey was conducted among its students using a questionnaire form called "Diagnosing the home and school situation of a student. Student survey" (hereinafter "the survey"). As part of the survey, personal data of CSO students, including data of minors, were processed, especially in the following scope: name and surname, class designation, identification of legal guardians (parents), information about the condition of the family (full, incomplete), as well as information about the death of the legal guardian (parent), separation of legal guardians (parents), their education and professional situation, number of people in the household, financial situation, health condition and addictions of legal guardians (parents), housing situation and the fact of receiving or not receiving financial assistance. Students' data were processed in terms of collection, storage and deletion.<br />
<br />
It was also established in the course of the inspection (minutes of acceptance of oral explanations are attachments No. 1 and No. 23 to the inspection protocol) that a survey was conducted in order to identify students who require psychological support from the school they attend. It was also established that the survey was conducted solely using blank paper forms, which were distributed to classroom educators: 7 - 8 and high school classes at the request of the Principal of the CSO. It follows from the above that personal data of ZSO's students were processed only with the use of paper questionnaire forms, on which the data were obtained (collected) and then stored and finally destroyed (minutes of oral explanation are attachments no. 1 and no. 23 to the control protocol). All copies of the questionnaire returned to the Director of the CSO were destroyed by the commission [...] October 2019. As it results from the findings of the inspection, personal data included in the questionnaires were not introduced into electronic telecommunication systems, nor were they recorded on electronic data carriers or other information carriers, including in paper form. After collecting the questionnaires, the educators did not make any scans or paper copies of them, nor did they make any other additional documents containing personal data concerning the questionnaires. As of the date of starting the audit the personal data of students obtained in connection with the surveys were no longer processed by the CSO.<br />
<br />
As it results from the evidence obtained as a result of the control activities (protocols of acceptance of oral explanations are appendices no. 20, no. 22, no. 23 to the control protocol), the questionnaires were carried out in a way that excludes the possibility of getting acquainted with the data contained therein by unauthorized persons. According to the statements made by the tutors who conducted or were supposed to conduct the questionnaires, they did not get acquainted with the content of the filled in questionnaires, and thus with the personal data included in them (protocols of acceptance of oral explanations are appendices no. 20, no. 22, no. 23 to the control protocol). Some tutors, after receiving the printed questionnaire forms, did not even carry out the survey at all (the protocol of acceptance of oral explanations is an appendix no. 24 to the control protocol), i.e. they did not distribute the above mentioned forms to the students to be filled in. Moreover, as it was explained, the way of storing the questionnaire forms took into account the necessity of securing them against unauthorized access, i.e. after the completed questionnaires were collected by the tutors, they were stored in lockable lockers, to which only the above-mentioned tutors had access.<br />
<br />
In connection with the above findings, it should be concluded that the CSO, by conducting a survey among students, violated the principle of processing data in accordance with the law, expressed in Article 5(1)(a) of Regulation 2016/679, according to which personal data must be processed in accordance with the law, fairly and transparent to the data subject. This principle is developed in Article 6(1)(c) of Regulation 2016/679, according to which the processing is lawful only if and to the extent that it is necessary for the controller to fulfil a legal obligation.<br />
<br />
Referring to the above mentioned principles, it should be stated that the evidence gathered in the course of the inspection allows to conclude that the processing of personal data of CSO students took place without a legal basis resulting from the provisions of applicable normative acts.<br />
<br />
In particular, it should be pointed out that in accordance with § 9 of the CSO Statute and § 1 clause 11 of the Primary School Statute in D. in connection with Article 9 point 3 of the Act of 27 August 2009 on Public Finance (Journal of Laws of 2019, item 869 as amended), the CSO is a budgetary unit, and thus also a unit of the financial sector identical to a public entity within the meaning of Regulation 2016/679. Therefore, the CSO as a public entity may process personal data within the scope of its tasks imposed by the Acts, only in accordance with Article 5(1)(a) and Article 6(1)(c) of Regulation 2016/679. In turn, in accordance with Article 30a of the Act of 14 December 2016 - Educational Law (Journal of Laws of 2019, item 1148 as amended), schools shall process personal data to the extent necessary to carry out the tasks and obligations arising from these provisions.<br />
<br />
It should be noted that the provisions of the Act of 14 December 2016 - Educational Law (Journal of Laws of 2019, item 1148, as amended) and other legal acts governing the functioning of educational institutions do not specify such tasks and obligations of schools that would justify the processing of students' personal data in the way that was done in the CSO in connection with the survey. Conducting the survey, which entailed the processing of students' data by the CSO, did not constitute the fulfillment of the obligation or task imposed on this educational institution by the Act, and therefore it should be considered that there was also a violation of Article 6(1)(c) of Regulation 2016/679.<br />
<br />
The President of UODO, analyzing all the evidence gathered in the course of the audit, decided that the statements of the Director of the CSO included in the letter of [...] June 2020 (mark: [...]), concerning the key issues in this decision, do not confirm the findings made in this case or are not essential for it and therefore do not bring new circumstances to it. First of all it should be pointed out that the fact of personnel changes in the CSO directorate, referred to by the CSO Director, has no meaning for the responsibility of the CSO as a personal data controller in the light of Regulation 2016/679. The data controller, which is the CSO represented by the Director, is obliged to ensure continuity of performance of duties resulting from the provisions of Regulation 2016/679, regardless of personnel changes in the above position. Explanations of the Director of the CSO in this respect, including referring, inter alia, to the circumstances of failure to provide him/her with the documentation, may be relevant at most in the sphere of his/her responsibility resulting from the employment relationship between him/her and the local government body being the organizer of the CSO, and not in the sphere of responsibility resulting from the regulations on personal data protection.<br />
<br />
Moreover, the Director of CSO's explanation that from the beginning of the implementation of the survey and giving copies of it to CSO teachers, they were instructed about the necessity of conducting the survey anonymously, should be considered questionable. First of all it should be pointed out that the questionnaire form, due to the fact that it included in its content a place to indicate the student's name, suggested filling in the questionnaire by name, which was a violation of Regulation 2016/679. Moreover, the statement of ZSO Director about the obligation of teachers to instruct the students about the anonymity of the questionnaire is in contradiction with his earlier explanations, as well as the explanations of ZSO teachers. As the Principal of ZSO explained during the inspection (the protocol of acceptance of oral explanations is attached as Appendix no. 1 to the main inspection protocol), he noticed during the conversation with the school pedagogue about the questionnaire that by assumption it is not anonymous and ordered the school pedagogue to inform the tutors that completing the questionnaire is optional. He also instructed the tutors to inform the students about the voluntary nature of the questionnaire directly at the time of handing out the survey forms.<br />
<br />
It follows from the above that the recommendations regarding the anonymity of the survey were not made to the tutors at the very beginning of the survey, since the voluntary nature of the survey does not in any way imply anonymity, especially because of its content. This state of affairs is confirmed by the explanations of Mrs. M. K., ZSO teacher, classroom teacher [...] (the protocol of acceptance of oral explanations is attached as Appendix No. 20 to the protocol of the main audit), according to which the school teacher did not inform her about any recommendations concerning the method or date of the survey. According to Ms. K.'s explanations, the questionnaires were filled in by name, i.e., the students gave their names and surnames, and she did not inform the students about its voluntary nature and anonymity before they filled in the questionnaire. Mrs. M. K. also mentioned that after the students had completed the questionnaires, a pedagogical council took place, during which her teacher friends posed questions to the ZSO Director, Mrs. J. P., regarding the anonymity and voluntariness of completing the questionnaire, as well as the purposefulness of its content. According to Mrs. M. K., the Principal of ZSO informed during the above mentioned council that the questionnaire can be filled in voluntarily and anonymously by students. However, from the response of the Principal of the CSO Mrs. M. K. concluded that there is no general recommendation from the Principal that the survey must be anonymous.<br />
<br />
The fact that the classroom tutors were not informed about the need to conduct the questionnaire anonymously also follows from the explanations of Mrs. I. J., ZSO teacher, class tutor of [...] High School (the protocol of acceptance of oral explanations is attached as Appendix No. 21 to the main control protocol). Mrs. I. J. stated that she learned about the questionnaire from her school teacher, Mrs. D. K., who personally brought her printed and unfilled questionnaire forms in September 2019 while Mrs. I. J. was conducting a classroom teaching hour of class [...] of the High School. Mrs. D. K. asked Mrs. I. J. to conduct a survey among the students of the [...] class, and informed her that completing the survey was voluntary (optional). Ms. D. K. did not inform Ms. J. about any other recommendations concerning the method or date of the survey.<br />
<br />
Explanations of similar content were also provided by: Mrs. W. M., teacher of the Comprehensive School Complex in D., class teacher of [...] High School (the protocol of accepting oral explanations is enclosed in the protocol of the main control), Mrs. M. D., teacher of the Comprehensive School Complex in D., the tutor of the class [...] of the High School (the protocol of the oral hearing is attached as appendix no. 23 to the protocol of the main audit) and Mrs. M. C., teacher of the High School Complex in D., tutor of the class [...] of the High School (the protocol of the oral hearing is attached as appendix no. 24 to the protocol of the main audit). In view of the above, the statement of the Headmaster of the CSO that despite the instructions of the majority of tutors, some of the students indicated their names or personal data of their parents or statutory representatives on the survey, should be considered unconvincing, as for the most part no one directed such instructions to the students.<br />
<br />
In connection with the above, acting pursuant to Article 58(2)(b) of Regulation 2016/679, pursuant to which each supervisory authority is entitled to issue a warning to the controller or processor in the event of a breach of the provisions of this Regulation by the processing operations, the President of UODO considers it justified to issue a warning to the CSO in the event of a breach of the provisions of Article 6(1)(c) in connection with Article 5(1)(a) of Regulation 2016/679.<br />
<br />
Recital 148 of Regulation 2016/679 provides that in order to make enforcement more effective, sanctions, including administrative fines, should be imposed for a breach of the Regulation, in addition to or instead of the appropriate measures imposed by the supervisory authority under this Regulation. If the infringement is minor, the financial penalty may be replaced by a warning. However, due consideration should be given to the nature, gravity and duration of the breach, to whether the breach was not intentional, to actions taken to minimise damage, to the degree of liability or any relevant previous breaches, to the manner in which the supervisory authority learned of the breach, to compliance with measures imposed on the controller or processor, to the application of codes of conduct and any other aggravating or mitigating factors.<br />
<br />
Determining the nature of the breach consists in determining which provision of Regulation 2016/679 has been breached and classifying the breach in the appropriate category of breaches, i.e. those indicated in Article 83(4) or 83(5) and (6) of Regulation 2016/679. The assessment of the severity of the breach (e.g. low, medium or significant) is indicated by the nature of the breach, as well as the scope, purpose of the processing in question, the number of data subjects affected and the extent of the damage suffered by them. The purpose of the processing of personal data involves determining the extent to which the processing meets the two key elements of the 'limited purpose' principle, i.e. the determination of the purpose and its consistent application by the controller or processor. In choosing the corrective measure, the supervisory authority takes into account whether the damage has been or may be suffered due to a breach of Regulation 2016/679, although the supervisory authority itself is not competent to grant specific compensation for the damage suffered. By specifying the duration of the breach, it may be concluded that the breach has been rectified immediately and for how long it lasted, which consequently makes it possible to assess, for example, the appropriateness or effectiveness of the actions of the controller or processor. The Article 29 Working Party, in its guidelines on the application and determination of administrative fines for the purposes of Regulation 2016/679 adopted on October 3, 2017, referring to the intentional or unintentional nature of the infringement, indicated that, in principle, "intentionality" includes both knowledge and intentional action, in relation to the characteristics of the prohibited act, while "unintentionality" means the lack of intent to cause the infringement, despite the failure of the controller or the processor to comply with the duty of care required by law. 
Intentional infringements are more serious than unintentional ones and, consequently, more often involve the imposition of an administrative fine.<br />
<br />
The President of UODO decided that in the established circumstances of this case a warning to the CSO is sufficient. As a mitigating circumstance supporting this, the President of UODO considered that the above-mentioned infringement was of an unintentional nature. ZSO immediately took a number of corrective actions, such as: destruction of the survey forms, some teachers not conducting the survey, organization of training for ZSO employees in order to raise their awareness of the issue of personal data protection, as well as an analysis of the event, i.e. conducting a survey among students, in terms of the risk of violation of rights and freedoms of individuals. Moreover, based on the circumstances of the case in question, there are no grounds to consider that the data subjects suffered damage as a result of the event.<br />
<br />
The President of UODO also did not receive any other signals that similar behaviors resulting in violation from the CSO took place. Therefore, the event refers to a one-time incident, not a systematic action or omission that would pose a serious threat to the rights of persons whose personal data are processed by the CSO. The above circumstances justify the granting of a reminder to the CSO for the found violation, taking into account the possibility of avoiding similar events in the future.<br />
<br />
It should be noted that in case of occurrence of a similar event in the future, each reminder issued by the President of UODO to the CSO will be taken into account when assessing the prerequisites for a possible administrative penalty, in accordance with the principles set out in Article 83 paragraph 2 of Regulation 2016/679.<br />
<br />
In this factual and legal situation the President of UODO decided, as in the operative part.<br />
<br />
<br />
<br />
The decision is final. A party has the right to lodge a complaint against the decision with the Voivodeship Administrative Court in Warsaw, within 30 days from the date of its delivery, through the President of the Office for Personal Data Protection (address: 2 Stawki Street, 00-193 Warsaw). A fixed fee in the amount of 200 PLN is payable on the complaint, according to art. 231 in connection with art. 233 of the Act of August 30, 2002 - Law on proceedings before administrative courts (Journal of Laws of 2019, item 2325, as amended). A party (natural person, legal person, other organizational unit without legal personality) has the right to apply for the right of assistance, which includes exemption from court costs and establishment of an advocate, legal adviser, tax advisor or patent attorney. The right of assistance may be granted at the request of a party submitted before or during the proceedings. The application is free of court fees.<br />
<br />
They receive:<br />
<br />
<br />
<br />
General School Complex in D.<br />
<br />
<br />
<br />
A/a<br />
<br />
</pre></div>ML
https://gdprhub.eu/index.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_9446659&diff=11194
Garante per la protezione dei dati personali (Italy) - 9446659
2020-08-24T07:50:39Z
<p>ML: /* English Machine Translation of the Decision */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Italy<br />
|DPA-BG-Color=background-color:#095d7e;<br />
|DPAlogo=LogoIT.png<br />
|DPA_Abbrevation=Garante per la protezione dei dati personali<br />
|DPA_With_Country=Garante per la protezione dei dati personali (Italy)<br />
<br />
|Case_Number_Name= 9446659<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Garante's website<br />
|Original_Source_Link_1=https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9446659<br />
|Original_Source_Language_1=Italian<br />
|Original_Source_Language__Code_1=IT<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=09.07.2020<br />
|Date_Published=<br />
|Year=2020<br />
|Fine=2000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1a<br />
|GDPR_Article_2=Article 5(1)(c) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#1c<br />
|GDPR_Article_3=Article 6(1)(c) GDPR<br />
|GDPR_Article_Link_3=Article 6 GDPR#1c<br />
|GDPR_Article_4=Article 6(1)(e) GDPR<br />
|GDPR_Article_Link_4=Article 6 GDPR#1e<br />
|GDPR_Article_5=Article 6(2) GDPR<br />
|GDPR_Article_Link_5=Article 6 GDPR#2<br />
|GDPR_Article_6=Article 6(3) GDPR<br />
|GDPR_Article_Link_6=Article 6 GDPR#3<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Antonella Luisi<br />
|<br />
}}<br />
<br />
The Italian DPA (Garante) fined a city council 2.000 euros for publishing citizens' personal data on its website without a valid legal basis and failing to comply with the principle of data minimization. <br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
A data subject filed a complaint with the Garante regarding the publication on the city council's website of personal data concerning him and his wife.<br />
<br />
===Dispute===<br />
The Garante considered whether the publication of the complainants' personal data was justified and grounded on a valid legal basis while complying with the transparency obligations public administrations are subject to. <br />
<br />
===Holding===<br />
The Garante considered that the data processing at stake should have been grounded on compliance with a legal obligation to which the controller is subject, under Article 6 (1) (c) GDPR. <br />
In this case, the complainants' personal data remained published for several years, thus exceeding the 15-day period required under Italian law for transparency purposes. <br />
As the controller failed to demonstrate the legal basis on which it grounded the data processing for the excess period of time, the Authority judged the processing unlawful on the basis of Article 6 (1) (c) (e), (2), (3) (b). Also, the Garante found that the personal data published was not adequate, relevant and limited to the fixed purpose, thus breaching the principle of data minimization under Article 5 (1) (c) GDPR. <br />
<br />
==Comment==<br />
''Share your comments here!''<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.<br />
<br />
<pre><br />
[web doc. n. 9446659]<br />
<br />
Ordinance injunction against the Municipality of Baronissi - July 9, 2020<br />
<br />
Register of measures<br />
n. 139 of July 9, 2020<br />
<br />
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA<br />
<br />
In today's meeting, which was attended by Dr. Antonello Soro, President, Prof. Licia Califano and Dr. Giovanna Bianchi Clerici, members and Dr. Giuseppe Busia, Secretary General;<br />
<br />
HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, "General Data Protection Regulation" (hereinafter referred to as "RGPD");<br />
<br />
HAVING REGARD TO Legislative Decree no. 196 of 30 June 2003, "Personal Data Protection Code" (hereinafter referred to as the "Code");<br />
<br />
HAVING REGARD to General Provision no. 243 of 15/5/2014 containing the "Guidelines on the processing of personal data, also contained in administrative acts and documents, carried out for purposes of publicity and transparency on the web by public entities and other obligatory bodies", published in G.U. no. 134 of 12/6/2014 and in www.gpdp.it, web document no. 3134436 (hereinafter "Guidelines on transparency");<br />
<br />
HAVING REGARD TO Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved by resolution no. 98 of 4/4/2019, published in OJ no. 106 of 8/5/2019 and www.gpdp.it, web doc. no. 9107633 (hereinafter "Regulation of the Guarantor no. 1/2019");<br />
<br />
HAVING REGARD TO the documentation on file;<br />
<br />
HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000 on the organization and operation of the office of the Guarantor for the protection of personal data, in www.gpdp.it, web doc. n. 1098801;<br />
<br />
Rapporteur Dr. Antonello Soro;<br />
<br />
WHEREAS<br />
<br />
1. Introduction<br />
<br />
This Authority has received a complaint regarding the publication on the institutional website of the Municipality of Baronissi of personal data and information of Mr. XX and his spouse XX.<br />
<br />
In particular, from the preliminary assessment carried out by the Office on XX, it was found that the following documents were visible and freely downloadable on the institutional website of the aforementioned Municipality, in the section Services / Historical Register: Measure prot. n. XX of XX of XX of the urban planning-construction sector having as object "XX", with attached the note of the municipal technician prot. n. XX of XX having as object "XX (url http://...).<br />
<br />
The above-mentioned documents contained personal data and information of the interested parties, such as personal and residence data, identification and cadastral data of the property, information relating to the realization of illegal works and the results from the inspection report, the photographic surveys of the veranda of their apartment, etc.<br />
<br />
2. Applicable regulations.<br />
<br />
According to the relevant regulations, "personal data" is "any information concerning an identified or identifiable natural person ("interested party")" and "is considered identifiable the natural person who can be identified, directly or indirectly, with particular reference to an identifier such as name, an identification number, location data, an online identifier or one or more characteristic elements of his physical, physiological, genetic, psychic, economic, cultural or social identity" (art. 4, par. 1, no. 1, of the RGPD).<br />
<br />
Personal data must be processed in compliance with the principles indicated in art. 5 of the RGPD, including those of "lawfulness, correctness and transparency" as well as "data minimization", according to which personal data must be - respectively - "processed in a lawful, correct and transparent way towards the person concerned", as well as "adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed" (par. 1, lett. a and c).<br />
<br />
Within this framework, the processing of personal data carried out by public entities (such as the Municipality) is lawful only if necessary "to fulfil a legal obligation to which the data controller is subject" or "for the performance of a task in the public interest or related to the exercise of public authority vested in the data controller" (art. 6, par. 1, lett. c and e, of the RGPD).<br />
<br />
It is also provided that "Member States may maintain [...] more specific provisions to adapt the application of the provisions of this Regulation with regard to processing, in accordance with paragraph 1(c) and (e), determining more precisely specific requirements for processing and other measures to ensure lawful and correct processing [...]", with the result that the provisions applicable to the present case are those contained in art. 19, paragraph 3, of the Code (now repealed but in force at the time of the facts, whose content is reproduced in art. 2-ter, paragraphs 1 and 3, of the Code), where it is provided that the operation of dissemination of personal data (such as publication on the Internet), by public entities, is allowed only when required by law or regulation.<br />
<br />
The state legislation provides, in this regard, that "All the resolutions of the municipality and the province are published by publication in the register, at the headquarters of the body, for fifteen consecutive days, unless specific provisions of law" (art. 124, paragraph 1, of Legislative Decree 18/8/2000 n. 267).<br />
<br />
The Guarantor has provided specific indications to public administrations regarding the precautions to be taken for the dissemination of personal data on the Internet for the purposes of transparency and publicity of administrative action with its Guidelines on transparency, also with reference to publications in the online register of local authorities.<br />
<br />
In the aforesaid Guidelines, it is expressly provided that, once the time period provided for by the individual disciplines for the publication of the acts and documents in the register of local authorities has elapsed, "local authorities may not continue to disseminate the personal data contained therein. Otherwise, it would result, for the period exceeding the duration provided for by the reference legislation, a dissemination of personal data illegal because not supported by appropriate regulatory requirements [...]. In this regard, for example, the permanence on the web of personal data contained in the deliberations of local authorities beyond the term of fifteen days, provided for by art. 124 of the aforementioned Legislative Decree no. 267/2000, may constitute a violation of the aforementioned art. 19, paragraph 3, of the Code [n.d.r. now reproduced in art. 2-ter, paragraphs 1 and 3, of the Code], where there is no different legislative or regulatory parameter that provides for its dissemination [...]. [In this case] if the local authorities want to continue to maintain the acts and documents published on their institutional website, for example in the sections dedicated to the archives of the acts and/or the regulations of the authority, they must make the appropriate arrangements for the protection of personal data. In such cases, therefore, it is necessary to obscure in the published records the data and information suitable to identify, even indirectly, the subjects concerned" (part two, par. 3.a).<br />
<br />
3. Preliminary assessments of the Office on the processing of personal data carried out.<br />
<br />
From the verifications carried out on the basis of the elements acquired and the facts that emerged as a result of the investigation activity, as well as the subsequent evaluations, the Office with note prot. n. XX of XX has ascertained that the Municipality of Baronissi by disseminating - at least until the preliminary verification carried out by the Office on XX - the personal data of the complainants, contained in the documents identified above published on the institutional website, has carried out a processing of personal data that does not comply with the relevant discipline on the protection of personal data contained in the RGPD. Therefore, with the same note the violations carried out were notified to the Municipality (pursuant to art. 166, paragraph 5, of the Code), communicating the initiation of the procedure for the adoption of the measures referred to in Article 58, paragraph 2, of the RGPD and inviting the above mentioned Municipality to send to the Guarantor defensive writings or documents and, if necessary, to ask to be heard by this Authority, within 30 days (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of Law n. 689 of 24/11/1981).<br />
<br />
4. Defensive pleadings and hearing.<br />
<br />
With the note prot. n. XX of XX the Municipality of Baronissi sent to the Guarantor its defensive writings in relation to the violations notified.<br />
<br />
In this regard, it is recalled that, unless the act constitutes a more serious crime, anyone who, in a proceeding before the Guarantor, falsely declares or certifies news or circumstances or produces false acts or documents is liable under Article 168 of the Code, entitled "False statements to the Guarantor and interruption of the performance of duties or exercise of powers of the Guarantor".<br />
<br />
Specifically, it has been highlighted, among other things, that:<br />
<br />
- "Preliminarily it is reiterated that the publication of the Ordinance de qua (see Provv. Prot. n. XX of XX) concerning personal data and information - freely visible and downloadable on the institutional website of the Municipality of Baronissi (Servizionline/Albo Pretorio) - has occurred beyond the time prescribed by law for a mere technical error and a misunderstanding related to the internal organization of this Municipality".<br />
<br />
- "A scrupulous and diligent obligation towards the regulations on transparency then guided the organization of the Municipality and the personnel in charge, considering the publication of the common data relating to the ordinance in question to be due and necessary".<br />
<br />
- "In the background, a conduct based on good faith and respectful of the context in which this error is manifested [...]".<br />
<br />
- "the Municipality of Baronissi has provided to adopt specific guidelines on general principles and issued directives on the processing of personal data, if the purposes of publicity and transparency of administrative action emerge, representing also the multiple hypotheses in which the activity of the public administration, rectius of the Municipality of Baronissi, can balance the requirements of transparency under the prescribed rules, those of publicity in conjunction with the rules to be observed on the processing of personal data, especially in terms of relevance and necessity of treatment (principle of minimization)".<br />
<br />
- "In order to ensure that the contents of the aforementioned ordinance fulfil the obligation prescribed by law without violating the precepts imposed by Regulation (EU) 2016/679, Legislative Decree 196/2003 and Legislative Decree 101 of 2018, the Municipality of Baronissi has undertaken to remove the aforementioned ordinance from its institutional site. In this regard, the Local Authority has organized itself, after the time prescribed by law to comply with the obligations of transparency and publicity, to make available on the Archives section of the Municipality the administrative acts and documents but accessible only at the request of the interested party".<br />
<br />
- The body "has issued very precise instructions aimed at modifying the information contained in the administrative acts issued and issued, avoiding the insertion of personal data that are not relevant and in excess of those required, in order to comply with the constraints of the law".<br />
<br />
5. Outcome of the investigation relating to the complaint submitted<br />
<br />
The subject matter of the case submitted to the attention of the Guarantor concerns the dissemination of data and personal information of the complainants (such as personal and residence data, identification data and cadastral data of the property, information relating to the realization of illegal works and results from the inspection report, photographic surveys of the veranda of the apartment subject to the surveys) contained in the measure prot. n. XX of the Municipality and its annex containing the note of the municipal technician prot. n. XX.<br />
<br />
The Municipality in the defensive memoirs confirmed the online dissemination of personal data of the complainants, justifying it in the light of "a mere technical error" and "a misunderstanding regarding the internal organization [of the] Municipality", as well as an incorrect assessment regarding the application of the provisions on transparency and protection of personal data.<br />
<br />
Some observations in this regard, although worthy of consideration, do not in any case allow the findings notified by the Office with the act of initiation of proceedings to be overcome and are insufficient to allow the filing of these proceedings, since none of the cases provided for in Article 11 of the Regulation of the Guarantor No. 1/2019 applies. This is also considering that since 2014, the Authority, in the Guidelines on transparency, has provided all public entities with specific indications on how to balance the obligations of transparency and publicity of administrative action with the right to protection of personal data of those concerned.<br />
<br />
In this framework, the preliminary assessments of the Office are confirmed and it is noted that the processing of personal data carried out by the Municipality of Baronissi is unlawful, as the full publication on the institutional website of the document prot. n. XX of XX of the urban-building sector of the Municipality of Baronissi concerning "XX", with all data and information in clear text of the interested parties, has produced a dissemination of personal data of the complainants:<br />
<br />
a. that were not necessary with respect to the purpose of the processing, with particular reference to the disclosure of the date and place of birth, residence, identification data and cadastral data of the property, information relating to the realization of illegal works, in violation of the principle of minimization and, therefore, the basic principles of processing contained in Article 5, paragraph 1, letter c) of the RGPD;<br />
<br />
b. that has lasted for more than the fifteen days provided for in Article 124, paragraph 1, of Legislative Decree no. 267/2000 for the publication in the register, in the absence - for the period exceeding that term - of appropriate legal requirements for the dissemination of personal data and, therefore, in violation of art. 19 paragraph 3 of the Code (in force at the time of the facts and whose content is now reproduced in Article 2-ter, paragraphs 1 and 3, of the Code), as well as the basic principles of processing contained in Articles 5, paragraph 1, letter a and c; 6, paragraph 1, letter c and e, paragraph 2 and paragraph 3, letter b, of the RGPD.<br />
<br />
Considering, however, that the conduct has exhausted its effects, since the personal data of the complainants described above are no longer accessible at the url address indicated above, without prejudice to what will be said about the application of the administrative fine, the conditions for the adoption of further corrective measures under Article 58, paragraph 2, of the RGPD are not met.<br />
<br />
6. Adoption of the injunction order for the application of the pecuniary administrative sanction (Art. 58, par. 2, letter i; 83 RGPD)<br />
<br />
The Municipality of Baronissi appears to have violated articles 5, par. 1, letter a) and c); 6, par. 1, letter c) and e), par. 2 and par. 3, letter b), of the RGPD; as well as art. 19, par. 3, of the Code, in force at the time of the illegal conduct.<br />
<br />
In this regard, Art. 83, par. 3, of the RGPD, provides that "If, in relation to the same processing or related processing, a data controller or a data processor violates, intentionally or negligently, various provisions of this Regulation, the total amount of the pecuniary administrative sanction shall not exceed the amount specified for the most serious violation".<br />
<br />
In the present case, the violation of the above mentioned provisions is subject to the application of the same pecuniary administrative sanction provided for by Article 83, paragraph 5, of the RGPD, which therefore applies to the present case.<br />
<br />
It should also be taken into account that, although the document subject of the complaint, published online, dates back to May 2017, for the determination of the applicable rule, from a temporal point of view, it must be recalled in particular the principle of legality set forth in Article 1, paragraph 2, of Law no. 689/1981 which states that "Laws providing for administrative sanctions apply only in the cases and times considered". This determines the obligation to take into account the provisions in force at the time of the violation committed, which in the case in question - given the permanent nature of the alleged offence - must be identified at the time of cessation of the illegal conduct, which occurred after the date of 25/5/2018 when the RGPD became applicable. From the acts of the investigation it has emerged that the illegal online dissemination has continued at least until the preliminary verification carried out by the Office on the date of the XX.<br />
<br />
The Guarantor, pursuant to Articles 58, paragraph 2, letter i) and 83 of the RGPD and Article 166 of the Code, has the corrective power to "impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case". In this framework, "the Board [of the Guarantor] adopts the injunction, with which it also orders the application of the accessory administrative sanction of its publication, in whole or in excerpts, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code" (Article 16, paragraph 1, of the Regulation of the Guarantor No 1/2019).<br />
<br />
The above mentioned administrative fine imposed, depending on the circumstances of each individual case, must be determined in the amount, taking due account of the elements provided for in Article 83, paragraph 2, of the RGPD.<br />
<br />
In relation to the aforementioned elements, the conduct found to have been carried out in violation of the regulations on the protection of personal data has involved the disclosure of personal data not belonging to special categories or to criminal convictions or crimes (Articles 9 and 10 of the RGPD) of two persons involved. The dissemination has lasted for several years, but the administration has taken steps to obscure the personal data subject of the complaint, working with the Authority during the investigation of this procedure in order to remedy the violation - whose character, according to what the Municipality stated, appears to be of a culpable nature - mitigating the possible negative effects. In the response to the Guarantor were also described several technical and organizational measures put in place pursuant to Articles 25-32 of the RGPD. There are no previous violations of the relevant RGPD committed by the Municipality of Baronissi.<br />
<br />
Because of the above elements, assessed as a whole, it is considered necessary to determine the amount of the financial penalty, provided by art. 83, par. 2 and 3, of the RGPD, in the amount of € 2,000.00 (two thousand) for the violation of articles 5, par. 1, lett. a) and c); 6, par. 1, lett. c) and e), par. 2 and par. 3, lett. b), of the RGPD; as well as art. 19, par. 3, of the Code, as a pecuniary administrative sanction considered effective, proportionate and dissuasive pursuant to art. 83, par. 1, of the same RGPD.<br />
<br />
In relation to the specific circumstances of this case, relating to the violation of the principle of data minimization and the dissemination on the web of personal data in the absence of a suitable regulatory basis, it is also considered that the accessory sanction of the publication of this measure on the website of the Guarantor, provided by Article 166, paragraph 7, of the Code and Article 16, paragraph 1, of the Regulation of the Guarantor No 1/2019, should be applied.<br />
<br />
It is also considered that the conditions set out in art. 17 of Regulation No. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.<br />
<br />
ALL THIS BEING SAID, THE GUARANTOR<br />
<br />
having found the unlawfulness of the processing carried out by the Municipality of Baronissi in the terms indicated in the statement of reasons pursuant to Articles 58, paragraph 2, letter i) and 83 of the RGPD<br />
<br />
ORDERS<br />
<br />
to the Municipality of Baronissi, in the person of the legal representative pro-tempore, with registered office in Piazza della Repubblica, 1 - 84081 Baronissi (SA) - C.F. 80032710651 to pay the sum of € 2,000.00 (two thousand) as a fine for violations referred to in the grounds;<br />
<br />
ENJOINS<br />
<br />
to the same Municipality to pay the sum of euro 2.000,00 (two thousand), according to the modalities indicated in the attachment, within 30 days from the notification of the present measure, under penalty of adopting the consequent executive acts according to art. 27 of the law n. 689/1981.<br />
<br />
Please note that this is without prejudice to the right for the offender to settle the dispute by paying - again in the manner indicated in the Annex - an amount equal to half of the penalty imposed, within the period referred to in Article 10, paragraph 3, of Legislative Decree no. 150 of 1/9/2011 provided for the lodging of the appeal as indicated below (Article 166, paragraph 8, of the Code).<br />
<br />
ORDERS<br />
<br />
the publication of this measure on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor No. 1/2019, and it is also considered that the requirements of art. 17 of Regulation No. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.<br />
<br />
Pursuant to Article 78 of the RGPD, Article 152 of the Code and Article 10 of Legislative Decree no. 150/2011, this measure may be appealed against before the ordinary judicial authorities, under penalty of inadmissibility, within thirty days from the date of notification of the measure itself or within sixty days if the applicant resides abroad.<br />
<br />
Rome, 9 July 2020<br />
<br />
THE PRESIDENT<br />
Soro<br />
<br />
THE RAPPORTEUR<br />
Soro<br />
<br />
THE SECRETARY GENERAL<br />
Busia<br />
<br />
</pre></div>MLhttps://gdprhub.eu/index.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_9446659&diff=11193Garante per la protezione dei dati personali (Italy) - 94466592020-08-24T07:50:21Z<p>ML: /* English Machine Translation of the Decision */ added machine translation</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Italy<br />
|DPA-BG-Color=background-color:#095d7e;<br />
|DPAlogo=LogoIT.png<br />
|DPA_Abbrevation=Garante per la protezione dei dati personali<br />
|DPA_With_Country=Garante per la protezione dei dati personali (Italy)<br />
<br />
|Case_Number_Name= 9446659<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Garante's website<br />
|Original_Source_Link_1=https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9446659<br />
|Original_Source_Language_1=Italian<br />
|Original_Source_Language__Code_1=IT<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=09.07.2020<br />
|Date_Published=<br />
|Year=2020<br />
|Fine=2000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1a<br />
|GDPR_Article_2=Article 5(1)(c) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#1c<br />
|GDPR_Article_3=Article 6(1)(c) GDPR<br />
|GDPR_Article_Link_3=Article 6 GDPR#1c<br />
|GDPR_Article_4=Article 6(1)(e) GDPR<br />
|GDPR_Article_Link_4=Article 6 GDPR#1e<br />
|GDPR_Article_5=Article 6(2) GDPR<br />
|GDPR_Article_Link_5=Article 6 GDPR#2<br />
|GDPR_Article_6=Article 6(3) GDPR<br />
|GDPR_Article_Link_6=Article 6 GDPR#3<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Antonella Luisi<br />
|<br />
}}<br />
<br />
The Italian DPA (Garante) fined a city council 2.000 euros for publishing citizens' personal data on its website without a valid legal basis and failing to comply with the principle of data minimization. <br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
A data subject filed a complaint with the Garante regarding the publication on the city council's website of personal data concerning him and his wife.<br />
<br />
===Dispute===<br />
The Garante considered whether the publication of the complainants' personal data was justified and grounded on a valid legal basis while complying with the transparency obligations public administrations are subject to. <br />
<br />
===Holding===<br />
The Garante considered that the data processing at stake should have been grounded on compliance with a legal obligation to which the controller is subject, under Article 6(1)(c) GDPR. <br />
In this case, the complainants' personal data remained published for several years, thus exceeding the 15-day period required under Italian law for transparency purposes. <br />
As the controller failed to demonstrate on which legal basis it grounded the data processing for the exceeding period of time, the Authority judged the processing unlawful on the basis of Article 6(1)(c) and (e), (2) and (3)(b) GDPR. Also, the Garante found that the personal data published was not adequate, relevant and limited to the fixed purpose, thus breaching the principle of data minimization under Article 5(1)(c) GDPR. <br />
<br />
==Comment==<br />
''Share your comments here!''<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.<br />
<br />
<pre><br />
<br />
</pre><br />
<br />
<br />
[web doc. n. 9446659]<br />
<br />
Ordinance injunction against the Municipality of Baronissi - July 9, 2020<br />
<br />
Register of measures<br />
n. 139 of July 9, 2020<br />
<br />
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA<br />
<br />
In today's meeting, which was attended by Dr. Antonello Soro, President, Prof. Licia Califano and Dr. Giovanna Bianchi Clerici, members and Dr. Giuseppe Busia, Secretary General;<br />
<br />
HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, "General Data Protection Regulation" (hereinafter referred to as "RGPD");<br />
<br />
HAVING REGARD TO Legislative Decree no. 196 of 30 June 2003, "Personal Data Protection Code" (hereinafter referred to as the "Code");<br />
<br />
HAVING REGARD to General Provision no. 243 of 15/5/2014 containing the "Guidelines on the processing of personal data, also contained in administrative acts and documents, carried out for purposes of publicity and transparency on the web by public entities and other obligatory bodies", published in G.U. no. 134 of 12/6/2014 and in www.gpdp.it, web document no. 3134436 (hereinafter "Guidelines on transparency");<br />
<br />
HAVING REGARD TO Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor for the protection of personal data, approved by resolution no. 98 of 4/4/2019, published in OJ no. 106 of 8/5/2019 and www.gpdp.it, web doc. no. 9107633 (hereinafter "Regulation of the Guarantor no. 1/2019");<br />
<br />
HAVING REGARD TO the documentation on file;<br />
<br />
HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor n. 1/2000 on the organization and operation of the office of the Guarantor for the protection of personal data, in www.gpdp.it, web doc. n. 1098801;<br />
<br />
Rapporteur Dr. Antonello Soro;<br />
<br />
WHEREAS<br />
<br />
1. Introduction<br />
<br />
This Authority has received a complaint regarding the publication on the institutional website of the Municipality of Baronissi of personal data and information of Mr. XX and his spouse XX.<br />
<br />
In particular, from the preliminary assessment carried out by the Office on XX, it was found that the following documents were visible and freely downloadable on the institutional website of the aforementioned Municipality, in the section Services / Historical Register: Measure prot. n. XX of XX of XX of the urban planning-construction sector having as object "XX", with attached the note of the municipal technician prot. n. XX of XX having as object "XX" (url http://...).<br />
<br />
The above mentioned documents contained personal data and information of the interested parties, such as personal and residence data, identification and cadastral data of the property, information relating to the realization of illegal works and the results from the inspection report, the photographic surveys of the veranda of their apartment, etc.<br />
<br />
2. Applicable regulations.<br />
<br />
According to the relevant regulations, "personal data" is "any information concerning an identified or identifiable natural person ("interested party")" and "is considered identifiable the natural person who can be identified, directly or indirectly, with particular reference to an identifier such as name, an identification number, location data, an online identifier or one or more characteristic elements of his physical, physiological, genetic, psychic, economic, cultural or social identity" (art. 4, par. 1, no. 1, of the RGPD).<br />
<br />
Personal data must be processed in compliance with the principles indicated in art. 5 of the RGPD, including those of "lawfulness, correctness and transparency" as well as "data minimization", according to which personal data must be - respectively - "processed in a lawful, correct and transparent way towards the person concerned", as well as "adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed" (par. 1, lett. a and c).<br />
<br />
Within this framework, the processing of personal data carried out by public entities (such as the Municipality) is lawful only if necessary "to fulfil a legal obligation to which the data controller is subject" or "for the performance of a task in the public interest or related to the exercise of public authority vested in the data controller" (art. 6, par. 1, lett. c and e, of the RGPD).<br />
<br />
It is also provided that "Member States may maintain [...] more specific provisions to adapt the application of the provisions of this Regulation with regard to processing, in accordance with paragraph 1(c) and (e), determining more precisely specific requirements for processing and other measures to ensure lawful and correct processing [...]", with the result that the provisions applicable to the present case are those contained in art. 19, paragraph 3, of the Code (now repealed but in force at the time of the facts, whose content is reproduced in art. 2-ter, paragraphs 1 and 3, of the Code), where it is provided that the operation of dissemination of personal data (such as publication on the Internet), by public entities, is allowed only when required by law or regulation.<br />
<br />
The state legislation provides, in this regard, that "All the resolutions of the municipality and the province are published by publication in the register, at the headquarters of the body, for fifteen consecutive days, unless specific provisions of law" (art. 124, paragraph 1, of Legislative Decree 18/8/2000 n. 267).<br />
<br />
The Guarantor has provided specific indications to public administrations regarding the precautions to be taken for the dissemination of personal data on the Internet for the purposes of transparency and publicity of administrative action with its Guidelines on transparency, also with reference to publications in the online register of local authorities.<br />
<br />
In the aforesaid Guidelines, it is expressly provided that, once the time period provided for by the individual disciplines for the publication of the acts and documents in the register of local authorities has elapsed, "local authorities may not continue to disseminate the personal data contained therein. Otherwise, it would result, for the period exceeding the duration provided for by the reference legislation, a dissemination of personal data illegal because not supported by appropriate regulatory requirements [...]. In this regard, for example, the permanence on the web of personal data contained in the deliberations of local authorities beyond the term of fifteen days, provided for by art. 124 of the aforementioned Legislative Decree no. 267/2000, may constitute a violation of the aforementioned art. 19, paragraph 3, of the Code [n.d.r. now reproduced in art. 2-ter, paragraphs 1 and 3, of the Code], where there is no different legislative or regulatory parameter that provides for its dissemination [...]. [In this case] if the local authorities want to continue to maintain the acts and documents published on their institutional website, for example in the sections dedicated to the archives of the acts and/or the regulations of the authority, they must make the appropriate arrangements for the protection of personal data. In such cases, therefore, it is necessary to obscure in the published records the data and information suitable to identify, even indirectly, the subjects concerned" (part two, par. 3.a).<br />
<br />
3. Preliminary assessments of the Office on the processing of personal data carried out.<br />
<br />
From the verifications carried out on the basis of the elements acquired and the facts that emerged as a result of the investigation activity, as well as the subsequent evaluations, the Office with note prot. n. XX of XX has ascertained that the Municipality of Baronissi by disseminating - at least until the preliminary verification carried out by the Office on XX - the personal data of the complainants, contained in the documents identified above published on the institutional website, has carried out a processing of personal data that does not comply with the relevant discipline on the protection of personal data contained in the RGPD. Therefore, with the same note the violations carried out were notified to the Municipality (pursuant to art. 166, paragraph 5, of the Code), communicating the initiation of the procedure for the adoption of the measures referred to in Article 58, paragraph 2, of the RGPD and inviting the above mentioned Municipality to send to the Guarantor defensive writings or documents and, if necessary, to ask to be heard by this Authority, within 30 days (art. 166, paragraphs 6 and 7, of the Code; as well as art. 18, paragraph 1, of Law n. 689 of 24/11/1981).<br />
<br />
4. Defensive pleadings and hearing.<br />
<br />
With the note prot. n. XX of XX the Municipality of Baronissi sent to the Guarantor its defensive writings in relation to the violations notified.<br />
<br />
In this regard, it is recalled that, unless the fact constitutes a more serious crime, anyone who, in a proceeding before the Guarantor, falsely declares or certifies news or circumstances or produces false acts or documents is liable under Article 168 of the Code, entitled "False statements to the Guarantor and interruption of the performance of duties or exercise of powers of the Guarantor".<br />
<br />
Specifically, it has been highlighted, among other things, that:<br />
<br />
- "Preliminarily it is reiterated that the publication of the Ordinance de qua (see Provv. Prot. n. XX of XX) concerning personal data and information - freely visible and downloadable on the institutional website of the Municipality of Baronissi (Servizionline/Albo Pretorio) - has occurred beyond the time prescribed by law for a mere technical error and a misunderstanding related to the internal organization of this Municipality".<br />
<br />
- "A scrupulous and diligent obligation towards the regulations on transparency then guided the organization of the Municipality and the personnel in charge, considering the publication of the common data relating to the ordinance in question to be due and necessary".<br />
<br />
- "In the background, a conduct based on good faith and respectful of the context in which this error is manifested [...]".<br />
<br />
- "the Municipality of Baronissi has provided to adopt specific guidelines on general principles and issued directives on the processing of personal data, if the purposes of publicity and transparency of administrative action emerge, representing also the multiple hypotheses in which the activity of the public administration, rectius of the Municipality of Baronissi, can balance the requirements of transparency under the prescribed rules, those of publicity in conjunction with the rules to be observed on the processing of personal data, especially in terms of relevance and necessity of treatment (principle of minimization)".<br />
<br />
- "In order to ensure that the contents of the aforementioned ordinance fulfil the obligation prescribed by law without violating the precepts imposed by Regulation (EU) 2016/679, Legislative Decree 196/2003 and Legislative Decree 101 of 2018, the Municipality of Baronissi has undertaken to remove the aforementioned ordinance from its institutional site. In this regard, the Local Authority has organized itself, after the time prescribed by law to comply with the obligations of transparency and publicity, to make available on the Archives section of the Municipality the administrative acts and documents but accessible only at the request of the interested party".<br />
<br />
- The body "has issued very precise instructions aimed at modifying the information contained in the administrative acts issued and issued, avoiding the insertion of personal data that are not relevant and in excess of those required, in order to comply with the constraints of the law".<br />
<br />
5. Outcome of the investigation relating to the complaint submitted<br />
<br />
The subject matter of the case submitted to the attention of the Guarantor concerns the dissemination of data and personal information of the complainants (such as personal and residence data, identification data and cadastral data of the property, information relating to the realization of illegal works and results from the inspection report, photographic surveys of the veranda of the apartment subject to the surveys) contained in the measure prot. n. XX of the Municipality and its annex containing the note of the municipal technician prot. n. XX.<br />
<br />
The Municipality in the defensive memoirs confirmed the online dissemination of personal data of the complainants, justifying it in the light of "a mere technical error" and "a misunderstanding regarding the internal organization [of the] Municipality", as well as an incorrect assessment regarding the application of the provisions on transparency and protection of personal data.<br />
<br />
Some observations in this regard, although worthy of consideration, do not in any case overcome the findings notified by the Office with the act of initiation of proceedings and are insufficient to allow the filing of these proceedings, since none of the cases provided for in Article 11 of the Regulation of the Guarantor No. 1/2019 applies. This is also considering that since 2014, the Authority, in the Guidelines on transparency, has provided all public entities with specific indications on how to balance the obligations of transparency and publicity of administrative action with the right to protection of personal data of those concerned.<br />
<br />
In this framework, the preliminary assessments of the Office are confirmed and it is noted that the processing of personal data carried out by the Municipality of Baronissi is unlawful, as the full publication on the institutional website of the document prot. n. XX of XX of the urban-building sector of the Municipality of Baronissi concerning "XX", with all data and information in clear text of the interested parties, has produced a dissemination of personal data of the complainants:<br />
<br />
a. that were not necessary with respect to the purpose of the treatment, with particular reference to the disclosure of the date and place of birth, residence, identification data and cadastral data of the property, information relating to the realization of illegal works, in violation of the principle of minimization and, therefore, the basic principles of treatment contained in Article 5, paragraph 1, letter c) of the RGPD;<br />
<br />
b. that lasted for more than the fifteen days provided for in Article 124, paragraph 1, of Legislative Decree no. 267/2000 for the publication in the register, in the absence - for the exceeding period - of appropriate legal requirements for the dissemination of personal data and, therefore, in violation of art. 19 paragraph 3 of the Code (in force at the time of the facts and whose content is now reproduced in Article 2-ter, paragraphs 1 and 3, of the Code), as well as the basic principles of treatment contained in Articles 5, paragraph 1, letter a and c; 6, paragraph 1, letter c and e, paragraph 2 and paragraph 3, letter b, of the RGPD.<br />
<br />
Considering, however, that the conduct has exhausted its effects, since the personal data of the complainants described above are no longer accessible at the url address indicated above, without prejudice to what will be said about the application of the administrative fine, the conditions for the adoption of further corrective measures under Article 58, paragraph 2, of the RGPD are not met.<br />
<br />
6. Adoption of the injunction order for the application of the pecuniary administrative sanction (Art. 58, par. 2, letter i; 83 RGPD)<br />
<br />
The Municipality of Baronissi appears to have violated articles 5, par. 1, letter a) and c); 6, par. 1, letter c) and e), par. 2 and par. 3, letter b), of the RGPD; as well as art. 19, par. 3, of the Code, in force at the time of the illegal conduct.<br />
<br />
In this regard, Art. 83, par. 3, of the RGPD, provides that "If, in relation to the same processing or related processing, a data controller or a data processor violates, intentionally or negligently, various provisions of this Regulation, the total amount of the pecuniary administrative sanction shall not exceed the amount specified for the most serious violation".<br />
<br />
In the present case, the violation of the above mentioned provisions is subject to the application of the same pecuniary administrative sanction provided for by Article 83, paragraph 5, of the RGPD, which therefore applies to the present case.<br />
<br />
It should also be taken into account that, although the document subject of the complaint, published online, dates back to May 2017, for the determination of the applicable rule, from a temporal point of view, it must be recalled in particular the principle of legality set forth in Article 1, paragraph 2, of Law no. 689/1981 which states that "Laws providing for administrative sanctions apply only in the cases and times considered". This determines the obligation to take into account the provisions in force at the time of the violation committed, which in the case in question - given the permanent nature of the alleged offence - must be identified at the time of cessation of the illegal conduct, which occurred after the date of 25/5/2018 when the RGPD became applicable. From the acts of the investigation it has emerged that the illegal online dissemination has continued at least until the preliminary verification carried out by the Office on the date of the XX.<br />
<br />
The Guarantor, pursuant to Articles 58, paragraph 2, letter i) and 83 of the RGPD and Article 166 of the Code, has the corrective power to "impose a pecuniary administrative sanction pursuant to Article 83, in addition to the [other] [corrective] measures referred to in this paragraph, or in place of such measures, depending on the circumstances of each individual case". In this framework, "the Board [of the Guarantor] adopts the injunction, with which it also orders the application of the accessory administrative sanction of its publication, in whole or in excerpts, on the website of the Guarantor pursuant to Article 166, paragraph 7, of the Code" (Article 16, paragraph 1, of the Regulation of the Guarantor No 1/2019).<br />
<br />
The above mentioned administrative fine imposed, depending on the circumstances of each individual case, must be determined in the amount, taking due account of the elements provided for in Article 83, paragraph 2, of the RGPD.<br />
<br />
In relation to the aforementioned elements, the conduct found to have been carried out in violation of the regulations on the protection of personal data has involved the disclosure of personal data not belonging to special categories or to criminal convictions or crimes (Articles 9 and 10 of the RGPD) of two persons involved. The dissemination has lasted for several years, but the administration has taken steps to obscure the personal data subject of the complaint, working with the Authority during the investigation of this procedure in order to remedy the violation - whose character, according to what the Municipality stated, appears to be of a culpable nature - mitigating the possible negative effects. In the response to the Guarantor several technical and organizational measures put in place pursuant to Articles 25-32 of the RGPD were also described. There are no previous relevant violations of the RGPD committed by the Municipality of Baronissi.<br />
<br />
Because of the above elements, assessed as a whole, it is considered necessary to determine the amount of the financial penalty, provided by art. 83, par. 2 and 3, of the RGPD, in the amount of € 2,000.00 (two thousand) for the violation of Articles 5, par. 1, lett. a) and c); 6, par. 1, lett. c) and e), par. 2 and par. 3, lett. b), of the RGPD; as well as art. 19, par. 3, of the Code, as a pecuniary administrative sanction considered effective, proportionate and dissuasive pursuant to art. 83, par. 1, of the same RGPD.<br />
<br />
In relation to the specific circumstances of this case, relating to the violation of the principle of data minimization and the dissemination on the web of personal data in the absence of a suitable regulatory basis, it is also considered that the accessory sanction of the publication of this measure on the website of the Guarantor, provided by Article 166, paragraph 7, of the Code and Article 16, paragraph 1, of the Regulation of the Guarantor No 1/2019, should be applied.<br />
<br />
It is also considered that the conditions set out in art. 17 of Regulation No. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.<br />
<br />
ALL THIS BEING SAID, THE GUARANTOR<br />
<br />
found the unlawfulness of the processing carried out by the City of Baronissi in the terms indicated in the statement of reasons pursuant to Articles 58, paragraph 2, letter i) and 83 of the RGPD<br />
<br />
ORDERS<br />
<br />
to the Municipality of Baronissi, in the person of the legal representative pro-tempore, with registered office in Piazza della Repubblica, 1 - 84081 Baronissi (SA) - C.F. 80032710651 to pay the sum of € 2,000.00 (two thousand) as a fine for violations referred to in the grounds;<br />
<br />
ENJOINS<br />
<br />
to the same Municipality to pay the sum of euro 2.000,00 (two thousand), according to the modalities indicated in the attachment, within 30 days from the notification of the present measure, under penalty of adopting the consequent executive acts according to art. 27 of the law n. 689/1981.<br />
<br />
Please note that this is without prejudice to the right for the offender to settle the dispute by paying - again in the manner indicated in the Annex - an amount equal to half of the penalty imposed, within the period referred to in Article 10, paragraph 3, of Legislative Decree no. 150 of 1/9/2011 provided for the lodging of the appeal as indicated below (Article 166, paragraph 8, of the Code).<br />
<br />
ORDERS<br />
<br />
the publication of this measure on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor No. 1/2019, and it is also considered that the requirements of art. 17 of Regulation No. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.<br />
<br />
Pursuant to Article 78 of the RGPD, Article 152 of the Code and Article 10 of Legislative Decree no. 150/2011, this measure may be appealed against before the ordinary judicial authorities, under penalty of inadmissibility, within thirty days from the date of notification of the measure itself or within sixty days if the applicant resides abroad.<br />
<br />
Rome, 9 July 2020<br />
<br />
THE PRESIDENT<br />
Soro<br />
<br />
THE REPORTER<br />
Soro<br />
<br />
THE SECRETARY GENERAL<br />
Busia</div>MLhttps://gdprhub.eu/index.php?title=Garante_per_la_protezione_dei_dati_personali_-_doc.web._9446659&diff=11192Garante per la protezione dei dati personali - doc.web. 94466592020-08-24T07:41:47Z<p>ML: ML moved page Garante per la protezione dei dati personali - doc.web. 9446659 to Garante per la protezione dei dati personali - 9446659: correction of title</p>
<hr />
<div>#REDIRECT [[Garante per la protezione dei dati personali - 9446659]]</div>MLhttps://gdprhub.eu/index.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_9446659&diff=11191Garante per la protezione dei dati personali (Italy) - 94466592020-08-24T07:41:47Z<p>ML: ML moved page Garante per la protezione dei dati personali - doc.web. 9446659 to Garante per la protezione dei dati personali - 9446659: correction of title</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Italy<br />
|DPA-BG-Color=background-color:#095d7e;<br />
|DPAlogo=LogoIT.png<br />
|DPA_Abbrevation=Garante per la protezione dei dati personali<br />
|DPA_With_Country=Garante per la protezione dei dati personali (Italy)<br />
<br />
|Case_Number_Name= 9446659<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Garante's website<br />
|Original_Source_Link_1=https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9446659<br />
|Original_Source_Language_1=Italian<br />
|Original_Source_Language__Code_1=IT<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=09.07.2020<br />
|Date_Published=<br />
|Year=2020<br />
|Fine=2000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1a<br />
|GDPR_Article_2=Article 5(1)(c) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#1c<br />
|GDPR_Article_3=Article 6(1)(c) GDPR<br />
|GDPR_Article_Link_3=Article 6 GDPR#1c<br />
|GDPR_Article_4=Article 6(1)(e) GDPR<br />
|GDPR_Article_Link_4=Article 6 GDPR#1e<br />
|GDPR_Article_5=Article 6(2) GDPR<br />
|GDPR_Article_Link_5=Article 6 GDPR#2<br />
|GDPR_Article_6=Article 6(3) GDPR<br />
|GDPR_Article_Link_6=Article 6 GDPR#3<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Antonella Luisi<br />
|<br />
}}<br />
<br />
The Italian DPA (Garante) fined a city council 2.000 euros for publishing citizens' personal data on its website without a valid legal basis and failing to comply with the principle of data minimization. <br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
A data subject filed a complaint with the Garante regarding the publication on the city council's website of personal data concerning him and his wife.<br />
<br />
===Dispute===<br />
The Garante considered whether the publication of the complainants' personal data was justified and grounded on a valid legal basis while complying with the transparency obligations public administrations are subject to. <br />
<br />
===Holding===<br />
The Garante considered that the data processing at stake should have been grounded on compliance with a legal obligation to which the controller is subject, under Article 6 (1) (c) GDPR. <br />
In this case, the complainants' personal data remained published for several years, thus exceeding the 15-day period required under Italian law for transparency purposes. <br />
As the controller failed to demonstrate the legal basis on which it grounded the data processing for the period exceeding that time, the Authority judged the processing unlawful on the basis of Article 6 (1) (c) (e), (2), (3) (b). Also, the Garante found that the personal data published was not adequate, relevant and limited to the fixed purpose, thus breaching the principle of data minimization under Article 5 (1) (c) GDPR. <br />
<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.<br />
<br />
<pre><br />
<br />
</pre></div>MLhttps://gdprhub.eu/index.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_9446659&diff=11190Garante per la protezione dei dati personali (Italy) - 94466592020-08-24T07:34:23Z<p>ML: changed title</p>
<hr />
<div>
<pre><br />
<br />
</pre></div>MLhttps://gdprhub.eu/index.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_9446730&diff=11178Garante per la protezione dei dati personali (Italy) - 94467302020-08-21T11:49:21Z<p>ML: Created page with "{{DPAdecisionBOX |Jurisdiction=Italy |DPA-BG-Color=background-color:#095d7e; |DPAlogo=LogoIT.png |DPA_Abbrevation=Garante per la protezione dei dati personali |DPA_With_Count..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Italy<br />
|DPA-BG-Color=background-color:#095d7e;<br />
|DPAlogo=LogoIT.png<br />
|DPA_Abbrevation=Garante per la protezione dei dati personali<br />
|DPA_With_Country=Garante per la protezione dei dati personali (Italy)<br />
<br />
|Case_Number_Name=9446730<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Autorità Garante per la Protezione dei Dati Personali<br />
|Original_Source_Link_1=https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9446730<br />
|Original_Source_Language_1=Italian<br />
|Original_Source_Language__Code_1=IT<br />
<br />
|Type=Complaint<br />
|Outcome=Partly Upheld<br />
|Date_Decided=<br />
|Date_Published=<br />
|Year=<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 5(1)(e) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1e<br />
|GDPR_Article_2=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#1a<br />
|GDPR_Article_3=Article 6 GDPR<br />
|GDPR_Article_Link_3=Article 6 GDPR<br />
|GDPR_Article_4=Article 13 GDPR<br />
|GDPR_Article_Link_4=Article 13 GDPR<br />
|GDPR_Article_5=Article 23 GDPR<br />
|GDPR_Article_Link_5=Article 23 GDPR<br />
|GDPR_Article_6=Article 32 GDPR<br />
|GDPR_Article_Link_6=Article 32 GDPR<br />
|GDPR_Article_7=Article 57 GDPR<br />
|GDPR_Article_Link_7=Article 57 GDPR<br />
|GDPR_Article_8=Article 58(2)(c) GDPR<br />
|GDPR_Article_Link_8=Article 58 GDPR#2c<br />
|GDPR_Article_9=Article 58(2)(d) GDPR<br />
|GDPR_Article_Link_9=Article 58 GDPR#2d<br />
|GDPR_Article_10=Article 58(2)(f) GDPR<br />
|GDPR_Article_Link_10=Article 58 GDPR#2f<br />
|GDPR_Article_11=Article 58(2)(i) GDPR<br />
|GDPR_Article_Link_11=Article 58 GDPR#2i<br />
|GDPR_Article_12=Article 83 GDPR<br />
|GDPR_Article_Link_12=Article 83 GDPR<br />
<br />
<br />
<br />
|Party_Name_1=Cavauto srl.<br />
|Party_Link_1=<br />
|Party_Name_2=Employee<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The Italian DPA decided on March 26th 2020 to impose on Cavauto srl., an appointed car dealer, a fine of € 10.000,00, as well as other measures to ensure compliance with the GDPR. The Italian DPA held that Cavauto accessed and processed personal data of its employee saved on the employee's business computer and generally failed to comply with personal data protection principles, in violation of Articles 5, 6, 13, 23 and 32 GDPR. The employer dismissed the employee after a disciplinary proceeding on the basis of the personal data found on the computer and subsequently refused to recognize her right of access to personal data left behind in the company.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
After a complaint was lodged by the data subject, the Italian DPA proceeded with the examination of the case in accordance with national law, evaluating the statements of the controller and the acquired documents. It was established that the controller had accessed the online browsing history on the business computer used by the data subject, as well as other personal data stored in it, taking into account that the password used to get access to the computer was known not only to the employee but also to the legal representative of the company. It was ascertained that the data subject was not sufficiently informed about the possible proceedings, namely the possible controls carried out by the controller at any moment, with regard to browsing history, e-mail or other work tools. The information contained in the “internal regulation” is, according to the Italian DPA, too generic to comply with the GDPR, failing to inform about the “essential characteristics” of the personal data processing. In fact, it only indicates the possibility of “regular controls”, without delineating the specific modalities, which violates the principle of data limitation as well as the principle of transparency and fairness. Furthermore, the employer Cavauto limited the right of access to personal data after the dismissal, handing out only the USB memory stick and some of the agenda pages, motivating its actions with the need to keep proof for justifying the dismissal in the ongoing judicial proceeding.<br />
<br />
=== Dispute ===<br />
Is the employer allowed to process personal data kept at the workplace without prior and detailed information about the exact modalities of possible controls?<br />
Is the employer allowed to consequently limit the exercise of the right of access to personal data by the data subject, who was dismissed following a disciplinary proceeding initiated on the basis of personal data found on the business computer?<br />
<br />
<br />
=== Holding ===<br />
In applying art. 57 and 58 GDPR, the Italian DPA imposed a limitation on the processing of personal data taken from the browsing history for the ongoing judicial proceeding, ordered the controller to comply with the employee's request for access to the personal data stored in the company, ordered the controller to bring its processing operations into compliance with Art. 32 GDPR within sixty (60) days of notification of the decision, imposed an obligation to adapt its internal regulation, specifically regarding the use of business computers and internet browsing, to the GDPR, imposed a fine in the amount of € 10.000 and ordered Cavauto srl. to communicate the proposed changes in view of compliance with the GDPR. The Italian DPA did not decide whether personal data acquired in violation of the GDPR and national law can be used in a civil proceeding in which the rightfulness of the dismissal of an employee is discussed.<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.<br />
<br />
<pre><br />
Order injunction against Cavauto s.r.l. - 26 March 2020<br />
<br />
Register of measures<br />
No 65 of 26 March 2020<br />
<br />
THE DATA PROTECTION SUPERVISOR<br />
<br />
At today's meeting, in the presence of Dr. Antonello Soro, President, Dr. Augusta Iannini, Vice President, Dr. Giovanna Bianchi Clerici and Prof. Licia Califano, members, and Dr. Giuseppe Busia, Secretary General;<br />
<br />
HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter 'the Regulation');<br />
<br />
HAVING REGARD to the Personal Data Protection Code, laying down provisions for the adaptation of national law to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (Legislative Decree No 196 of 30 June 2003, as amended by Legislative Decree No 101 of 10 August 2018, hereinafter 'the Code');<br />
<br />
HAVING REGARD to the "Guidelines for electronic mail and internet", adopted by measure no. 13 of 1 March 2007 (published in the Official Journal of 10 March 2007, no. 58);<br />
<br />
HAVING REGARD to the complaint submitted to the Guarantor pursuant to Article 77 of Regulation XX concerning the processing of personal data relating to the data subject carried out by Cavauto s.r.l.;<br />
<br />
EXAMINED the documentation in deeds;<br />
<br />
HAVING REGARD to the observations made by the Secretary-General pursuant to Article 15 of the Garante Regulation No 1/2000;<br />
<br />
REPORTER Dr. Antonello Soro;<br />
<br />
PRESENTED<br />
<br />
1. The complaint against the company and the investigation activity.<br />
<br />
1.1 By complaint of 24 July 2018 Ms XX (represented and defended by lawyer XX) asked the Authority to order the blocking or prohibition of the processing of personal data, considered unlawful, carried out by Cavauto s.r.l. (hereinafter: the company) through access to the browsing history and other data collected during the employment relationship also through the company's pc, subsequently used in a disciplinary procedure against the complainant concluded with the dismissal (see disciplinary complaint of 29.5.2018 and dismissal letter of 5.6.2018, attached to the complaint). The complaint also asks that the company be enjoined to satisfy 'the right of access [...] to [...] the computer supplied until the date of termination of employment in order to identify and obtain the deletion of files containing personal data [...]; the electronic mail file of the address customercare@cavauto.com in order to identify and obtain the deletion of emails containing personal content [...]; to the company's premises in order to obtain the recovery of all personal documents stored in paper form in the desk and chest of drawers used by the company; to the pages of the personal diary retained by the company in order to identify and obtain the destruction of personal content' (see complaint cited above, p. 6-7).<br />
<br />
According to the complainant, these processing operations ˗ and, in particular, access to the PC provided "for exclusive use [...] and provided with a password" for the performance of one's duties, also containing data "of a personal and family nature" ˗ would have taken place "without [the complainant] being notified or even present" (see complaint cit., p. 3). Moreover, the company would not have informed the interested party about "the prohibition to use the company's PC and internet for non-work purposes" or to consult "the personal e-mail that it used also for work reasons", nor about the possibility for the employer to carry out checks, specifying the type, on the correct use of company tools.<br />
<br />
1.2. The company, in response to the request for elements (dated 24.9.2018) made by the Office, stated that:<br />
<br />
a. the "PC assigned to the former employee [...] had a single but corporate password, so as to allow access only to the [complainant] and, if necessary, to Mr XX, as direct superior";<br />
<br />
b. access to the complainant's PC 'limited itself [...] to collecting the history of the sites visited by the employee and did not extend to other data, neither to the custody@cavauto account nor to the personal gmail account';<br />
<br />
c. access to the PC was carried out 'in the context of defensive investigations, [...] by Mr XX, the company's legal representative, in the presence of the company's external technician [...]';<br />
<br />
d. the PC used by the complainant 'was using the Google Chrome browser which records browsing data history, as there is no company server on which such data is recorded [...]';<br />
<br />
e. the company "provided oral and written information at the time of the assignment of the work tools which was subsequently made known through the publication of the internal rules on the use of electronic tools on the virtual notice board available on the company intranet";<br />
<br />
f. 'for defensive purposes, the [complainant's] request for access to the PC and the data contained therein could not be granted, since the electronic tool was sealed after inspection by the legal representative [...] and is no longer in use, since it constitutes a source of evidence in court'.<br />
<br />
1.3. With reply notes of 19 December 2018 and 1 March 2019 the complainant reiterated the requests already made to the Authority, representing ˗ among other things ˗ that "the use [...] of the company pc has always been in compliance with the directives received and any use other than strictly working has always been [...] known and tolerated" as it has not affected the working performance (note 19.12.2018, p. 3). Furthermore, he complained that the regulation referred to by the company, concerning the use of the company's instruments and possible controls, has a date (21.5.2018) subsequent to the date on which the complainant's computer was accessed (16.5.2018) (note 1.3.2019, p. 4-5).<br />
<br />
1.4. On 17 May 2019, pursuant to Article 166, paragraph 5, of the Code, the Office notified the company of the alleged violations of the Regulation found. By note of 16 June 2019 the company, represented and defended by lawyers XX and XX, represented that:<br />
<br />
a. the attribution to the (former) employee of a password to access the PC shared with the legal representative was assessed as an "appropriate" measure, both because "no personal data should have been transmitted, stored or otherwise processed through the company PC, as required by company practice, by the instructions given at the time of hiring and by company policies prohibiting the use of electronic work tools for private purposes" and because the employee had not been assigned a "personal company" account (note 16.6.2019, p. 2);<br />
<br />
b. 'oral and written information was provided at the time of the assignment of the work tools, which was subsequently made known through the publication of the internal rules [...] on the virtual notice board available on the company intranet' (note cit., p. 2);<br />
<br />
c. 'a mere listing of websites cannot be considered 'personal data''. (footnote cit., p. 3);<br />
<br />
d. 'even if the legal basis for the processing [...] must be found in the 'pursuit of a legitimate interest' of the data controller in accordance with Article 6.1(f) and recital 47 of the Regulation' (footnote cit., p. 3);<br />
<br />
e. in response to the requests for access made by the complainant, the company, in accordance with the provisions of the regulation, handed over a USB key and the diary, even though it was deprived of some pages, while in relation to all the data present in the PC and the pages removed from the diary "it was not able to comply with such requests for "defensive" reasons", in accordance with the provisions of Article 6.1 letter f) and recital 47 of the Regulation" (note cit., p. 3). 2-undecies, letter e) of the Code; in fact, at the time of the presentation of the request "a dispute between the parties was already underway" which then resulted in the appeal against the dismissal; the existence of "conditions which legitimized a partial limitation of the right of access" was communicated, in accordance with the provisions of Art. 2-undecies, para 3, of the Code, with a note of the company's attorney dated 10 July 2018 (note cit, p. 5);<br />
<br />
f. the rules in force with regard to remote control are not applicable, either because 'mere knowledge of internet traffic [...] does not constitute 'personal data'' or because 'in the present case [...] control [...] is 'defensive' [...] outside the scope of the applicability of Article 4 of the Workers' Statute' (footnote cit., p. 5-6).<br />
<br />
1.5. During the hearing requested by the company and held on 24 July 2019, the legal representative pointed out that the conduct deemed "incorrect" by the employee occurred in contrast with the provisions (also) of the Internal Company Regulations dated 17 October 2017, provided in copy. The company also considered that it had acted legitimately in its control activities also on the basis of what was published on a website linked to a specialized newspaper (Il Sole 24 Ore, 29.5.2018, "Employees' PCs are controllable").<br />
<br />
2. The outcome of the investigation.<br />
<br />
As a result of the examination of the statements made to the Authority during the proceedings as well as the documentation acquired, it appears that the company, in its capacity as owner, has carried out some processing operations of personal data relating to the complainant - in a period of time immediately prior and immediately subsequent to the application in national law, as of 25 May 2018, of Regulation (EU) 2016/679 - which do not comply with the rules on the protection of personal data, as described below.<br />
<br />
2.1. Provided that, unless the act constitutes a more serious offence, whoever, in proceedings before the Guarantor, falsely declares or certifies news or circumstances or produces false acts or documents is liable under Article 168 of the Code "False statements to the Guarantor and interruption of the performance of the duties or exercise of the powers of the Guarantor", on the merits it emerged that the company, in the person of the legal representative, on 16 May 2018 (as attested by the same owner in the disciplinary challenge of 29.5.2018) accessed the PC provided in use to the complainant by extracting the history of Internet access made available by Google Chrome. Access by the employer was allowed by sharing the access password between the complainant and the legal representative of the company. There is no evidence at this stage that the company has decided to change the described password management practice.<br />
Such sharing is in contrast with the obligation to adopt security measures aimed at ensuring "a minimum level of protection of personal data" (see art. 33 of Legislative Decree no. 196 of 30.6.2003, Personal Data Protection Code, text in force at the time of the facts).<br />
<br />
In fact, in the context of computer authentication systems, the authentication credentials assigned to the persons in charge consist, at least, of an identification code associated with a password ("keyword") known exclusively to the person concerned. Instead of the password, having regard to the concrete nature of the information contained in the system, devices may be placed at the exclusive disposal of the person concerned (see what has already been established in the Technical Regulations on minimum security measures, rules 1-11, Annex B of the Code, text prior to the amendments made by Legislative Decree no. 101/2018).<br />
<br />
This principle has been incorporated in art. 32 of the Regulation, according to which the data controller, in order to guarantee the confidentiality and integrity of computer systems, must adopt "adequate technical and organizational measures to ensure a level of security appropriate to the risk". Moreover, according to art. 5, par. 1, letter f) of the Regulation, the data controller must guarantee "adequate security of personal data" by applying the principles of "integrity and confidentiality" to the processing carried out.<br />
<br />
2.2. It also appears that access to the PC assigned to the complainant, in the absence of the same, took place without the data subject having been provided with adequate information. In fact, the individual information, signed by the complainant on 14.10.2016, does not contain any indication on the use of electronic mail, internet access and other work tools, nor on the type of controls that the employer reserves the right to activate.<br />
<br />
With regard to the alleged information that, by admission of the same complainant (see letter of 4th June, 2018 in deeds), it would appear to have been given informally, no proof has been provided by the company that it was exhaustive and, in any case, in compliance with the most factual criteria expressed by the jurisprudence of the Guarantor (see for all measures containing the "Guidelines of the Guarantor by e-mail and Internet", adopted by the Authority on 1st March, 2007 and published in the Official Gazette No. 58 of 10th March, 2007). On the other hand, it is noted that the documents containing the "Internal Regulations" relative (also) to the use of the work instruments adopted by the Company, both in the version dated 17.10.2017 (delivered to the Authority only on 24.7.2019) and in the version dated 21.5.2018 (subsequent, in any case, to the facts subject to complaint), are without subscription and without elements suitable to indicate the certain date.<br />
<br />
This being the case, in any case, the provision contained in the text of the aforesaid regulation in relation to the controls that can be activated on Internet browsing ("Internet browsing is prohibited for reasons other than those functional to the work activity itself; for the protection of the company's assets, Internet connections will be regularly checked on each client in compliance with privacy regulations"), where it seems to provide for "regular" checks (without specifying the modalities) on Internet connections does not appear to comply with the principles of lawfulness and proportionality (see art. 5, par. 1, lett. a) and c), of the Regulation; see also "Guidelines for e-mail and internet", cited in the introduction, points 5.2. and 6.1.).<br />
<br />
The data controller, therefore, has not complied with the obligation to provide the data subject with prior information on the essential characteristics of the processing carried out (see art. 13 of the Code, text in force at the time of access to the complainant's PC; the obligation to provide information to the data subject is, under current legislation, established by art. 13 of the Regulation). In the context of the employment relationship, the obligation to inform the employee is also an expression of the general principle of correctness of treatment (see 11, paragraph 1, letter a) of the Code, text in force at the time of access to the complainant's PC; this principle has been incorporated in art. 5, paragraph 1, letter a) of the Regulation; see European Court of Human Rights, Grand Chamber, case of Bărbulescu v. Romania, Application no. 61496/08, 5 September 2017, spec. no. 140). The provisions laid down in Article 6 of the Regulation concerning the criteria for entitlement are also infringed.<br />
<br />
2.3. The data controller responded only partially to the access requests submitted by the complainant (on 4 and 12 July 2018), rejecting access to the data contained in the PC with the exception of those transferred to a USB key and to some pages of the diary used by the complainant removed before delivery, as well as the request to verify the existence of further personal documents within the room assigned to the complainant.<br />
<br />
The limitations to the exercise of the rights, including the right of access, were regulated, pursuant to art. 23 of the Regulations, by art. 2-undecies of the Code which came into force after the submission of the request and the feedback note by the data controller. However, in application of general principles and in accordance with the provisions of the previous Code, on the basis of the above mentioned rule in force, the right of access may be limited by the data controller only in the presence of one of the specific conditions indicated and provided that reasons are given to the data subject. In the case in point, in rejecting the request for access, no specific reasons have been indicated for the protection of the rights referred to the data in question. In fact, with the note of 10.7.2018 (Annex 5, company note of 26.10.2018), it was communicated to the complainant that on the company computer and on the mailbox "there should not be "files containing personal data, saved in the memory of the computer itself, and internet history related to [...] private life"" and that "the personal assets of the worker [...] if they have not all been returned". Nothing, therefore, has been represented with regard to any postponement or limitation or exclusion of the right of access claimed against the holder.<br />
<br />
3. Conclusion: unlawfulness of the processing. Corrective measures pursuant to Article 58(2) of the Regulation.<br />
<br />
For the above reasons, the processing of personal data carried out by the company is certainly unlawful under Articles 5 and 6 of the Regulation, and also constitutes a violation of Article 4 of Law no. 300/1970 as amended by Legislative Decree no. 151/2015. Further profiles of illegality have been ascertained in relation to the violation of security measures, regulated at the time of the facts by Article 33 of the Code in force at the time of access to the complainant's PC. Considering also that the company has not changed its policy in this regard, Article 32 of the Regulation is applicable in this regard. The processing also took place in violation of Article 13 of the Code in force at the time of access to the complainant's PC in the terms set out above. Considering also that the company has not modified its information documents on this point, Article 13 of the Regulation is applicable in this regard. The unsuitable and partial response provided to the request for access in relation to art. 23 of the Regulation was also unlawful.<br />
<br />
On the other hand, it is not necessary to make an assessment of the legitimacy of the allegedly "defensive" control carried out by the company after the complainant's failure to comply with its official duties, as this issue may, if anything, be subject to examination by the judicial authorities.<br />
<br />
In light of the above, given the corrective powers granted by Article 58, paragraph 2 of the Regulation, in the light of the circumstances of the specific case:<br />
<br />
- the prohibition of further processing of data extracted from the Internet history (art. 58, par. 2, letter f) of the Regulation), without prejudice to their preservation for the exclusive purpose of protecting rights in court - in relation to the case pending before the ordinary judicial authorities - taking into account that, pursuant to art. 160-bis of the Code, "The validity, effectiveness and usability in court proceedings of acts, documents and measures based on the processing of personal data not in compliance with provisions of law or Regulation remain governed by the relevant procedural provisions";<br />
<br />
- the company is enjoined to comply with the request for access to the complainant's data (art. 58, par. 2, letter c) Regulations) contained in the company's PC as well as to the other personal data currently held (including, if necessary, in the mail account customercare@cavauto.com, even if the address is not individualized), with particular reference to the agenda pages retained by the company at the time of return and to any data contained in further documents if necessary present in the spaces and furnishings assigned to the employee (see reply note of the complainant 1.3.2019);<br />
<br />
- the company is ordered to comply with the provisions of art. 32 of the Regulation on security measures (art. 58, par. 2, letter d) Regulation);<br />
<br />
- the company is required to comply with the Regulation, also with reference to the provisions of the internal regulations, providing for measures aimed at preventing the risk of improper or promiscuous use of PCs and company systems, also with reference to employees' Internet browsing, in any case refraining from excessively general provisions relating to the methods of controls;<br />
<br />
- in addition to the corrective measures, a pecuniary administrative sanction pursuant to art. 83 of the Regulation, commensurate with the circumstances of the specific case (art. 58, par. 2, letter i) Regulation).<br />
<br />
4. Order for an injunction.<br />
<br />
Pursuant to art. 58(2)(i) of the Regulation and art. 166(3) and (7) of the Code, the Guarantor shall order the application of the pecuniary administrative sanction provided for in art. 83(5)(a) of the Regulation, through the adoption of an injunction order (art. 18, Law no. 689 of 24.11.1981), in relation to the processing of personal data relating to the complainant carried out by the company through the methods of access to the history of Internet browsing, as well as through the unsuitable and partial response provided to the request for access, in the terms set out above, in relation to Articles 5, 6, 13, 32 and 88 of the Regulation, the outcome of the procedure referred to in Article 166, paragraph 5 conducted in contradictory manner with the owner of the treatment (see point 1.4. and 1.5. above).<br />
<br />
Considered that paragraph 3 of Article 83 of the Regulation should be applied where it provides that "If, in relation to the same processing or related processing, a data controller [...] violates, intentionally or negligently, various provisions of this Regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation", considering that the established violations of Article 5 of the Regulation are to be considered more serious, since they relate to the non-observance of several principles of a general nature applicable to the processing of personal data, the total amount of the sanction is calculated so as not to exceed the maximum amount specified for the aforementioned violation. Consequently, the sanction provided for in Article 83(5)(a) and (c) of the Regulation, which sets the maximum amount at 20 million euros or, for companies, 4% of the annual worldwide turnover of the previous year, whichever is higher, is applied.<br />
<br />
With reference to the elements listed in Article 83(2) of the Regulation for the purposes of the application of the pecuniary administrative sanction and the related quantification, taking into account that the sanction must "in any case [be] effective, proportionate and dissuasive" (Article 83(1) of the Regulation), it is represented that, in the present case, the following circumstances have been considered:<br />
<br />
a) in relation to the nature, seriousness and duration of the violation, the nature of the violation was considered relevant and concerned the general principles of the processing; the violations also concerned the provisions on the exercise of rights, on security measures, on the legal basis of the processing and on information;<br />
<br />
(b) with regard to the intentional or negligent nature of the breach and the degree of liability of the data controller, the negligent conduct of the company and the degree of liability of the company which failed to comply with data protection rules in relation to a number of provisions was taken into account;<br />
<br />
c) the company has overall and actively cooperated with the Authority during the proceedings;<br />
<br />
e) the absence of specific precedents (relating to the same type of processing) charged to the company.<br />
<br />
It is also considered that the principles of effectiveness, proportionality and dissuasiveness to which the Authority must adhere when determining the amount of the sanction (Article 83, paragraph 1, of the Regulation) are relevant in the case in point, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness, first of all the economic conditions of the offender, determined on the basis of the revenues achieved by the company with reference to the financial statements for the year 2018. It is also deemed necessary to take into account all the corrective measures actually adopted against the company. Lastly, account is taken of the administrative sanctions imposed under the previous regime for the corresponding administrative offences and the extent of the penalties imposed in similar cases.<br />
<br />
In the light of the above elements and the assessments made, it is considered that, in the case in point, an administrative penalty of EUR 10,000.00 (ten thousand) should be applied to Cavauto s.r.l..<br />
<br />
In this context it is also considered, in consideration of the nature and seriousness of the violations ascertained, that pursuant to Article 166, paragraph 7, of the Code and Article 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, this measure should be published on the website of the Guarantor.<br />
<br />
It is also considered that the conditions set forth in Article 17 of Regulation No. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.<br />
<br />
It should be noted that, pursuant to article 170 of the Code, anyone who, being required to do so, fails to comply with this prohibition measure shall be punished by imprisonment from three months to two years; in any case, the sanction set forth in article 83, paragraph 5, letter e) of the Regulation may be applied at administrative level.<br />
<br />
ALL THIS BEING SAID, THE GUARANTOR<br />
<br />
pursuant to Articles 57(1)(f) and 58(2)(c), (d), (f) and (i) of the Regulation:<br />
<br />
1. orders Cavauto s.r.l. to limit the processing of data extracted from the Internet history (art. 58, par. 2, letter f) of the Regulation) to the sole storage for the sole purpose of protecting rights in court, within the limits of art. 160-bis of the Code;<br />
<br />
2. orders Cavauto s.r.l. to comply with the request for access to the data contained in the company's PC as well as other personal data currently held, with particular reference to the agenda pages retained by the company at the time of return (art. 58, par. 2, letter c) Regulations);<br />
<br />
3. orders Cavauto s.r.l. to comply with the provisions of art. 32 of the Regulation on security measures, within 60 days of receipt of this measure (art. 58, par. 2, letter d) Regulation);<br />
<br />
4. orders Cavauto s.r.l. to conform its internal policy to the Regulation by providing for measures aimed at preventing the risk of improper or promiscuous use of PCs and company systems, also with reference to employees' Internet browsing, within 60 days of receipt of this measure (art. 58, par. 2, letter d) Regulation);<br />
<br />
5. inflicts on Cavauto s.r.l., in addition to the corrective measures, the pecuniary administrative sanction provided for by art. 83, par. 5, letter a) of the Regulation, ordering and at the same time enjoining the aforesaid offender to pay the sum of € 10,000.00 (ten thousand) according to the methods indicated in the attachment, within 30 days from the notification of this measure, under penalty of the adoption of the consequent executive acts in accordance with art. 27 of Law no. 689/1981; this without prejudice to Cavauto s.r.l.'s right to settle the dispute by paying an amount equal to half of the penalty imposed within 30 days from the date of notification of this measure, pursuant to art. 166, paragraph 8 of the Code;<br />
<br />
6. orders, pursuant to art. 166, paragraph 7, of the Code, the publication of this measure/injunction on the website of the Guarantor;<br />
<br />
7. considers that the conditions set out in Article 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met;<br />
<br />
8. requests Cavauto s.r.l. to communicate what initiatives have been undertaken in order to implement the provisions of this measure and to provide adequately documented feedback pursuant to art. 157 of the Code, within 90 days from the date of notification of this measure; failure to do so may result in the application of the administrative penalty provided for in art. 83, paragraph 5, letter e) of the Regulation.<br />
<br />
Pursuant to Article 78 of the Regulation, as well as Articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to this measure may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller resides, within thirty days from the date of notification of the measure itself, or sixty days if the claimant resides abroad.<br />
<br />
Rome, 26 March 2020<br />
<br />
THE PRESIDENT<br />
Soro<br />
<br />
THE REPORTER<br />
Soro<br />
<br />
THE SECRETARY GENERAL<br />
Busia<br />
</pre></div>MLhttps://gdprhub.eu/index.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_9445796&diff=11177Garante per la protezione dei dati personali (Italy) - 94457962020-08-21T11:43:14Z<p>ML: Created page with "{{DPAdecisionBOX |Jurisdiction=Italy |DPA-BG-Color=background-color:#095d7e; |DPAlogo=LogoIT.png |DPA_Abbrevation=Garante per la protezione dei dati personali |DPA_With_Count..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Italy<br />
|DPA-BG-Color=background-color:#095d7e;<br />
|DPAlogo=LogoIT.png<br />
|DPA_Abbrevation=Garante per la protezione dei dati personali<br />
|DPA_With_Country=Garante per la protezione dei dati personali (Italy)<br />
<br />
|Case_Number_Name=9445796<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Autorità Garante per la Protezione dei Dati Personali<br />
|Original_Source_Link_1=https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9445796<br />
|Original_Source_Language_1=Italian<br />
|Original_Source_Language__Code_1=IT<br />
<br />
|Type=Other<br />
|Outcome=<br />
|Date_Decided=<br />
|Date_Published=<br />
|Year=<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 5(1)(b) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1b<br />
|GDPR_Article_2=Article 5(1)(c) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#1c<br />
<br />
<br />
<br />
|Party_Name_1=Municipality Campi Bisenzio / Responsible for transparency of the Italian municipality Campi Bisenzio<br />
|Party_Link_1=<br />
|Party_Name_2=Executive personnel and directors of Italian municipalities <br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
At the request of the official responsible for transparency in the Italian municipality of Campi Bisenzio regarding access to details of the performance evaluation of executive personnel and directors in that municipality, the Italian Data Protection Authority (Autorità garante per la protezione dei dati personali) stated in its opinion of 29 July 2020, consistently with its previous decisions and opinions, that even after a formal request the municipality is not obliged to publish information on the detailed assignment of points in the analysis of organizational behavior, in accordance with the principles set out in Article 5(1)(b) and (e).<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Generally speaking, Italian law states that anyone can request access to public information. This right of access is only limited by the protection of other legally important interests. A first application for civic access to detailed information about the assignment of points for organizational behavior in the performance evaluation, brought forward by a resident, was dismissed by the public administration. Before the denial, the municipality's official responsible for transparency contacted the Italian DPA and requested its opinion on the publication of detailed information regarding the organizational behavior of executive personnel and directors in the local municipality. This information, which is based on detailed personal data, was gathered to evaluate their performance and attribute a corresponding performance bonus, the amount of which was published according to national law.<br />
<br />
=== Dispute ===<br />
Does the public have the right to access the detailed evaluation of organizational behavior of executive personnel and directors of public institutions on the basis of which performance bonuses are paid?<br />
<br />
=== Holding ===<br />
The publication of information regarding the assignment of points in an evaluation of the organizational behavior of directors and executive personnel of an Italian municipality may cause an “unjustified and disproportional interference with their rights and liberty”. It could, furthermore, lead to damage on a “professional, personal, social and relational” level. In addition, it was considered that the data subjects relied on a certain confidentiality regarding the processing of their personal data, being completely ignorant about the fact that these analyses could be published after an application for civic access. Such detailed personal information exceeds the duty of transparency as provided for in national law. By recalling the fundamental principles of the GDPR mentioned in Article 5, namely the limitation of purpose and the minimization of data, as well as the national legislation (d.lgs. 33/2013), which obliges the community to publish the compound emoluments received by the directors and executive personnel as well as general data regarding the evaluation of performance and the corresponding distribution of bonuses, the national Authority states that further details must not be published.<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.<br />
<br />
<pre><br />
Opinion on request for civic access - 29 July 2020<br />
<br />
Register of measures<br />
No 147 of 29 July 2020<br />
<br />
THE DATA PROTECTION SUPERVISOR<br />
<br />
At today's meeting, which was attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice-President, Dr. Agostino Ghiglia and Mr. Guido Scorza, members and Mr. Giuseppe Busia, Secretary General;<br />
<br />
HAVING REGARD TO Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, 'General Data Protection Regulation' (hereinafter 'GDPR');<br />
<br />
Having regard to Article 154(1)(g) of the Personal Data Protection Code - Legislative Decree No 196 of 30 June 2003 (hereinafter 'the Code');<br />
<br />
Having regard to Article 5, paragraph 7, of Legislative Decree no. 33 of 14 March 2013 on "Reorganization of the rules concerning the right of civic access and the obligations of publicity, transparency and dissemination of information by public administrations";<br />
<br />
Having regard to Determination no. 1309 of 28/12/2016 of the National Anti-Corruption Authority (ANAC), adopted in agreement with the Guarantor, entitled "Guidelines containing operational indications for the purposes of defining exclusions and limits to civic access pursuant to Article 5, paragraph 2, of Legislative Decree no. 33/2013", in the Official Gazette General Series no. 7 of 10/1/2017 and in http://www.anticorruzione.it/portal/public/classic/AttivitaAutorita/AttiDellAutorita/_Atto?ca=6666 (hereinafter "ANAC Guidelines on civic access");<br />
<br />
Having regard to the provision of the Guarantor no. 521 of 15/12/2016, containing the aforementioned "Understanding on the outline of the ANAC Guidelines providing operational indications for the definition of exclusions and limits to civic access", in www.gpdp.it, web document no. 5860807;<br />
<br />
Having regard to the documentation in deeds;<br />
<br />
Having regard to the remarks made by the Secretary General pursuant to Article 15 of the Garante Regulation No. 1/2000;<br />
<br />
Rapporteur: Prof. Ginevra Cerrina Feroni;<br />
<br />
PREMISE<br />
<br />
With the note in deeds, the Head of Transparency of the Municipality of Campi Bisenzio has asked the Guarantor for the opinion provided for by Article 5, paragraph 7, of Legislative Decree no. 33/2013, as part of the proceedings relating to a request for review by a citizen on a measure of denial of its own request for civic access submitted to that municipality.<br />
<br />
The investigation shows that a request for civic access was submitted - pursuant to art. 5, paragraph 2, of Legislative Decree no. 33/2013 - concerning the issue of a copy "of the assessment forms filled out by the Mayor in 2019, relating to the organizational conduct of the Executives/Managers for the year 2018", as well as "final and total scores in percentage, attributed to the Executives/Managers, relating to the result allowance for the year 2018".<br />
<br />
The administration has made the communication to the other interested parties (art. 5, paragraph 5, Legislative Decree no. 33/2013), who objected, highlighting the strictly personal content of the required documentation and the inappropriateness of the relative communication to third parties given the potential dissemination. A counterinterested party also pointed out that the cognitive requirements instrumental to the pursuit of the purposes of civic access, with reference to managers, would already be met by the obligations to publish online the total emoluments received by public finance and the data relating to performance evaluation and distribution of bonuses to personnel (Article 14, paragraph 1-ter; and 20, of Legislative Decree no. 33/2013).<br />
<br />
The Municipality granted partial access, allowing the display of the "part concerning final and total scores" (providing the link to the institutional website on which these data were published), but instead denied access to the "copy of the evaluation form filled in by the Mayor in 2019, on the organisational behaviour of the Managers for the year 2018", as "all the counter-interested parties have communicated their opposition to the [...] request, given the purely personal content of the evaluation forms in question, of which it was not considered appropriate for it to be made known to third parties and, potentially, even disseminated".<br />
<br />
The applicant for civic access subsequently submitted a request for review to the person in charge of transparency of the partial acceptance measure (art. 5, paragraph 7, of Legislative Decree no. 33/2013), considering it not legitimate and insisting in his requests.<br />
<br />
OBSERVES<br />
<br />
1. Introduction<br />
<br />
The issue submitted to the attention of the Guarantor concerns the display, through the institution of civic access, of the scores attributed to the Managers and/or Directors of the Municipality, relating to the result indemnity for the year 2018, as well as a copy of the individual evaluation forms referred to them "relating to organisational behaviour". The records show that the scores were provided, but civic access to the evaluation forms was denied.<br />
<br />
In this regard, it should be noted that, in accordance with industry regulations, "anyone has the right to access data and documents held by public administrations, in addition to those that are subject to publication under this decree, in compliance with the limits relating to the protection of legally relevant interests in accordance with Article 5-bis" (Article 5, paragraph 2, Legislative Decree no. 33/2013).<br />
<br />
In relation to the profiles of competence of this Authority, it should be noted that the cited Article 5-bis provides that civic access must be refused, among other things, "if the refusal is necessary to avoid a concrete prejudice to the protection [of] personal data, in accordance with the legislative discipline on the subject" (paragraph 2, letter a). Personal data means 'any information relating to an identified or identifiable natural person ('data subject')' and 'identifiable' means 'the natural person who can be identified, directly or indirectly, by reference in particular to an identifier such as name, an identification number, location data, an online identifier or to one or more factors characteristic of his physical, physiological, genetic, mental, economic, cultural or social identity' (Article 4(1) GDPR).<br />
<br />
That being said, it must be borne in mind that among the assessments to be made with regard to the possible display of personal data (or documents containing them) through the institution of civic access must be taken into account that - unlike the documents to which access has been given under Law No. 241 of 7/8/1990 - the data and documents received as a result of a request for civic access become "public and anyone has the right to know them, to use them free of charge, and to use and re-use them in accordance with Article 7", although their further processing must in any case be carried out in compliance with the limits deriving from the legislation on the protection of personal data (Article 3, paragraph 1, of Legislative Decree no. 33/2013). Consequently, it is also in the light of this amplified publicity regime that the existence of a possible concrete prejudice to the protection of the personal data of the subjects against whom the data is processed must be assessed, on the basis of which to decide whether or not to refuse access to the data, information or documents requested.<br />
<br />
Moreover, it is necessary to respect, in any case, the principles of the GDPR of "purpose limitation" and "data minimisation", according to which personal data must be "collected for specified, explicit and legitimate purposes and subsequently processed in a way that is not incompatible with those purposes", as well as "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (art. 5, par. 1, letter b and c).<br />
<br />
With particular reference to the case in question, it should be recalled that the State legislation on transparency already provides for specific obligations to publish on the institutional websites of public administrations data and information relating to the "organization" and "activity of public administrations", sanctioning, among other things, the disclosure of the total emoluments received from public finance by managers and the data relating to the performance evaluation and distribution of bonuses (see Articles 14, paragraph 1-ter and 20 of Legislative Decree no. 33/2013).<br />
<br />
In this context, it is considered that, without prejudice to the aforementioned publication obligations, the Municipality of Campi Bisenzio - in accordance with the regulations in force and the indications contained in the ANAC Guidelines on civic access, in accordance with the previous guidelines of this Authority - has correctly rejected civic access to the "copy of the assessment forms completed by the Mayor in 2019, relating to the organizational conduct of the Managers / Directors for the year 2018". (See opinions contained in the following measures: No 421 of 11/7/2018, www.gpdp.it, web doc. No 9037343; No 142 of 8/3/2018, ivi, web doc. No 8684742; No 574 of 29/12/2017, ivi, web doc. 7658152. See also further opinions on the subject of civic access to economic and career progression assessments and assessments of workers: n. 466 of 11/10/2018, ivi, web doc. n. 9063969; n. 421 of 11/7/2018, ivi, web doc. n. 9037343; n. 142 of 8/3/2018, ivi, web doc. n. 8684742; n. 574 of 29/12/2017, ivi, web doc. n. 7658152).<br />
<br />
This is because the disclosure in question, also considering the particular regime of publicity of the data and information received through the institution of civic access (see art. 3, paragraph 1, Legislative Decree no. 33/2013), could determine an unjustified and disproportionate interference in the rights and freedoms of the executives involved, causing the latter precisely that concrete prejudice to the protection of personal data provided for by art. 5-bis, paragraph 2, letter a), of Legislative Decree no. 33/2013.<br />
<br />
In fact, taking into account the type and nature of personal data and information, including detailed information, contained in the evaluation forms referred to the individual managers of the Municipality, a possible acceptance of civic access could have negative repercussions on the professional, personal, social and relational level, both inside and outside the working environment of the latter, exposing them to possible relational difficulties with colleagues and creating potential prejudices from external users with whom they could come into contact in the exercise of their functions. It is also necessary to take into account the reasonable expectations of confidentiality of the other parties involved in relation to the processing of their personal data at the time the data were collected by the Municipality, as well as the unpredictability, at the time the data were collected, of the consequences deriving from the possible knowledge by anyone of the data requested through civic access (see par. 8.1 of the ANAC Guidelines on civic access, cit.).<br />
<br />
In any case, the possibility remains that the personal data for which civic access has been denied may be disclosed where the applicant, possibly reformulating the request in accordance with the different rules on access to administrative documents (Articles 22 et seq. of Law No. 241 of 7/8/1990), gives reasons in the request for the existence of a "qualified" interest and the administration deems there to exist, in the light of what is reported by the applicant, "a direct, concrete and current interest, corresponding to a situation legally protected and connected to the document to which access is requested", which may otherwise allow the disclosure of the requested documentation.<br />
<br />
ALL THIS BEING SAID, THE GUARANTOR<br />
<br />
expresses an opinion in the above terms on the request of the Transparency Manager of the Municipality of Campi Bisenzio, pursuant to art. 5, paragraph 7, of Legislative Decree no. 33/2013.<br />
<br />
Rome, 29 July 2020<br />
<br />
THE PRESIDENT<br />
Stanzione<br />
<br />
THE REPORTER<br />
Cerrina Feroni<br />
<br />
THE SECRETARY GENERAL<br />
Busia<br />
<br />
</pre></div>MLhttps://gdprhub.eu/index.php?title=Datatilsynet_(Denmark)_-_2018-423-0018&diff=11176Datatilsynet (Denmark) - 2018-423-00182020-08-21T11:18:57Z<p>ML: Created page with "{{DPAdecisionBOX |Jurisdiction=Denmark |DPA-BG-Color= |DPAlogo=LogoDK.png |DPA_Abbrevation=Datatilsynet |DPA_With_Country=Datatilsynet (Denmark) |Case_Number_Name=2018-423-0..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Denmark<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoDK.png<br />
|DPA_Abbrevation=Datatilsynet<br />
|DPA_With_Country=Datatilsynet (Denmark)<br />
<br />
|Case_Number_Name=2018-423-0018<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Datatilsynet<br />
|Original_Source_Link_1=https://www.datatilsynet.dk/tilsyn-og-afgoerelser/afgoerelser/2020/aug/tilsyn-med-udarbejdelse-af-fortegnelser-i-varde-kommune<br />
|Original_Source_Language_1=Danish<br />
|Original_Source_Language__Code_1=DA<br />
<br />
|Type=Investigation<br />
|Outcome=Other Outcome<br />
|Date_Decided=<br />
|Date_Published=10.08.2020<br />
|Year=<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 5(1) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1<br />
|GDPR_Article_2=Article 24(2) GDPR<br />
|GDPR_Article_Link_2=Article 24 GDPR#2<br />
|GDPR_Article_3=Article 26 GDPR<br />
|GDPR_Article_Link_3=Article 26 GDPR<br />
|GDPR_Article_4=Article 30 GDPR<br />
|GDPR_Article_Link_4=Article 30 GDPR<br />
|GDPR_Article_5=Article 30(1) GDPR<br />
|GDPR_Article_Link_5=Article 30 GDPR#1<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
In August 2020, the Danish Data Protection Authority completed a planned inspection at Varde Municipality. The audit focused on the municipality's compliance with the requirement to keep records of processing activities, including in particular whether the municipality's records could be used for the purposes on which the requirement to keep records is based.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The audit focused on the municipality's compliance with the requirement to keep records of processing activities, including in particular whether the municipality's records could be used for the purposes on which the requirement to keep records is based.<br />
<br />
=== Dispute ===<br />
The Danish Data Protection Authority found reason to conclude that certain sections of the municipality's directories raised some challenges in relation to the underlying purposes of maintaining directories.<br />
After a review of the submitted lists, it was not clear to the Danish Data Protection Authority which categories of personal data Varde Municipality processes about the individual categories of data subjects. <br />
<br />
=== Holding ===<br />
The Danish Data Protection Authority informed Varde Municipality that an employee who has been assigned an internal responsibility for the processing of personal data is not considered a joint data controller in accordance with the rules in the GDPR.<br />
A list - if personal data is or will be passed on - must contain information about which categories of personal data are or will be passed on to the recipient in question. It must also be stated which categories of data subjects the information in question relates to. The lists should be prepared in such a way that the requested information can be clearly deduced directly from the lists.<br />
<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.<br />
<br />
<pre><br />
Supervision of preparation of lists in Varde Municipality<br />
Published 10-08-2020<br />
Decision Public authorities<br />
<br />
Journal number: 2018-423-0018<br />
Summary<br />
<br />
In August 2020, the Danish Data Protection Authority completed a planned inspection at Varde Municipality. The audit focused on the municipality's compliance with the requirement to keep records of processing activities, including in particular whether the municipality's records could be used for the purposes on which the requirement to keep records is based.<br />
<br />
Following the audit of Varde Municipality, the Danish Data Protection Authority found reason to conclude that certain sections of the municipality's directories raised some challenges in relation to the underlying purposes of maintaining directories.<br />
<br />
On the basis of the overall experience from the three completed inspections regarding the preparation of lists, the Danish Data Protection Authority has found reason to update the guidelines on lists from January 2018.<br />
<br />
You can read the Danish Data Protection Agency's guide on listing here.<br />
<br />
Decision<br />
<br />
Varde Municipality was among the authorities that the Danish Data Protection Authority in autumn 2018 had chosen to supervise in accordance with the General Data Protection Regulation [1] and the Data Protection Act [2].<br />
<br />
The Data Inspectorate's planned inspection of Varde Municipality focused on the municipality's compliance with the requirement to keep records of processing activities in accordance with Article 30 GDPR.<br />
<br />
At the request of the Danish Data Protection Agency, Varde Municipality had - before the inspection visit - submitted the municipality's lists to the inspection. The actual inspection visit took place on 24 October 2018.<br />
<br />
The GDPR's requirement to keep records of processing activities is to a large extent related to the Regulation's principle of accountability. This principle requires both the data controller to ensure that the processing of personal data is in accordance with the Regulation and the data controller to be able to demonstrate compliance with the Regulation, in accordance with Article 5 (1) of the Regulation and Article 24 (2). The list must be drawn up in order to demonstrate compliance with the Regulation [3] and must be made available to the Danish Data Protection Agency upon request so that it can be used for supervision in accordance with Article 30 (4).<br />
<br />
One of the Data Inspectorate's focus points for the supervision of Varde Municipality was thus whether the municipality's records could be used for the purposes on which the requirement to keep records of processing activities is based.<br />
<br />
Following the audit of Varde Municipality, the Danish Data Protection Authority finds, in summary, reason to conclude that the preparation of certain sections of the municipality's records raised some challenges in relation to the underlying purposes of keeping records.<br />
<br />
On the basis of the experiences from the inspections concerning the preparation of lists, the Danish Data Protection Authority has therefore found reason to update the guidelines on lists from January 2018 [4].<br />
<br />
1. Shared data responsibility<br />
<br />
Prior to the inspection visit, the Danish Data Protection Authority had noted that Varde Municipality had generally listed named employees in the municipality's registers as being joint data controllers with the municipality for the processing of personal data. When asked about this, Varde Municipality stated that the municipality had stated the names of the heads of the departments / units in which the information is processed.<br />
<br />
Against this background, the Danish Data Protection Authority informed Varde Municipality that an employee who has been assigned an internal responsibility for the processing of personal data is not considered a joint data controller in accordance with the rules in the GDPR. The concept of joint data controller is directed at another / external legal entity, e.g. another municipality with which Varde Municipality shares a data responsibility. In cases where there is a common data responsibility, it is also a requirement under Article 26 GDPR that the parties define in a transparent manner their respective responsibilities for compliance with the obligations in the Regulation.<br />
<br />
Varde Municipality then stated that the municipality would change the lists so that it becomes clearer that this is an internal division of responsibilities and not a joint data responsibility under Article 26 GDPR.<br />
<br />
2. Categories of data subjects and categories of personal data<br />
<br />
Pursuant to Article 30 (1) (c) GDPR, a list must contain a description of the categories of data subjects and the categories of personal data.<br />
<br />
2.1. Categories of registered<br />
<br />
Prior to the inspection visit, the Danish Data Protection Authority had noted that Varde Municipality's lists generally contained a list of the categories of data subjects about which the municipality processes information.<br />
<br />
In some registers, for example, "family members" were listed as categories of registered persons. During the inspection visit, the Danish Data Protection Authority asked in more detail what each of the specified categories covered.<br />
<br />
It was then the Data Inspectorate's opinion that those present could not state this with certainty, but that they could only make a qualified guess as to what the listed categories covered. Varde Municipality referred, however, to the fact that the municipality's employees in the individual areas would be able to explain exactly what the specified categories of registered persons covered.<br />
<br />
The Danish Data Protection Authority therefore stated during the inspection visit that Varde Municipality can advantageously specify several of the specified categories of data subjects in order to ensure that it is not only the municipality's employees in the individual areas who can provide further information about the categories.<br />
<br />
2.2. Categories of personal information<br />
<br />
Prior to the inspection visit, the Danish Data Protection Authority had noted that Varde Municipality's lists generally contain fields in which the municipality could check whether Article 6 information, Article 9 information and Article 10 information are processed in connection with the specific processing activity.<br />
<br />
During the inspection visit, however, the Danish Data Protection Authority was able to establish that neither those present nor the inspection could see from the lists which specific Article 6 information, Article 9 information or Article 10 information the municipality processes in connection with the processing activities in question. When asked about this, Varde Municipality stated, however, that the municipality's employees in the individual areas to which the lists relate would be able to specify the categories of information.<br />
<br />
In this connection, the Danish Data Protection Agency referred to the Authority's (now earlier) guidelines on inventories from January 2018, which state that the data controller must be able to specify which specific types of Article 9 information are processed.<br />
<br />
During the inspection visit, it was therefore discussed that Varde Municipality - in the opinion of the Data Inspectorate - can advantageously prepare its lists in such a way that all categories of personal information are specified in more detail, including to ensure that it is not only the municipality's employees in the individual areas who can provide more information about the categories.<br />
<br />
3. Link between categories of data subjects and categories of information<br />
<br />
After a review of the submitted lists, it was not clear to the Danish Data Protection Authority which categories of personal data Varde Municipality processes about the individual categories of data subjects. For example, the Danish Data Protection Authority could not deduce from the records whether the municipality processes Article 9 information on all of the categories of data subjects listed in the individual directories, or whether this was only the case for some of the specified categories of data subjects.<br />
<br />
When asked about this, Varde Municipality stated that the persons present would not be able to state from the lists which categories of personal data the municipality processes about the individual categories of data subjects, and that this would at best be qualified guesses.<br />
<br />
Against this background, the Danish Data Protection Agency stated during the inspection visit that, in view of the purposes of the record requirement, the Authority's assessment is that a list of processing activities must contain a clear link between which categories of personal data are processed about the individual categories of data subjects. The Danish Data Protection Authority's updated guidance on inventories from August 2020 is in accordance with this.<br />
<br />
4. Categories of recipients to whom the information is or will be passed on<br />
<br />
Pursuant to Article 30 (1) (d) GDPR, a list shall include information on the categories of recipients to whom the personal data is or will be transferred, including recipients in third countries or international organizations.<br />
<br />
Prior to the inspection visit, the Danish Data Protection Authority had noted that Varde Municipality's lists generally contained a list of the companies, authorities, etc. to which personal data is or could be passed on. In addition, the municipality had specified data processors as a category of recipients to whom personal data is or could be passed on.<br />
<br />
During the inspection visit, the Danish Data Protection Authority stated that - in the Data Inspectorate's opinion - it is important to distinguish between when information is handed over to data processors and when information is passed on to other independent data controllers, as there are different forms of exchange of personal data. <br />
<br />
After a review of the submitted lists, it was not clear to the Danish Data Protection Authority which categories of personal data, including which categories of data subjects, could be passed on to the recipients that the municipality had stated in the list. When asked about this, Varde Municipality stated that the persons present would not be able to state this based on the lists.<br />
<br />
In this connection, the Danish Data Protection Authority's assessment is that a list - if personal data is or will be passed on - must contain information about which categories of personal data are or will be passed on to the recipient in question. In connection with this, it must also be stated which categories of data subjects the information in question relates to. The Danish Data Protection Authority has therefore updated the guidelines on inventories so that the edition from August 2020 is in accordance with this.<br />
<br />
5. Deadlines for deleting the different categories of information<br />
<br />
Pursuant to Article 30 (1) (f) GDPR, a list shall, if possible, include the expected time limits for deletion of the various categories of information.<br />
<br />
Prior to the inspection visit, the Danish Data Protection Authority had noted that in Varde Municipality's registers there was a reference to the recommended deletion deadlines in the municipalities' subject system, KLE.<br />
<br />
Asked about the lists' references to the recommended deletion deadlines in KLE, Varde Municipality demonstrated during the inspection visit how to quickly look up certain processing activities in KLE and then see the recommended deletion deadline.<br />
<br />
During the inspection visit, the Danish Data Protection Authority stated that, after the inspection's assessment, it was sufficient that the municipality had stated a reference to the recommended deletion deadlines in KLE.<br />
<br />
6. Description of the technical and organizational security measures<br />
<br />
Pursuant to Article 30 (1) (g) GDPR, a list shall, if possible, include a general description of the technical and organizational security measures referred to in Article 32 (1) GDPR.<br />
<br />
Prior to the inspection visit, the Danish Data Protection Authority had noted that Varde Municipality in the lists generally referred to the municipality's information security policy.<br />
<br />
During the inspection visit, the Danish Data Protection Authority generally had no comments on the fact that Varde Municipality referred in the lists to the municipality's information security policy with regard to a general description of the technical and organizational security measures. However, the Danish Data Protection Authority stated that the municipality can advantageously state this in the list if special measures are implemented - in addition to the general security measures - e.g. in relation to the security in Citizen Service Centers, in municipal libraries or in connection with the processing of personal data via television surveillance, etc.<br />
<br />
Prior to the inspection visit, the Danish Data Protection Authority had also noted that Varde Municipality had stated in several lists "obtaining a child certificate" as a technical or organizational security measure. During the inspection visit, the Danish Data Protection Authority stated that "obtaining child certificates" - in the Authority's view - does not constitute a security measure within the meaning of Article 32 (1) GDPR, as obtaining such a certificate has a purpose other than the protection of personal data.<br />
<br />
7. TV surveillance as a processing activity<br />
<br />
Prior to the inspection visit, the Danish Data Protection Authority had noted that it did not appear from Varde Municipality's records whether the municipality processes personal data in connection with television surveillance.<br />
<br />
When asked about this, Varde Municipality stated that TV surveillance is carried out in the municipality's citizen service center.<br />
<br />
The Danish Data Protection Authority pointed out that this processing should appear in the list for the civil service area. In addition, the Authority pointed out that if the TV surveillance is set up with a view to crime prevention, the municipality should also be aware that information about criminal offenses is potentially processed and that this should be stated in the list.<br />
<br />
8. Conclusion<br />
<br />
The Danish Data Protection Authority has generally noted that there were several sections in Varde Municipality's records where neither those present from the municipality nor the Danish Data Protection Authority were able to see through the processing activities solely from the records. Although Varde Municipality stated that the municipality's employees in the areas to which the lists relate could elaborate on the contents of the lists, it is the Data Inspectorate's opinion that the lists should be prepared in such a way that the requested information can be clearly deduced directly from the lists.<br />
<br />
However, the Danish Data Protection Authority can also conclude that the preparation of certain sections of Varde Municipality's lists - including the sections of the lists concerning deletion deadlines and technical and organizational security measures - provides a good overview for both the municipality and the Danish Data Protection Authority.<br />
<br />
The requirement to keep records of processing activities is - as mentioned above - largely related to the Regulation's principle of accountability.<br />
<br />
The responsibility is expressed in that the data controller must both comply with the rules of the regulation and at the same time be able to demonstrate that this is in fact the case. It is thus up to the data controller to have an overview of the processing activities that he carries out and to be able to demonstrate to e.g. the supervisory authority that the treatment activities in question comply with the rules of the Regulation.<br />
<br />
Each data controller (and data processor) must thus cooperate with the supervisory authority and, upon request, make the records available to the supervisory authority so that these can be used to monitor whether the data controller complies with the processing conditions in the Regulation. The common thread in the regulation on liability is thus implemented, among other things, in the requirement to list treatment activities in Article 30 GDPR.<br />
<br />
Based on the experiences with the inspections of lists in a number of municipalities - including Varde Municipality - the Danish Data Protection Authority has therefore found an opportunity to update the guidelines on lists from January 2018 [5].<br />
<br />
This is partly due to the fact that the records that the Danish Data Protection Authority has had for review in connection with the inspections, in the Authority's assessment, could not be used to a sufficient extent for the purposes behind the inventory requirement. In several cases, neither the municipalities nor the Danish Data Protection Authority could form an overview of the scope of the processing activities based on the content of the lists. Thus, it was also difficult for the Authority to ensure that the treatment activities in question complied with the rules of the Regulation.<br />
<br />
It is the Data Inspectorate's assessment that an update of the guidelines contributes to inventories being prepared in a way that ensures that the inventories are concretely and practically applicable to both the data controller / data processor and to the Data Inspectorate.<br />
<br />
The Danish Data Protection Authority thus emphasizes that the requirement to draw up lists must not just become a formal requirement, and that the lists only become really substantive when they are drawn up in a way that creates a real overview of the treatments in question and forms a basic foundation for the data controller's / data processor's general compliance with the data protection rules.<br />
<br />
<br />
<br />
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and on the repeal of Directive 95/46/EC (General Data Protection Regulation).<br />
<br />
[2] Act No. 502 of 23 May 2018 on supplementary provisions to the Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the Data Protection Act).<br />
<br />
[3] Cf. Preamble No 80<br />
<br />
[4] The Danish Data Protection Agency's updated guide to inventories from August 2020 can be found on the Authority's website.<br />
<br />
[5] The Danish Data Protection Agency's updated guide to inventories from August 2020 can be found on the Authority's website.<br />
</pre></div>MLhttps://gdprhub.eu/index.php?title=BVwG_-_W274_2230370-1/4E&diff=11166BVwG - W274 2230370-1/4E2020-08-20T15:07:00Z<p>ML: Created page with "{{COURTdecisionBOX |Jurisdiction=Austria |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=BVwG |Court_With_Country=BVwG (Austria) |Case_Number_Name=W274 22303..."</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Austria<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=BVwG<br />
|Court_With_Country=BVwG (Austria)<br />
<br />
|Case_Number_Name=W274 2230370-1/4E <br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Datenschutzbehörde - DSB - Newsletter<br />
|Original_Source_Link_1=https://www.dsb.gv.at/documents/22758/115212/Newsletter_DSB_3_2020.pdf/90579856-6cb5-4206-823a-cacc724cf94e<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
<br />
|Date_Decided=<br />
|Date_Published=<br />
|Year=<br />
<br />
|GDPR_Article_1=Article 15(3) GDPR<br />
|GDPR_Article_Link_1=Article 15 GDPR#3<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The BVwG holds that there is no right to a copy of the documents relating to an exclusion from a religious community under Article 15 (3) GDPR, because they are - as paper files - no file system and therefore excluded from the GDPR.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The complainant insisted on the transmission of a copy of all documents relating to his exclusion from the religious community of Jehovah's Witnesses (respondents in the main proceedings), which would be in the so-called proclamation report card in a sealed envelope. <br />
<br />
=== Dispute ===<br />
The subject-matter of the complaint in the main proceedings was an alleged infringement of the right of access on the basis of allegedly defective information.<br />
<br />
=== Holding ===<br />
The BVwG argued that paper files are not file systems and are therefore excluded from the GDPR. Moreover, the right to information under the ECJ's ruling is not suitable for securing access to administrative documents.<br />
<br />
== Comment ==<br />
This summary is based on a summary of a decision in the newsletter of the Data Protection Authority of Austria.<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
The subject-matter of the complaint in the main proceedings was an alleged infringement of the right of access on the basis of allegedly defective information. The complainant insisted on the transmission of a copy of all documents relating to his exclusion from the religious community of Jehovah's Witnesses (respondents in the main proceedings), which would be in the so-called proclamation report card in a sealed envelope. The data protection authority rejected the initial complaint because it had emerged in the course of the preliminary proceedings that the Jehovah's Witnesses had opened the envelope and had fully examined the personal data contained therein (in particular the grounds for exclusion). The BVwG argued otherwise: the envelope was a paper file, which is why the applicability of the GDPR would be excluded. Paper files were not file systems. Moreover, the right to information under the ECJ's ruling was not suitable for securing access to administrative documents. The internal documents from an exclusion procedure under the internal statutes of Jehovah's Witnesses were to be treated as administrative documents. The scope of the data copy pursuant to Article 15.3 of the DPA was not to be discussed for lack of general applicability of the DPA.<br />
</pre></div>MLhttps://gdprhub.eu/index.php?title=DSB_(Austria)_-_D123.768/0004-DSB/2019&diff=11164DSB (Austria) - D123.768/0004-DSB/20192020-08-20T14:43:12Z<p>ML: Created page with "{{DPAdecisionBOX |Jurisdiction=Austria |DPA-BG-Color= |DPAlogo=LogoAT.png |DPA_Abbrevation=DSB |DPA_With_Country=DSB (Austria) |Case_Number_Name=DSB-D123.768/0004-DSB/201 |E..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Austria<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoAT.png<br />
|DPA_Abbrevation=DSB<br />
|DPA_With_Country=DSB (Austria)<br />
<br />
|Case_Number_Name=DSB-D123.768/0004-DSB/201<br />
|ECLI=ECLI:AT:DSB:2019:DSB.D123.768.0004.DSB.2019 <br />
<br />
|Original_Source_Name_1=Rechtsinformationssystem<br />
|Original_Source_Link_1=https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=9ec4ddd8-196a-40c7-8f01-a806a2df17b2&Abfrage=Dsk&Entscheidungsart=Undefined&Organ=Undefined&SucheNachRechtssatz=&SucheNachText=True&GZ=&VonDatum=01.01.1990&BisDatum=20.08.2020&Norm=&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=&Dokumentnummer=DSBT_20191218_DSB_D123_768_0004_DSB_2019_00<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
<br />
|Type=Complaint<br />
|Outcome=Rejected<br />
|Date_Decided=18.12.2019<br />
|Date_Published=<br />
|Year=2019<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 4(4) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#4<br />
|GDPR_Article_2=Article 4(7) GDPR<br />
|GDPR_Article_Link_2=Article 4 GDPR#7<br />
|GDPR_Article_3=Article 85(1) GDPR<br />
|GDPR_Article_Link_3=Article 85 GDPR#1<br />
|GDPR_Article_4=Article 85(2) GDPR<br />
|GDPR_Article_Link_4=Article 85 GDPR#2<br />
<br />
|EU_Law_Name_1=Art. 10 (XI) European Convention of Human Rights - ECHR<br />
|EU_Law_Link_1=https://www.echr.coe.int/Documents/Convention_ENG.pdf<br />
|EU_Law_Name_2=Article 8 (XI), 11 (I) Charta of Fundamental Rights - CFR<br />
|EU_Law_Link_2=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A12012P%2FTXT<br />
<br />
|National_Law_Name_1=§§ 1 (I), (II), 9 (I) Data Protection Law (DSG - Datenschutzgesetz)<br />
|National_Law_Link_1=https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10001597<br />
|National_Law_Name_2=§ 1 no. 6, 7, 8, lit. c Mediengesetz (MedienG) - Media Law<br />
|National_Law_Link_2=https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10000719<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=ML<br />
|<br />
}}<br />
<br />
The data protection authority had to weigh up the right to secrecy against the right to freedom of expression.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The complainant belongs to a political party and is a member of the city council of an Austrian municipality. In November, the municipality held a meeting on the "parking space concept", to which a certain group of addressees, including the complainant, was invited. The complainant did not take part in this discussion because of an incorrect delivery of the invitation. The respondent, another political party, then posted an entry on her public Facebook page in which, to put it bluntly, criticism was made of the complainant's failure to appear.<br />
<br />
=== Dispute ===<br />
Is this Facebook post processed for journalistic purposes or a contribution to a debate of public interest, namely whether the complainant, as a politician and a person in the public interest, would be entitled to his or her tasks or requirements as a city councilor?<br />
<br />
=== Holding ===<br />
The limits of permissible criticism in relation to a politician acting in his public function must be interpreted more broadly than in relation to a private individual. Moreover, the use of the complainant's data in the proceedings was not unlawful because this form of political work is covered by § 1.2 of the PartG, and thus has a legal basis in the meaning of § 1.2 of the DSG.<br />
<br />
== Comment ==<br />
In the decision of 18 December 2019, reference number: DSB-D123.768/0004-DSB/2019, the data protection authority had to weigh up the right to secrecy against the right to freedom of expression. The complainant belongs to a political party and is a member of the city council of an Austrian municipality. In November, the municipality held a meeting on the "parking space concept", to which a certain group of addressees, including the complainant, was invited. The complainant did not take part in this discussion because of an incorrect delivery of the invitation. The respondent, another political party, then posted an entry on her public Facebook page in which, to put it bluntly, criticism was made of the complainant's failure to appear. <br />
<br />
The data protection authority rejected the complaint. On the one hand, it was established that even with a broad interpretation of the term "journalism", no processing for journalistic purposes can be identified. Furthermore, the Data Protection Authority found that the posting was a contribution to a debate of public interest, namely whether the complainant, as a politician and a person in the public interest, would be entitled to his or her tasks or requirements as a city councilor. According to the decision of the Supreme Court, the limits of permissible criticism in relation to a politician acting in his public function must be interpreted more broadly than in relation to a private individual. Moreover, the use of the complainant's data in the proceedings was not unlawful because this form of political work is covered by § 1.2 of the PartG, and thus has a legal basis in the meaning of § 1.2 of the DSG.<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
<br />
Deciding authority<br />
Data Protection Authority<br />
Document type<br />
Decision text<br />
Decision type<br />
Notice of appeal<br />
Business figures<br />
DSB-D123.768/0004-DSB/2019<br />
Decision date<br />
18.12.2019<br />
Contestation with the BVwG/VwGH/VfGH<br />
This decision is final.<br />
Standard<br />
Data Protection Law §1 para 1<br />
Data Protection Law §1 para 2<br />
Data Protection Law §9 para 1<br />
Media Law §1 no 6<br />
Media Law §1 no 7<br />
Media Law §1 Z8 lit c<br />
Law of Parties §1 para 2<br />
Municipal Code of Styria §59 para1<br />
CFR Art8 para 11<br />
CFR Art11 para 1<br />
ECHR Art10 para 1<br />
GDPR Art4 no 2<br />
GDPR Art4 no 7<br />
GDPR Art85 para 1<br />
GDPR Art85 para 2<br />
Text<br />
<br />
GZ: DSB-D123.768/0004-DSB/2019 of 18.12.2019<br />
<br />
[Note Processor: Names and companies, legal forms and product names, addresses (including URLs, IP and e-mail addresses), file numbers (and similar), etc., as well as their initials and abbreviations may be abbreviated and/or changed for reasons of pseudonymisation. Obvious spelling, grammar and punctuation errors have been corrected.]<br />
<br />
DECISION<br />
<br />
RULING<br />
<br />
The data protection authority decides on the data protection complaint of Bruno A*** (complainant) of 9 November 2018, improved by submission of 19 November 2018, against the N*** party E***stadt (respondent), represented by Erich R***, for violation of the right to secrecy as follows<br />
<br />
- The complaint is dismissed as unfounded.<br />
<br />
Legal basis: Sections 1(1) and (2), 24(1) and (5) of the Data Protection Act (Datenschutzgesetz - DSG), Federal Law Gazette I No 165/1999 as amended, Articles 8 and 11 of the Charter of Fundamental Rights of the European Union (EU-CFR), OJ No C 326 of 26 October 2012, p. 39, Article 12 of the Convention for the Protection of Human Rights and Fundamental Freedoms, Federal Law Gazette No 210/1958, Section 1(2) of the Political Parties Act 2012 (PartG), Federal Law Gazette I No 56/2012 as amended.<br />
<br />
EXPLANATIONS<br />
<br />
A. Arguments of the parties and procedure<br />
<br />
1 By letter of 9 November 2018, as improved by submission of 19 November 2018, the complainant submitted that on 7 November 2018, the defendant had published on Facebook the list of participants in a non-public meeting, which included his name. The defendant had intended to publicly pillory him for not attending the meeting on the parking concept. It subsequently emerged that the municipality had forgotten to send an invitation to the meeting to the correct e-mail address or to the address known to the municipality. Nevertheless, the respondent had published the list of participants in the meeting, which was not open to the public, together with his data.<br />
<br />
2 In its observations of 3 December 2018, the respondent submitted that a public meeting of the municipality of E***stadt on the E***stadt parking concept had taken place on 7 November 2018. In addition to municipal representatives, other representatives of the target group had also been invited to this meeting. The complainant had also been invited, but had not participated. A copy of the list of participants had been posted on the complainant's Facebook page. After the complaint had become known, the posting had been removed, although this was not considered necessary.<br />
<br />
The respondent submitted that, according to § 59 (1) of the Styrian Municipal Code (Steirische Gemeindeordnung - GemO), meetings of the municipal council were public. Pursuant to § 60.1 GemO, a record of proceedings was to be made of every meeting of the municipal council (public or non-public). According to no. 3 leg. cit. it must contain the name of the chairman and the members of the municipal council who are present and absent. The controller processing the data contained therein is the municipality of E***stadt.<br />
<br />
The attendance lists of municipal council meetings are in any case public, since even at non-public meetings only the deliberations are to be treated confidentially. This data was generally available, which meant that an interest worthy of protection could be excluded.<br />
<br />
Neither name, function nor absence from the meeting were data worthy of protection. On the one hand, there was an overriding public interest in knowing these data of the complainant as a politician and as a person of public interest and, on the other hand, there was also an overriding public interest in knowing whether he fulfilled the requirements of this position in his public role as a city councillor.<br />
<br />
The Facebook page of the N*** party E***stadt constituted, in the same way as the homepage of the City Party, a periodic electronic medium within the meaning of the Media Act (§ 1.1 no. 5a of the Media Act) and was maintained by the media employees of the N*** party. § 9 DSG is applicable.<br />
<br />
Both the DSG and the GDPR restrict their scope of application to the wholly or partially automated processing of personal data of natural persons and to the non-automated processing of personal data of natural persons which are or are to be stored in a file system. Processing of personal data which is or is to be stored in a file system is not apparent.<br />
<br />
(3) In his letter of 28 March 2019, the complainant submitted, in summary, that this was not a public meeting in accordance with the GemO, given that only a certain group of addressees had been informally invited by e-mail and that the fact that this meeting had not been properly publicised was sufficient to prevent it from becoming public. The GemO provides for three committees for a local politician. This meeting would not fall into any of these bodies.<br />
<br />
It was subsequently confirmed by the municipality by e-mail that the invitation had "unfortunately" been sent to the old e-mail address. The posting had deliberately been online for a few days after it had become known. The Facebook page of the N*** party E***stadt is not a media company or a media service.<br />
<br />
4 The respondent was asked by letter of 21 May 2019 to submit a supplementary statement and to send the invitation to the meeting at that time. By letter of 3 June 2019, this letter was sent to the data protection authority.<br />
<br />
5 In his letter of 1 July 2019, the complainant submitted, in the context of his hearing, that the annex clearly indicated that the meeting had been a non-public meeting without binding character. None of the three bodies of the GemO had been submitted that it had been an "interim presentation of a report" on the new "parking space concept" to which a specific group of addressees had been informally invited by e-mail. Furthermore, it was clearly recognizable that the invitation had been sent to the wrong e-mail address.<br />
<br />
B. Reasoning<br />
<br />
The question arises as to whether the respondent infringed the complainant's right to confidentiality by posting the list of participants of the "Zwischenpräsentation Parkraumkonzept E***stadt" ("Interim Presentation Parking Concept E*** City") on its Facebook page on 7 November 2018, on which the name of the complainant also appears, together with comments that the complainant did not attend this meeting.<br />
<br />
C. Findings of the facts<br />
<br />
The complainant is a councillor in the municipality of E***stadt and belongs to the W*** party. On 7 November 2018, the municipality of E***stadt held a meeting on the "Parking Concept E***stadt". The invitation to this meeting was sent out on 23 October 2018 and a specific group of addressees was invited. The e-mail was sent to the wrong (old) e-mail address of the complainant.<br />
<br />
[Editor's note: The original invitation letter and distribution list (with the complainant's old e-mail address) reproduced here as a graphic file cannot be pseudonymised with reasonable effort.]<br />
<br />
The complainant did not take part in this meeting.<br />
<br />
The respondent posted the following entry on her public Facebook page on 7 November 2018:<br />
<br />
[Editor's note: The respondent's Facebook posting, which is reproduced here in its original form as a graphic file, cannot be pseudonymised with reasonable effort. In addition to a picture of the list of participants with missing signature of the complainant, it consisted of the following text (spelling mistake in the original):<br />
<br />
"Once again, cooperation Not enough for W*** party city council A***. Or is a parking concept for the city E***stadt not an issue for the traffic representative? Or is the well paid city city council just working on the next leaflet?"]<br />
<br />
Evaluation of evidence: The findings result from the undisputed submissions of the parties as well as from the submitted enclosures.<br />
<br />
D. From a legal point of view, it follows that<br />
<br />
I. Jurisdiction of the data protection authority<br />
<br />
First of all, it must be examined whether the media privilege in the sense of § 9 para. 1 DSG is relevant and whether subsequently the competence of the data protection authority is to be negated.<br />
<br />
The data protection authority dealt with Section 9 para. 1 FADP in the notice of 2 December 2019, GZ DSB-D124.352/0003-DSB/2019, among others, and explained the following:<br />
<br />
1 In Article 9 (1) DSG, the previous "media privilege" under data protection law under Article 48 DSG 2000, Federal Law Gazette I No. 165/1999 as amended by Federal Law Gazette I No. 83/2013, is transposed into the system of the DSGVO with an extended scope of application. The national provision in § 9 DSG ties in with Art. 85 DSGVO, a provision of principle including an opening clause (see Suda/Veigl in Gantschacher/Jelinek/Schmidl/Spanberger, Datenschutzgesetz1 § 9 Rz. 1, still with reference to § 9 DSG as amended by Federal Law Gazette I no. 165/1999 as amended by Federal Law Gazette I no. 120/2017 [Datenschutz-Anpassungsgesetz 2018]).<br />
<br />
According to the express legal text of Article 9.1 of the DSG, two conditions must be cumulatively fulfilled in order to qualify for the privileged scope of application:<br />
<br />
Firstly, there must be processing of personal data by media owners, publishers, media employees and employees of a media company or media service within the meaning of the Media Act and, secondly, this processing must be for journalistic purposes of the media company or media service.<br />
<br />
It is noticeable that Section 9 (1) DSG contains a restriction to a specific professional group ("classical media companies"), although Art. 85 (2) GDPR does not contain such a restriction and is legally binding. (Kunnert in Bresich/Dopplinger/Dörnhofer/Kunnert/Riedl, Datenschutzgesetz Kommentar, margin no. 9 to § 9, also critical of Blocher/Wieser in Jahnel (ed.), Datenschutzrecht. Jahrbuch 19, p. 303 ff, who consider the restriction to be contrary to equality or the principle of legality).<br />
<br />
2 It should be noted that - despite the concerns about the restriction of the media privilege under § 9.1 of the DSG - a direct application of Art. 85.2 GDPR does not appear to be expedient because of the primacy of Union law regulations, since Art. 85.2 GDPR is not a substantive provision, but - as mentioned above - contains the mandate addressed to the Member States to enact corresponding legal provisions for certain processing situations (see Schiedermair in Ehmann/Selmayr, Datenschutz-Grundverordnung Kommentar2 [2018] Art. 85 marginals 1 and 9).<br />
<br />
3 The analogous application of § 9.1 of the DPA to the present case is also ruled out, because the restriction laid down in § 9.1 of the DPA was not included in the originally planned implementation of Article 85.1 of the DPA. 2 GDPR in the version of the Data Protection Adaptation Act 2018, which is why this is a deliberately restrictive approach by the Austrian legislature (see VwGH 10.10.2018, Ra 2018/08/0189 Rs 4 mwN, according to which the analogy is in principle permissible in public law, but the existence of a genuine legal loophole is presupposed).<br />
<br />
4 In addition, the complainant objectively claims a violation of the fundamental right to data protection under § 1 of the German Data Protection Act, i.e. a constitutional provision. The wording of the simple-law provision of § 9.1 of the DSG, according to which "the provisions of this Federal Act and of the GDPR shall be interpreted in accordance with Chapters II (Principles), III (Rights of the Data Subject), etc. of the GDPR" is not applicable. (...) do not apply", can probably not refer to § 1 of the DSG if interpreted in conformity with the constitution, since a provision of simple law cannot derogate from any constitutional provision (similar to Kunnert in Bresich/Dopplinger/Dörnhofer/Kunnert/Riedl, Datenschutzgesetz Kommentar, margin no. 9 to § 9).<br />
<br />
5 It must therefore be assumed that only if the (narrow) requirements of § 9.1 of the Data Protection Act are met, legal protection can be obtained exclusively by way of the ordinary courts under the Media Act and that the data protection authority has no jurisdiction.<br />
<br />
6) In all other cases, the data protection authority is responsible for dealing with the content, but must take into account the right to freedom of expression under Article 11 EU FRC and Article 10 ECHR when weighing the merits of the case (cf. the ruling of 9 September 2019, GZ DSB-D124.274/0007-DSB/2019).<br />
<br />
The same must apply to the present case.<br />
<br />
Admittedly, the respondent can by definition be regarded as a media owner within the meaning of § 1 item 8 letter c of the Media Act. However, § 9.1 DSG requires that the processing of data must be carried out "for journalistic purposes of the media company or media service".<br />
<br />
By definition, however, the respondent is not a media company (§ 1 item 6 MedienG) or a media service (§ 1 item 7 MedienG).<br />
<br />
Furthermore, in the present case, "journalistic purposes" cannot be assumed for the following reasons:<br />
<br />
It cannot be assumed that any information published on the Internet which refers to personal data would fall under the concept of "journalistic activities" and would therefore be subject to the derogations and exceptions provided for in Art. 9 of Directive 95/46 (see ECJ 01.06.2017, C-345/17, Rz 58 [Sergejs Buivids and Datu valsts inspekcija]). Although the present case refers to the old legal situation, Art. 9 of Directive 95/46 is to be understood as a counterpart provision to Art. 85 GDPR.<br />
<br />
Even with a broad interpretation of the term "journalism", no processing for journalistic purposes can be recognized in the present proceedings. Even the fact that the Facebook page is maintained by media employees of the N*** party cannot change this. Political parties are often active in the field of journalism and have editorial staff and employees who often work exclusively in public relations. However, the aim of political parties is not to shape the content of the medium, but rather to influence state decision-making comprehensively - especially through public relations work - through political activity. Media activity can only be understood as a "side effect" in the course of the intended achievement of these goals.<br />
<br />
Since Section 9 (1) Data Protection Act does not apply, the data protection authority is therefore competent to deal with the complaint.<br />
<br />
According to Art. 4 No. 7 GDPR, "controller" is the natural or legal person, authority, institution or other body which alone or jointly with others decides on the purposes and means of processing personal data.<br />
<br />
In the present case, as the operator of a publicly accessible Facebook profile, the respondent to the complaint is to be qualified as the controller within the meaning of Art. 4 No. 7 GDPR, as it decides on purposes (sharing of content) and means (use of a publicly accessible Facebook profile).<br />
<br />
II. On the alleged violation of the right to secrecy in the sense of § 1 paragraph 1 DSG:<br />
<br />
1. General<br />
<br />
Section 1 (1) of the DSG stipulates that everyone has the right to the confidentiality of personal data concerning him or her, in particular with regard to respect for his or her private and family life, insofar as there is an interest worthy of protection. A limitation of this right is basically derived from paragraph 2 of the Data Protection Act. However, the GDPR and in particular the principles enshrined therein must be taken into account in any event when interpreting the right to secrecy (see the DSB's decision of 31 October 2018, GZ DSB-D123.076/0003-DSB/2018).<br />
<br />
The data contained therein are undoubtedly personal data of the complainant and there is in principle also a legitimate interest in the confidentiality of these personal data.<br />
<br />
In any event, the commented publication of the list of participants on the respondent's Facebook profile constitutes processing within the meaning of Article 4 no. 2 of the GDPR.<br />
<br />
Pursuant to Art. 1 para. 2 GDPR, restrictions of the right to confidentiality are only permissible if the use of personal data is in the vital interest of the person concerned or with his or her consent, or in the case of overriding legitimate interests of another person or if there is a qualified legal basis.<br />
<br />
It is undisputed that there is no vital interest of the complainant or his or her consent, and nothing has been brought forward in this respect.<br />
<br />
It must therefore be examined whether a qualified legal basis or predominant legitimate interests of another would justify the restrictions of the claim to secrecy in the case at hand.<br />
<br />
2. The right to freedom of expression<br />
<br />
In the present case, the respondent refers to the fact that municipal council meetings are public under Section 59(1) of the GemO. The lists of attendance at municipal council meetings are also public in any event, since even at meetings that are not public only consultations are to be treated confidentially. However, it is already clear from the letter dated 17 October 2018 that this is neither a local council meeting nor any other body (town council/committee board or committees) covered by the GemO. Rather, it is a non-public, extra-natural meeting (invitation to an interim presentation of the parking concept) to which municipal mandataries, business people and other representatives were invited. An appeal to the GemO and a justified publication based on it is therefore in vain.<br />
<br />
For the sake of completeness, it is also pointed out that the very general assumption of the non-existence of a violation of confidentiality interests worthy of protection for permissibly published data is not compatible with the provisions of the GDPR (cf. DSB 31.10.2018, GZ DSB-D123.076/0003-DSB/2018, with further references).<br />
<br />
However, the respondent's overriding legitimate interests in the use of the complainant's data which are the subject of the proceedings are in question.<br />
<br />
The respondent's legitimate interests lie in the freedom of expression in accordance with Article 10 ECHR and Article 11 EU CFR, whereas the complainant's legitimate interests lie in the protection of his or her personal data in general and also in protection against discrediting by the respondent.<br />
<br />
Article 11 EU-CFR reads as follows:<br />
<br />
Freedom of expression and information<br />
<br />
(1) Everyone has the right to freedom of expression. This right includes freedom of expression and freedom to receive and impart information and ideas without interference by public authority and regardless of frontiers.<br />
<br />
(2) Freedom of the media and their plurality shall be respected.<br />
<br />
Art. 10 ECHR reads as follows [Editor's note: due to an editorial mistake, the text of Art. 11 ECHR is reproduced here in the original under the heading]:<br />
<br />
Article 10<br />
<br />
Freedom of expression<br />
<br />
(1) Everyone has the right to freedom of expression. This right includes freedom of opinion and expression and freedom to receive and impart information and ideas without interference by public authority and regardless of frontiers. Nothing in this Article shall prevent States from subjecting radio, cinema or television broadcasting organisations to an authorisation procedure.<br />
<br />
Since the exercise of these freedoms carries with it duties and responsibilities, it may be subject to such formalities, conditions, restrictions or penalties as are prescribed by law and are in keeping with the requirements of a democratic society in the interests of national security, territorial integrity or public safety, are indispensable to the maintenance of law and order and the prevention of crime, the protection of health and morals, the protection of the reputation or rights of others, to prevent the dissemination of confidential information or to ensure the prestige and impartiality of justice.<br />
<br />
Art. 11 EU CFR defines two interrelated areas of protection: on the one hand, the (active) freedom of expression of the spokesperson and, on the other hand, the (passive) freedom of information of the recipient. The interaction of these two elements guarantees an exchange of information and opinions in the sense of a comprehensive freedom of communication. Although the applicability to legal persons is not explicitly ordered, this provision is open to both natural and legal persons (see Stangl in Kahl/Raschauer/Storr (Ed.), Grundsatzfragen der Grundrechtecharta as well as Bezemek in Holoubek/Lienbacher (Ed.), CFR Commentary Art. 11).<br />
<br />
Likewise, Art. 10 ECHR applies equally to natural and legal persons (see Öhlinger/Eberhard, Verfassungsrecht Rz 914).<br />
<br />
The complainant is a councillor of the municipality of E***stadt and thus a politician. In this role as a city councillor, he was invited, albeit at the wrong e-mail address, to an interim presentation of the parking space concept. In this respect, it can be disregarded whether this meeting is a committee under the GemO. The complainant plays a role as a city councillor (of the W*** party) in the public life of the municipality, and there is also an interest, albeit only regional, in his work in the municipality.<br />
<br />
It is evident that the respondent's aim was to disseminate information to the public or, by publishing the list of participants, to initiate a contribution to a debate of general interest, namely whether the complainant, as a politician and a person of the public interest, is fulfilling his or her tasks or requirements as a city councillor.<br />
<br />
According to the decision of the Supreme Court, the limits of admissible criticism are wider in relation to a politician acting in his or her public function than in relation to a private individual. Every politician inevitably and willingly exposes himself or herself to a precise assessment of each of his or her words and actions, not only by journalists and the wider public, but especially by the political opponent (cf. OGH 28.01.1997, 4 Ob 2382/96i).<br />
<br />
With regard to the manner of publication (once again, cooperation Not enough for W*** Party City Council A***. Or is a parking space concept for the city E***stadt not an issue for the traffic officer? Or is the well paid city councilman working on the next leaflet right now? [sic]) it should be noted that the data protection authority cannot deny itself the impression that the present Facebook posting is not exclusively intended to trigger a contribution to a debate of general interest, but that the posting in question was formulated in a rather exaggerated manner.<br />
<br />
According to the Supreme Court, an insulting statement towards a politician can still be covered by the right to freedom of expression, provided that there is a connection to a political debate or a debate of general interest. A deliberately defamatory statement, which does not focus on the discussion of the matter but on defaming the person, is not protected (see OGH 29.06.2011, 15 Os 81/11t). Art. 10 ECHR protects not only stylistically high-quality, factually presented and sophisticatedly executed evaluations, but also any unvalidated judgment that does not culminate in an excess of evaluation (cf. OGH 15.10.2012, 6 Ob 162/12k). Occasionally, Art. 10 ECHR also protects insulting language if this serves merely stylistic purposes (cf. ECtHR 17.04.2014, 20981/10).<br />
<br />
With regard to the effects, it should be noted that these are not to be classified as material. Furthermore, the posting has already been deleted from the Facebook page. With regard to the manner and circumstances under which the information was obtained, it should be noted that the respondent did not unlawfully gain knowledge of the list of participants, and the data in the list are undoubtedly correct.<br />
<br />
3. The existence of a legal basis<br />
<br />
Furthermore, it should be noted that in view of the definition of a political party in (the constitutional provision of) § 1, Subsection 2, PartG, it is clear that the legislator sees the purpose of political parties primarily in the continuous "comprehensive influence on the state's decision-making process".<br />
<br />
According to the case-law of the Constitutional Court, the existence of political parties and the possibility of changing the majority relationships are effects of the democratic principle underlying the B-VG. One of the essential aims of political parties is the realisation of their political ideas by means of the exercise of state functions by their representatives and trusted representatives in the various bodies of legislation and state administration, especially in the general representative bodies (see VfSlg. 14.803/1997 and VfSlg. 20.128/2016, with further references).<br />
<br />
This also includes influencing the shaping of public opinion on political competitors. The use of the complainant's data by the respondent in the proceedings is thus also covered by the PartG.<br />
<br />
III. Result<br />
<br />
The data protection authority therefore comes to the conclusion that, on the basis of the weighing of interests carried out, there is no violation of the right to secrecy, since the legitimate interests of the respondent (freedom of expression) outweigh the stated impairments of the complainant's legitimate interests (secrecy of the data subject of the proceedings) in accordance with Section 1 (2) of the Data Protection Act.<br />
<br />
Even if this were to be denied, the publication together with the commentary would not be unlawful because this form of political work is covered by § 1.2 PartG, and thus has a legal basis in the meaning of § 1.2 DSG.<br />
<br />
It was therefore to be decided in accordance with the Rules of Procedure.<br />
Keywords<br />
Confidentiality, posting, Facebook, social media, city council, political party, media, media companies, media privilege, freedom of expression, freedom of information, limits to permissible criticism<br />
European Case Law Identifier (ECLI)<br />
ECLI:AT:DSB:2019:DSB.D123.768.0004.DSB.2019<br />
Last updated on<br />
17.03.2020<br />
Document number<br />
DSBT_20191218_DSB_D123_768_0004_DSB_2019_00<br />
<br />
</pre></div>MLhttps://gdprhub.eu/index.php?title=DSB_(Austria)_-_DSB-D213.95&diff=11142DSB (Austria) - DSB-D213.952020-08-18T08:31:25Z<p>ML: Created page with "{{DPAdecisionBOX |Jurisdiction=Austria |DPA-BG-Color= |DPAlogo=LogoAT.png |DPA_Abbrevation=DSB |DPA_With_Country=DSB (Austria) |Case_Number_Name=DSB-D213.95 |ECLI= |Origina..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Austria<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoAT.png<br />
|DPA_Abbrevation=DSB<br />
|DPA_With_Country=DSB (Austria)<br />
<br />
|Case_Number_Name=DSB-D213.95<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Data Protection Authority of Austria<br />
|Original_Source_Link_1=https://www.dsb.gv.at/documents/22758/115212/Newsletter_DSB_3_2020.pdf/90579856-6cb5-4206-823a-cacc724cf94e<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
<br />
|Type=Complaint<br />
|Outcome=Rejected<br />
|Date_Decided=<br />
|Date_Published=<br />
|Year=<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 6(1)(f) GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR#1f<br />
<br />
|EU_Law_Name_1=Article 11 CFR<br />
|EU_Law_Link_1=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A12012P%2FTXT<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=ML<br />
|<br />
}}<br />
<br />
The DSB held that the processing of teacher data by an app called "Lernsieg" to evaluate teachers is lawful on the basis of Art. 6 para. 1 lit. f GDPR, i.e. that the interests of the general public and in particular of the pupils in the processing in question outweighed the interests of the teachers.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The Lernsieg app is an evaluation platform on which students can evaluate their school and teachers according to a predefined points system. The individual criteria that can be evaluated include (currently): teaching, respect, patience, explanatory style, personality, fairness, motivation and organisation. The operator of the app (hereinafter: "the data controller") relied on the legal basis pursuant to Art. 6 para. 1 lit. f GDPR (legitimate interests) with regard to the processing of teacher data (name, department, related assessments). The controller has implemented several mechanisms to counteract the effect of pillorying.<br />
<br />
=== Dispute ===<br />
The data controller argued that the processing was in pursuit of the interest of exercising the right to freedom of expression and information pursuant to Art. 11 EU CFR. In this way, increased transparency in the field of education was to be achieved and the quality of education in the classroom was to be subject to comprehensible control. From the point of view of the persons concerned, it had to be taken into account that teachers had to expose themselves to anonymous evaluation by means of the data processing in question, that in principle also non-pupils of the respective teacher could give an evaluation, that this evaluation sometimes did not correspond to the true facts (for example, unobjective evaluations).<br />
<br />
=== Holding ===<br />
The processing of teacher data was lawful on the basis of Art. 6 para. 1 lit. f GDPR, i.e. that the interests of the general public and in particular of the pupils in the processing in question outweighed the interests of the teachers. The right to freedom of expression and information is not limited to objectifiable, generally valid value judgments. The present teacher evaluation concerns the professional activity of the teacher. The professional group of teachers must therefore be prepared for the observation of their behaviour by a broad public and for criticism of their performance. In the present case, the professional sphere is affected, which, in contrast to the intimate sphere, enjoys less protection.<br />
<br />
== Comment ==<br />
This summary of the case is based on a summary published by the Data Protection Authority in their newsletter.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
Information on the Lernsieg teacher evaluation platform<br />
<br />
The admissibility of the "Lernsieg" app under data protection law was checked as part of the official examination procedure under the number DSB-D213.953. The Lernsieg app is an evaluation platform on which students can evaluate their school and teachers according to a predefined points system. The individual criteria that can be evaluated include (currently): teaching, respect, patience, explanatory style, personality, fairness, motivation and organisation. The operator of the app (hereinafter: "the data controller") relied on the legal basis pursuant to Art. 6 para. 1 lit. f GDPR (legitimate interests) with regard to the processing of teacher data (name, department, related assessments), which is why a weighing of interests had to be carried out.<br />
<br />
The data controller argued that the processing was in pursuit of the interest of exercising the right to freedom of expression and information pursuant to Art. 11 EU CFR. In this way, increased transparency in the field of education was to be achieved and the quality of education in the classroom was to be subject to comprehensible control. From the point of view of the persons concerned, it had to be taken into account that teachers had to expose themselves to anonymous evaluation by means of the data processing in question, that in principle also non-pupils of the respective teacher could give an evaluation, that this evaluation sometimes did not correspond to the true facts (for example, unobjective evaluations) and that these evaluations were disclosed to the public and could lead to a pillory effect.<br />
<br />
In this respect, it was first of all to be noted that anonymous use is inherent in the Internet and that the obligation to commit oneself by name to a certain evaluation would create the danger that the evaluator, for fear of reprisals or other negative consequences, would decide not to express his opinion at all. In the DSB's view, such self-censorship is not compatible with Article 11 EU CFR. Similarly, the right to freedom of expression and information is not limited to objectifiable, generally valid value judgments.<br />
<br />
In line with the DSB's established case law on physician evaluation platforms (cf. the decision of 15 January 2019, GZ DSB-D123.527/0004-DSB/2018, with further references), it was also to be noted that the present teacher evaluation concerns the professional activity of the teacher, i.e. an area in which personal development takes place in contact with the environment from the outset. The professional group of teachers must therefore be prepared for the observation of their behaviour by a broad public and for criticism of their performance.<br />
<br />
In the present case, the professional sphere is affected, which, in contrast to the intimate sphere, enjoys less protection, and the controller has implemented several mechanisms to counteract the effect of pillorying: For example, it is not possible for a teacher to be criticised for his or her behaviour. In order to protect against abuse, for example, it is necessary that the person making the assessment first verifies himself/herself via a telephone number (which is not stored or used in any other way) ("overcoming an inhibition threshold"), a certain minimum number of assessments is required before this is displayed, the submission of a personal, sometimes insulting comment is not possible (whereby, in return, the assessment can be justified in more detail in the form of sub-categories) or a report and change button for teachers is built in. The controller has also not included elementary and special schools in the app and has thus linked the possibility of evaluation to a certain minimum age or mental development.<br />
<br />
However, there is an indirect choice of teacher insofar as parents (in agreement with their children, i.e. the pupils) can choose the school and get a corresponding picture of the teachers working there, and for certain subjects (e.g. optional subjects) there is a free choice of teacher. The concrete teacher evaluation is also relevant for the assessment of the selection of special schools (e.g. whether the school's subject focuses are implemented with the corresponding quality). Furthermore, teacher evaluations can be a reason for students or parents to seek a conversation with the teacher (or vice versa). In the opinion of the DSB, the fact that this is a comparatively new app and that it may not yet be of great factual importance for the school choice of the general population is not decisive. Evaluation platforms can offer added value for society in the form of easily accessible information, whereby each evaluation platform requires a certain start-up time to achieve a corresponding relevance.<br />
<br />
In view of these considerations, the DSB came to the conclusion that the processing of teacher data was lawful on the basis of Art. 6 para. 1 lit. f GDPR, i.e. that the interests of the general public and in particular of the pupils in the processing in question outweighed the interests of the teachers. For the sake of completeness, it should be noted that the processing of the data of the evaluators (children and young people) was also reviewed and no objections were raised in this respect. In particular, it was established on the basis of the investigation that the evaluators' data will not be used in any form (e.g. for advertising purposes) or transferred to third parties. The DSB will, however, continue to monitor the development of the Lernsieg app and reserves the right to initiate a further review procedure in the event of such commercialisation.<br />
</pre></div>MLhttps://gdprhub.eu/index.php?title=OVG_Greifswald_-_2_LB_565/17&diff=11088OVG Greifswald - 2 LB 565/172020-08-10T14:44:31Z<p>ML: Created page with "{{COURTdecisionBOX |Jurisdiction=Germany |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=OVG Greifswald |Court_With_Country=OVG Greifswald (Germany) |Case_Nu..."</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Germany<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=OVG Greifswald<br />
|Court_With_Country=OVG Greifswald (Germany)<br />
<br />
|Case_Number_Name=2 LB 565/17<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Dienstleistungsportal - Mecklenburg-Vorpommern<br />
|Original_Source_Link_1=http://www.landesrecht-mv.de/jportal/portal/page/bsmvprod.psml;jsessionid=3C3C789590D4E1AEBAB8E3CCD5688C50.jp23?doc.id=MWRE200002885&st=ent&doctyp=juris-r&showdoccase=1&paramfromHL=true#focuspoint<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
<br />
|Date_Decided=07.07.2020<br />
|Date_Published=<br />
|Year=2020<br />
<br />
|GDPR_Article_1=Article 6(1)(c) GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR#1c<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=ML<br />
|<br />
}}<br />
<br />
The court held that, under Article 6 (1) (c) GDPR, access to the data of members of a hunting cooperative must be granted to fellow members, as it is necessary to fulfil a legal obligation of the controller; only then can a member claim his or her rights as a member, which are essentially determined by the ownership and size of the areas that can be hunted.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The plaintiff would like to inspect the hunting register of the defendant, a hunting cooperative. The plaintiff is a member of the defendant.<br />
<br />
The plaintiff based his claim on the necessity of being able to verify compliance with the corresponding distribution key in view of his claim to payment of the share of the income from the hunting lease to which he was entitled. <br />
<br />
Furthermore, he stated that he could only meaningfully exercise his membership rights in knowledge of the other members of the Hunting Cooperative. Finally, the plaintiff referred to the Freedom of Information Act of Mecklenburg-Vorpommern.<br />
<br />
=== Dispute ===<br />
The defendant refused the requested access in order to protect the personal data of the other members of the hunting cooperative, who would refuse to have their addresses published. Nor could it be seen why the plaintiff needed the data in order to be able to assert his claim for a pro rata payment of the defendant's earnings.<br />
<br />
=== Holding ===<br />
A member of a hunting cooperative has a claim against the hunting cooperative to inspect the current hunting cadastre of the hunting cooperative, insofar as this contains the names, addresses and size of the areas of the individual hunting companions.<br />
<br />
If these claims cannot be excluded obviously and unambiguously, the Hunting Cooperative owes the hunting companion disclosure of its books and other documents. The type and scope of the documents to which this disclosure extends in detail depends largely on the data required for the effective verification of the respective claim prerequisite.<br />
<br />
The plaintiff is therefore entitled to inspect the hunting cadastre of the defendant, as far as the names of the other hunting companions contained therein, their addresses as well as the information on the size of the respective property areas of the individual owners are concerned. Only on the basis of this information can he effectively exercise his rights as a member of the Hunting Cooperative and thus as part of the General Meeting. It must be possible for the plaintiff to make arrangements with other members in advance of such meetings and therefore to contact them. In particular, the statutes also provide for the possibility that a certain quorum of members may call an extraordinary general meeting.<br />
<br />
All these rights can only be exercised if the claimant has the possibility to contact other hunting companions. This requires that not only the names but also the addresses are accessible to him. <br />
<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
<br />
<br />
Right to inspect the hunting register of the hunting cooperative<br />
<br />
A member of a hunting cooperative has a claim against the hunting cooperative to inspect the current hunting cadastre of the hunting cooperative, insofar as this contains the names, addresses and size of the areas of the individual hunting companions. <br />
<br />
Higher Administrative Court for the State of Mecklenburg-Western Pomerania 2nd Senate, ruling of 07.07.2020, 2 LB 565/17<br />
<br />
Article 6(1)(c) Regulation (EU) 2016/679<br />
Tenor<br />
<br />
The ruling of the Greifswald Administrative Court of 6 July 2017 is amended.<br />
<br />
The defendant is ordered to grant the plaintiff access to the defendant's current hunting cadastre, insofar as this contains the names, addresses and the size of the areas of the individual hunting companions.<br />
<br />
The defendant is ordered to pay the costs.<br />
<br />
The judgment is provisionally enforceable as regards the costs. The defendant may avert enforcement against provision of security in the amount of the costs determined by the court, unless the plaintiff provides prior security in the same amount.<br />
<br />
The appeal is not allowed.<br />
<br />
Facts of the case<br />
<br />
1<br />
<br />
The parties involved are in dispute over the question of whether and to what extent the plaintiff is entitled to inspect the hunting register of the defendant, a hunting cooperative. The plaintiff is a member of the defendant with a base area of 1.0855 hectares of forest. Since 2016 the hunting lease has been uniformly 0.80 Euro/ha for all areas.<br />
<br />
2<br />
<br />
The plaintiff based his claim filed on 30 May 2016 on the necessity of being able to verify compliance with the corresponding distribution key in view of his claim to payment of the share of the income from the hunting lease to which he was entitled. For example, there would be overhead costs of the hunting cooperative, so that income from the lease could not be fully paid out. Furthermore, he stated that he could only meaningfully exercise his membership rights in knowledge of the other members of the Hunting Cooperative. Finally, the plaintiff referred to the Freedom of Information Act of Mecklenburg-Vorpommern.<br />
<br />
3<br />
<br />
The defendant refused the requested access and referred to the need to ensure the protection of personal data contained in the cadastre. Numerous members of the hunting cooperative would refuse to have their addresses published. Nor could it be seen why the plaintiff needed the data in order to be able to assert its claim for a pro rata payment of the defendant's earnings. The question as to which parcels of land belonged in detail to which members of the hunting cooperative was in any case irrelevant for the exercise of membership rights.<br />
<br />
4<br />
<br />
The Administrative Court dismissed the claim. The question of whether there is a right to information depends on the relevant substantive law. If and to the extent that information for the assertion of a claim by a member of a hunting cooperative is at least not obviously and unambiguously excluded, the hunting cooperative owes the hunting companion disclosure of its books and other documents (BVerwG, decision of 27 June 2013, 3 C 20.12, para. 5). Measured against this standard, the Administrative Court considered the preconditions for the right of inspection to be non-existent. The amount of the share of the earnings to which the plaintiff is entitled would be readily apparent from the size of the base area multiplied by the agreed rent amount known to him. Nor did the plaintiff require the information for the review of majority decisions of the cooperative assembly. Nor did he have any claim from the membership relationship. The interest in reaching agreements with other members of the Hunting Cooperative with a view to voting at general meetings did not justify the claim.<br />
<br />
5<br />
<br />
Finally, such a right to information does not arise from the Freedom of Information Act M-V (IFG). In this respect, an action would already be inadmissible for lack of preliminary proceedings. In addition, the IFG was not applicable to the legal relationship between the plaintiff and the defendant. The defendant would not act as an authority vis-à-vis the plaintiff, but would ultimately take over a private matter with the administration of the hunt. The information requested by the plaintiff served this purpose alone, which therefore did not constitute records serving official purposes within the meaning of § 2.1 no. 1 IFG.<br />
<br />
6<br />
<br />
The Senate allowed the appeal by decision of 20.03.2019.<br />
<br />
7<br />
<br />
In the appeal, the applicant bases his arguments essentially on the same arguments as those he put forward at first instance.<br />
<br />
8<br />
<br />
He requests,<br />
<br />
9<br />
<br />
the defendant is ordered to grant the plaintiff access to the respective current hunting cadastre with the details of the names, addresses and the respective area size of all hunting companions, overriding the judgement of the Greifswald Administrative Court of 6 July 2017.<br />
<br />
10<br />
<br />
The defendant claims that the Court should<br />
<br />
11<br />
<br />
dismiss the appeal.<br />
<br />
12<br />
<br />
It puts forward the same arguments as it did before the Administrative Court.<br />
<br />
13<br />
<br />
For further details of the state of affairs and the dispute, reference is made to the content of the judicial and administrative acts consulted.<br />
<br />
Reasons for the decision<br />
<br />
14<br />
<br />
The applicant's admissible appeal is well founded. The decision of the Administrative Court must be amended. The defendant is to be ordered to allow the plaintiff to inspect the current hunting cadastre as far as the names and addresses of hunting companions and the sizes of their areas are concerned. The plaintiff is entitled to a corresponding claim.<br />
<br />
15<br />
<br />
The hunting law does not contain any explicit regulations regarding the right to inspection. For such claims, the Federal Administrative Court (BVerwG) stated in its decision of 27.06.2013 - 3 C 20/13, juris, that these<br />
<br />
16<br />
<br />
"according to general principles of law as a prerequisite for effective protection of rights under the substantive law in dispute (follow), to which they constitute annexes or ancillary claims (on civil law, see for example the Federal Court of Justice (BGH), judgments of 7 May 2013 - X ZR 69/11 - juris nos. 27 et seq. and of 29 May 2013 - IV ZR 165/12 - juris no. 10). In this respect, neither an explicit regulation nor an analogy is required. This also applies to the Hunting Cooperative if a hunting companion - as here - asserts material legal claims against it arising from the membership relationship. If these claims cannot be excluded obviously and unambiguously, the Hunting Cooperative owes the hunting companion disclosure of its books and other documents. The type and scope of the documents to which this disclosure extends in detail depends largely on the data required for the effective verification of the respective claim prerequisite."<br />
<br />
17<br />
<br />
The recognizing senate agrees with this. Incidentally, the Higher Administrative Court of North Rhine-Westphalia has also recognised a right of a hunting companion to inspect a hunting register to be maintained by the hunting association, in which "the owners of the properties belonging to the hunting district and the size of these properties are shown" (judgement of 17 September 1985 - 20 A 918/84 - juris, only guiding principles, here guiding principle 6).<br />
<br />
18<br />
<br />
According to these standards, the plaintiff is entitled to the right of inspection which he permissibly concretized during the hearing before the recognizing senate. He is therefore entitled to inspect the hunting cadastre of the defendant, as far as the names of the other hunting companions contained therein, their addresses as well as the information on the size of the respective property areas of the individual owners are concerned. Only on the basis of this information can he effectively exercise his rights as a member of the Hunting Cooperative and thus as part of the General Meeting. The Articles of Association of the Hunting Cooperative provide for it to be its central organ. In certain cases, this body decides by qualified majority. However, even in cases where only a simple majority decision is required, it must be possible for the plaintiff to make arrangements with other members in advance of such an event and therefore to contact them. In particular, the statutes also provide for the possibility that a certain quorum of members may call an extraordinary general meeting.<br />
<br />
19<br />
<br />
All these rights can only be exercised if the claimant has the possibility to contact other hunting companions. This requires that not only the names but also the addresses are accessible to him. In view of the fact that in the Hunting Cooperative, the size of the huntable property area available to each hunting companion is decisive for the voting weight in the General Meeting, the plaintiff must also have access to the information available in this respect at the Hunting Cooperative. On the other hand, the plaintiff has not asserted that he also requires information on the location of the respective parcels of land. The questions associated with this are therefore not part of the subject matter of the dispute. Accordingly, it is not to be decided whether a claim also exists in this respect.<br />
<br />
20<br />
<br />
This right to information is also not opposed by data protection aspects. The defendant rightly points out that the inspection of the hunting cadastre is also connected with the possibility for the plaintiff to gain access to personal data. Under Article 6 of the General Data Protection Regulation (GDPR), access to such data may only be granted under special conditions. However, according to the provision of Art. 6 (1) lit. c) GDPR, which in this respect is the sole standard, such access is permissible insofar as it is necessary to fulfil a legal obligation of the controller for data processing. According to the above, the controller, the hunting cooperative, is obliged to grant the plaintiff access to the relevant information; only then can he or she claim the rights as a member, which, as mentioned above, are essentially determined by the ownership and size of the areas that can be hunted. Such information is also proportionate. Anyone who is a member of an organisation has the right to determine the fate of that organisation together with other members. However, he must then at the same time accept that these other members contact him in order to be able to make effective use of this right.<br />
<br />
21<br />
<br />
The question of whether other aspects also support the claim asserted by the applicant is not relevant in this respect.<br />
<br />
22<br />
<br />
The decision on costs follows from Paragraph 154(2) of the General Administrative Law Code (VwGO).<br />
<br />
23<br />
<br />
The decision on provisional enforceability is based on §§ 167 VwGO, 708 ff. of the German Code of Civil Procedure (Zivilprozessordnung - ZPO).<br />
<br />
24<br />
<br />
The appeal is not to be admitted, as none of the grounds provided for in § 132 (2) VwGO are present.<br />
<br />
</pre></div>MLhttps://gdprhub.eu/index.php?title=Datatilsynet_(Denmark)_-_2019-431-0045&diff=11005Datatilsynet (Denmark) - 2019-431-00452020-08-03T09:00:02Z<p>ML: /* Dispute */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Denmark<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoDK.png<br />
|DPA_Abbrevation=Datatilsynet<br />
|DPA_With_Country=Datatilsynet (Denmark)<br />
<br />
|Case_Number_Name=2019-431-0045<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Datatilsynet<br />
|Original_Source_Link_1=https://www.datatilsynet.dk/tilsyn-og-afgoerelser/afgoerelser/2020/jun/videregivelse-af-opgavebesvarelser<br />
|Original_Source_Language_1=Danish<br />
|Original_Source_Language__Code_1=DA<br />
<br />
|Type=Other<br />
|Outcome=<br />
|Date_Decided=<br />
|Date_Published=18.06.2020<br />
|Year=<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 6(1) GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR#1<br />
|GDPR_Article_2=Article 6(3) GDPR<br />
|GDPR_Article_Link_2=Article 6 GDPR#3<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Maria Lohmann<br />
|<br />
}}<br />
<br />
The Danish Data Protection Agency finds that passing on assignment answers to researchers without having received instructions from the data controller is a violation of data protection rules. Moreover, it held that answers to questions can be regarded as personal data, as there is a specific kind of answering so that a machine can associate respective authors.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
MaCom A / S has developed and provided the school administration system Lectio. As part of the operation of Lectio, MaCom A / S is the data processor for a number of upper secondary schools and business schools. MaCom A / S is processing answers of assignments.<br />
<br />
On 15 and 16 August 2019, respectively, the data controllers reported breaches of personal data to the Danish Data Protection Agency, as they had become aware that MaCom A / S had given researchers from the Department of Computer Science at the University of Copenhagen (hereinafter DIKU) access to information from assignments. The individual data controller had not been made aware of the disclosure and had not given permission for the disclosure.<br />
<br />
=== Dispute ===<br />
The data controllers had to notify the Danish Data Protection Agency about a data breach due to the forwarding of answers of assignments to researchers without approval of disclosure.<br />
<br />
=== Holding ===<br />
In this decision, the Danish Data Protection Agency only decides whether a transfer of information has taken place without a documented instruction, cf. Article 28 (1) of the Data Protection Regulation. Thus, it has not decided whether MaCom could process information in accordance with Article 6 (3) (a), (1) (a) - (f).<br />
<br />
An answer to a question can be regarded as personal data, as defined in Article 4 (1) of the Data Protection Regulation, cf. Directive 95/45. It therefore follows from paragraph 37 that '… firstly, the content of that answer reflects the participant's knowledge and competence in a given field and, where appropriate, his thinking, judgment and critical sense'.<br />
<br />
However, the fact that the information has been disclosed for scientific purposes and for a societal purpose, that the researchers were given access on site (by attendance) rather than having the data handed over, and that the disclosure has taken place in pseudonymised form are mitigating circumstances.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.<br />
<br />
<pre><br />
Dissemination of assignment answers<br />
Published 18-06-2020<br />
Decision Private companies<br />
<br />
The Danish Data Protection Agency expresses serious criticism that a data processor for a number of upper secondary schools has passed on parts of the students' assignments.<br />
<br />
Journal number: 2019-431-0045<br />
Summary<br />
<br />
The Danish Data Protection Agency has made a decision in a case where three high schools have reported a breach of personal data security to the Danish Data Protection Agency regarding MaCom A / S, which as data processor has passed on parts of the students' assignments to researchers from the Department of Computer Science at the University of Copenhagen for development of plagiarism programs.<br />
<br />
In the decision, the Danish Data Protection Agency has established that MaCom has acted in violation of the data protection law rules by passing on extracts from assignment answers to the researchers without having received instructions to this effect from the data controllers.<br />
<br />
The Danish Data Protection Agency found that answers to questions can be regarded as personal data, as they are an expression of the respondent's thinking, judgment and critical sense. The Danish Data Protection Agency also found that extracts from assignment answers that are passed on for the purpose of developing plagiarism programs must be regarded as pseudonymised personal data, as the extracts must have qualities that can identify people on the basis of thinking, judgment and critical sense, and MaCom continued to keep the assignment answers in their entirety in another, closed, system, for which reason the extracts could be attributed to a particular data subject.<br />
<br />
In relation to the degree of seriousness, the Danish Data Protection Agency has in its assessment emphasized that MaCom could not account for the number of extracts that were disclosed or the number of times the disclosure took place. However, the Danish Data Protection Agency regards it as mitigating circumstances that the information has been disclosed for scientific purposes and for a societal purpose, that disclosure has taken place by attendance on site and not by handing over the data, and that the disclosure has taken place in pseudonymised form.<br />
<br />
Decision<br />
<br />
The Danish Data Protection Agency hereby returns to the case where the Authority, through three reports of breaches of personal data security in accordance with Article 33 of the Data Protection Ordinance [1], has become aware that MaCom A / S as data processor for a number of educational institutions (Paderup Gymnasium, Aalborg Katedralskole and Århus Akademi) (hereinafter the data controllers) has passed on information about students to researchers.<br />
<br />
In this decision, the Danish Data Protection Agency only decides whether a transfer of information has taken place without a documented instruction, cf. Article 28 (1) of the Data Protection Regulation. Thus, in this decision, the Danish Data Protection Agency has not taken a position on whether MaCom could process information in accordance with Article 6 (3) (a). 1, letters a-f, if MaCom A / S had been the data controller.<br />
<br />
Decision<br />
<br />
Following a review of the case, the Danish Data Protection Agency finds that there are grounds for expressing serious criticism that MaCom A / S 'processing of personal data has not taken place in accordance with the rules in Article 28 (1) of the Data Protection Regulation. Third<br />
<br />
Below is a more detailed review of the case and a justification for the Danish Data Protection Agency's decision.<br />
<br />
2. Case presentation<br />
<br />
It appears from the case that MaCom A / S has developed and delivered the operation of the school administration system Lectio. As part of the operation of Lectio, MaCom A / S is the data processor for a number of upper secondary schools and business schools, including the data controllers, e.g. in connection with the processing of assignment answers.<br />
<br />
On 15 and 16 August 2019, respectively, the data controllers reported breaches of personal data security to the Danish Data Protection Agency, as they had become aware that MaCom A / S had given researchers from the Department of Computer Science at the University of Copenhagen (hereinafter DIKU) access to information from assignments. The individual data controller had not been made aware of the disclosure and had not given permission for the disclosure.<br />
<br />
The disclosure of the information has taken place by the researchers having physical access to data / information in the form of excerpts from assignments in physical presence at MaCom A / S. The extracts of the assignment answers are stored in an electronic copy, which is stored on an independent and closed medium, which does not have access to MaCom A / S 'IT system and other data.<br />
<br />
It appears from the case that MaCom A / S does not have an overview of the amount of information that has been made available to the Department of Computer Science, or an overview of the number of times this has taken place, as the data / information in question has been deleted on an ongoing basis in the closed media / data room. The project at the Department of Computer Science has been running since the summer of 2016, with a planned completion in March 2020. It is over a year since the researchers in the project have had access to information, and they will not receive it as long as this case is pending.<br />
<br />
2.1. MaCom A / S ’comments<br />
On behalf of MaCom A / S, Therkildsen Advokater has generally stated that this is concrete data / information that does not contain personal information, and which it is also not possible in any way to attribute to one or more specific persons, which is why it is not personal data within the meaning of the Data Protection Regulation.<br />
<br />
MaCom A / S has noted that the scientific purpose of the disclosure has primarily been to develop effective algorithms that can detect plagiarism, for example in the case where a student has copied from a previously handed in assignment or got another person to write a report.<br />
<br />
In addition, MaCom A / S has stated that MaCom A / S makes new versions of the study administration system Lectio on a daily basis to ensure that the educational institutions that subscribe constantly live up to the requirements imposed. Functionality to expose plagiarism must be regarded as socially relevant, politically desirable and necessary to the educational institutions, which have a strong focus on exam cheating.<br />
<br />
Justification for the Danish Data Protection Agency's decision<br />
<br />
The Danish Data Protection Agency assumes that parts of the assignment answers from MaCom A / S have been passed on to researchers from DIKU.<br />
<br />
It follows from the judgment of the European Court of Justice of 20 December 2017 in C-434/16 (Peter Nowak case) that an answer to a question can be regarded as personal data, as defined in Article 4 (1) of the Data Protection Regulation, cf. Directive 95/45. It therefore follows from paragraph 37 that '… firstly, the content of that answer reflects the participant's knowledge and competence in a given field and, where appropriate, his thinking, judgment and critical sense'.<br />
<br />
On that basis, the Danish Data Protection Agency assumes that this is personal data, cf. Article 4 (1) of the Data Protection Regulation, when a task answer is processed in its entirety.<br />
<br />
It also follows from the judgment of the European Court of Justice of 19 October 2016 in C-582/14 (Breyer case), paragraph 40, that by identifiable person is meant a person who can be identified not only directly but also indirectly. It further follows from paragraph 44 of the judgment that the classification of information as personal data does not require that all the information enabling the data subject to be identified be held by a single person.<br />
<br />
On this basis, the Danish Data Protection Agency finds that MaCom A / S 'processing of the extracts of the assignment answers must be regarded as a processing of pseudonymised personal data, cf. Article 4, no. 5 of the Data Protection Regulation.<br />
<br />
The Danish Data Protection Agency has hereby emphasized that MaCom A / S continued to store the assignment answers in their entirety in their own, for the researchers, closed system, through which the individual data subjects could be identified. The purpose of the processing of the extracts of the assignment answers has been to avoid plagiarism and thereby ensure that a given answer is an expression of the test participant's own way of thinking, judgment and critical sense. The extracts from the assignment answers have thus been of such a scope that the plagiarism system should be able to recognize the individual answers from each other, which is why the extracts continued to have such a detailed character that, using additional information, they could be attributed to a specific registrant.<br />
<br />
The Danish Data Protection Agency also assumes that there has been no instruction from the data controller to MaCom A / S that a transfer may take place, just as the Authority assumes that there is no authority in the submitted data processor agreement for MaCom A / S to process information, in the form of assignment answers, with a view to disclosure.<br />
<br />
It follows from Article 28 (1) of the Data Protection Regulation 3, letter a, that a data processor may only process personal data in accordance with documented instructions from the data controller.<br />
<br />
On the basis of the above, the Danish Data Protection Agency finds that there are grounds for expressing serious criticism that MaCom A / S 'processing of personal data has not taken place in accordance with the rules in Article 28 (1) of the Data Protection Regulation. <br />
<br />
Third<br />
<br />
The Danish Data Protection Agency has hereby emphasized that personal data has been processed without the proper instructions from the data controller in question.<br />
<br />
When choosing the degree of criticism in an aggravating direction, the Danish Data Protection Agency has emphasized that MaCom A / S cannot account for the amount of information that has been made available or the number of times the transfer has taken place.<br />
<br />
In a mitigating direction, the Danish Data Protection Agency has emphasized that disclosure has taken place for scientific purposes and with a community service purpose, that it is a matter of disclosure of extracts, that disclosure has taken place by attendance on site and not by handing over the data, and that the disclosure has taken place in pseudonymised form.<br />
<br />
<br />
<br />
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General data protection regulation).<br />
</pre></div>MLhttps://gdprhub.eu/index.php?title=Datatilsynet_(Denmark)_-_2019-431-0045&diff=11004Datatilsynet (Denmark) - 2019-431-00452020-08-03T08:56:49Z<p>ML: Created page with "{{DPAdecisionBOX |Jurisdiction=Denmark |DPA-BG-Color= |DPAlogo=LogoDK.png |DPA_Abbrevation=Datatilsynet |DPA_With_Country=Datatilsynet (Denmark) |Case_Number_Name=2019-431-0..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Denmark<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoDK.png<br />
|DPA_Abbrevation=Datatilsynet<br />
|DPA_With_Country=Datatilsynet (Denmark)<br />
<br />
|Case_Number_Name=2019-431-0045<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Datatilsynet<br />
|Original_Source_Link_1=https://www.datatilsynet.dk/tilsyn-og-afgoerelser/afgoerelser/2020/jun/videregivelse-af-opgavebesvarelser<br />
|Original_Source_Language_1=Danish<br />
|Original_Source_Language__Code_1=DA<br />
<br />
|Type=Other<br />
|Outcome=<br />
|Date_Decided=<br />
|Date_Published=18.06.2020<br />
|Year=<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 6(1) GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR#1<br />
|GDPR_Article_2=Article 6(3) GDPR<br />
|GDPR_Article_Link_2=Article 6 GDPR#3<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Maria Lohmann<br />
|<br />
}}<br />
<br />
The Danish Data Protection Agency finds that passing on assignment answers to researchers without having received instructions from the data controller is a violation of data protection rules. Moreover, it held that answers to questions can be regarded as personal data, as there is a specific kind of answering so that a machine can associate respective authors.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
MaCom A / S has developed and provided the school administration system Lectio. As part of the operation of Lectio, MaCom A / S is the data processor for a number of upper secondary schools and business schools. MaCom A / S is processing answers of assignments.<br />
<br />
On 15 and 16 August 2019, respectively, the data controllers reported breaches of personal data to the Danish Data Protection Agency, as they had become aware that MaCom A / S had given researchers from the Department of Computer Science at the University of Copenhagen (hereinafter DIKU) access to information from assignments. The individual data controller had not been made aware of the disclosure and had not given permission for the disclosure.<br />
<br />
=== Dispute ===<br />
<br />
<br />
=== Holding ===<br />
In this decision, the Danish Data Protection Agency only decides whether a transfer of information has taken place without a documented instruction, cf. Article 28 (1) of the Data Protection Regulation. Thus, it has not decided whether MaCom could process information in accordance with Article 6 (3) (a), (1) (a) - (f).<br />
<br />
An answer to a question can be regarded as personal data, as defined in Article 4 (1) of the Data Protection Regulation, cf. Directive 95/45. It therefore follows from paragraph 37 that '… firstly, the content of that answer reflects the participant's knowledge and competence in a given field and, where appropriate, his thinking, judgment and critical sense'.<br />
<br />
However, the fact that the information has been disclosed for scientific purposes and for a societal purpose, that the researchers were given access on site (by attendance) rather than having the data handed over, and that the disclosure has taken place in pseudonymised form are mitigating circumstances.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.<br />
<br />
<pre><br />
Dissemination of assignment answers<br />
Published 18-06-2020<br />
Decision Private companies<br />
<br />
The Danish Data Protection Agency expresses serious criticism that a data processor for a number of upper secondary schools has passed on parts of the students' assignments.<br />
<br />
Journal number: 2019-431-0045<br />
Summary<br />
<br />
The Danish Data Protection Agency has made a decision in a case where three high schools have reported a breach of personal data security to the Danish Data Protection Agency regarding MaCom A / S, which as data processor has passed on parts of the students' assignments to researchers from the Department of Computer Science at the University of Copenhagen for development of plagiarism programs.<br />
<br />
In the decision, the Danish Data Protection Agency has established that MaCom has acted in violation of the data protection law rules by passing on extracts from assignment answers to the researchers without having received instructions to this effect from the data controllers.<br />
<br />
The Danish Data Protection Agency found that answers to questions can be regarded as personal data, as they are an expression of the respondent's thinking, judgment and critical sense. The Danish Data Protection Agency also found that extracts from assignment answers that are passed on for the purpose of developing plagiarism programs must be regarded as pseudonymised personal data, as the extracts must have qualities that can identify people on the basis of thinking, judgment and critical sense, and MaCom continued to keep the assignment answers in their entirety in another, closed, system, for which reason the extracts could be attributed to a particular data subject.<br />
<br />
In relation to the degree of seriousness, the Danish Data Protection Agency has in its assessment emphasized that MaCom could not account for the number of extracts that were disclosed or the number of times the disclosure took place. However, the Danish Data Protection Agency regards it as mitigating circumstances that the information has been disclosed for scientific purposes and for a societal purpose, that disclosure has taken place by attendance on site and not by handing over the data, and that the disclosure has taken place in pseudonymised form.<br />
<br />
Decision<br />
<br />
The Danish Data Protection Agency hereby returns to the case where the Authority, through three reports of breaches of personal data security in accordance with Article 33 of the Data Protection Ordinance [1], has become aware that MaCom A / S as data processor for a number of educational institutions (Paderup Gymnasium, Aalborg Katedralskole and Århus Akademi) (hereinafter the data controllers) has passed on information about students to researchers.<br />
<br />
In this decision, the Danish Data Protection Agency only decides whether a transfer of information has taken place without a documented instruction, cf. Article 28 (1) of the Data Protection Regulation. Thus, in this decision, the Danish Data Protection Agency has not taken a position on whether MaCom could process information in accordance with Article 6 (3) (a). 1, letters a-f, if MaCom A / S had been the data controller.<br />
<br />
Decision<br />
<br />
Following a review of the case, the Danish Data Protection Agency finds that there are grounds for expressing serious criticism that MaCom A / S 'processing of personal data has not taken place in accordance with the rules in Article 28 (1) of the Data Protection Regulation. Third<br />
<br />
Below is a more detailed review of the case and a justification for the Danish Data Protection Agency's decision.<br />
<br />
2. Case presentation<br />
<br />
It appears from the case that MaCom A / S has developed and delivered the operation of the school administration system Lectio. As part of the operation of Lectio, MaCom A / S is the data processor for a number of upper secondary schools and business schools, including the data controllers, e.g. in connection with the processing of assignment answers.<br />
<br />
On 15 and 16 August 2019, respectively, the data controllers reported breaches of personal data security to the Danish Data Protection Agency, as they had become aware that MaCom A / S had given researchers from the Department of Computer Science at the University of Copenhagen (hereinafter DIKU) access to information from assignments. The individual data controller had not been made aware of the disclosure and had not given permission for the disclosure.<br />
<br />
The disclosure of the information has taken place by the researchers having physical access to data / information in the form of excerpts from assignments in physical presence at MaCom A / S. The extracts of the assignment answers are stored in an electronic copy, which is stored on an independent and closed medium, which does not have access to MaCom A / S 'IT system and other data.<br />
<br />
It appears from the case that MaCom A / S does not have an overview of the amount of information that has been made available to the Department of Computer Science, or an overview of the number of times this has taken place, as the data / information in question has been deleted on an ongoing basis in the closed media / data room. The project at the Department of Computer Science has been running since the summer of 2016, with a planned completion in March 2020. It is over a year since the researchers in the project have had access to information, and they will not receive it as long as this case is pending.<br />
<br />
2.1. MaCom A / S ’comments<br />
On behalf of MaCom A / S, Therkildsen Advokater has generally stated that this is concrete data / information that does not contain personal information, and which it is also not possible in any way to attribute to one or more specific persons, which is why it is not personal data within the meaning of the Data Protection Regulation.<br />
<br />
MaCom A / S has noted that the scientific purpose of the disclosure has primarily been to develop effective algorithms that can detect plagiarism, for example in the case where a student has copied from a previously handed in assignment or got another person to write a report.<br />
<br />
In addition, MaCom A / S has stated that MaCom A / S makes new versions of the study administration system Lectio on a daily basis to ensure that the educational institutions that subscribe constantly live up to the requirements imposed. Functionality to expose plagiarism must be regarded as socially relevant, politically desirable and necessary to the educational institutions, which have a strong focus on exam cheating.<br />
<br />
Justification for the Danish Data Protection Agency's decision<br />
<br />
The Danish Data Protection Agency assumes that parts of the assignment answers from MaCom A / S have been passed on to researchers from DIKU.<br />
<br />
It follows from the judgment of the European Court of Justice of 20 December 2017 in C-434/16 (Peter Nowak case) that an answer to a question can be regarded as personal data, as defined in Article 4 (1) of the Data Protection Regulation, cf. Directive 95/45. It therefore follows from paragraph 37 that '… firstly, the content of that answer reflects the participant's knowledge and competence in a given field and, where appropriate, his thinking, judgment and critical sense'.<br />
<br />
On that basis, the Danish Data Protection Agency assumes that this is personal data, cf. Article 4 (1) of the Data Protection Regulation, when a task answer is processed in its entirety.<br />
<br />
It also follows from the judgment of the European Court of Justice of 19 October 2016 in C-582/14 (Breyer case), paragraph 40, that by identifiable person is meant a person who can be identified not only directly but also indirectly. It further follows from paragraph 44 of the judgment that the classification of information as personal data does not require that all the information enabling the data subject to be identified be held by a single person.<br />
<br />
On this basis, the Danish Data Protection Agency finds that MaCom A / S 'processing of the extracts of the assignment answers must be regarded as a processing of pseudonymised personal data, cf. Article 4, no. 5 of the Data Protection Regulation.<br />
<br />
The Danish Data Protection Agency has hereby emphasized that MaCom A/S continued to store the assignment answers in their entirety in its own system, which was closed to the researchers and through which the individual data subjects could be identified. The purpose of the processing of the extracts of the assignment answers has been to avoid plagiarism and thereby ensure that a given answer is an expression of the test participant's own way of thinking, judgment and critical sense. The extracts from the assignment answers have thus been of such a scope that the plagiarism system should be able to distinguish the individual answers from each other, which is why the extracts continued to have such a detailed character that, using additional information, they could be attributed to a specific data subject.<br />
The Danish Data Protection Authority also assumes that there has been no instruction from the data controller to MaCom A/S that a transfer may take place, just as the Authority assumes that there is no authority in the submitted data processor agreement for MaCom A/S to process information, in the form of assignment answers, with a view to disclosure.<br />
<br />
It follows from Article 28(3), letter a, of the Data Protection Regulation that a data processor may only process personal data in accordance with documented instructions from the data controller.<br />
<br />
On the basis of the above, the Danish Data Protection Agency finds that there are grounds for expressing serious criticism that MaCom A/S's processing of personal data has not taken place in accordance with the rules in Article 28(3) of the Data Protection Regulation.<br />
<br />
<br />
The Danish Data Protection Agency has hereby emphasized that personal data has been processed without the proper instructions from the data controller in question.<br />
<br />
As an aggravating factor in choosing the degree of criticism, the Danish Data Protection Agency has emphasized that MaCom A/S cannot account for the amount of information that has been made available or the number of times the transfer has taken place.<br />
<br />
In a mitigating direction, the Danish Data Protection Agency has emphasized that disclosure has taken place for scientific purposes and with a community service purpose, that it is a matter of disclosure of extracts, that disclosure has taken place by appearance and not by extradition, and that the disclosure has taken place in pseudonymised form. <br />
<br />
<br />
<br />
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).<br />
</pre></div>MLhttps://gdprhub.eu/index.php?title=VGH_Baden-W%C3%BCrttemberg_-_1_S_1739/20&diff=10983VGH Baden-Württemberg - 1 S 1739/202020-07-30T10:12:14Z<p>ML: Created page with "{{COURTdecisionBOX |Jurisdiction=Germany |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=VGH Mannheim |Court_With_Country=VGH Mannheim (Germany) |Case_Number..."</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Germany<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=VGH Mannheim<br />
|Court_With_Country=VGH Mannheim (Germany)<br />
<br />
|Case_Number_Name=1 S 1739/20<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Landesrechtsprechung Baden-Württemberg<br />
|Original_Source_Link_1=http://lrbw.juris.de/cgi-bin/laender_rechtsprechung/document.py?Gericht=bw&GerichtAuswahl=Verwaltungsgerichte&Art=en&Datum=2020&nr=31735&pos=0&anz=206<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
<br />
|Date_Decided=25.06.2020<br />
|Date_Published=<br />
|Year=2020<br />
<br />
|GDPR_Article_1=Article 5 GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR<br />
|GDPR_Article_2=Article 6(1) GDPR<br />
|GDPR_Article_Link_2=Article 6 GDPR#1<br />
|GDPR_Article_3=Article 9(1) GDPR<br />
|GDPR_Article_Link_3=Article 9 GDPR#1<br />
<br />
<br />
|National_Law_Name_1=Article 2 (2) Grundgesetz (GG)<br />
|National_Law_Link_1=https://www.gesetze-im-internet.de/gg/BJNR000010949.html<br />
|National_Law_Name_2=Article 2 (1) in conjunction with Article 2 (2) Grundgesetz (GG)<br />
|National_Law_Link_2=https://www.gesetze-im-internet.de/gg/BJNR000010949.html<br />
|National_Law_Name_3=§ (1) Verordnung der Landesregierung über infektionsschützende Maßnahmen gegen die Ausbreitung des Virus SARS-CoV-2 (Corona-Verordnung - CoronaVO)<br />
|National_Law_Link_3=https://www.baden-wuerttemberg.de/en/service/aktuelle-infos-zu-corona/aktuelle-corona-verordnung-des-landes-baden-wuerttemberg/<br />
|National_Law_Name_4=§ 2 (3) Corona-Verordnung Gaststätten - CoronaVO Gaststätten<br />
|National_Law_Link_4=https://www.baden-wuerttemberg.de/en/service/aktuelle-infos-zu-corona/verordnung-gastronomie/<br />
|National_Law_Name_5=§ 47 (6) Verwaltungsgerichtsordnung (VwGO) - Code of Administrative Court Procedure<br />
|National_Law_Link_5=https://www.gesetze-im-internet.de/englisch_vwgo/index.html<br />
|National_Law_Name_6=§ 32, § 28 (1) Infektionsschutzgesetz (IfSG) - Law on the Protection of Infections<br />
|National_Law_Link_6=https://www.gesetze-im-internet.de/ifsg/<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Maria Lohmann<br />
|<br />
}}<br />
<br />
The court holds that the obligation to provide contact details in restaurants during the corona pandemic is legitimate in summary review.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Due to the Corona pandemic, the Land Baden-Württemberg issued a regulation with measures to contain the Corona virus as well as a special regulation for restaurants and the like.<br />
<br />
Among other things, these regulations oblige guests to leave contact details when visiting a restaurant.<br />
<br />
=== Dispute ===<br />
A data subject complained about the obligation under these regulations to provide contact details when visiting a restaurant, stating that the processing of special categories of data according to Article 9 (1) GDPR is neither proportionate nor necessary, as there are less restrictive measures, such as shorter opening hours, restrictions on how many people can be in a restaurant at the same time, and the voluntary provision of data for contact tracing. Moreover, the data subject claimed that the personal data is not sufficiently protected, as restaurant personnel is not trained and changes frequently. Additionally, the data subject argued that the data retention period of four weeks is too long.<br />
<br />
=== Holding ===<br />
The obligation to provide contact details when visiting restaurants, as regulated in § 2 (3) CoronaVO Gaststätten, is likely to be constitutional and compatible with the provisions of the General Data Protection Regulation (GDPR).<br />
<br />
== Comment ==<br />
This holding concerns only the request for an interim measure according to Article 47 (6) Code of Administrative Court Procedure. A decision on the application for review of the disputed legal basis may still be taken in the main proceedings.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
<br />
VGH Baden-Württemberg Decision of 25.6.2020, 1 S 1739/20<br />
<br />
The obligation to wear masks and to provide contact details in restaurants during the corona pandemic is clearly legitimate in summary review<br />
<br />
Guiding Principles<br />
<br />
The obligation to provide contact details when visiting restaurants, as regulated in § 2 (3) CoronaVO Gaststätten, is likely to be constitutional and compatible with the provisions of the General Data Protection Regulation.<br />
<br />
Tenor<br />
<br />
The motion is defeated.<br />
<br />
The applicant is ordered to pay the costs.<br />
<br />
The amount in dispute is fixed at EUR 10,000.<br />
<br />
Reasons<br />
<br />
I.<br />
1 <br />
<br />
In the present proceedings, the applicant objects, pursuant to Paragraph 47(6) of the VwGO (German Rules of the Administrative Courts), - if interpreted correctly - to the third sentence of Paragraph 3(1) of the Ordinance of the Land Government on infection-protection measures against the spread of the SARS-CoV-2 virus (Corona Ordinance - CoronaVO) of 9 May 2020 (in the version valid from 15 June 2020), last amended by Article 1 of the Third Ordinance of the Federal State Government amending the Corona Ordinance of 9 June 2020, according to which persons aged six or over must, in order to protect other persons against the spread of the SARS-CoV-2 virus, (1.) in public transport, on train and bus platforms, in the waiting area of passenger ship landing stages as well as in airport buildings and (2.) in the salesrooms of shops and generally in shopping centres wear a non-medical everyday mask or a comparable mouth and nose cover, unless this is unreasonable for medical or other compelling reasons or unless there is no other at least equivalent structural protection (so-called mask obligation).<br />
2 <br />
<br />
Furthermore, the applicant contests Section 2(3) of the Ordinance of the Ministry of Social Affairs and the Ministry of Economic Affairs on the containment of transmissions of the corona virus (SARS-CoV-2) in restaurants (Corona Ordinance Restaurants - CoronaVO Restaurants) of 16 May 2020 (in the version applicable from 2 May 2020). Last amended by the Ordinance of the Ministry of Social Affairs and the Ministry of Economics amending the Corona Ordinance on Restaurants of 28 May 2020, according to which guests may only visit restaurants if they provide the operator with complete and accurate personal contact data.<br />
3 <br />
<br />
The applicant submits that the obligation to wear a mouth and nose protector infringes her right to physical integrity under Article 2.2 sentence 1 of the Basic Law; after only a short time she suffers health impairments in the form of headaches and dizziness, and is deprived of the air she needs to breathe. The obligation was unlawful, since it was not based on a suitable basis for authorisation and was otherwise disproportionate. Furthermore, for the same reasons, her fundamental right to personal freedom (Article 2.2 sentence 2 of the Basic Law) and her general right of personality (Article 2.1 of the Basic Law in conjunction with Article 1.1 of the Basic Law) were violated.<br />
4 <br />
<br />
The obligation to collect and store data when visiting restaurants or the ban on visiting restaurants if the data is not provided violates her fundamental rights to informational self-determination, to personal freedom and to freedom of occupation. § 28, Subsection 1, Sentence 1, IfSG was not a suitable basis for authorization in this regard either. Furthermore, the fundamental rights may not be restricted by a statutory instrument. There was an encroachment on the freedom of occupation, since the applicant was professionally self-employed, depended on constant contact with her business partners throughout Germany and undertook permanent business trips. Meetings often took place in restaurants.<br />
5 <br />
<br />
In addition, Paragraph 2(3) of the CoronaVO infringes the provisions of the General Data Protection Regulation (DSGVO). Art. 9 para. 1 DSGVO stipulates that the processing of personal data from which, inter alia, racial and ethnic origin is derived is prohibited. The surname/first name and address of persons regularly reveal such data. Furthermore, there was a violation of Article 5 DSGVO; the measure was not necessary and appropriate for the purpose. The storage period was too long and the persons concerned had no security whatsoever with regard to their personal data. Finally, the conditions for the processing of data under Article 6(1) DSGVO were not fulfilled. There was no consent of the applicant, the measure was neither necessary nor appropriate. There were milder means, e.g. notification to public authorities of visits to restaurants, voluntary submission of data, the insertion of partitions, shorter opening hours for restaurants, a minimum number of persons, the other hygiene and distance requirements under the CoronaVO. In addition, the four-week deletion period is too long. The SARS-CoV-2 virus is no more serious than the influenza virus. Moreover, collateral damage, especially in the catering and hotel industry, must be avoided by ensuring that guests do not stay away. Especially the leaving of personal data in restaurants could not only allow conclusions to be drawn about the individual person, but also about sensitive networks of people, which would increase criminal energy. Due to the high fluctuation of personnel in the catering industry, a large number of people could gain access to the data. The restaurant staff is not trained in data protection and is completely inexperienced, so that there is not sufficient protection of personal data.<br />
6 <br />
<br />
The defendant opposed the application for interim measures. Among other things, he asserts, with more detailed reasons in each case, that, contrary to the submissions made in the application, the provision of the order on the so-called duty to wear a mask does not encroach in an unconstitutional way on the fundamental rights to general freedom of action and physical integrity. In particular, there is a sufficient basis for authorisation that satisfies the parliamentary reservation. The obligation to wear a mouth-nose cover was also proportionate.<br />
7 <br />
<br />
The obligation to provide personal data when entering a restaurant under Section 2(3) of the CoronaVO Gaststätten was not objectionable. The provision was based on a sufficient basis of authorisation, was compatible with Union law under the General Data Protection Regulation and was constitutionally unobjectionable. In particular, the interference with the applicant's right to informational self-determination was justified, since it served to contain the corona virus and thus to protect the life and health of the population.<br />
8 <br />
<br />
Reference is made to the pleadings exchanged and the annexes for further details of the facts of the case and the dispute.<br />
II.<br />
9 <br />
<br />
The Senate shall decide on the application for a temporary injunction pursuant to § 47.6 VwGO with three judges (§ 9.3 sentence 1 half-sentence 1 VwGO). The composition rule in § 4 AGVwGO is not applicable to decisions under § 47.6 VwGO (VGH Bad.-Württ., decision of 15 December 2008 - GRS 1/08 - ESVGH 59, 154).<br />
10 <br />
<br />
1. The application under Article 47(6) of the VwGO is admissible.<br />
11 <br />
<br />
An application pursuant to Article 47 (6) VwGO is admissible if an application for review of a statute which has been or is to be filed in the main proceedings is likely to be admissible pursuant to Article 47 (1) VwGO (cf. on this requirement Ziekow, in: Sodan/Ziekow, VwGO, 5th ed., Article 47 marginal no. 387) and the separate requirements for admissibility of the application pursuant to Article 47 (6) VwGO are fulfilled.<br />
12 <br />
<br />
a) The admissibility of the application in the main proceedings follows from § 47 (1) no. 2 VwGO, § 4 AGVwGO. According to this, the Administrative Court also decides outside the scope of application of § 47.1 No. 1 VwGO on the validity of legal provisions ranking below the Land law. These include ordinances of the state government.<br />
13 <br />
<br />
b) The one-year period of § 47 Para. 2 Sentence 1 VwGO has been observed.<br />
14 <br />
<br />
(c) The applicant is entitled to file an application. Any natural or legal person who can claim that their rights have been infringed or will be infringed in the foreseeable future by the legal provision or its application has the right to file an application pursuant to § 47 (2) sentence 1 VwGO. It is sufficient if the asserted violation of rights appears possible (see Senate, Urt. v. 29.04.2014 - 1 S 1458/12 - VBlBW 2014, 462, with numerous proofs). According to this standard, the authority to file an application exists. It is possible that the applicant's general right of personality and her right to informational self-determination (Article 2.1 in conjunction with Article 1.1 of the Basic Law) have been violated.<br />
15 <br />
<br />
(d) There is an interest in bringing proceedings. If her application is successful, the applicant could improve her legal position.<br />
16 <br />
<br />
2. However, the application under Article 47(6) of the VwGO is not justified.<br />
17 <br />
<br />
Pursuant to § 47 (6) VwGO, the Administrative Court may, upon application, issue a temporary injunction if this is urgently required to ward off serious disadvantages or for other important reasons. The standard of review in proceedings under § 47 Para. 6 VwGO is first of all the prospects of success of the application for review of the statute in the main proceedings, insofar as these can already be foreseen in proceedings for interim relief. If the application for a review of a statute is thereafter likely to be inadmissible or unfounded, the issuance of an interim injunction is not urgently required within the meaning of § 47 (6) VwGO to avert serious disadvantages or for other important reasons. If this examination shows that an application for a review of a statute is likely to be well-founded in the main proceedings, this is an essential indication that the execution of the statute or legal provision in dispute is to be suspended. In this case, a temporary injunction may be issued if the (further) execution of the legal provision prior to a decision in the main proceedings gives rise to the fear of disadvantages which, taking into account the interests of the applicant, affected third parties and/or the general public, are so important that a provisional regulation cannot be postponed with regard to the effectiveness and practicability of a decision in the main proceedings which is favourable to the applicant. If the prospects of success of the review proceedings cannot be assessed, a decision on the issue of a temporary injunction applied for must be made by way of a weighing of consequences: The consequences which would occur if a temporary injunction were not issued but the application for review of the statute would be successful must be compared with the disadvantages which would arise if the requested temporary injunction were issued but the application under § 47 (1) VwGO remained unsuccessful. 
The considerations in favour of issuing the temporary injunction must clearly outweigh the conflicting interests, i.e. be so serious that the issuing of the temporary injunction is urgently required - despite the open prospects of success in the main case (BVerwG, decision of 25 February 2015 - 4 BoD 5.14 -, ZfBR 2015, 381; decision of 16 September 2015 - 4 BoD 2/15 -, juris; VGH Bad. Württ., resolution of 09.08.2016 - 5 S 437/16 -, juris with further details; resolution of 13.03.2017 - 6 S 309/17 - juris). With these prerequisites, § 47.6 VwGO sets considerably stricter requirements for the suspension of the enforcement of a sub-statutory provision than § 123 VwGO otherwise sets for the issuing of a temporary injunction (BVerwG, decision of 18 May 1998 - 4 VR 2/98 - NVwZ 1998, 1065).<br />
18 <br />
<br />
Measured against these standards, the applicant's application for immediate exemption from the obligation to use a mask pursuant to Section 3(1) sentence 3 CoronaVO (see a)) and the obligation to provide personal data when visiting a restaurant pursuant to Section 2(3) CoronaVO Gaststätten (see b)) was unsuccessful.<br />
19 <br />
<br />
a) With resolutions of 13 May 2020 - 1 S 1314/20 - and of 18 May 2020 - 1 S 1417/20 - the Senate rejected applications under § 47.6 VwGO, which were also directed against § 3.1 sentence 3 CoronaVO, and explained the reasons for its rejection:<br />
20 <br />
<br />
"(a) The application for review of a statute directed against Section 3 (1) sentence 3 CoronaVO is unlikely to succeed (aa). The issue of a temporary injunction is also not required in the above sense (bb).<br />
21 <br />
<br />
aa) The application for a review of the law directed against Section 3 (1) sentence 3 CoronaVO will in all probability remain unsuccessful. The provision is likely to be consistent with higher-ranking law.<br />
22 <br />
<br />
Section 3 (1) sentence 3 CoronaVO stipulates that persons from the age of six years or older must wear a non-medical everyday mask or a comparable mouth-nose cover to protect other persons against the spread of the SARS-CoV-2 virus (firstly) in public transport, on railway and bus platforms and in airport buildings and (secondly) in the salesrooms of shops and generally in shopping centres, unless this is unreasonable for medical or other compelling reasons or unless there is no other at least equivalent structural protection. The applicant has not raised any serious objections to the legality of this provision and no such objections are apparent.<br />
23 <br />
<br />
(1) For the regulation in Section 3 (1) sentence 3 CoronaVO there is probably a sufficient legal basis in Section 32 sentence 1 in conjunction with Section 28(1) IfSG. If - as is indisputably the case with the coronavirus - a transmissible disease has been identified, then according to § 32 sentence 1 in conjunction with § 28 para. 1 IfSG, the necessary protective measures to prevent the spread of the disease can be taken by a decree of the state government. There are no serious objections to the definiteness of this standard.<br />
24 <br />
<br />
(2) The basis of authorization in § 32 sentence 1 in conjunction with Section 28(1) IfSG should also satisfy the reservation of the Act in its manifestation as a parliamentary reservation for the fundamental requirement of wearing mouth and nose covers in certain public areas regulated in Section 3(1) sentence 3 CoronaVO (for the requirements, cf. BVerfG, Order of 14 March 1989 - 1 BvR 1033/82 and others - BVerfGE 80, 1, 20; Order of 21 April 2015 - 2 BvR 1322/12 and others - BVerfGE 139, 19; also drawn up by the Senate, Order of 9 April 2020 - 1 S 925/20 - with further references). For the legislature itself has expressly provided in § 28.1 sentence 1 half-sentence 2 IfSG that the competent authority, under the preconditions of half-sentence 1, may in particular oblige persons to enter places or public places designated by it only under certain conditions (see on a prohibition under ordinance of gatherings and all gatherings of persons that favour the spread of pathogens, cf. Senate, decision of 09.04.2020, loc. cit.)<br />
25 <br />
<br />
(3) Probably without success, the applicant submits that the Infection Protection Act contains only general clauses which do not cover measures against - as in her case - (presumably) healthy persons.<br />
26 <br />
<br />
As the Senate has already decided (resolution of 23.04.2020 - 1 S 1046/20 - and, in detail, decision of 09.04.2020, loc. cit.), § 28 para. 1 IfSG authorises, according to its wording, its meaning and purpose and the will of the legislator, to take measures also against non-disturbing persons. This is also assumed by the highest court rulings (see BVerwG, judgment of 22 March 2012 - 3 C 16/11 - BVerwGE 142, 205, 213). It is beyond question that there are people suffering from the coronavirus at all and that the requirements of § 28.1 IfSG are met in this respect. Moreover, it should be noted that a large number of transmissions of the SARS-CoV-2 virus can already take place in the pre-symptomatic phase or even by completely symptom-free carriers. Therefore, the question arises whether a differentiation between interfering and noninterfering agents in the case of SARS-CoV-2 is at all appropriate (see Senate, decision of 23.04.2020, ibid., etc., at https://www.rki.de/DE/Content/InfAZ/N/Neuartiges_Coronavirus/Steckbrief.html#doc13776792bodyText20 [No. 20]). Nor does Section 28 para. 1 IfSG contain a limitation to short-term measures only. An interpretation to this effect would be incompatible with the wording of the provision and with the purpose of combating - often not short-term - infections.<br />
27 <br />
<br />
Nor can the applicant successfully argue that the Infektionsschutzgesetz does not in any event provide a legal basis for imposing a so-called mask obligation on all citizens, because under Paragraph 20(6), first sentence, IfSG 'even' compulsory vaccination cannot be ordered for the entire population, but only for 'threatened parts' of it. The a fortiori conclusion drawn by the applicant does not hold. It overlooks the fact that compulsory vaccination is associated with a serious encroachment on the fundamental right to physical integrity (Article 2.2 sentence 1 of the Basic Law) of the persons affected (see accordingly § 20.14 IfSG). The encroachments on the fundamental rights of the norm addressees associated with § 3.1 sentence 3 CoronaVO, namely on their general right of personality and general freedom of action (see below (4)), do not weigh more heavily in comparison, as the applicant suggests ("even"), but less heavily. Irrespective of this, the applicant's assumption that § 28.1 IfSG does not permit orders under infection protection law - in this case for the wearing of a mouth-nose cover - to be issued to all members of the population, even if the factual requirements in the first half of the first sentence are fulfilled, is fundamentally incompatible with the wording of the provision and its meaning and purpose, if this measure proves to be proportionate.<br />
28 <br />
<br />
(4) The fundamental requirement to wear mouth and nose covers in certain public areas, as regulated in § 3 para. 1 sentence 3 CoronaVO, is presumably also in accordance with constitutional law and, in particular, currently satisfies the principle of proportionality.<br />
29 <br />
<br />
(a) There is in all probability no unconstitutional encroachment on the applicant's general right of personality protected by fundamental rights (Article 2.1 in conjunction with Article 1.1 of the Basic Law).<br />
30 <br />
<br />
The general right of personality protects in particular the individual's right of self-determination with regard to the presentation of his or her personal image of life and character (BVerfG, decision of 14 January 2020 - 2 BvR 1333/17 - NJW 2020, 1049). The individual should be allowed to decide for himself or herself how he or she wishes to present himself or herself to third parties or the public and what should constitute his or her claim to social validity (BVerfG, resolution of 14 January 2020, loc. cit., and of 3 November 1999 - 2 BvR 2039/99 - NJW 2000, 1399). The defendant encroaches on this scope of protection by means of § 3.1 sentence 3 CoronaVO. This is because the applicant is thereby required to partially conceal her face behind a mask in certain public areas. This affects her decision, which is to be respected as an expression of her personal identity, not to cover her face in public either wholly or in part (see BVerfG, Order of 14 January 2020, loc. cit.).<br />
31 <br />
<br />
However, this encroachment on the applicant's general right of personality is in all likelihood justified, in particular proportionate.<br />
32 <br />
<br />
(aa) Section 3(1) sentence 3 CoronaVO serves a legitimate purpose. The legislature thus pursues the objective of protecting the life and physical integrity of a potentially very large number of people and thus fulfilling the state's duty of protection under Article 2.2 sentence 1 of the Basic Law by preventing new infections with the corona virus as far as possible and at least slowing down the spread of the virus (see Senate, decision of 23 April 2020, loc. cit.)<br />
33 <br />
<br />
(bb) In order to achieve this objective, the means chosen by the legislature to require the wearing of a mouth-nose cover in the public areas mentioned in Section 3(1) sentence 3 CoronaVO, namely in public transport and in salesrooms, is likely to be suitable.<br />
34 <br />
<br />
A law is suitable if it can be used to promote the desired success, whereby the legislature has a margin of discretion in assessing suitability (see BVerfG, Order of 20 June 1984 - 1 BvR 1494/78 - BVerfGE 67, 157, 173 et seq.; Order of 9 March 1994 - 2 BvL 43/92 and others - BVerfGE 90, 145, 172 et seq.)<br />
35 <br />
<br />
This requirement is likely to be met by the so-called mask requirement in Section 3(1) sentence 3 CoronaVO. The spread of the novel corona virus has been classified as a pandemic by the WHO. Experience in other countries shows that the exponential spread of the virus, which is particularly easy to transmit from person to person, especially by droplet infection, can only be contained by strictly minimising personal contact between people. As has been shown, the imperative in § 3 (1) sentence 3 CoronaVO aims to slow down the spread of the corona virus by preventing new infections. The obligation to wear a mouth-and-nose covering in the public areas mentioned can probably contribute to achieving this goal.<br />
36 <br />
<br />
Without success, the applicant submits that at present it has not been 'proven' that - and is doubted by well-known representatives of the medical profession whether - the wearing of simple mouth and nose covers (MNB, also known as everyday masks) is at all suitable for reducing new infections. The legislature probably did not leave the scope for assessment to which it was entitled when creating § 3.1 sentence 3 CoronaVO if it assumed that the requirement laid down in it contributed to preventing new infections. The Robert Koch Institute, which is appointed pursuant to § 4 IfSG for the early detection and prevention of the further spread of infections and the corresponding analyses and research, has reached the following summarising assessment in knowledge of the differences between MNBs on the one hand and medical oral hygiene products (MNS) on the other hand, also taking into account the fact that the effectiveness of the masks is currently assessed in detail in the professional world, in part differently, against the background of the still limited empirical findings, and after an assessment of the studies currently available:<br />
37 <br />
<br />
As observations from outbreak investigations and modelling studies show, the rapid spread of SARS-CoV-2 is due to a high proportion of diseases that initially start with only mild symptoms without restricting the patients in their daily activities. Already 1 - 3 days before the onset of symptoms, high virus quantities can be excreted. A partial reduction of this unnoticed transmission of infectious droplets by carrying MNB could contribute to a further slowing down of the spread at population level. This applies to transmission in public places where several people meet and stay for a longer period of time (e.g. workplace) or where the physical distance of at least 1.5 m cannot always be maintained (e.g. shopping situation, public transport). Activities involving many or closer contacts are of particular importance here. Since the source of infection is unknown in many cases, unnoticed excretion of the virus in these cases can be detected neither by a change in behaviour (such as self quarantine) nor by early testing, since the beginning of infectivity is unknown. For this reason, the wearing of MNBs in public places can be effective in reducing transmissions, especially if as many people as possible participate. It must be taken into account that there are people who cannot tolerate the higher breathing resistance when wearing masks due to previous illnesses.<br />
38 <br />
<br />
In order to achieve a sustainable reduction in the rate of spread of COVID-19 in the population and a decrease in the number of new cases as quickly as possible, it is necessary to use several components that complement each other (see 2nd Strategy Update). The effectiveness of the measures taken and their undesirable effects must always be carefully weighed against each other. In the system of different measures, a situation-dependent general carrying of MNBs (or of MNS if production capacity allows) in the population is another component to reduce transmissions'. (RKI, Epidemiologisches Bulletin 19/2020 of 14.04.2020, p. 4 f.; in the same vein, "Does it make sense to wear a mouth-nose cover in the public to protect against SARS-CoV-2?", FAQ at https://www.rki.de, last accessed on 13.05.2020).<br />
39 <br />
<br />
Against the background of this assessment, which takes into account the current state of knowledge and research and is justified in a comprehensible manner, the legislator can currently, without legal error, regard the order of a so-called mask obligation for public passenger transport and sales outlets as a suitable means of preventing chains of infection (as a result, BayVGH, decision of 07.05.2020 - 20 NE 20.926 - [PM]; HessVGH, decision of 06.05.2020 - 8 B 1153/2020.N - [PM]; VG Saarland, decision of 30.04.2020 - 6 L 452/20 - juris; VG Mainz, decision of 28.04.2020 - 1 L 276/20.MZ - juris; left open by NdsOVG, decision of 05.05.2020 - 13 MN 119/20 - juris).<br />
40 <br />
<br />
Nor is the applicant able to call into question the suitability of Paragraph 3(1), third sentence, of the Corona Ordinance to achieve the abovementioned objective by its objections that wearing the mask does not prevent the spread of the corona virus but, on the contrary, promotes it, inter alia, by creating a deceptive feeling of safety and the risk of the virus collecting on the mask and spreading further if used improperly. These concerns can be countered by providing information on the proper use of mouth and nose covers (see BayVGH, decision of 07.05.2020, loc. cit.; VG Saarland, decision of 30.04.2020, loc. cit.). A similar information campaign is (also) already being carried out by state agencies (cf. only - with numerous further references - RKI, "Does it make sense to wear a mouth and nose cover in public to protect against SARS-CoV-2?"). It is possible and reasonable for the norm addressees to obtain information on the correct handling of the norm from generally accessible sources (see VG Mainz, decision of 28 April 2020, loc. cit.).<br />
41 <br />
<br />
Also unsuccessful in this connection, in all likelihood, are the applicant's objections that the imposition of the so-called mask requirement in Paragraph 3(1)(3) of the Corona Ordinance would lead to considerable negative effects in other areas, such as a higher climate impact if people switched to their cars or regress in video surveillance of public places. In this line of argument, the applicant loses sight of the legitimate objective pursued by the legislature. As has been shown, this consists in protecting the life and physical integrity of a potentially very large number of people and thus fulfilling the state's duty of protection under Article 2.2 sentence 1 of the Basic Law by preventing new infections with the coronavirus as far as possible. The suitability of the so-called mask obligation to achieve this objective is not called into question by the fact that the measure may entail disadvantages in other areas of life.<br />
42 <br />
<br />
The applicant's supplementary objection, which is probably also raised against the suitability of the measure, that there would be dangers in road traffic if people there wore a mask, is also unsuccessful. This argument already misses the provision challenged by the applicant. For Paragraph 3(1), third sentence, of the CoronaVO does not contain a requirement to wear a mouth-nose cover when driving a motor vehicle.<br />
43 <br />
<br />
(cc) In order to achieve the above-mentioned objective, the means chosen by the legislator of a general requirement to wear mouth and nose covers in the public areas mentioned is likely to be necessary.<br />
44 <br />
<br />
A statute is necessary if the legislature could not have chosen another equally effective means that would not have restricted the fundamental right or would have restricted it to a lesser extent, whereby the legislature also has a margin of discretion in this respect (see BVerfG, decision of 20 June 1984, loc. cit. and of 9 March 1994, loc. cit.). The applicant has not shown such equally effective but less restrictive means, and it is unlikely that such means are recognisable in any other way.<br />
45 <br />
<br />
Without success, the applicant submits in particular that the health care system in Germany is no longer in any concrete danger of being overburdened by a large number of people who fall ill at the same time. In making this objection, it overlooks, first, the fact that the legitimate aim of the legislature is not only to avoid overburdening the health system, but also to reduce the number of new infections, irrespective of that, because of the potentially fatal course of the disease and the current lack of medicinal treatment options. Irrespective of this, the Senate does not currently share the applicant's assessment of the risks to the health care system. In its most recent risk assessment (management report of 12.05.2020, last accessed on 13.05.2020, emphasis in original), the RKI arrives at the following - comprehensibly justified - opinion:<br />
46 <br />
<br />
This is a very dynamic and serious situation worldwide and in Germany. In some cases the course of the disease is severe, even fatal. The number of newly transmitted cases in Germany is declining. The risk to the health of the population in Germany is currently estimated to be high overall and very high for risk groups. The probability of severe disease progression increases with increasing age and existing pre-existing conditions. This risk varies from region to region. The burden on the health care system depends largely on the regional spread of the infection, the available capacities and the countermeasures taken (isolation, quarantine, physical distance) and can be very high locally. This assessment may change in the short term due to new findings'.<br />
47 <br />
<br />
Also unsuccessful is the applicant's objection that there are milder means in comparison to the so-called mask obligation regulated in Section 3 (1) sentence 3 CoronaVO, such as a ban on mass events, compliance with the rules on distance and hygiene, as well as targeted measures to protect the risk groups and self-protection of the latter. These measures may also be suitable to contribute to the achievement of the objective pursued by the legislator. However, the legislature does not exceed its scope of assessment if it assumes that such measures - and the other measures currently ordered in the Corona Ordinance - are not as effective on their own as the additional order of an obligation to wear mouth and nose covers in public areas where people typically gather in large numbers and in close proximity to each other and in which they therefore give rise to particular risks of infection and may be exposed to such risks.<br />
48 <br />
<br />
(dd) At the time of the present Senate decision, the means chosen by the legislature to achieve the aforementioned objective, a so-called mask obligation, is also still deemed to be proportionate in the narrower sense (appropriate).<br />
49 <br />
<br />
The encroachment on the applicant's general right of personality under Article 2 para. 1 in conjunction with Article 1.1(1) of the Basic Law is of certain weight. Because of the challenged provision of the ordinance, she cannot enter some important public areas without first putting on a mouth-and-nose cover and thus covering her face. She has credibly and comprehensibly demonstrated that she thereby sees her personal identity - which is to be respected in the court proceedings - subjectively considerably impaired.<br />
50 <br />
<br />
However, this is in contrast to the equally serious consequences for life and limb of a large number of people affected by the coronavirus and the associated maintenance of the efficiency of the German health care system. Even after the restriction measures that have been in place since mid-March and a noticeable decrease in the rate of infection, there is still the danger that without contact restrictions the rate of infection will increase again very quickly and that the health care system will be overloaded (see above (bb) and in addition Senate, decision of 09.04.2020 - 1 S 925/20 -, of 28.04.2020 - 1 S 1068/20 -, and of 30.04.2020 - 1 S 1101/20 -, each with further references). In view of this, the provision in Section 3 (1) sentence 3 CoronaVO on the so-called mask obligation is likely to be proportionate in the narrower sense. This applies all the more so as the adverse consequences for the persons affected are somewhat mitigated by the fact that the provision contains a reservation of reasonableness and exceptional provisions ("if this is not unreasonable for medical reasons or other compelling reasons or if there is no other at least equivalent structural protection"). In addition, the measure only affects a spatially and temporally limited part of public life and the persons affected can to a certain extent avoid the interventions in a reasonable manner, for example by temporarily refraining from using public transport in favour of other means of transport, as the applicant also considered, and by reducing personal purchases by reducing the frequency and using long-distance trade offers (similar to the decision of the Mainz Administrative Court of 28 April 2020, loc. cit.).
The order of the so-called mask obligation is also subject, as a permanent intervention measure, to the obligation of the federal state government to continuously review, in particular, how effective the measure is with regard to slowing down the spread of the coronavirus and what effect it has on those affected. It is in no way apparent that the state government has not yet complied with this obligation (similar to other company closure orders OVG Bln.-Bdbg., resolution of 23.03.2020 - 11 S 12/20 - juris; BayVGH, resolution of 30.03.2020 - 20 CS 20.611 - juris). With the entry into force of the Fifth, Sixth and Seventh Corona Ordinance and the new ordinance adopted on 9 May 2020 by way of a de facto eighth amendment, the state government, in response to the lower numbers of new infections, has made possible initial relaxation of the overall package of measures initially taken from March 2020 (see already Senate, decision of 28 April 2020 - 1 S 1068/20 -).<br />
51 <br />
<br />
(b) The applicant's human dignity, which is inviolable under Article 1 (1) of the Basic Law, is also not violated by Section 3 (1) sentence 3 of the Corona Regulation.<br />
52 <br />
<br />
Starting from the idea that man determines and develops himself in freedom (see BVerfG, judgment of 30 June 1999 - 2 BvE 2/08 et al. - BVerfGE 123, 267 <413> with further references), the guarantee of human dignity includes in particular the preservation of personal individuality, identity and integrity (cf. BVerfG, judgment of 17 January 2017 - 2 BvB 1/13 - BVerfGE 144, 20 <207>). This is associated with a social claim to value and respect, which prohibits making the person a "mere object" of state action or exposing him or her to treatment that fundamentally calls into question his or her subject quality (see BVerfG, judgment of 17.01.2017, loc. cit.). The applicant is not exposed to such treatment, which degrades her to an object, by the requirement to put on a mouth-nose cover in certain public areas to protect others from a potentially fatal disease.<br />
53 <br />
<br />
(c) An unconstitutional encroachment on the applicant's fundamental right to life and physical integrity (Article 2.2 sentence 1 of the Basic Law) is in all probability also not present.<br />
54 <br />
<br />
Without success, she claims that the use of mouth-nose covers poses health risks because viruses and other pathogens can collect on them. It is neither stated in her unfounded submission in this regard nor is it otherwise apparent that the use of the above-mentioned covering, which as a rule will be for short periods of time in each case, could, if used properly, give rise to serious health risks for healthy norm addressees. Each wearer should be able to sufficiently influence the hygiene concerns that may arise from the use of his or her own mouth and nose cover (cf. in this respect NdsOVG, decision of 5 May 2020, loc. cit.) Insofar as it is unreasonable for norm addressees to wear a mouth and nose cover in individual cases, for example due to previous illness-related strain on the airways, they are already excluded from the scope of application of § 3.1 sentence 3 CoronaVO (see again the last half sentence: "if this is not unreasonable for medical reasons or other compelling reasons").<br />
55 <br />
<br />
(d) An unconstitutional encroachment on the applicant's general freedom of action (Article 2.1.1 of the Basic Law) is also unlikely to exist.<br />
56 <br />
<br />
The scope of protection of this fundamental right includes the right to determine one's own external appearance at one's own discretion (see BVerfG, decision of 10 January 1991 - 2 BvR 550/90 - NJW 1991, 1477; BVerwG, judgment of 2 March 2006 - 2 C 3.05 - BVerwGE 125, 85 with further references). This scope of protection is encroached upon by the fundamental requirement to wear a mouth-and-nose covering in certain public areas, which is regulated in § 3.1 sentence 3 CoronaVO. This encroachment is, however, in all probability constitutionally justified, in particular for the reasons stated above (see (a)), proportionate.<br />
57 <br />
<br />
bb) The issue of a temporary injunction is also not required under Section 3(1) sentence 3 CoronaVO within the meaning of Section 47(6) VwGO.<br />
58 <br />
<br />
This already follows from the fact that, as has been shown, an application for review of a standard is probably unfounded. In such a case - as explained above - the issuance of a temporary injunction is not urgently required within the meaning of § 47 (6) VwGO to ward off serious disadvantages or for other important reasons. Irrespective of this, a considerable impairment of the applicant's interests, which outweighs the interests of the protection of life and limb put forward by the defendant, is not apparent. This is all the more true since, as shown, she can evade the interventions to a certain extent and thus limit the wearing of the mask to a few and manageable areas. The remaining restrictions are reasonable for her within the framework of the necessary consideration.<br />
59 <br />
<br />
After review, the Senate adheres to this, also in view of the objections of the applicant.<br />
60 <br />
<br />
aa) A violation of the reservation of the law in its manifestation as a parliamentary reservation and of Article 80.1 sentence 2 of the Basic Law is not likely to exist. The principle of the rule of law and the requirement of democracy oblige the legislature to make the regulations that are decisive for the realisation of fundamental rights essentially itself and not to leave them to the action and decision-making power of the executive. In the area relevant to fundamental rights, "essential" generally means "essential for the realisation of fundamental rights". An obligation for the legislature to take action exists in particular in multidimensional, complex fundamental rights constellations. In principle, laws that empower the legislature to issue ordinances pursuant to Article 80.1 of the Basic Law can also satisfy the requirements of the reservation of the right to legislate, but the essential decisions must be made by the parliamentary legislature itself. (see BVerfG, Order of 14 March 1989 - 1 BvR 1033/82 and others - BVerfGE 80, 1, 20; Order of 21 April 2015 - 2 BvR 1322/12 and others - BVerfGE 139, 19, with further references).<br />
61 <br />
<br />
According to this standard, there should be no objection to the fact that the obligation to wear masks has been regulated by the legislator. It is not a matter of a multi-dimensional complex constellation of fundamental rights, nor does the applicant claim this. The encroachment on fundamental rights by the obligation to wear a mask is - as explained - of a certain weight, but does not have a particularly pronounced depth of encroachment. In § 28.1 sentence 1 IfSG, the legislature of the parliament has already given the competent authorities the power to take the necessary protective measures, and in doing so has deliberately - as is evident from the history of legislation - included a general authorisation in the Act in order to be prepared for all eventualities (see already Senate, resolution of 09.04.2020 - 1 S 925/20 - juris).<br />
62 <br />
<br />
bb) In all probability, the obligation to wear a mouth-nose cover pursuant to § 3.1 sentence 3 CoronaVO also does not constitute an unjustified encroachment on the applicant's general right of personality (from Article 2.1 in conjunction with Article 1.1 of the Basic Law), the right to life and physical health (Article 2.2 sentence 1 of the Basic Law) and the fundamental right to personal freedom from Article 2.2 sentence 2 of the Basic Law.<br />
63 <br />
<br />
An encroachment on the applicant's general right of personality (Article 2.1 in conjunction with Article 1.1 of the Basic Law) is likely to exist, but according to the above (II. 2. a) "a) aa) (4) (a)') is likely to be justified and in particular proportionate.<br />
64 <br />
<br />
However, there is presumably no interference with the applicant's fundamental right to life and physical integrity (Article 2.2 sentence 1 of the Basic Law). With regard to the hygienic concerns that the applicant has with regard to the improper use of the masks, it is likely to be up to the wearer of the mask to decide whether the mask may pose a health hazard, e.g. due to contamination. Although the applicant has stated that she suffers health impairments, she is, however, free to claim the exemption under Section 3 (1) sentence 3 CoronaVO.<br />
65 <br />
<br />
It can remain open here whether the regulation on the obligation to wear a mask objected to by the applicant violates her fundamental right to personal freedom under Article 2.2 sentence 2 of the Basic Law. This fundamental right protects physical freedom of movement. In the present summary proceedings, no decision is required on the questions that are disputed in detail - because of the background of the provision in habeas corpus law and the connection of the provision with Article 104.2 of the Basic Law - whether this covers the freedom to move to any place without further preconditions (see on the state of opinion, Murswiek/Rixen, in: Sachs, GG, Eighth ed, Art. 2 marginal no. 228 et seq.; Lang, in: Epping/Hillgruber, BeckOK Grundgesetz, 42nd ed., Art. 2 marginal no. 84; in each case with further references), and under what conditions impairments of freedom of movement are to be regarded as encroachments (see Lang, loc. cit., Art. 2 marginal no. 86 et seq.) Even if the obligation to wear a mask in certain public places ordered by § 3.1 sentence 3 CoronaVO were to be classified as an encroachment on the applicant's fundamental right under Article 2.2 sentence 2 of the Basic Law, this encroachment would in all probability be justified, in particular on the basis of the above-mentioned (II. 2. a) "a) aa) (4)(a)'), and again on the basis of the reasons given, prove to be proportionate.<br />
66 <br />
<br />
cc) The issue of a temporary injunction is not required within the meaning of § 47 (6) VwGO. The provision of § 3.1 sentence 3 CoronaVO is in all probability already lawful. In addition, due to the low degree of intervention of the obligation to wear a mask, it is reasonable to expect the applicant to wear a mask in the areas laid down, after weighing the interests of the defendant in ensuring the protection of life and limb.<br />
67 <br />
<br />
b) The application for review of the standard against Section 2 (3) sentence 2 CoronaVO Gaststätten is also unlikely to be successful (aa)). The issue of a temporary injunction is also not required in this respect (bb)).<br />
68 <br />
<br />
aa) Section 2(3) of the CoronaVO Gaststätten is in all likelihood consistent with higher-ranking law.<br />
69 <br />
<br />
Section 3 (3) sentence 1 CoronaVO Gaststätten stipulates that the operator of the restaurant must collect and store the following information exclusively for the purpose of providing information to the public health department or the local police authority in accordance with Sections 16, 25 IfSG: surname and first name of the guest, date and beginning and end of the visit and the guest's telephone number or address. Under Section 2 (3) sentence 2 CoronaVO, guests may only visit restaurants if they provide the operator with complete and accurate data in accordance with Section 3 (3) sentence 1 CoronaVO Gaststätten. The data must be deleted by the operator four weeks after being collected (§ 2 Para. 3 Sentence 3 CoronaVO Gaststätten), whereby the general provisions on the processing of personal data remain unaffected (§ 2 Para. 3 Sentence 4 CoronaVO Gaststätten). The applicant has not presented any fundamental legal objections to this provision and no such objections are apparent in any other way.<br />
70 <br />
<br />
For the regulation in § 2 (3) CoronaVO Gaststätten, there is probably a sufficient legal basis in § 32 sentence 1 in conjunction with Section 28(1) IfSG and Section 4(5) CoronaVO (see (1)). It is also likely to be constitutional and, in particular, proportionate (see (2)) and consistent with the General Data Protection Regulation (DSGVO) under Union law (see (3)).<br />
71 <br />
<br />
(1) If - as is indisputably the case with the coronavirus - a transmissible disease has been identified, the necessary protective measures to prevent the spread of the disease may be taken by a decree of the State Government in accordance with § 32 sentence 1 in conjunction with Section 28 para. 1 IfSG. The state government has issued such a regulation in the CoronaVO of 9 May 2020 in the version applicable from 15 June 2020. This regulation provides - which § 32 sentence 2 IfSG permits - in § 4 para. 5 that the Ministry of Social Affairs and the Ministry of Economics are authorised to lay down hygiene requirements for [...] the catering industry which go beyond or deviate from § 4 para. 3 by means of a joint ordinance.<br />
72 <br />
<br />
The authorization basis in § 32 sentence 1 in conjunction with Section 28(1) IfSG and Section 4(5) CoronaVO should satisfy the requirement set out in Section 2(3) CoronaVO Gaststätten for the complete and accurate provision of data within the meaning of Section 2(3) sentence 1 CoronaVO Gaststätten when visiting a restaurant with the reservation of the Act in its form as a parliamentary reservation (see Senate, decision of 09.04.2020 - 1 S 925/20 - with further details). For the legislature itself has expressly provided in § 28.1 sentence 1, second half-sentence, IfSG that the competent authority may in particular oblige persons under the conditions of half-sentence 1 to enter places or public places designated by it only under certain conditions (see, on a prohibition under ordinance of gatherings and all gatherings of persons that favour the spread of pathogens, Senate, decision of 09.04.2020, loc. cit.).<br />
73 <br />
<br />
(2) The obligation to provide certain personal data before entering restaurants, as regulated in Section 2(3) of the CoronaVO Gaststätten, is likely to be constitutional and in particular proportionate.<br />
74 <br />
<br />
(a) The encroachment on the applicant's fundamental right to informational self-determination under Article 2(1) in conjunction with Article 1.1 of the Basic Law is likely to be constitutionally justified and in particular proportionate.<br />
75 <br />
<br />
The obligation under Section 2(3) CoronaVO Gaststätten to provide personal data constitutes an infringement of the applicant's fundamental right to informational self-determination. As a manifestation of the general right of personality, the fundamental right to informational self-determination includes the right of the individual to decide on the disclosure and use of his or her personal data (cf. fundamentally BVerfG, judgment of 15 December 1983 - 1 BvR 209/83 and others - BVerfGE 65, 1 (43); BVerfG, Order of 6 November 2019 - 1 BvR 16/13 - juris marginal no. 83 et seq.). The possibility to invoke the right to informational self-determination does not depend on the possible sensitivity of the data concerned (see BeckOK GG/Lang, 43rd ed. 15.5.2020, GG Art. 2 marginal no. 45a); it generally protects against the state's collection and processing of personal data (BVerfG, Order of 9 March 1988 - 1 BvL 49/86 - juris marginal no. 29).<br />
76 <br />
<br />
Restrictions require a legal basis from which the conditions and the scope of the restrictions are clear. Section 2(3) of the CoronaVO Restaurants, as a sub-statutory legal provision, constitutes a suitable basis for intervention in this respect (see II. 2. b) aa) (1) above), and the intervention is likely to comply with the principle of proportionality.<br />
77 <br />
<br />
Paragraph 2(3) of the CoronaVO serves a legitimate purpose, namely to facilitate the tracing of contacts in the event of an occurrence of infection in the restaurant and thereby at least to slow down the spread of the corona virus, which is particularly easy to transmit by droplet infection and via aerosols. The Robert Koch Institute (RKI, cf. Senate, decision of 13 May 2020 - 1 S 1314/20 - juris), which was appointed in accordance with § 4 IfSG, among other things for the early detection and prevention of the further spread of infections and the corresponding analyses and research, continues to estimate the risk to the health of the population in Germany as high overall and as very high for risk groups (RKI, management report of 24 June 2020; https://www. rki.ene/EN/Content/InfAZ/N/New_Coronavirus/Situation Reports/2020-06-24-en.pdf? __blob=publicationFile) and continuously recommends detecting and isolating infected persons as early as possible and tracing contact persons (RKI, "COVID-19: Acting now, planning ahead - strategy supplement to recommended infection prevention measures and targets (2nd update)", Epidemiological Bulletin 12/2020 of 19.03.2020, p. 4).<br />
78 <br />
<br />
In order to achieve this objective, the means chosen by the legislator to oblige all guests to leave complete and accurate contact details in accordance with § 2(3) CoronaVO restaurants is likely to be suitable.<br />
79 <br />
<br />
A law is suitable if it can be used to promote the desired success, whereby the legislature has a margin of discretion in assessing suitability (see BVerfG, Order of 20 June 1984 - 1 BvR 1494/78 - BVerfGE 67, 157, 173 et seq.; Order of 9 March 1994 - 2 BvL 43/92 and others - BVerfGE 90, 145, 172 et seq.)<br />
80 <br />
<br />
The obligation to provide contact details when visiting a restaurant means that, in the event of an infection occurring in the guest rooms, it is always possible to trace who was there at the same time. In this way, potential risks of infection can be made transparent and even contact persons unknown to each other can be tracked and thus sensitised to possible infection. The commandment in § 2 para. 3 CoronaVO restaurants can therefore help to slow down the spread of the corona virus.<br />
81 <br />
<br />
In order to achieve the above-mentioned objective, the means chosen by the legislator, namely the mandatory provision of contact details during a visit to a restaurant, is likely to be necessary as well, since an equally suitable but milder means is not apparent. In this respect, the legislature has a margin of discretion (cf. BVerfG, decision of 09.03.1994, loc. cit.) Such an equally effective but less drastic means cannot be seen in the applicant's proposal to report visits to public places, to make the submission of data voluntary, to insert partitions, to shorten the opening hours of public places or to set a minimum number of persons. These may in turn help to slow down the spread of the coronavirus, but in any case, if the provision of data is voluntary, it must be assumed that not all restaurant visitors will provide their contact details. In the event of an infection, contact tracing would then only be incomplete and comparatively less effective. In its proposals regarding the shortening of opening hours, the setting of minimum numbers of persons and the erection of partition walls, the applicant fails to recognise that these pursue a different objective, namely to prevent infection. However, in the event that there is already an infected person in the guest rooms, they are not a suitable means of tracing contacts (people who do not know each other). The proposal to report visits to restaurants to public authorities appears to be much more complex in organisational terms, but would nevertheless require the provision of personal data.<br />
82 <br />
<br />
At the time of the Senate's decision, the ordered provision of personal data is still deemed to be proportionate in the narrower sense (appropriate) for achieving the stated objective.<br />
83 <br />
<br />
The encroachment on the applicant's right to informational self-determination is of some weight. She may only enter a restaurant if she provides her contact details correctly and completely in accordance with the challenged regulation. However, this is in contrast to the equally serious consequences for life and limb of a large number of people affected by the coronavirus and the associated maintenance of the efficiency of the German health care system. Even after the restrictive measures that have been in place since mid-March and a noticeable decrease in the rate of infection, there is still a risk that the incidence of infection will increase again very quickly due to individual undetected outbreaks - as is currently the case with outbreaks in the vicinity of meat processing companies - and that the health care system will be overloaded (cf. Senate, decision of 09.04.2020 - 1 S 925/20 -, of 28.04.2020 - 1 S 1068/20 -, and of 30.04.2020 - 1 S 1101/20 -, each with further references). In view of this, the provision in Section 2 (3) CoronaVO Gaststätten is probably proportionate in the narrower sense. The storage of data is limited in time, the purpose of data collection is clearly limited to providing information in accordance with Sections 16, 25 IfSG, and the operators of the restaurants and the health authorities and local police authorities are obliged to comply with data protection regulations via Section 2 (3) sentence 3 CoronaVO. The applicant can avoid the collection of the data at any time by avoiding restaurant visits, which are voluntary and dispensable in principle.<br />
84 <br />
<br />
(b) The provision in Section 2(3) of the Corona Ordinance objected to by the applicant does not in all probability also violate her fundamental right to personal freedom under Article 2(2) sentence 2 of the Basic Law.<br />
85 <br />
<br />
This fundamental right protects physical freedom of movement. Even if the commandments (or prohibitions of admission) standardised by § 2.3 CoronaVO Gaststätten were to be classified as an encroachment on the applicant's fundamental right under Article 2.2 sentence 2 of the Basic Law, such encroachments would in all probability prove to be justified, in particular on the grounds mentioned above (II. 2.b)aa) (a)), which also apply accordingly here.<br />
86 <br />
<br />
(c) An encroachment on the freedom to choose an occupation under Article 12 of the Basic Law is unlikely to exist. The applicant has not explained why she should be affected in her freedom to exercise an occupation by the requirement to provide her contact details. It is not apparent to the Senate that and whether she would be dependent on meetings in restaurants alone to initiate business. If it were nevertheless to be assumed that the scope of protection had been opened, the possible encroachment would also be justified on the basis of the above considerations (II. 2.b)aa) (a)).<br />
87 <br />
<br />
(4) The authorization of § 32 sentence 1 in conjunction with § 28.1 sentence 1, 2 IfSG does not violate the citation requirement of Article 19.1 sentence 2 of the Basic Law. This requirement applies only to fundamental rights which may be restricted by the legislature on the basis of express authorisation and to laws which aim to restrict a fundamental right beyond the limits laid down in the law itself. A distinction is made between restrictions of fundamental rights, to which the citation requirement applies, and other regulations relevant to fundamental rights which the legislature makes in carrying out the regulatory duties incumbent on it and provided for in the fundamental right, provisions on content or the setting of limits. The citation requirement does not apply to these. Therefore, laws regulating the professions are not subject to the citation requirement (see already Senate, Decisions of 9 April 2020 and 23 April 2020, both loc. cit.), nor are laws that guarantee the right to informational self-determination (from Article 2.1 of the Basic Law in conjunction with Art. 1 para. 1 GG, cf. OVG BBbg, decision of 27 May 2020 - 11 S 43/20 - juris nr. 17) and the freedom of the person.<br />
88 <br />
<br />
(3) Section 2(3) CoronaVO Restaurants is also not likely to infringe the provisions of the DSGVO.<br />
89 <br />
<br />
According to Art. 6 para. 1 DSGVO, the processing of data, which according to Art. 4 No. 2 DSGVO unproblematically includes the collection, storage and use of personal data, is only lawful under one of the conditions set out in Art. 6 para. 1 letters a) to f) DSGVO. In the case of data processing pursuant to Art. 2 Para. 3 CoronaVO Restaurants, it is likely that the elements of permission under Art. 6 Para. 1 lit. c) and e) apply. According to Art. 6 para. 1 lit. c) DSGVO, the processing of data is lawful if it is necessary to fulfil a legal obligation to which the person responsible (within the meaning of Art. 4 No. 7 DSGVO) is subject. Art. 6 para. 1 lit. e) DPA permits the processing of data if it is necessary for the performance of a task carried out in the public interest (Art. 6 para. 1 lit. c) DPA. Contrary to the applicant's view, if these elements of permission are present, it does not depend on the applicant's consent to the processing of its data.<br />
90 <br />
<br />
According to Article 6(3)(b) DPA, the legal basis for processing operations under Article 3(1)(c) and (e) DPA is determined by the law of the Member State to which the controller is subject. The fact that Article 2(3) CoronaVO Gaststätten, as a subordinate statutory instrument, may in principle constitute a suitable legal basis - contrary to what the applicant submits - is apparent from recital 41 in the preamble to the DSGVO. In all other respects too, Article 2(3) CoronaVO Gaststätten satisfies the requirements of Article 6(3) sentences 2 to 4 DSGVO. Accordingly, the purpose of the processing of the data must be specified in the legal basis or, with regard to processing pursuant to Paragraph 1 letter e) DSGVO, must be necessary for the performance of a task in the public interest. Section 2 (3) sentence 1 CoronaVO Gaststätten expressly mentions the purpose of data collection ("for the purpose of providing information to the health authority or local police authority in accordance with Sections 16, 25 IfSG"). As described above (II. 2.b)aa) (a)), the collection of data is also in the public interest, namely to prevent the spread of the corona virus. By making it possible to trace infection chains, the life and health of a large number of people should be protected. Furthermore, the legislator expressly regulates which types of data (name, duration of the visit, telephone number or address), by which persons (guests of the restaurant) and for how long (four weeks) may be stored. The data processing clearly defined and limited in time in Section 2 (3) CoronaVO Gaststätten is also proportionate to this (Art. 6 (3) sentence 4 DSGVO).<br />
91 <br />
<br />
Contrary to the applicant's view, Article 9(1) of the DSGVO probably does not prohibit the collection of personal data either, since their processing would be permissible under Article 9(2)(h) DSGVO. Pursuant to Art. 9 para. 1 DSGVO, the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data for the unequivocal identification of a natural person, health data or data concerning the sexual life or sexual orientation of a natural person is prohibited. It is already doubtful here whether the data to be processed in Section 2 (3) sentence 1 nos. 1 to 3 CoronaVO Gaststätten constitute data types within the meaning of Art. 9 (1) DSGVO (on the difficulties of delimitation, see Ehmann/Selmayr/Schiff, 2nd ed. In any case, their processing would be permissible under Article 9(2)(h) DSGVO, as they are used for the purposes of health care and meet the other requirements of Article 9(3) DSGVO. The data processing pursuant to Art. 2 Para. 3 Sentence 1 CoronaVO Restaurants is carried out solely for the purpose of providing information to the Health Department or the local police authority for the performance of their sovereign duties pursuant to Arts. 16, 25 IfSG. These in turn are legally subject to professional secrecy (see § 203 Paragraph 2 Nos. 1 and 2 StGB).<br />
92 <br />
<br />
Nor does the Senate have any evidence to suggest that Section 2(3) of the CoronaVO Gaststätten infringes the general principles of Article 5 of the DSGVO. Insofar as the applicant has concerns about the trustworthiness of the restaurant staff in handling the data collected and thus refers to a possible infringement of Article 5 (1) (f) DSGVO, she is voicing these concerns without any factual basis. Section 2 (3) sentence 3 CoronaVO Gaststätten explicitly points out that the general provisions on the processing of personal data remain unaffected, including in particular the provisions on the security and confidentiality of processed data under Art. 29 et seq. DSGVO, which must be observed by the operators of the restaurant as well as by the health authorities or local police authorities.<br />
93 <br />
<br />
(bb) In view of all the foregoing, there is no need to issue an injunction, even as regards the obligation to provide personal data when entering a restaurant.<br />
94 <br />
<br />
This already follows from the fact that the application for review of the standards is probably unfounded. In such a case - as explained above - the issuance of a temporary injunction is not urgently required within the meaning of § 47 (6) VwGO to ward off serious disadvantages or for other important reasons. Irrespective of this, a considerable impairment of the applicant's interests, which outweighs the interests of the protection of life and limb put forward by the defendant, is not apparent. Within the framework of the necessary weighing of interests, the restrictions are also reasonable for the applicant with regard to the restrictions of her fundamental right to informational self-determination.<br />
95 <br />
<br />
3. The decision on costs is based on Paragraph 154(1) of the VwGO. The determination of the amount in dispute is based on § 63.2 sentence 1, § 53.2 no. 2, § 52.2, § 39.1 GKG. There was no reason to halve the amount in dispute in the present proceedings for interim relief because the main proceedings were largely anticipated.<br />
96 <br />
<br />
This decision is final.<br />
<br />
</pre></div>MLhttps://gdprhub.eu/index.php?title=Rb._Zeeland-West-Brabant_-_AWB-_20_7155_VV&diff=10959Rb. Zeeland-West-Brabant - AWB- 20 7155 VV2020-07-28T08:57:46Z<p>ML: Created page with "{{COURTdecisionBOX |Jurisdiction=Netherlands |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=Rb. Zeeland-West-Brabant |Court_With_Country=Rb. Zeeland-West-Bra..."</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Netherlands<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=Rb. Zeeland-West-Brabant<br />
|Court_With_Country=Rb. Zeeland-West-Brabant (Netherlands)<br />
<br />
|Case_Number_Name=AWB- 20_7155 VV<br />
|ECLI=ECLI:NL:RBZWB:2020:3052<br />
<br />
|Original_Source_Name_1=Uitspraken<br />
|Original_Source_Link_1=https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBZWB:2020:3052<br />
|Original_Source_Language_1=Dutch<br />
|Original_Source_Language__Code_1=NL<br />
<br />
|Date_Decided=14.07.2020<br />
|Date_Published=17.07.2020<br />
|Year=2020<br />
<br />
|GDPR_Article_1=Article 6(1)(e) GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR#1e<br />
|GDPR_Article_2=Article 6(1)(f) GDPR<br />
|GDPR_Article_Link_2=Article 6 GDPR#1f<br />
|GDPR_Article_3=Article 21 GDPR<br />
|GDPR_Article_Link_3=Article 21 GDPR<br />
<br />
<br />
|National_Law_Name_1=Article 34 Uitvoeringswet Algemene verordening gegevensbescherming,UAgv <br />
|National_Law_Link_1=https://wetten.overheid.nl/BWBR0040940/2020-01-01<br />
|National_Law_Name_2=Wet gemeentelijke schuldhulpverlening<br />
|National_Law_Link_2=https://wetten.overheid.nl/BWBR0031331/2017-04-01<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Maria Lohmann<br />
|<br />
}}<br />
<br />
The court held that an entry in a credit registry that precludes somebody from obtaining credit has to be deleted if the interests of the data subject outweigh the Municipal Executive's interest in the responsible granting of mortgages.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The data subject went through a debt assistance process at a young age, due to medical costs and the costs of her studies. However, she did her utmost to get rid of her debts. Now she has a stable job and would like to purchase a house. The registration in the credit registry was decisive in the refusal to grant a mortgage, and the documents do show that in any event Rabobank and ING do not grant a mortgage if there is such a registration. The applicant cannot obtain a mortgage with the current registration, or it is very difficult and on much less favourable conditions.<br />
<br />
=== Dispute ===<br />
Does an entry in a credit registry that precludes somebody from obtaining credit have to be deleted if the interests of the data subject outweigh the responsible granting of mortgages?<br />
<br />
=== Holding ===<br />
The applicant cannot obtain a mortgage with the current registration, or it is very difficult and on much less favourable conditions. The applicant therefore has a substantial interest in deleting this registration in light of the actual reason for the debt assistance programme and her development.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.<br />
<br />
<pre><br />
<br />
Authority<br />
Court of Zeeland West Brabant<br />
Date of judgment
14-07-2020<br />
Date of publication<br />
17-07-2020 <br />
Case number<br />
AWB- 20_7155 VV<br />
Jurisdictions<br />
Administrative law<br />
Special features<br />
Provisional provision<br />
Content indication<br />
<br />
Request granted to delete the coding registered in the applicant's name at the BKR
Sites<br />
Rechtspraak.nl<br />
Enriched judgment
<br />
Ruling<br />
ZEELAND-WEST-BRABANT COURT
<br />
Administrative law<br />
<br />
Case number: BRE 20/7155 AVG VV<br />
judgment of 14 July 2020 of the court in preliminary relief proceedings in the case between<br />
[name of applicant] , at [address for service] , applicant,<br />
<br />
Agent: Mr. H.F.A. Notenboom,<br />
<br />
and<br />
the Municipal Executive of the municipality of Breda, defendant<br />
Process sequence<br />
<br />
The applicant objected to a decision of the College of 12 June 2020 concerning the refusal to remove a coding at the Bureau Kredietregistratie (BKR). It applied to the Interim Injunction Judge for interim relief.<br />
<br />
The hearing took place in Breda on 9 July 2020. The applicant appeared, assisted by her agent. The Board was represented by R.H.E.M. van de Sanden.<br />
Considerations<br />
<br />
1. On the basis of the documents and the proceedings at the hearing, the Interim Injunction Judge will assume the following facts and circumstances.<br />
<br />
The applicant has gone through a debt assistance process. This process was completed on 3 April 2008. Because of this process, the applicant is registered in the Central Credit Information System (CKI) at the Credit Registration Office (BKR) with a debt arrangement (SR).<br />
<br />
On 28 May 2020, the applicant requested, with reference to Article 21 of the General Data Protection Regulation (AVg), that the registration with the BKR be deleted.<br />
<br />
By the contested decision, the College refused to delete the registration.<br />
<br />
2. The applicant has, in summary, submitted that she wishes to purchase a dwelling. Since she is registered with the BKR, she cannot obtain a mortgage. She applied to the Court in preliminary relief proceedings for a ruling that the College must remove the SR coding.
<br />
3. Pursuant to Section 8:81(1) of the General Administrative Law Act (Algemene wet bestuursrecht, Awb), the interim relief judge of the court that has jurisdiction or may become competent in the main proceedings may, on request, make an interim injunction if the interests involved so require.<br />
<br />
The Interim Injunction Judge states first and foremost that when taking a decision on a request for interim relief, a preliminary opinion on the lawfulness of the contested decision plays an important role. Furthermore, that decision must be the result of a balancing of interests, considering whether implementation of the contested decision would cause a disproportionate disadvantage to the applicant in relation to the interest to be served by immediate implementation of that decision.<br />
<br />
The judgment of the Court in preliminary relief proceedings is provisional in nature and does not bind the court in proceedings on the merits (if any).<br />
<br />
4. Article 4(7) of the AVG stipulates, in so far as relevant here, that the controller is understood to be: a natural or legal person, a government agency, a service or other body that, alone or together with others, determines the purpose of and the means for processing personal data.<br />
<br />
Article 21(1) of the AVG provides that the data subject has the right to object at any time to the processing of personal data relating to him/her on the basis of Article 6(1)(e) or (f), including profiling on the basis of those provisions, for reasons relating to his/her specific situation. The controller shall discontinue the processing of personal data unless he or she establishes compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or which are related to the institution, exercise or justification of legal proceedings.
<br />
Article 34 of the Avg Implementing Act stipulates, insofar as relevant here, that a written decision on a request as referred to in Articles 15 to 22 of the Regulation, insofar as it has been taken by an administrative body, is considered a decision within the meaning of the General Administrative Law Act (Algemene wet bestuursrecht, Awb).<br />
5.1<br />
<br />
The Court in preliminary relief proceedings will first consider whether it is competent to decide on a request for interim relief. In answering this question it is important, among other things, who should be regarded as controller as referred to in Article 4(7) of the AVG.
5.2<br />
<br />
The Municipal Debt Assistance Act (Wgs) entered into force on 1 July 2012. Pursuant to this Act, the Municipal Executive is responsible for providing debt assistance to the residents of its municipality.<br />
<br />
The Municipal Executive has mandated the implementation of the Wgs to the Kredietbank. This means that the Kredietbank acts on behalf of the Municipal Executive as far as debt assistance is concerned. Decisions regarding debt assistance must therefore be regarded as decisions within the meaning of the Awb.<br />
5.3<br />
<br />
It is not disputed that the applicant's BKR registration is based on the implementation of the Wgs. The Kredietbank has had the applicant's personal data included in the BKR. Because the registration is related to the Wgs, this registration was made on behalf of the Municipal Executive. The Municipal Executive must therefore be regarded as the controller as referred to in the Wgs.<br />
5.4<br />
<br />
In view of what has been considered above and also in view of the provisions of Section 34 of the Avg Implementation Act, the Court in preliminary relief proceedings is authorised to decide on the request for interim relief.<br />
<br />
6. The Court in preliminary relief proceedings is of the opinion that the urgency of the applicant's interest has been made sufficiently plausible. After all, the applicant has signed a provisional sales contract in which the resolutive condition must be invoked no later than 29 July 2020. If her request for removal of the BKR registration is only made clear after that date, she will have to invoke the resolutive condition in order not to incur high costs. As a result, it will not be possible for her to purchase the home she wants. This results in a sufficiently urgent interest.
7.1<br />
<br />
Pursuant to Article 21 of the Avg, a balancing of interests must be carried out if a data subject requests that his or her data be deleted.<br />
7.2<br />
<br />
In summary, the Municipal Executive has argued that the purpose of credit registration is to promote socially responsible lending. In this context, it is important that consumers are protected against excessive lending and that a contribution is made to limiting the financial risks involved in granting credit. A credit registration can contribute to the assessment of whether a (new) loan is responsible. Furthermore, the Board wonders to what extent there has been an improvement in behaviour now that the applicant wishes to purchase a home for an amount that does not qualify for the National Mortgage Guarantee (NHG).<br />
7.3<br />
<br />
The applicant has argued that she has a major interest in being able to purchase the house in question. In that connection, she pointed to the wish to start living together, the travel distance between her work and the home she wanted and the fact that her parents-in-law live in the same street as where the desired new home is located.
7.4<br />
<br />
It must be admitted to the Municipal Executive that the documents submitted by the applicant did not contain any explicit rejections from individual mortgage lenders showing that the BKR registration was decisive in the refusal to grant a mortgage. However, the documents do show that in any event Rabobank and ING do not grant a mortgage if there is an SR registration. Partly in view of what was explained during the hearing, the Court in preliminary relief proceedings was of the opinion that it is sufficiently plausible that the applicant cannot obtain a mortgage with the current BKR registration, or that it is very difficult and on much less favourable conditions, because of the SR registration. The applicant therefore has a substantial interest in deleting this registration.<br />
7.5<br />
<br />
The Court in preliminary relief proceedings is of the opinion that in this specific case the interests of the Municipal Executive do not outweigh those of the applicant. The following is involved in this.<br />
<br />
The debts of the applicant that gave rise to the debt assistance process arose at a young age. The fact that she had already started room training at the age of 16 and had to move into independent accommodation at the age of 18 is also important in this regard. It has been uncontested that the payment arrears arose in particular as a result of the combination of the costs of her studies and the medical costs she had to incur for her teeth. It is in no way apparent from the documents that the applicant spent her money in an irresponsible manner at the time. This is a special situation in which the applicant, despite the (financial) difficulties in which she found herself, nevertheless managed to complete her studies.<br />
<br />
Furthermore, the Court in preliminary relief proceedings considered it important that the applicant herself understood that she would not manage financially on her own and that she sought help from the municipality. From the statement of her debt counsellor at the time, it appears that during the debt counselling process, the applicant always neatly complied with her agreements, she always delivered the requested documents on time and had a job with a stable income throughout the process. According to the debt counsellor, she did her utmost to be able to continue with a clean slate.<br />
<br />
In the meantime, the applicant has had a stable income for many years and has not entered into any new debts. She has even been able to build up a (modest) savings balance. It is also important to note that the applicant chose to live with her boyfriend only after thorough preparation. After all, she first made sure that she had found a new job in the area where she wanted to live together.<br />
<br />
In view of what was considered above and what was put forward during the hearing, the Court in preliminary relief proceedings was convinced that by granting a loan to the applicant, a lender does not run a greater financial risk than with any other person. The fact that the purchase price of the house exceeds the amount of the NHG is irrelevant in this respect. The Court in preliminary relief proceedings was therefore of the opinion that the importance of responsible lending would not be harmed if the BKR registration were to lapse now. The application for interim relief will therefore be granted.<br />
<br />
8. Since the Court in preliminary relief proceedings granted the request, the Board must compensate the applicant for the court fee she paid. The Interim Injunction Judge orders the Board to pay the costs of the proceedings incurred by the applicant. Pursuant to the Decree on Administrative Procedure Costs (Besluit proceskosten bestuursrecht) the Court in preliminary relief proceedings sets these costs at € 1,050 (1 point for the submission of the application and 1 point for the appearance at the hearing, with a value per point of € 525, and weighting factor 1).
Decision<br />
<br />
The preliminary relief judge:<br />
<br />
- grants the application for interim relief in the sense that the College must immediately remove or have removed the registration with the BKR under contract number 86144803;

- orders the College to compensate the applicant for the court fee of € 178;

- orders the College to pay the applicant's legal costs to the amount of € 1,050.
<br />
This judgment was rendered by Mr. T. Peters, judge in preliminary relief proceedings, in the presence of<br />
<br />
A.J.M. van Hees, Registrar on 14 July 2020 and made public by means of anonymous publication at www.rechtspraak.nl. <br />
</pre></div>ML