https://gdprhub.eu/api.php?action=feedcontributions&user=Norman.aasma&feedformat=atomGDPRhub - User contributions [en]2024-03-28T08:37:43ZUser contributionsMediaWiki 1.39.6https://gdprhub.eu/index.php?title=User:Norman.aasma&diff=39839User:Norman.aasma2024-02-18T19:42:07Z<p>Norman.aasma: </p>
<hr />
<div>'''Norman Aasma''', Country reporter for Estonia & Germany<br />
<br />
Data Protection Associate <br />
<br />
'''CV''': https://www.linkedin.com/in/norman-aasma-ll-m-0256b21a5<br />
<br />
<br />
<br />
<br />
<br />
'''My contributions''':<br />
<br />
[[AKI (Estonia) - 2.1.-4/22/2585]]<br />
<br />
[[AKI (Estonia) - 2.1.-5/22/22012]] <br />
<br />
[[BlnBDI (Berlin) - C-807/21 - Deutsche Wohnen]]<br />
<br />
[[The FG München - Auskunftsanspruch nach Art. 15 DSGVO]]<br />
<br />
[[AKI (Estonia) - 2.1-3/22/2542]]<br />
<br />
[[AKI (Estonia) - 2.1.-1/23/2891-5]]<br />
<br />
[[LG Köln - 33 O 376/22]]<br />
<br />
[[BVwG - W245 2252208-1/36E and W245 2252221-1/30E]]<br />
<br />
[[BfDI (Germany) - 9 O 1571/20]]<br />
<br />
[[OVG Sachsen-Anhalt - 1 M 49/23]]<br />
<br />
[[VG Potsdam - VG 3 K 1458/19]]</div>Norman.aasmahttps://gdprhub.eu/index.php?title=VG_Potsdam_-_VG_3_K_1458/19&diff=39838VG Potsdam - VG 3 K 1458/192024-02-18T19:39:57Z<p>Norman.aasma: </p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Germany<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=VG Potsdam<br />
|Court_Original_Name=Verwaltungsgericht Potsdam<br />
|Court_English_Name=Administrative Court Potsdam<br />
|Court_With_Country=VG Potsdam (Germany)<br />
<br />
|Case_Number_Name=VG 3 K 1458/19<br />
|ECLI=ECLI: DE: VGPOTSD: 2023: 1214.3K1458.19.00<br />
<br />
|Original_Source_Name_1=Recht des Landes Brandenburg<br />
|Original_Source_Link_1=https://gerichtsentscheidungen.brandenburg.de/gerichtsentscheidung/22662<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Date_Decided=14.12.2023<br />
|Date_Published=<br />
|Year=2023<br />
<br />
|GDPR_Article_1=Article 17 GDPR<br />
|GDPR_Article_Link_1=Article 17 GDPR<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=Article 24(1) Regulation 2018/1861<br />
|EU_Law_Link_1=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%253A32018R1861<br />
|EU_Law_Name_2=Article 24(2) Regulation 2018/1861<br />
|EU_Law_Link_2=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%253A32018R1861<br />
|EU_Law_Name_3=<br />
|EU_Law_Link_3=<br />
|EU_Law_Name_4=<br />
|EU_Law_Link_4=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=A Pakistani national, the plaintiff<br />
|Party_Link_1=<br />
|Party_Name_2=Federal Police Presidium, the defendant<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Norman.aasma<br />
|<br />
}}<br />
<br />
The Administrative Court of Potsdam ruled that the GDPR does not give a data subject the right to require the controller to immediately delete personal data relating to them where that data has not been processed unlawfully.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A data subject, a Pakistani national and the plaintiff in this case, appealed the decision of the Italian Federal Police Presidium, under which the data subject was refused entry to Italy because of a refusal-of-entry alert entered in the Schengen Information System (SIS) by the Federal Police Headquarters. According to the facts of the case, the plaintiff was suspected of having killed a person in Pakistan together with his brother and other persons, and he is wanted there under a warrant. The plaintiff requested the deletion of the alert.<br />
<br />
=== Holding ===<br />
The court held that the plaintiff's request was unfounded and dismissed it. It ruled that the plaintiff is reasonably suspected of being involved in a homicide committed in Pakistan. It held that the plaintiff posed a threat to public order or security and that the police therefore did not act wrongly. Furthermore, according to the court, the plaintiff cannot require the police to delete personal data about him because his personal data was not processed unlawfully. The court also ordered the plaintiff to pay the costs.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
The admissible lawsuit is unsuccessful. It is unfounded.<br />
1. The plaintiff is not entitled to have the entry refusal alert deleted from the SIS.<br />
a) The basis for this claim is now Article 17 letter d Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, OJ L 119 of May 4, 2016, p. 1, hereinafter: GDPR) in conjunction with Art. 53 Para. 1 Regulation (EU) 2018/1861 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the SIS in the field of border control, amending the Convention implementing the Schengen Agreement and amending and repealing Regulation (EC) No 1987/2006.<br />
According to Article 66 paragraph 5, Regulation (EU) No. 2018/1861 applies from the date set in accordance with paragraph 2, i.e. with the entry into operation of the so-called third generation SIS on March 7, 2023 in accordance with Article 1 of the implementing decision (EU) 2023/201 of the Commission of 30 January 2023 (OJ L 27 of 31 March 2023, p. 29). With effect from the same time, Regulation (EC) No. 1987/2006, on which those involved had previously relied, was repealed, see Article 65 (1) of Regulation (EU) 2018/1861.<br />
b) The requirements of Article 17 letter d GDPR, to which Article 53 paragraph 1 of Regulation (EU) 2018/1861 refers, are not met.<br />
According to Article 17 letter d of the GDPR, the data subject has the right to demand that the person responsible delete personal data concerning him or her immediately if they have been processed unlawfully, which also includes the storage of the data, cf. Article 4 No. 2 GDPR.<br />
The plaintiff's data was not processed unlawfully.<br />
Data processing is unlawful if there is neither the consent of the data subject nor any other legal basis for it (Herbst, in: Kühling/Buchner/Herbst, GDPR, 4th edition 2024, Art. 17 Rn. 28), whereby the legal basis may be justified in Union law or in the national law of the respective member state, Art. 6 Para. 3 Sentence 1 GDPR. The relevant time for assessing the legality of data processing is the time of the oral hearing (see Herbst, in: Kühling/Buchner, GDPR, 4th edition 2024, Art. 17 Rn. 28a: “current time”).<br />
In this case, the legal basis for the plaintiff's alert to refuse entry is Article 24 Paragraph 1 Letter a, Paragraph 2 Letter b Regulation (EU) 2018/1861 (corresponds to Article 24 Paragraph 1, Paragraph 2 Letter b Regulation ( EC) No. 1987/2006) in conjunction with Section 30 Paragraph 5 of the Federal Police Act [BPolG]). According to Article 24(1)(a) of Regulation (EU) 2018/1861, Member States shall issue an alert for refusal of entry and stay if the Member State, on the basis of an individual assessment, which includes an assessment of the personal circumstances of the third-country national concerned and the consequences of the refusal of entry and stay for the third-country national concerned, concludes that the presence of that third-country national in its territory constitutes a threat to public policy or to public security or national security in its territory, and the Member State is therefore in accordance has issued a judicial or administrative decision to refuse entry and stay with its national legislation and has issued a national alert for the refusal of entry and stay. The situations according to paragraph 1 letter a are given in accordance with Article 24 paragraph 2 letter b of Regulation (EU) 2018/1861, among other things, if there is reasonable suspicion that a third-country national has committed a serious crime. Such a situation exists here.<br />
aa) There is reasonable suspicion against the plaintiff that he was involved in a homicide committed in Pakistan.<br />
When there is a “threat to public order or security” within the meaning of Article 24 Paragraph 1 Letter a of Regulation (EU) 2018/1861 and a “reasonable suspicion” within the meaning of Article 24 Paragraph 2 Letter b Regulation (EU) 2018/1861, the existence of which justifies the assumption of a danger within the meaning of paragraph 1, is not explained in more detail either in the regulation or elsewhere.<br />
The statements of the European Court of Justice in the judgment of December 12, 2019 (C-380/18) on the interpretation of the concept of danger within the meaning of Article 6 Paragraph 1 Letter e of Regulation (EU) 2016/399 of the European Court of Justice provide clues for the interpretation of the terms European Parliament and of the Council of March 9, 2016 on a Union code for the movement of persons across borders (Schengen Borders Code - SBC). According to this provision, the entry of a third-country national into the territory of the Union requires, among other things, that he or she does not pose a threat to public order. In the preliminary proceedings the question arose as to whether the mere suspicion of the commission of a crime could be viewed as a threat to public order. The Court stated that when interpreting the concept of danger in Article 6(1)(e) of the SBC, the national authorities have a wide margin of appreciation based on the wording, context and objectives of the regulation (see ibid., paragraph 33) ( ibid., paragraph 37). The provision should be viewed in connection with the further entry requirement according to Article 6 Paragraph 1 Letter d SGK (see ibid., paras. 35, 40), according to which a third-country national who wants to enter the Union territory is not advertised in the SIS may be. The provision of Article 24 Paragraph 1 of Regulation (EC) No. 1987/2006 (now Article 24 Paragraph 1 Letter a of Regulation (EU) 2018/1861), which is relevant for the assessment, shows that, according to the will of the Union legislature mere suspicion of a committed crime could constitute a threat to public order (ibid., para. 31). The danger concepts in Article 6 Paragraph 1 Letters d and e SGK should be interpreted in the same way (ibid., paragraph 43). 
However, since the principle of proportionality must be observed here, a threat to public order can only be established if the crime that the third-country national is suspected of having committed is of sufficient gravity in view of its nature and the threat of punishment (ibid., para. 48) and there was consistent, objective and clear evidence that the third-country national in question had committed such a crime (ibid., para. 49).<br />
Since, according to the above, the danger concepts in Article 6 Paragraph 1 Letter e SGK and Article 6 Paragraph 1 Letter d SGK in conjunction with (now) Article 24 Paragraph 1 Letter a Regulation (EU) 2018/1861 are to be interpreted with the same content the requirements formulated by the European Court of Justice regarding the degree of suspicion exceeding the threshold of a threat to public order can also be transferred to Article 24 Paragraph 2 Letter a of Regulation (EU) 2018/1861. A “well-founded” suspicion within the meaning of Article 24 Paragraph 1 Letter a of Regulation (EU) 2018/1861 can therefore be concluded if there is consistent, objective and clear evidence that the third-country national has committed a serious crime.<br />
This must be answered in the affirmative in the plaintiff's case.<br />
According to the search request from the Interpol central office in Pakistan, which the defendant, according to her uncontradicted statements, checked to ensure it was up to date the day before the oral hearing, the plaintiff is suspected of having been involved in a homicide in Pakistan. According to the defendant's assessment, the mere existence of the search request, which sufficiently individualizes the plaintiff and sufficiently specifies the accusation with the time of the crime, the crime scene, the victim and witnesses, justifies the conclusion that the suspicion in the plaintiff's case is justified. This is enough.<br />
To the extent that the plaintiff claims that the content of the wanted letter is contradictory, the defendant is not (was) obliged to investigate the contradictions and examine the content of the wanted letter. With regard to the question of whether there is a justified suspicion and thus a danger to public order, the authority has a wide scope for assessment, which is directly dictated by EU law and can only be reviewed to a limited extent by the chamber. The wording of Article 24 Paragraph 1 Letter a of Regulation (EU) 2018/1861, according to which the assumption of a threat to public order is based on an “individual assessment” by the Member State, speaks in favor of such an understanding. The European Court of Justice also accepted in its decision of December 19, 2013 (C-84/12 - Koushkaki) that the competent authorities of the Member States have a wide margin of appreciation when examining an application for the issuance of a visa, which applies to both requirements for the application of the relevant regulations as well as the assessment of the facts (ibid., tenor to 1, paras. 55, 63). In the decision of the European Court of Justice cited above on the interpretation of Article 6(1)(e) of the SBC, the Court referred to the decision of December 19, 2013 (C-84) by stating that the law granted to the authorities of the Member States broad scope of assessment must also be given when they determine whether a third-country national poses a threat to public order within the meaning of Article 6 Paragraph 1 Letter e SBC (C-380/18 –, juris para. 37). Since the risk concepts in Article 6 Paragraph 1 Letters d and e SGK and Article 24 Paragraph 1 Letter a of Regulation (EU) 2018/1861 must be interpreted in context, this leads to the conclusion that the responsible authorities Further scope for assessment is also granted with regard to the requirements of Article 24 Paragraph 1 Letter a of Regulation (EU) 2018/1861.<br />
Since EU law itself does not set any requirements for the extent of judicial review of the official scope for decision-making, which is referred to as the “wide scope of assessment”, the control standards are based on the principles that the Federal Administrative Court has developed for the judicial review of scope for assessment under German administrative law (as the Federal Administrative Court subsequently stated to the Koushkaki decision: judgment of September 17, 2015 - 1 C 37/14 -, juris para. 21 with further references). According to this, the exercise of discretion on the factual side is only checked to see whether the authority has complied with the valid procedural provisions, has assumed a correct understanding of the applicable legal concept, has fully and accurately determined the relevant facts and has adhered to generally applicable assessment standards in the actual assessment , in particular the prohibition of arbitrariness has not been violated (ibid. with further references).<br />
Such an error of assessment is not apparent in the present case. The defendant stated that it based the assumption of reasonable suspicion on the findings of the Pakistani search request, in which the plaintiff was sufficiently identified individually and the accusation was substantiated in sufficient detail with the time of the crime, the crime scene, the victim and witnesses. There is no evidence of an arbitrary decision that deviates from their usual procedure or of an inadequate investigation of the facts.<br />
In addition, it should be noted that the (supposed) contradictions asserted by the plaintiff do not exist with regard to the content of the wanted letter circulating via Interpol. The plaintiff states that his brother, Zahid Hussein, is or has been wanted for the same crime, but that he, the plaintiff, is not named as an accomplice in the identical wanted letter concerning his brother. On the one hand, he overlooks the fact that the “summary of the facts” states that “nine other […] people” were involved in the crime, but then only eight accomplices are listed by name. There remains room for the assumption that the plaintiff is the ninth accomplice. On the other hand, it is noticeable that ...in the wanted letter concerning him, he is not only listed as the perpetrator, but also as an accomplice, so that even two other suspects were not named. The wanted letter concerning the brother therefore does not force the conclusion that the plaintiff could not have been involved in the crime. There are no doubts about the existence of a well-founded suspicion of a crime due to the fact that the search request mentions other criminal offenses that at first glance have no connection with a homicide. On the one hand, due to the lack of a detailed description of the facts, it is unclear which behavior the plaintiff is specifically accused of. In particular, it cannot be ruled out that the plaintiff not only committed manslaughter but also facilitated the crime. To the extent that he suspects in this context that the alleged homicide is just a pretext to persecute him for other motives, the plaintiff has not stated, nor is it otherwise apparent, why the Pakistani state should have any other interest in him . Furthermore, the General Secretariat of Interpol examines a search request before its publication for compatibility with, among other things, Article 3 of the Constitution of the ICPO - Interpol (Interpol Statutes). 
According to this, the organization is prohibited from taking action in matters that have a political, military, religious and racist character. Furthermore, if the plaintiff considers the search request to be unlawful, it is the responsibility of the plaintiff to submit a request for its deletion to Interpol (via the internal legal remedy of the so-called red notice challenge) or Pakistan. The presumption of innocence on which the plaintiff relies does not apply to measures to avert danger, including the alert for refusal of entry in accordance with Article 24 (1) of Regulation (EU) 2018/1861.<br />
Even to the extent that the plaintiff claims that the cancellation of the arrest warrant issued in Italy shows that the suspicion against the plaintiff has been removed, the objection does not apply. The cancellation of the arrest warrant and the extradition of the plaintiff to Pakistan failed because Pakistan did not respond to Italy's request to send documents to examine the reasons for his arrest and did not submit an extradition request. Formal reasons were therefore the cause, but the suspicion of the crime was not examined by the Italian judiciary.<br />
bb) Homicide is a serious crime as it is punishable by at least one year's imprisonment (see Article 24 Paragraph 2 Letter a of Regulation (EU) 2018/1861).<br />
cc) The existence of a reasonable suspicion of the commission of a serious crime leads to the assumption of a situation in accordance with paragraph 24 paragraph 1 letter a of Regulation (EU) 2018/1861, i.e. a danger to public order, Article 24 paragraph 2 letter b Regulation (EU) 2018/1861.<br />
dd) This assumption is based on an individual assessment of the defendant, in which the personal circumstances of the plaintiff and the effects of the refusal of entry were taken into account, cf. Article 24 (1) (a) of Regulation (EU) 2018/1861. This element of the offense is an expression of the principle of proportionality according to Article 21 of Regulation (EU) 2018/1861, which, according to paragraph 1, requires that the appropriateness, relevance and importance of the case sufficiently justify an alert in the SIS. In this respect, the defendant correctly stated that the measure was appropriate in view of the danger to public order resulting from entry. In this respect, it should be noted that a homicide is a particularly serious crime and the dangers associated with the plaintiff's entry and stay are therefore particularly significant (cf. BVerfG, Chamber decision of October 24, 2006 - 2 BvR 1908/03 –, juris paragraph 27). The defense against this danger outweighs the plaintiff's interest in entering and staying in the federal territory. To the extent that he claims that he wants to enter the federal territory in order to be able to visit his brother who lives here, nothing different arises, even taking into account his rights under Article 6 of the Basic Law. It should be noted here that, unlike the wife and children, the brother is not part of the nuclear family and the plaintiff can maintain contact with him in other ways, such as by telephone or video call. In any case, personal meetings are possible outside the Schengen area, if not even in France, where the plaintiff is currently staying. According to the defendant's risk forecasts of February 16, 2021, March 4, 2022 and February 15, 2023, the extensions of the alert for refusal of entry for another year are also based on an individual assessment and are proportionate.<br />
2. The cost decision is based on Section 154 Paragraph 1 VwGO. The subsidiary decision on provisional enforceability follows from Section 167 VwGO in conjunction with Sections 708 No. 11, 711 ZPO.<br />
<br />
decision<br />
<br />
The amount in dispute is set at 5,000 euros.<br />
<br />
Reasons:<br />
<br />
The determination of the amount in dispute is based on Section 52 Paragraph 2 GKG.<br />
</pre></div>Norman.aasmahttps://gdprhub.eu/index.php?title=VG_Potsdam_-_VG_3_K_1458/19&diff=39837VG Potsdam - VG 3 K 1458/192024-02-18T19:39:09Z<p>Norman.aasma: </p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Germany<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=VG Potsdam<br />
|Court_Original_Name=Verwaltungsgericht Potsdam<br />
|Court_English_Name=Administrative Court Potsdam<br />
|Court_With_Country=VG Potsdam (Germany)<br />
<br />
|Case_Number_Name=VG 3 K 1458/19<br />
|ECLI=ECLI: DE: VGPOTSD: 2023: 1214.3K1458.19.00<br />
<br />
|Original_Source_Name_1=Recht des Landes Brandenburg<br />
|Original_Source_Link_1=https://gerichtsentscheidungen.brandenburg.de/gerichtsentscheidung/22662<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Date_Decided=14.12.2023<br />
|Date_Published=<br />
|Year=2023<br />
<br />
|GDPR_Article_1=Article 17 GDPR<br />
|GDPR_Article_Link_1=Article 17 GDPR<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=Article 24(1) Regulation 2018/1861<br />
|EU_Law_Link_1=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%253A32018R1861<br />
|EU_Law_Name_2=Article 24(2) Regulation 2018/1861<br />
|EU_Law_Link_2=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%253A32018R1861<br />
|EU_Law_Name_3=<br />
|EU_Law_Link_3=<br />
|EU_Law_Name_4=<br />
|EU_Law_Link_4=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=A Pakistani national, the plaintiff<br />
|Party_Link_1=<br />
|Party_Name_2=Federal Police Presidium, the defendant<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=https://gdprhub.eu/index.php?title=User:Norman.aasma<br />
|<br />
}}<br />
<br />
The Administrative Court of Potsdam ruled that the GDPR does not give a data subject the right to require the controller to immediately delete personal data relating to them where that data has not been processed unlawfully.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A data subject, a Pakistani national and the plaintiff in this case, appealed the decision of the Italian Federal Police Presidium, under which the data subject was refused entry to Italy because of a refusal-of-entry alert entered in the Schengen Information System (SIS) by the Federal Police Headquarters. According to the facts of the case, the plaintiff was suspected of having killed a person in Pakistan together with his brother and other persons, and he is wanted there under a warrant. The plaintiff requested the deletion of the alert.<br />
<br />
=== Holding ===<br />
The court held that the plaintiff's request was unfounded and dismissed it. It ruled that the plaintiff is reasonably suspected of being involved in a homicide committed in Pakistan. It held that the plaintiff posed a threat to public order or security and that the police therefore did not act wrongly. Furthermore, according to the court, the plaintiff cannot require the police to delete personal data about him because his personal data was not processed unlawfully. The court also ordered the plaintiff to pay the costs.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
The admissible lawsuit is unsuccessful. It is unfounded.<br />
1. The plaintiff is not entitled to have the entry refusal alert deleted from the SIS.<br />
a) The basis for this claim is now Article 17 letter d Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, OJ L 119 of May 4, 2016, p. 1, hereinafter: GDPR) in conjunction with Art. 53 Para. 1 Regulation (EU) 2018/1861 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the SIS in the field of border control, amending the Convention implementing the Schengen Agreement and amending and repealing Regulation (EC) No 1987/2006.<br />
According to Article 66 paragraph 5, Regulation (EU) No. 2018/1861 applies from the date set in accordance with paragraph 2, i.e. with the entry into operation of the so-called third generation SIS on March 7, 2023 in accordance with Article 1 of the implementing decision (EU) 2023/201 of the Commission of 30 January 2023 (OJ L 27 of 31 March 2023, p. 29). With effect from the same time, Regulation (EC) No. 1987/2006, on which those involved had previously relied, was repealed, see Article 65 (1) of Regulation (EU) 2018/1861.<br />
b) The requirements of Article 17 letter d GDPR, to which Article 53 paragraph 1 of Regulation (EU) 2018/1861 refers, are not met.<br />
According to Article 17 letter d of the GDPR, the data subject has the right to demand that the person responsible delete personal data concerning him or her immediately if they have been processed unlawfully, which also includes the storage of the data, cf. Article 4 No. 2 GDPR.<br />
The plaintiff's data was not processed unlawfully.<br />
Data processing is unlawful if there is neither the consent of the data subject nor any other legal basis for it (Herbst, in: Kühling/Buchner/Herbst, GDPR, 4th edition 2024, Art. 17 Rn. 28), whereby the legal basis may be justified in Union law or in the national law of the respective member state, Art. 6 Para. 3 Sentence 1 GDPR. The relevant time for assessing the legality of data processing is the time of the oral hearing (see Herbst, in: Kühling/Buchner, GDPR, 4th edition 2024, Art. 17 Rn. 28a: “current time”).<br />
In this case, the legal basis for the plaintiff's alert to refuse entry is Article 24 Paragraph 1 Letter a, Paragraph 2 Letter b Regulation (EU) 2018/1861 (corresponds to Article 24 Paragraph 1, Paragraph 2 Letter b Regulation ( EC) No. 1987/2006) in conjunction with Section 30 Paragraph 5 of the Federal Police Act [BPolG]). According to Article 24(1)(a) of Regulation (EU) 2018/1861, Member States shall issue an alert for refusal of entry and stay if the Member State, on the basis of an individual assessment, which includes an assessment of the personal circumstances of the third-country national concerned and the consequences of the refusal of entry and stay for the third-country national concerned, concludes that the presence of that third-country national in its territory constitutes a threat to public policy or to public security or national security in its territory, and the Member State is therefore in accordance has issued a judicial or administrative decision to refuse entry and stay with its national legislation and has issued a national alert for the refusal of entry and stay. The situations according to paragraph 1 letter a are given in accordance with Article 24 paragraph 2 letter b of Regulation (EU) 2018/1861, among other things, if there is reasonable suspicion that a third-country national has committed a serious crime. Such a situation exists here.<br />
aa) There is reasonable suspicion against the plaintiff that he was involved in a homicide committed in Pakistan.<br />
When there is a “threat to public order or security” within the meaning of Article 24 Paragraph 1 Letter a of Regulation (EU) 2018/1861 and a “reasonable suspicion” within the meaning of Article 24 Paragraph 2 Letter b Regulation (EU) 2018/1861, the existence of which justifies the assumption of a danger within the meaning of paragraph 1, is not explained in more detail either in the regulation or elsewhere.<br />
The statements of the European Court of Justice in the judgment of December 12, 2019 (C-380/18) on the interpretation of the concept of danger within the meaning of Article 6 Paragraph 1 Letter e of Regulation (EU) 2016/399 of the European Court of Justice provide clues for the interpretation of the terms European Parliament and of the Council of March 9, 2016 on a Union code for the movement of persons across borders (Schengen Borders Code - SBC). According to this provision, the entry of a third-country national into the territory of the Union requires, among other things, that he or she does not pose a threat to public order. In the preliminary proceedings the question arose as to whether the mere suspicion of the commission of a crime could be viewed as a threat to public order. The Court stated that when interpreting the concept of danger in Article 6(1)(e) of the SBC, the national authorities have a wide margin of appreciation based on the wording, context and objectives of the regulation (see ibid., paragraph 33) ( ibid., paragraph 37). The provision should be viewed in connection with the further entry requirement according to Article 6 Paragraph 1 Letter d SGK (see ibid., paras. 35, 40), according to which a third-country national who wants to enter the Union territory is not advertised in the SIS may be. The provision of Article 24 Paragraph 1 of Regulation (EC) No. 1987/2006 (now Article 24 Paragraph 1 Letter a of Regulation (EU) 2018/1861), which is relevant for the assessment, shows that, according to the will of the Union legislature mere suspicion of a committed crime could constitute a threat to public order (ibid., para. 31). The danger concepts in Article 6 Paragraph 1 Letters d and e SGK should be interpreted in the same way (ibid., paragraph 43). 
However, since the principle of proportionality must be observed here, a threat to public order can only be established if the crime that the third-country national is suspected of having committed is of sufficient gravity in view of its nature and the threat of punishment (ibid., para. 48 ) and there was consistent, objective and clear evidence that the third-country national in question had committed such a crime (ibid., para. 49).<br />
Since, according to the above, the danger concepts in Article 6 Paragraph 1 Letter e SGK and Article 6 Paragraph 1 Letter d SGK in conjunction with (now) Article 24 Paragraph 1 Letter a Regulation (EU) 2018/1861 are to be interpreted with the same content the requirements formulated by the European Court of Justice regarding the degree of suspicion exceeding the threshold of a threat to public order can also be transferred to Article 24 Paragraph 2 Letter a of Regulation (EU) 2018/1861. A “well-founded” suspicion within the meaning of Article 24 Paragraph 1 Letter a of Regulation (EU) 2018/1861 can therefore be concluded if there is consistent, objective and clear evidence that the third-country national has committed a serious crime.<br />
This must be answered in the affirmative in the plaintiff's case.<br />
According to the search request from the Interpol central office in Pakistan, which the defendant, according to its uncontradicted statements, checked to ensure it was up to date the day before the oral hearing, the plaintiff is suspected of having been involved in a homicide in Pakistan. According to the defendant's assessment, the mere existence of the search request, which sufficiently individualizes the plaintiff and sufficiently specifies the accusation with the time of the crime, the crime scene, the victim and witnesses, justifies the conclusion that the suspicion in the plaintiff's case is justified. This is sufficient.<br />
To the extent that the plaintiff claims that the content of the wanted letter is contradictory, the defendant is (and was) not obliged to investigate the contradictions and examine the content of the wanted letter. With regard to the question of whether there is a justified suspicion and thus a danger to public order, the authority has a wide scope for assessment, which is directly dictated by EU law and can only be reviewed to a limited extent by the chamber. The wording of Article 24 Paragraph 1 Letter a of Regulation (EU) 2018/1861, according to which the assumption of a threat to public order is based on an “individual assessment” by the Member State, speaks in favor of such an understanding. The European Court of Justice also accepted in its decision of December 19, 2013 (C-84/12 - Koushkaki) that the competent authorities of the Member States have a wide margin of appreciation when examining an application for the issuance of a visa, which applies both to the requirements for the application of the relevant regulations and to the assessment of the facts (ibid., tenor to 1, paras. 55, 63). In the decision of the European Court of Justice cited above on the interpretation of Article 6(1)(e) of the SBC, the Court referred to the decision of December 19, 2013 (C-84) by stating that the broad scope of assessment granted to the authorities of the Member States must also be given when they determine whether a third-country national poses a threat to public order within the meaning of Article 6 Paragraph 1 Letter e SBC (C-380/18 –, juris para. 37). Since the risk concepts in Article 6 Paragraph 1 Letters d and e SBC and Article 24 Paragraph 1 Letter a of Regulation (EU) 2018/1861 must be interpreted in context, this leads to the conclusion that the responsible authorities are also granted a wide scope for assessment with regard to the requirements of Article 24 Paragraph 1 Letter a of Regulation (EU) 2018/1861.<br />
Since EU law itself does not set any requirements for the extent of judicial review of the official scope for decision-making, which is referred to as the “wide scope of assessment”, the control standards are based on the principles that the Federal Administrative Court has developed for the judicial review of scope for assessment under German administrative law (as the Federal Administrative Court stated following the Koushkaki decision: judgment of September 17, 2015 - 1 C 37/14 -, juris para. 21 with further references). According to this, the exercise of discretion on the factual side is only checked to see whether the authority has complied with the valid procedural provisions, has assumed a correct understanding of the applicable legal concept, has fully and accurately determined the relevant facts and has adhered to generally applicable assessment standards in the actual assessment and, in particular, has not violated the prohibition of arbitrariness (ibid. with further references).<br />
Such an error of assessment is not apparent in the present case. The defendant stated that it based the assumption of reasonable suspicion on the findings of the Pakistani search request, in which the plaintiff was sufficiently identified individually and the accusation was substantiated in sufficient detail with the time of the crime, the crime scene, the victim and witnesses. There is no evidence of an arbitrary decision that deviates from its usual procedure or of an inadequate investigation of the facts.<br />
In addition, it should be noted that the (supposed) contradictions asserted by the plaintiff do not exist with regard to the content of the wanted letter circulating via Interpol. The plaintiff states that his brother, Zahid Hussein, is or has been wanted for the same crime, but that he, the plaintiff, is not named as an accomplice in the identical wanted letter concerning his brother. On the one hand, he overlooks the fact that the “summary of the facts” states that “nine other […] people” were involved in the crime, but then only eight accomplices are listed by name. There remains room for the assumption that the plaintiff is the ninth accomplice. On the other hand, it is noticeable that ...in the wanted letter concerning him, he is not only listed as the perpetrator, but also as an accomplice, so that even two other suspects were not named. The wanted letter concerning the brother therefore does not force the conclusion that the plaintiff could not have been involved in the crime. There are no doubts about the existence of a well-founded suspicion of a crime due to the fact that the search request mentions other criminal offenses that at first glance have no connection with a homicide. On the one hand, due to the lack of a detailed description of the facts, it is unclear which behavior the plaintiff is specifically accused of. In particular, it cannot be ruled out that the plaintiff not only committed manslaughter but also facilitated the crime. To the extent that he suspects in this context that the alleged homicide is just a pretext to persecute him for other motives, the plaintiff has not stated, nor is it otherwise apparent, why the Pakistani state should have any other interest in him . Furthermore, the General Secretariat of Interpol examines a search request before its publication for compatibility with, among other things, Article 3 of the Constitution of the ICPO - Interpol (Interpol Statutes). 
According to this, the organization is prohibited from taking action in matters that have a political, military, religious and racist character. Furthermore, if the plaintiff considers the search request to be unlawful, it is the responsibility of the plaintiff to submit a request for its deletion to Interpol (via the internal legal remedy of the so-called red notice challenge) or Pakistan. The presumption of innocence on which the plaintiff relies does not apply to measures to avert danger, including the alert for refusal of entry in accordance with Article 24 (1) of Regulation (EU) 2018/1861.<br />
Even to the extent that the plaintiff claims that the cancellation of the arrest warrant issued in Italy shows that the suspicion against the plaintiff has been removed, the objection does not apply. The arrest warrant was cancelled and the extradition of the plaintiff to Pakistan failed because Pakistan did not respond to Italy's request to send documents to examine the reasons for his arrest and did not submit an extradition request. Formal reasons were therefore the cause, but the suspicion of the crime was not examined by the Italian judiciary.<br />
bb) Homicide is a serious crime as it is punishable by at least one year's imprisonment (see Article 24 Paragraph 2 Letter a of Regulation (EU) 2018/1861).<br />
cc) The existence of a reasonable suspicion of the commission of a serious crime leads to the assumption of a situation in accordance with Article 24 paragraph 1 letter a of Regulation (EU) 2018/1861, i.e. a danger to public order, Article 24 paragraph 2 letter b Regulation (EU) 2018/1861.<br />
dd) This assumption is based on an individual assessment by the defendant, in which the personal circumstances of the plaintiff and the effects of the refusal of entry were taken into account, cf. Article 24 (1) (a) of Regulation (EU) 2018/1861. This statutory element is an expression of the principle of proportionality according to Article 21 of Regulation (EU) 2018/1861, which, according to paragraph 1, requires that the appropriateness, relevance and importance of the case sufficiently justify an alert in the SIS. In this respect, the defendant correctly stated that the measure was appropriate in view of the danger to public order resulting from entry. In this respect, it should be noted that a homicide is a particularly serious crime and the dangers associated with the plaintiff's entry and stay are therefore particularly significant (cf. BVerfG, Chamber decision of October 24, 2006 - 2 BvR 1908/03 –, juris paragraph 27). The defense against this danger outweighs the plaintiff's interest in entering and staying in the federal territory. To the extent that he claims that he wants to enter the federal territory in order to be able to visit his brother who lives here, nothing different arises, even taking into account his rights under Article 6 of the Basic Law. It should be noted here that, unlike the wife and children, the brother is not part of the nuclear family and the plaintiff can maintain contact with him in other ways, such as by telephone or video call. In any case, personal meetings are possible outside the Schengen area, if not even in France, where the plaintiff is currently staying. According to the defendant's risk forecasts of February 16, 2021, March 4, 2022 and February 15, 2023, the extensions of the alert for refusal of entry for another year are also based on an individual assessment and are proportionate.<br />
2. The cost decision is based on Section 154 Paragraph 1 VwGO. The subsidiary decision on provisional enforceability follows from Section 167 VwGO in conjunction with Sections 708 No. 11, 711 ZPO.<br />
<br />
decision<br />
<br />
The amount in dispute is set at 5,000 euros.<br />
<br />
Reasons:<br />
<br />
The determination of the amount in dispute is based on Section 52 Paragraph 2 GKG.<br />
</pre></div>Norman.aasmahttps://gdprhub.eu/index.php?title=User:Norman.aasma&diff=39836User:Norman.aasma2024-02-18T19:30:33Z<p>Norman.aasma: </p>
<hr />
<div>'''Norman Aasma''', Country reporter for Estonia & Germany<br />
<br />
Data Protection Associate @ White Label Consultancy<br />
<br />
'''CV''': https://www.linkedin.com/in/norman-aasma-ll-m-0256b21a5<br />
<br />
<br />
<br />
<br />
<br />
'''My contributions''':<br />
<br />
[[AKI (Estonia) - 2.1.-4/22/2585]]<br />
<br />
[[AKI (Estonia) - 2.1.-5/22/22012]] <br />
<br />
[[BlnBDI (Berlin) - C-807/21 - Deutsche Wohnen]]<br />
<br />
[[The FG München - Auskunftsanspruch nach Art. 15 DSGVO]]<br />
<br />
[[AKI (Estonia) - 2.1-3/22/2542]]<br />
<br />
[[AKI (Estonia) - 2.1.-1/23/2891-5]]<br />
<br />
[[LG Köln - 33 O 376/22]]<br />
<br />
[[BVwG - W245 2252208-1/36E and W245 2252221-1/30E]]<br />
<br />
[[BfDI (Germany) - 9 O 1571/20]]<br />
<br />
[[OVG Sachsen-Anhalt - 1 M 49/23]]<br />
<br />
[[VG Potsdam - VG 3 K 1458/19]]</div>Norman.aasmahttps://gdprhub.eu/index.php?title=VG_Potsdam_-_VG_3_K_1458/19&diff=39835VG Potsdam - VG 3 K 1458/192024-02-18T19:28:22Z<p>Norman.aasma: Created page with "{{COURTdecisionBOX |Jurisdiction=Germany |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=VG Potsdam |Court_Original_Name=Verwaltungsgericht Potsdam |Court_English_Name=Administrative Court Potsdam |Court_With_Country=VG Potsdam (Germany) |Case_Number_Name=VG 3 K 1458/19 |ECLI=ECLI: DE: VGPOTSD: 2023: 1214.3K1458.19.00 |Original_Source_Name_1=Recht des Landes Brandenburg |Original_Source_Link_1=https://gerichtsentscheidungen.brandenburg.de/gerichtsentsc..."</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Germany<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=VG Potsdam<br />
|Court_Original_Name=Verwaltungsgericht Potsdam<br />
|Court_English_Name=Administrative Court Potsdam<br />
|Court_With_Country=VG Potsdam (Germany)<br />
<br />
|Case_Number_Name=VG 3 K 1458/19<br />
|ECLI=ECLI: DE: VGPOTSD: 2023: 1214.3K1458.19.00<br />
<br />
|Original_Source_Name_1=Recht des Landes Brandenburg<br />
|Original_Source_Link_1=https://gerichtsentscheidungen.brandenburg.de/gerichtsentscheidung/22662<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Date_Decided=14.12.2023<br />
|Date_Published=<br />
|Year=2023<br />
<br />
|GDPR_Article_1=Article 17 GDPR<br />
|GDPR_Article_Link_1=Article 17 GDPR<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=Article 24(1) Regulation 2018/1861<br />
|EU_Law_Link_1=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%253A32018R1861<br />
|EU_Law_Name_2=Article 24(2) Regulation 2018/1861<br />
|EU_Law_Link_2=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%253A32018R1861<br />
|EU_Law_Name_3=<br />
|EU_Law_Link_3=<br />
|EU_Law_Name_4=<br />
|EU_Law_Link_4=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=A Pakistani national, the plaintiff<br />
|Party_Link_1=<br />
|Party_Name_2=Federal Police Presidium, the defendant<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Norman.aasma<br />
|<br />
}}<br />
<br />
The Administrative Court of Potsdam ruled that the GDPR does not give the data subject the right to require the controller to immediately delete personal data relating to them, provided that they have not been processed illegally.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A data subject, a Pakistani national, here also the plaintiff, appealed the decision of the Italian Federal Police Presidium, according to which the data subject was refused entry to Italy due to an alert by the Federal Police Headquarters related to refusal of entry in the Schengen Information System (SIS). According to factual circumstances, the plaintiff was suspected of having killed a person together with his brother and other persons in Pakistan, where he is wanted by warrant. The plaintiff requested the deletion of the alert.<br />
<br />
=== Holding ===<br />
The court held that the plaintiff's request was unfounded and dismissed it. The court ruled that the plaintiff is reasonably suspected of being involved in a killing offence committed in Pakistan. The court held that the plaintiff posed a threat to public order or security and thus the police did not act wrongly. Furthermore, according to the court, the plaintiff cannot request the police to delete personal data about him because his personal data was not processed unlawfully. The court also ordered the plaintiff to pay the costs.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
The admissible lawsuit is unsuccessful. It is unfounded.<br />
1. The plaintiff is not entitled to have the entry refusal alert deleted from the SIS.<br />
a) The basis for this claim is now Article 17 letter d Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, OJ L 119 of May 4, 2016, p. 1, hereinafter: GDPR) in conjunction with Art. 53 Para. 1 Regulation (EU) 2018/1861 of the European Parliament and of the Council of November 28, 2018 on the establishment, operation and use of the SIS in the field of border control, amending the Convention implementing the Schengen Agreement and amending and repealing Regulation (EC) No 1987/2006.<br />
According to Article 66 paragraph 5, Regulation (EU) No. 2018/1861 applies from the date set in accordance with paragraph 2, i.e. with the entry into operation of the so-called third generation SIS on March 7, 2023 in accordance with Article 1 of the implementing decision (EU) 2023/201 of the Commission of 30 January 2023 (OJ L 27 of 31 March 2023, p. 29). With effect from the same time, Regulation (EC) No. 1987/2006, on which those involved had previously relied, was repealed, see Article 65 (1) of Regulation (EU) 2018/1861.<br />
b) The requirements of Article 17 letter d GDPR, to which Article 53 paragraph 1 of Regulation (EU) 2018/1861 refers, are not met.<br />
According to Article 17 letter d of the GDPR, the data subject has the right to demand that the person responsible delete personal data concerning him or her immediately if they have been processed unlawfully, which also includes the storage of the data, cf. Article 4 No. 2 GDPR.<br />
The plaintiff's data was not processed unlawfully.<br />
Data processing is unlawful if there is neither the consent of the data subject nor any other legal basis for it (Herbst, in: Kühling/Buchner/Herbst, GDPR, 4th edition 2024, Art. 17 Rn. 28), whereby the legal basis may be justified in Union law or in the national law of the respective member state, Art. 6 Para. 3 Sentence 1 GDPR. The relevant time for assessing the legality of data processing is the time of the oral hearing (see Herbst, in: Kühling/Buchner, GDPR, 4th edition 2024, Art. 17 Rn. 28a: “current time”).<br />
In this case, the legal basis for the plaintiff's alert to refuse entry is Article 24 Paragraph 1 Letter a, Paragraph 2 Letter b Regulation (EU) 2018/1861 (corresponds to Article 24 Paragraph 1, Paragraph 2 Letter b Regulation (EC) No. 1987/2006) in conjunction with Section 30 Paragraph 5 of the Federal Police Act [BPolG]. According to Article 24(1)(a) of Regulation (EU) 2018/1861, Member States shall issue an alert for refusal of entry and stay if the Member State, on the basis of an individual assessment, which includes an assessment of the personal circumstances of the third-country national concerned and the consequences of the refusal of entry and stay for the third-country national concerned, concludes that the presence of that third-country national in its territory constitutes a threat to public policy or to public security or national security in its territory, and the Member State has therefore issued a judicial or administrative decision to refuse entry and stay in accordance with its national legislation and has issued a national alert for the refusal of entry and stay. The situations according to paragraph 1 letter a are given in accordance with Article 24 paragraph 2 letter b of Regulation (EU) 2018/1861, among other things, if there is reasonable suspicion that a third-country national has committed a serious crime. Such a situation exists here.<br />
aa) There is reasonable suspicion against the plaintiff that he was involved in a homicide committed in Pakistan.<br />
</pre></div>Norman.aasmahttps://gdprhub.eu/index.php?title=User:Norman.aasma&diff=34058User:Norman.aasma2023-07-17T17:58:10Z<p>Norman.aasma: </p>
<hr />
<div>'''Norman Aasma''', Country reporter for Estonia & Germany<br />
<br />
LL.M. student at University of Oslo<br />
<br />
Junior Data Protection Associate<br />
<br />
'''CV''': [https://linkedin.com/in/norman-aasma-0256b21a5 linkedin.com/in/norman-aasma-0256b21a5]<br />
<br />
<br />
<br />
<br />
'''My contributions''':<br />
<br />
[[AKI (Estonia) - 2.1.-4/22/2585]]<br />
<br />
[[AKI (Estonia) - 2.1.-5/22/22012]] <br />
<br />
[[BlnBDI (Berlin) - C-807/21 - Deutsche Wohnen]]<br />
<br />
[[The FG München - Auskunftsanspruch nach Art. 15 DSGVO]]<br />
<br />
[[AKI (Estonia) - 2.1-3/22/2542]]<br />
<br />
[[AKI (Estonia) - 2.1.-1/23/2891-5]]<br />
<br />
[[LG Köln - 33 O 376/22]]<br />
<br />
[[BVwG - W245 2252208-1/36E and W245 2252221-1/30E]]<br />
<br />
[[BfDI (Germany) - 9 O 1571/20]]<br />
<br />
[[OVG Sachsen-Anhalt - 1 M 49/23]]</div>Norman.aasmahttps://gdprhub.eu/index.php?title=OVG_Sachsen-Anhalt_-_1_M_49/23&diff=34011OVG Sachsen-Anhalt - 1 M 49/232023-07-16T21:25:28Z<p>Norman.aasma: Created page with "{{DPAdecisionBOX |Jurisdiction=Germany |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoDE-ST.jpg |DPA_Abbrevation=LfD |DPA_With_Country=LfD (Saxony-Anhalt) |Case_Number_Name=1 M 49/23 |ECLI= |Original_Source_Name_1=openJur |Original_Source_Link_1=https://openjur.de/u/2471519.html |Original_Source_Language_1=German |Original_Source_Language__Code_1=DE |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Code_2=..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Germany<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoDE-ST.jpg<br />
|DPA_Abbrevation=LfD<br />
|DPA_With_Country=LfD (Saxony-Anhalt)<br />
<br />
|Case_Number_Name=1 M 49/23<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=openJur<br />
|Original_Source_Link_1=https://openjur.de/u/2471519.html<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Other<br />
|Outcome=<br />
|Date_Started=27.06.2023<br />
|Date_Decided=28.06.2023<br />
|Date_Published=06.07.2023<br />
|Year=2023<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 53(1) GDPR<br />
|GDPR_Article_Link_1=Article 53 GDPR#1<br />
|GDPR_Article_2=Article 54(1) GDPR<br />
|GDPR_Article_Link_2=Article 54 GDPR#1<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=§ 123 (1)(2)<br />
|National_Law_Link_1=https://www.gesetze-im-internet.de/englisch_vwgo/index.html#gl_p0012<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
|National_Law_Name_3=<br />
|National_Law_Link_3=<br />
<br />
|Party_Name_1=Magdeburg Administrative Court <br />
|Party_Link_1=https://lg-md.sachsen-anhalt.de/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Not appealed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Norman Aasma<br />
|<br />
}}<br />
<br />
The Higher Administrative Court of Saxony-Anhalt held that the election procedure for the position of the state commissioner for data protection in Saxony-Anhalt was carried out transparently and in compliance with the GDPR.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
An applicant appealed against a decision of the Magdeburg Administrative Court. That decision concerned a case in which the applicant had challenged the procedure for electing the state commissioner for data protection in Saxony-Anhalt. According to the applicant, the election procedure for this position was not transparent and was thus contrary to the requirements stipulated in Article 53(1) GDPR. Furthermore, Article 54(1) GDPR puts an obligation on all EU Member States to put in place a regulation that provides more legal clarity on the election procedures for the heads of public authorities. The applicant asked the court to halt the election procedure and to refer the case to the Court of Justice of the European Union with specific questions.<br />
<br />
=== Holding ===<br />
The Higher Administrative Court of Saxony-Anhalt found the applicant's appeal lodged with the court inadmissible. More specifically, the court held that the applicant was not eligible to bring such a claim before the court, because there was no sufficient and proven violation of the applicant's own subjective rights. For this reason, the applicant also could not rely on existing case law, because the factual circumstances of those cases differed considerably. Furthermore, the court was of the opinion that the applicant had wrongly referred to specific domestic law, as that law was not applicable to the case at hand. Among other things, the court noted that offices at state level are filled through democratic elections, either directly by the voters or by electoral bodies elected by them. At the same time, the court highlighted that all Member States of the European Union are under an obligation to ensure that each member of their supervisory authorities is appointed through a transparent process.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
Rubrum<br />
<br />
HIGHER ADMINISTRATIVE COURT OF THE STATE OF SAXONY-ANHALT Decision in the administrative legal matter of the ..., ... ..., ... ..., applicant and complainant, - legal representative: lawyers ... - areas of the state parliament of Saxony-Anhalt, represented by the president of the state parliament , Domplatz 6 - 9, 39104 Magdeburg, Respondent and Respondent, because of the election of the State Commissioner for Data Protection - here: preliminary legal protection according to § 123 VwGO (complaint) - the Higher Administrative Court of the State of Saxony-Anhalt - 1st Senate - on June 28th decided in 2023:<br />
<br />
tenor<br />
The applicant's appeal against the decision of the Magdeburg Administrative Court - 5th chamber - of June 27, 2023 is rejected. The applicant must bear the costs of the appeal procedure. The value in dispute for the appeal procedure is set at a value of up to € 65,000.00.<br />
reasons<br />
1. The applicant's admissible appeal against the decision of the Magdeburg Administrative Court - 5th chamber - of June 27, 2023, the examination of which is limited to the reasons set out in accordance with Section 146 (4) sentences 1 and 6 VwGO, has no Success. The complaint submission does not justify the requested amendment of the contested decision. In the given case, the Senate decides on the complaint before the expiry of the deadline for substantiating the complaint, based on the implicitly declared interest of the complaint and in the well-understood interest of the applicant, because the choice sought by the applicant is to be prevented of the State Commissioner for Data Protection is to be carried out today (at 2.20 p.m.) by the respondent. Pursuant to Section 123 (1) sentence 2 VwGO, the court can issue an interim order to regulate a provisional situation with regard to the disputed legal relationship in order to to avert significant disadvantages or to prevent imminent violence or if the regulation appears necessary for other reasons. The asserted claim (order claim) and the need for the provisional regulation (order reason) must be made credible in accordance with § 123 Para. 3 VwGO in conjunction with §§ 920 Para. 2, 294 ZPO. If the main thing is wholly or partially anticipated with a regulatory arrangement according to § 123 para. 1 sentence 2 VwGO and this usually creates a factually final state, a regulation can only be made if the applicant has at least overriding prospects of success in the main thing and absolutely would be exposed to unreasonable, otherwise unavoidable disadvantages if he had to be referred to the legally binding conclusion of legal proceedings. On the other hand, there are only overriding prospects in the main case if the asserted claim is most likely justified and will in all probability also be confirmed in the main case (cf. OVG LSA, decision of January 5, 2007 - 1 M 1/07 -, juris [m. w. N.]). 
Based on this, the applicant has neither made his application authority analogous to § 42 para acceptance of the applicant, the case law of the Federal Constitutional Court has clarified that the provision of Art. 33 Para elected constituency (BVerfG, decision of September 20, 2016 - 2 BvR 2453/15 -, juris para. 21 [m. w.n.]). The Office of the State Commissioner for Data Protection is one at state level (Art. 63 Verf LSA). Contrary to the view of the complaint, the disputed election does not lack the essential element for democratic elections, namely to always take place for a limited period of time (see Art. 54 Para. 1 lit. d] GDPR, Art. 63 Para. 2 Verf LSA, § 21 Paragraph 2 sentence 1 DSAG LSA). The disputed office is - contrary to the further assumption of the complaint - one that belongs organizationally and functionally to the area of the highest (state) organs - not, as the complaint correctly complains, as part of such. Because the supervisory authority acts completely independently in the fulfillment of its tasks and in the exercise of its powers in accordance with Art. 52 Para indirect external influence and neither seeks nor accepts instructions (Article 52 (2) GDPR). The fact that the disputed office is supposed to be an "administrative authority sui generis" and that the state commissioner is appointed to a civil service (temporary) does not change the fact asserted by the complaint (as already Art. 63 Para. 3 Verf LSA for state law). Finally, the composition and interaction of the organs involved in the appointment procedure (parliamentary groups and state parliament) do not preclude an exemption from Article 33(2) of the Basic Law (cf. on this: BVerfG, loc.cit., para. 21). The position of the office of the State Commissioner is not relevant because it is not itself the supervisory authority (see § 22 DSAG LSA). 
His application is therefore not able to give the applicant, as the administrative court correctly explained in detail, no claim to the application process. The procedure in question is - contrary to the assumption of the complaint - not contrary to European law, since Art. 53 Para. 1 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons in processing of personal data, on the free movement of data and on the repeal of Directive 95/46/EC (General Data Protection Regulation - Regulation (EU) 2016/679 - GDPR) just as expressly opens up the possibility of appointment by Parliament. Accordingly, recital 121 states: "The general requirements for the member or members of the supervisory authority should be regulated by legislation of each Member State and in particular provide that these members, through a transparent procedure, either - on a proposal from the government, a member of the government , Parliament or a Chamber of Parliament - be appointed by the Parliament, the Government or the Head of State of the Member State or by an independent body entrusted with the appointment under the law of the Member State." The EU legislator therefore expressly considers the right of proposal by a parliament, whose sub-organs are the parliamentary groups, to be permissible. Contrary to the further acceptance of the applicant, Art. 53 Para. 1 DSGVO (in conjunction with Art. 54 Para . 1 lit. b] GDPR) obviously (acte clair) no subjective (public) right for an applicant, because the regulations are addressed to the Member States and are not intended to "protect competitors", but solely to serve their public interests. Thereafter, the Member States provide that each member of their supervisory authorities is appointed through a transparent process. Whether such a procedure is followed and whether the minimum requirements for the appointment (e.g. pursuant to Art. 53 Para. 
2 GDPR) are met is the responsibility of the respondent, in accordance with Art. 54 Para. 1 lit. a) GDPR, which has to monitor and enforce the application of this regulation in accordance with Article 57 (1) (a) GDPR and which has the powers in accordance with Article 58 GDPR. For this reason alone, there was no need for a submission under Art. 267 TFEU. Irrespective of this, the legal questions raised by the applicant regarding the GDPR were not relevant to the decision for the following reasons. However, it does not guarantee itself (cf.: BVerfG, decision of January 9, 1991 - 1 BvR 207/87 -, juris para. 44). The complaint also did not explain that the procedure regulated in § 21 DSAG LSA is not transparent i . S.v. Art. 53 Para. 2 GDPR is. The procedure itself is in this respect simple law in the DSAG LSA and otherwise by the regulations in Art. 45 (convening), Art. 50 (publicity of the negotiations) and Art. 51 (voting) Verf LSA i. V. m. Art. 63 Verf LSA constitutionally standardized. According to this, it is readily recognizable (transparent) which person(s) was (were) nominated by whom and who is to be or was elected in a publicly announced and publicly conducted election act pursuant to Art. 53 GDPR requires an invitation to tender from the disputed body. Since he applied through the respondent before the upcoming election and forwarded his application to the state parliament and its parliamentary groups himself, the respondent can consider the applicant's application and take note of his application documents. The applicant cannot ask for more, even in the event that an advertisement would have had to be issued, Art. 33 Para. 1 M 158/10 -, resolution of September 14, 2012 - 1 M 94/12 - and resolution of October 25, 2012 - 1 M 103/12 -, each juris). 
The application procedure claim as a subjective right, if it were to come into play here, does not serve a general error or legality check of the final (selection) selection decision made by the unsuccessful applicant (see: OVG LSA, decision of July 25, 2022 - 1 M 79/22 -, juris para. 12). Irrespective of the above, the complaint ultimately fails because it seems impossible that the respondent would elect the applicant as state commissioner for data protection in the event of a new (selection) decision (cf. on this: OVG LSA, decision of December 7, 2021 - 1 M 90/21 -, juris [with w. N.]), since his application was already known to the parliamentary groups in the state parliament, but none of them saw his application as a proposal (§ 21 para. 1 sentence 1 and 2 DSAG LSA) has adopted.
2. The decision on costs follows from Section 154 (2) VwGO.
3. The decision to determine the amount in dispute for the complaints procedure is based on § 53 Para. 2 No. 1 GKG in conjunction with §§ 47, 52 paragraph 6 sentence 1 No. 1, sentence 2 to 4 GKG and corresponds to the applicable first instance value determination.
4. This decision is incontestable (Section 152 (1) VwGO, Section 68 (1) sentence 5 GKG in conjunction with Section 66 (3) sentence 3 GKG).<br />
</pre></div>Norman.aasmahttps://gdprhub.eu/index.php?title=LG_Magdeburg_-_9_O_1571/20&diff=33802LG Magdeburg - 9 O 1571/202023-07-03T07:47:07Z<p>Norman.aasma: Created page with "{{DPAdecisionBOX |Jurisdiction=Germany |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoDE.jpg |DPA_Abbrevation=BfDI |DPA_With_Country=BfDI (Germany) |Case_Number_Name=9 O 1571/20 |ECLI= |Original_Source_Name_1=openJur |Original_Source_Link_1=https://openjur.de/u/2470822.ppdf |Original_Source_Language_1=German |Original_Source_Language__Code_1=DE |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Code_2= |Typ..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Germany<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoDE.jpg<br />
|DPA_Abbrevation=BfDI<br />
|DPA_With_Country=BfDI (Germany)<br />
<br />
|Case_Number_Name=9 O 1571/20<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=openJur<br />
|Original_Source_Link_1=https://openjur.de/u/2470822.ppdf<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Other<br />
|Outcome=<br />
|Date_Started=04.11.2020<br />
|Date_Decided=24.05.2023<br />
|Date_Published=22.06.2023<br />
|Year=2023<br />
|Fine=4000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 6(1) GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR#1<br />
|GDPR_Article_2=Article 82(1) GDPR<br />
|GDPR_Article_Link_2=Article 82 GDPR#1<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=§ 276 BGB<br />
|National_Law_Link_1=https://www.gesetze-im-internet.de/englisch_bgb/englisch_bgb.html#p0854<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
|National_Law_Name_3=<br />
|National_Law_Link_3=<br />
<br />
|Party_Name_1=Energie AG<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Norman Aasma<br />
|<br />
}}<br />
<br />
The Regional Court of Magdeburg partially upheld the plaintiff's claim for non-material damages under [[Article 82 GDPR|Article 82 GDPR]] for a wrong entry with the Schufa credit ranking agency.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The case entailed a dispute between a plaintiff (data subject) and a defendant (controller). In this particular case, the defendant had made an unlawful registration about the plaintiff with the Schufa, the German credit ranking system. As a result of the registration, the plaintiff's credit score was negatively impacted. The plaintiff received a letter informing him about the registration, upon which a letter was sent to the defendant asking it to remove the wrong registration. Furthermore, the defendant was ordered to sign a cease-and-desist letter. Consequently, the registration at Schufa was deleted. Because the plaintiff had still suffered both material and non-material damage, he filed a claim with the court. <br />
In the lawsuit, the plaintiff brought a claim against the defendant for damages in the amount of EUR 4000 on the basis of Article 82 (1) & (2) GDPR. The plaintiff also argued that he had suffered non-material damage and sought compensation for that too under Article 82 (1) & (2) GDPR. In total, the plaintiff sought compensation in the amount of EUR 10,000.<br />
<br />
=== Holding ===<br />
The court partially upheld the complaint. The court held that the defendant has to pay the plaintiff damages in the amount of EUR 4000. <br />
The court highlighted that under Article 82 (1) & (2) GDPR, any person who has suffered material or immaterial damage as a result of a violation of this regulation is entitled to compensation for damages from the person responsible or the processor, and any controller involved in the processing is liable for the damage caused by processing that does not comply with the GDPR. <br />
The court noted that the plaintiff was successful in proving that he had suffered non-material damages. The chamber of the court found that the plaintiff had provided convincing arguments proving that the wrong entry about him in the credit registry had affected his health. <br />
Furthermore, the court agreed that the wrong entry in the Schufa registry had also had a negative impact on the plaintiff's professional and private situation. Moreover, the court was of the opinion that the evidence provided indicates a causal relationship between the wrong entry in the credit score system and the mental suffering of the plaintiff. The court consequently found that the plaintiff had indeed suffered non-material damage, because the entry at Schufa had an impact on his already weak health. <br />
The court dismissed the plaintiff's additional claim for material damages as unfounded. The court highlighted that the claim for material damages was too high and that it should not be used to enforce a claim for non-material damages.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
LG Magdeburg, judgment of May 24th, 2022 - 9 O 1571/20<br />
<br />
<br />
<br />
<br />
Source openJur 2023, 6512

hereinafter: Az. 4 U
Procedure 81/22

Civil Law Data Protection Law

tenor

1 1. The defendant is sentenced to pay the plaintiff compensation for pain and suffering in the amount of EUR 4,000.00 plus interest in the amount of 5 percentage points above the base interest rate since December 11th, 2020.

2 Moreover, the application is dismissed.

3 2. The costs of the litigation will be awarded 60% to the plaintiff and 40% to the defendant.

4 3. The judgment is provisionally enforceable, but for the plaintiff only against security of 110% of the each amount to be enforced. The plaintiff can enforce the enforcement on the part of the defendant by providing security in the amount of 110% of the enforceable amount based on the judgment if the defendant does not Enforcement security of 110% of the amount to be enforced.

5 And decided:

6 The value in dispute is set at EUR 10,000.00.
<br />
facts<br />
7 With the lawsuit, the plaintiff seeks non-pecuniary damages from the defendant in tort, specifically because of illegal registration with a credit agency.

8 The defendant has an open claim from R2 under account number A... on 20.08.2018. Energie AG in the amount of 2,159.00 EUR at the Sch. H. AG registered.

9 The defendant filed a complaint, although the claim had already been settled by the plaintiff in 2013. The defendant had already registered the same claim in the plaintiff's database in 2012 at the Sch. H. AG, based on a title in 1991. In 2012, the parties had this settled the claim before the plaintiff eventually settled.

10 The plaintiff found out about the registration on December 1, 2019.

11 With a letter from a lawyer dated December 4th, 2019, the defendant was asked to revoke the illegal Schufa entry, with a deadline of December 9th, 2019, to Sch. H. AG requested, as well as to restore the Plaintiff's score. In addition, the defendant was requested, setting a deadline of December 9th, 2019, to Sign the attached cease-and-desist letter and send it back.

12 There was no reaction from the defendant, whereupon the letter dated December 4th, 2019, with a deadline of January 3, 2020, was sent again to the defendant.

13 The defendant then asked, in a letter dated January 6th, 2020, for an extension of the deadline for a statement.

14 In a letter dated January 8th, 2020, the defendant then communicated the following in excerpts:

15 "[...] We already have a request for deletion of the accidental Schufa registration in question sent to the Schufa. We regret the oversight and sincerely apologize."

16 The disputed entry was then made with the Sch. H. AG deleted.

17 In a brief dated November 4th, 2020, the plaintiff brought an action before the M. District Court. This was given to the defendant on Delivered on December 10th, 2020.

18 The plaintiff claims that due to the illegal entry by the defendant, he suffered damage of far more than EUR 40,000.00 was incurred. Due to the financing refusal, the plaintiff intended to purchase one unable to purchase property. Such transactions are for him as a self-employed person in the real estate industry however, financial support is essential. The damage of more than EUR 40,000.00 was caused by the fact that the actual value of the targeted property exceeded the purchase price by more than EUR 40,000.00.

The plaintiff further claims that because of the notification he did not have a more favorable energy supply contract for his apartment building in 3... S.hausen B. was able to be completed. The Schufa entry has this to rejection of an application for the conclusion of a contract. Because a switch to a new energy supply contract was also awarded by the company Mediamarkt, the plaintiff received a bonus in the form of a Shopping vouchers over 180.00 EUR escaped.

20 The plaintiff was massively restricted overall in his freedom of action and discretion. So got - what on factual level is undisputed - the C.bank AG with inquiries from 22.07.2019 in the plaintiff's database the sh H. AG requested. The same applies to the company I. AG, which inquired on September 11, 2019. From this it is evident that false or incorrect data about the plaintiff had been disclosed several times. Also, due to the unlawful negative entry significantly worsens his score.

21 Financing agreements for the purpose of debt restructuring could therefore no longer have been concluded.

22 In addition, according to the plaintiff, who has been unable to work since November 11, 2019, he is Overall circumstances and the pressure he had to experience through the registration, massively in terms of health had been affected.

23 The claim under Art. 82 Para. 1, 2 GDPR is in addition to the claim for violation of the Personal rights opened up, says the plaintiff.

24 Following on from this, compensation for pain and suffering in the amount of at least EUR 10,000.00 is to be considered appropriate.

25 The plaintiff requests

26 to order the defendant to pay the plaintiff compensation for pain and suffering, which is at the discretion of the court will, however, be at least EUR 10,000.00, plus interest at a rate of 5 percentage points above that Base interest rate to be paid since pendency.

27 The defendant requests that

28 to dismiss the lawsuit.

29 With the order of December 2nd, 2020, the court has an appointment for the conciliation hearing and, if necessary, afterwards at that early first date determined and given to the defendant, by a licensed attorney submit a response to the complaint to a regional or district court within a period of three weeks, which began with the service of the order. A statement of defense was served on the court on February 23, 2021.

30 The defendant takes the view that the legal prosecution as a whole was abusive.

31 The claim for damages is also unfounded. Because the necessary causality is missing of the damage or already on a substantiated explanation and a corresponding proof of such.

32 The plaintiff merely submitted that the unlawful processing and transmission or publication of the personal data concerning him, immaterial damage had occurred. One specific impairment of the person was neither described nor proven. An intangible Damage was not specifically shown. However, this must actually have been suffered.

33 Any alleged material losses that are said to be related to the registration would be included ignorance denied. With a view to the reported amount of the claim, losses in commercial transactions would be considered considered unlikely.

34 Effects and influence of the registration on the score formula of the Schufa would also be disputed with ignorance.

35 The plaintiff complains that the defendant's submission was too late and thus precluded.

36 The court took evidence in its original composition in accordance with the evidence resolution of August 24, 2021 unsworn questioning of witness M3., witness K2. and the witness Dr. L.. On top of that, the court has the plaintiff in accordance with § 141 ZPO. With regard to the result of this taking of evidence, reference is made to Minutes of 07/13/2021 and 11/16/2021. The single judge who is now responsible has the evidence with him Evidence decision of March 21, 2022 repeated and the witnesses K2. and Dr. L. heard. Moreover, the Plaintiff heard again for information. The court relies on the result of this taking of evidence the minutes of the meeting from May 10, 2022.

37 Due to the further submissions of the parties, reference is made to the pleadings exchanged between them together with the annexes as well as their submissions to the minutes of the oral hearing.
<br />
Reasons<br />
<br />
<br />
38 I.<br />
<br />
39 The action is admissible.<br />
<br />
40 In particular, the court seised has local jurisdiction, Section 44 (1) sentence 2 BDSG. According to this provision,<br />
actions by a data subject against a controller or processor for breach of data protection regulations within the scope<br />
of the GDPR, or of the rights of the data subject contained therein, may also be brought before the court of the place<br />
where the data subject has his habitual residence. This is the case for M. here.<br />
<br />
41 On the merits, the lawsuit is only partially successful.<br />
<br />
42 The defendant has to pay the plaintiff damages in the amount of EUR 4,000.00. Insofar as the plaintiff claims<br />
damages beyond that, totaling EUR 10,000.00, the lawsuit is unfounded because neither is recoverable material damage<br />
pursued, nor does the ascertainable non-material damage justify a claim for compensation of more than EUR 4,000.00.<br />
43 In this context, the court does not preclude or exclude the opponent's submission, § 296 ZPO. Whether the legal<br />
dispute is delayed depends solely on whether the proceedings would take longer if the late submission were admitted<br />
than if it were rejected. Admittedly, according to the clearly expressed will of the legislature, the early first<br />
hearing is a full oral hearing, which not only prepares the further proceedings but in suitable cases already leads<br />
to a contentious judgment. However, such a procedure is only ensured if the parties comply with their obligations to<br />
cooperate and cannot ignore the orders of the court without consequences. § 296 paragraph 1 ZPO therefore expressly<br />
clarifies, by referring to Section 275 (1) sentence 1 ZPO, that a late submission is also to be rejected if the<br />
deadline set for the preparation of the early first hearing has expired without excuse and the submission delays the<br />
proceedings (Federal Court of Justice, judgment of December 2nd, 1982, case no.: VII ZR 71/82). Something else only<br />
applies if a dispute cannot be settled at this hearing because it is not ripe for decision. That is the case here,<br />
since the early first hearing was primarily designed as a conciliation hearing, especially as initially no offers of<br />
evidence, be it in the form of procedural measures, were followed up by the judge. Last but not least, the hearing<br />
date in question was rescheduled several times for internal court reasons. For the sake of a fair conduct of the<br />
proceedings, a rejection according to §§ 296 paragraph 2, 282 paragraph 1 ZPO was also to be refrained from. General<br />
legal statements, about which the parties are mainly arguing in this case, do not fall under the concept of a<br />
means of attack and defence.<br />
44 The plaintiff's claim against the defendant for damages in the amount of EUR 4,000.00 is justified under<br />
Art. 82 Para. 1, 2 GDPR.<br />
<br />
45 According to Art. 82 Para. 1, 2 GDPR, every person who has suffered material or immaterial damage because of a<br />
violation of this regulation has a claim for damages against the controller or against the processor. Any controller<br />
involved in processing is liable for the damage caused by processing that is not in accordance with this Regulation.<br />
The controller is exempted from liability in accordance with paragraph 3 only if he proves that he is in no way<br />
responsible for the circumstance by which the damage occurred.<br />
<br />
46 Sch. H. AG is a credit agency, and the report by the defendant on October 20, 2018 to Sch. H. AG also<br />
constituted a transfer of personal data.<br />
<br />
47 Measured against Art. 6 Para. 1 GDPR, which determines the lawfulness of data processing, the data transfer was<br />
unlawful. The defendant was in the role of the controller, Art. 4 No. 7 GDPR. In particular, the requirements of<br />
Art. 6 Para. 1 S. 1 f) GDPR are not met. Legally, the authorization to transmit data of debtors to credit agencies<br />
follows from Art. 6 Para. 1 S. 1 f and Para. 4 GDPR. According to this, the pursuit of a legitimate interest is<br />
required for the transmission. In addition, it must be weighed up whether the legitimate interests of the data subject<br />
outweigh the interests of the data user in the individual case (LG Lüneburg, judgment of July 14, 2020, Az.: 9 O 145/19).<br />
Where a claim that has already been settled is registered, the interest of the data user is reduced to zero. The<br />
defendant was also undisputedly responsible for the oversight, § 276 Para. 2 BGB. With due diligence, the defendant<br />
could and should have recognized that the claim no longer existed.<br />
<br />
<br />
<br />
<br />
<br />
<br />
48 The plaintiff has also suffered non-material damage that can be compensated for under Art. 82 Para. 1, 2 GDPR.<br />
The pre-condition for a claim for damages for immaterial damage according to § 82 para. 1, 2 GDPR is a nameable and<br />
actual violation of personality rights. However, the requirement of a serious violation of personality rights,<br />
demanded in previous German case law for compensation for pain and suffering, is not compatible with Art. 82 (1) and (2)<br />
GDPR; it is neither provided for there nor covered by its aim and history. The claim is in principle independent of<br />
this. Recital 146 sentence 6 of the GDPR also supports a broad interpretation of the concept of damage, according to<br />
which the data subject shall receive full and effective compensation for the damage suffered. Against this background,<br />
a serious violation of personality rights cannot be taken as the lower limit for an award of compensation for pain and<br />
suffering. Rather, the immaterial damage is to be compensated comprehensively. A serious violation of personality<br />
rights will regularly lead to high compensation for pain and suffering. With these restrictions, the principles<br />
developed within the scope of § 253 BGB apply to the immaterial damages according to Art. 82 Para. 1, 2 GDPR. The<br />
determination is the responsibility of the court according to § 287 ZPO. When assessing the "full and effective<br />
compensation for the damage suffered", the indemnity and deterrent function of the claim from Art. 82 Para. 1, 2 GDPR<br />
must also be taken into account (LG Mainz, judgment of November 12, 2021, Ref.: 3 O 12/20). In principle, the disputed<br />
data is sensitive data of the plaintiff that is worthy of protection. It can have a significant negative impact on<br />
participation in economic life through the refusal of credit or of the conclusion of contracts. In this way,<br />
fundamental rights such as freedom of occupation and general freedom of action can be indirectly impaired, so that this<br />
circumstance can already be qualified as a nameable and actual violation of personality rights (LG Lüneburg, judgment of<br />
July 14, 2020, Ref.: 9 O 145/19).<br />
<br />
49 Immaterial damage as an expression of the violation of the plaintiff's personality rights also lies in the<br />
loss of control over his personal data. By transmitting the data to the Schufa, the defendant passed on personal<br />
data to an uninvolved and unauthorized third party. This exposes the plaintiff, and there is also an indirect threat<br />
of potential stigmatization that can arise from an entry in the Schufa (LG Lüneburg, judgment of July 14, 2020,<br />
loc.cit.). According to general life experience, it is in addition to be assumed that the defendant's negative initial<br />
registration with Sch. H. AG was included in the score value determined there. This value is obviously of great<br />
importance in economic life, since "financial reputation and monetary reputation" stand and fall with it.<br />
50 The criteria of Article 83 (2) GDPR can be used to assess the amount of damage. Accordingly, when making a<br />
decision, due regard must be given to the type, severity and duration of the violation, taking into account the type,<br />
scope or purpose of the processing in question and the number of persons affected by the processing and the extent of<br />
the harm suffered by them; the intentional or negligent character of the breach; any measures taken by the controller<br />
to mitigate the damage caused to data subjects; the degree of responsibility of the controller, taking into account the<br />
technical and organizational measures taken by it; any relevant previous breaches by the controller; the categories of<br />
personal data affected by the breach; and any other aggravating or mitigating circumstances in the individual case,<br />
such as financial benefits obtained or losses avoided, directly or indirectly, as a result of the violation.<br />
51 After taking evidence, the Chamber is convinced that the plaintiff perceived the entry as a professional burden,<br />
which also affected him on a health level, § 286 ZPO. The single judge now in charge gained a personal and direct<br />
impression of the plaintiff in the context of a new informational hearing, Sections 128 (1), 355 (1) sentence 1, 309<br />
ZPO. The plaintiff was able to explain plausibly and impressively that, in his subjective perception, the entry<br />
fundamentally had a negative influence on his professional and private situation. That the circumstances were also<br />
detrimental to his mental constitution was likewise outlined in a comprehensible manner. The latter is supported by the<br />
statements of the treating neurologist. She credibly stated that the Schufa entry with the related problems was a<br />
regular topic of conversation in the consultation hours. The statement was extremely rich in content, if only because<br />
the witness was able to describe her perceptions in great detail and meticulously. From this, a sufficiently reliable<br />
causal relationship between the entry and mental suffering can be derived, although the witness was not authorized in<br />
her civil procedural function to provide any diagnoses in an expert capacity or to set them in correlation or relation<br />
to the Schufa entry. The court was aware of this. Finally, the statements of the plaintiff and the witness relating to<br />
the psychological complex were congruent with each other, which underpins the overall impression of the court.<br />
<br />
<br />
52 The court took the position that the entry was perceived by the plaintiff in the abstract as a professional threat,<br />
which also burdened his already poor health. This weighs significantly in the<br />
assessment under Art. 82 Para. 1, 2 GDPR.<br />
<br />
53 When assessing the overall circumstances, however, the material losses complained of by the plaintiff had to be<br />
disregarded, in the specific sense, as possible parameters for the claim for compensation for pain and suffering, simply<br />
because the plaintiff has not asserted any claims for material damage with his lawsuit. As a further sign of impairment<br />
of personality rights they have already, insofar as they are assumed to be true for a legal second, found expression in<br />
the impact just described and would be covered by the considerations already made, so that the concrete material losses<br />
were no longer relevant and accordingly the further offers of evidence did not need to be pursued either. This applies<br />
in particular to the allegation of refusal to finance a property. For it is inherent in the data transfer to the Schufa<br />
that it entails a restrictive influence on participation in economic transactions, in particular when concluding credit<br />
or banking transactions and other contracts. These considerations are thus per se already included in the overall<br />
assessment and consideration of immaterial damage due to data protection violations from a previous, unlawful Schufa<br />
entry. The same applies to the question of the rejection of a cheaper energy contract, especially since the statement<br />
of the witness K2. was not fruitful here, since in the specific case there was no reliable connection between<br />
contract refusal and Schufa entry. With regard to further material losses, the plaintiff has not conclusively and<br />
substantively set out the spillover effect on the immaterial damages, of which he was also informed by decision of<br />
December 14, 2021, § 139 para. 1, 4 ZPO. In any case, compensation for immaterial damage must not be used to claim and,<br />
if necessary, enforce material losses behind the scenes.<br />
<br />
54 The court was also guided by the following considerations on the question of the amount of compensation for pain and suffering:<br />
<br />
55 In favor of the defendant, it was to be weighed that the registered claim was of a low to moderate amount.<br />
<br />
56 To the defendant's disadvantage, however, it weighs in particular that the parties are connected by a common past<br />
and that the defendant once again negligently registered a claim that had already been paid off, although at this<br />
point it can be left open whether the first registration was unlawful. The registration period of just over a year is<br />
also to be regarded as a not inconsiderable time window. The fact that the strict regulatory regime of the GDPR has<br />
long since been in force is also to be assessed negatively.<br />
57 However, it also had to be taken into account that the non-pecuniary damages should not be so high that in the<br />
future no registrations will be made at all because the risk for the registering company of organizational or human<br />
misconduct no longer bears any relation to the economic importance of the matter. The registration serves not only the<br />
registering companies and the information service companies, but also the protection of consumers from excessive<br />
indebtedness. High immaterial compensation for pain and suffering in individual cases may thus be apt to endanger the<br />
preventive protection of consumers as a whole (OLG Koblenz, decision of March 23, 2022, Az.: 5 U 2141/21). Finally, it<br />
must not be ignored that the plaintiff was at all times also the debtor of the claim.<br />
<br />
58 For the violation of the plaintiff's general personality rights, the Chamber considers a<br />
claim for damages in the total amount of EUR 4,000.00 appropriate, but also sufficient.<br />
<br />
59 The defendant does not succeed with the objection of abusive pursuit of the claim. The court cannot identify any<br />
indications that the pursuit of the claim could have a detrimental effect on the determination of the amount of<br />
compensation for pain and suffering.<br />
60 Further claims for damages by the plaintiff are not justified on any other legal grounds. A claim from § 823<br />
paragraph 1 BGB in conjunction with the principles of the right to informational self-determination as a manifestation<br />
of the general right of personality, Article 2 Paragraph 1 GG in conjunction with Article 1 Paragraph 1 GG, or from<br />
Section 823 Paragraph 2 BGB in connection with data protection regulations would not cover any further damage than<br />
that which the plaintiff can claim as compensation under Art. 82 GDPR. The same applies to a claim under § 824 BGB.<br />
<br />
61 Insofar as the plaintiff's claim for damages is justified, it bears interest, as applied for, at 5 percentage points<br />
above the base interest rate since December 11, 2020, §§ 291, 288 Paragraph 1, 187 Paragraph 1 BGB in conjunction with<br />
§§ 253 Paragraph 1, 261 Paragraph 1, 222 para. 1 ZPO.<br />
<br />
62 II.<br />
<br />
63 The decision on costs is based on Sections 91 (1) sentence 1, 92 (1) sentence 1 ZPO. Because the award deviated<br />
downwards from the plaintiff's idea of the amount of the compensation for pain and suffering by more than 20%, there<br />
was no longer room for Section 92 Paragraph 2 No. 1 ZPO.<br />
<br />
64 III.<br />
<br />
65 The statement on provisional enforceability is based on §§ 708 No. 11, 711, 709 S. 2, 108 ZPO.<br />
<br />
66 IV.<br />
<br />
67 The decision on the determination of the amount in dispute is based on § 3 ZPO in conjunction with §§ 48, 63 GKG.<br />
</pre></div>Norman.aasmahttps://gdprhub.eu/index.php?title=BVwG_-_W245_2252208-1/36E_and_W245_2252221-1/30E&diff=33209BVwG - W245 2252208-1/36E and W245 2252221-1/30E2023-06-06T08:39:37Z<p>Norman.aasma: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Austria<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoAT.png<br />
|DPA_Abbrevation=DSB<br />
|DPA_With_Country=DSB (Austria)<br />
<br />
|Case_Number_Name=W245 2252208-1/36E & W245 2252221-1/30E<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Bundesverwaltungsgericht Republik Österreich<br />
|Original_Source_Link_1=https://www.ris.bka.gv.at/Dokumente/Bvwg/BVWGT_20230512_W245_2252208_1_00/BVWGT_20230512_W245_2252208_1_00.pdf<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Other<br />
|Outcome=<br />
|Date_Started=18.08.2020<br />
|Date_Decided=12.05.2023<br />
|Date_Published=12.05.2023<br />
|Year=2023<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 44 GDPR<br />
|GDPR_Article_Link_1=Article 44 GDPR<br />
|GDPR_Article_2=Article 46(2)(c) GDPR<br />
|GDPR_Article_Link_2=Article 46 GDPR#2c<br />
|GDPR_Article_3=Article 46(2)(d) GDPR<br />
|GDPR_Article_Link_3=Article 46 GDPR#2d<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=Österreichischen Datenschutzbehörde (Austrian data protection authority)<br />
|Party_Link_1=https://www.dsb.gv.at/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Norman Aasma<br />
|<br />
}}<br />
<br />
The Federal Administrative Court of Austria held that data transfer by a website provider to Google Analytics was unlawful.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Natural persons brought an action against a partial decision of the Austrian data protection authority from December 2021.<br />
In its 2021 decision, the Austrian DPA found that the use of Google Analytics by an Austrian website led to a transfer of personal data to Google LLC, which is in violation of Chapter V of the GDPR. <br />
<br />
The legal dispute before the Federal Administrative Court of Austria concerned the violation of the core principles of GDPR with regard to data transmission. <br />
<br />
The complainant questioned the lawfulness of the data processing with regard to data transmission principles. <br />
<br />
Firstly, the complainant website provider questioned the DPA's decision with regard to transfer of personal data to Google LLC and with regard to adequate protection provided by the SCC, which were concluded between the respondents. <br />
<br />
Secondly, the complainant website provider questioned in its action brought before the court the level of protection provided by the SCCs. <br />
<br />
Therefore, the website provider asked the court to consider whether there was a violation of core data protection principles of GDPR.<br />
<br />
=== Holding ===<br />
The court held that the data transmission from a website to Google on August 14, 2020, which was not based on consent, was unlawful.<br />
Within the decision, the court analysed the organisational and technical measures taken by Google LLC. <br />
<br />
First of all, the court noted that even after the Schrems II ruling by the Court of Justice of the European Union, Google LLC and the website operator in this case based their actions on the standard contractual clauses, which were questioned by that very ruling. The court highlighted that even though Google LLC had implemented certain organisational and technical measures, they were not sufficient to comply with or prevent the requirements set forth by the US security authorities. Furthermore, Google LLC's own report indicates that the security authorities make a large number of requests. <br />
The court held that standard contractual clauses can be considered effective only as long as they, on their own or in combination with other technical and organisational measures, are able to close the loopholes in data protection requirements with regard to data transfers to third countries. If the party transferring the data is not able to meet these requirements, then such data transmissions are unlawful and cannot take place. <br />
<br />
Moreover, the court stated that compliance with the requirements of the US security authorities will lead to a violation of the fundamental rights enjoyed by EU citizens. The court held that EU law does not provide any efficient remedy to the disclosure of personal data of EU citizens to the US intelligence authorities. <br />
As part of the decision, the court referenced the DPO, who also stated that the technical measures taken by Google LLC are not functional anyway, as Google LLC is still able to access the personal data of EU citizens. The encryption used during the data transmission is not effective, because this kind of data transmission includes an obligation to provide compulsory backdoor access to the personal data for the US security authorities. The court also mentioned that Article 44 GDPR, which was part of the decision, is not based on a risk-based approach, which is absolutely crucial for the aforementioned data transmission to third countries. <br />
<br />
Consequently, the court rejected all complaints lodged by the website provider and held that the data transfer to Google LLC is unlawful and violates Article 44 GDPR.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
Postal address:<br />
Erdbergstrasse 192 – 196<br />
1030 Vienna<br />
Phone: +43 1 601 49-0<br />
<br />
Fax: + 43 1 711 23-889 15 41<br />
Email: einlaufstelle@bvwg.gv.at<br />
www.bvwg.gv.at<br />
<br />
Decision date: 05/12/2023<br />
Business number: W245 2252208-1/36E, W245 2252221-1/30E<br />
<br />
<br />
Written copy of the verbal decision announced on March 31, 2023<br />
<br />
<br />
IN THE NAME OF THE REPUBLIC!<br />
<br />
<br />
<br />
The Federal Administrative Court, through judge Mag. Bernhard SCHILDBERGER, LL.M. as chairperson and<br />
Mag. Viktoria HAIDINGER as expert lay judge and Mag. Thomas GSCHAAR as expert lay judge, on the complaints of XXXX<br />
by XXXX and XXXX, represented by Baker & McKenzie Rechtsanwälte LLP & Co KG, Schottenring 25, 1010 Vienna,<br />
against the partial decision of the Austrian Data Protection Authority of December 22nd, 2021,<br />
GZ 2021-0.586.257 (DSB-D155.027), concerning the violation of the general principles of data transmission<br />
in accordance with Art. 44 GDPR, after conducting an oral hearing, has ruled as follows:<br />
<br />
<br />
a)<br />
<br />
I. XXXX's complaint against point 2 of the disputed partial decision is<br />
<br />
rejected.<br />
<br />
II. The revision is permissible according to Art. 133 Para. 4 B-VG.<br />
<br />
<br />
<br />
b)<br />
<br />
I. XXXX's complaint against point 3 of the disputed partial decision is<br />
rejected.<br />
<br />
<br />
II. The revision is permissible according to Art. 133 Para. 4 B-VG.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Reasons for decision:<br />
<br />
<br />
Subject of the proceedings:<br />
<br />
Complainant XXXX (hereinafter also “BF1”) visited, on August 14, 2020, a website XXXX of the involved party XXXX<br />
(hereinafter also "MB"). The web analysis service XXXX Analytics of complainant XXXX (hereinafter also "BF2")<br />
was embedded on the MB website. Through the embedded web analysis service, personal data of BF1 was<br />
transferred to a third country. The present decision addresses the question of whether the processing at issue<br />
led to a violation of the general principles of data transmission in accordance with Art. 44 GDPR.<br />
<br />
<br />
I. Procedure:<br />
<br />
I.1. With a submission dated August 18, 2020, the BF1 lodged a complaint against the BF2 and the MB (VWA ./01, see point II.2).<br />
<br />
As grounds, the BF1 stated that on August 14, 2020, at 10:45 a.m., he had visited the MB's website XXXX. While visiting the MB's website, the BF1 had been logged in to a XXXX account. This account is linked to the email address of the BF1 (XXXX). The MB has embedded the HTML code for XXXX services (including XXXX Analytics) on its website.<br />
<br />
During the visit to the MB's website, personal data of the BF1 (at least the IP address of the BF1 and cookie data) were processed. Apparently these were transmitted to the BF2 (VWA ./04).<br />
<br />
According to point 10 of the order data processing conditions, the MB agreed that the BF2 may store and process personal data of the BF1 in the United States of America or in another country in which XXXX or XXXX sub-processors maintain facilities. Such a transfer of personal data of the BF1 from the MB to the BF2 requires a legal basis according to Art. 44 ff GDPR.<br />
<br />
After the European Court of Justice declared the "EU-US Privacy Shield" invalid with its decision of 16.07.2020, C-311/18 (Schrems II), the MB could no longer base the data transmission to the BF2 in the United States on an adequacy decision according to Art. 45 GDPR. Nevertheless, the MB and the BF2 had continued to rely on the "EU-US Privacy Shield" for almost four weeks after the judgment. This can be seen from point 10.2 of the order data processing conditions for XXXX advertising products, version 01.01.2020 (VWA ./03).<br />
<br />
In addition, the MB cannot base the data transmission on standard data protection clauses in accordance with Article 46 (2) (c) and (d) GDPR if the third country of destination does not guarantee, by the standards of Union law, adequate protection of the personal data transmitted on the basis of standard data protection clauses (ECJ July 16, 2020, C-311/18 (Schrems II), para. 134 f). The ECJ expressly stated that further transfers to entities falling under 50 U.S. Code § 1881a violate not only the relevant articles in Chapter V GDPR, but also Art. 7 and 8 GRC and the essence of Art. 47 GRC (ECJ 06.10.2015, C-362/14 (Schrems), para. 95). Any further transmission therefore violates the fundamental right to privacy and data protection and the right to an effective remedy and a fair trial.<br />
<br />
The BF2 is a provider of electronic communications services within the meaning of 50 U.S. Code § 1881a (b) (49) and as such is subject to surveillance by U.S. intelligence agencies under 50 U.S. Code § 1881a ("FISA 702"). As is apparent from the "XXXX" (VWA ./06) and from the transparency report of the BF2 (see XXXX), the BF2 actively provides personal information to the US Government pursuant to 50 U.S. Code § 1881a. Against this background, the MB was unable to ensure adequate protection of the personal data of the BF1 that are transmitted to the BF2.<br />
<br />
Since August 12th, 2020, the MB and the BF2 have relied on standard data protection clauses for data transmissions to the United States. This can be seen from point 10.2 of the order data processing conditions for XXXX advertising products, version 08/12/2020 (VWA ./04). However, this procedure ignores the judgment of the European Court of Justice (ECJ July 16, 2020, C-311/18 (Schrems II), para. 134 f). Accordingly, the MB is obliged to refrain from transferring personal data to the BF2 in the United States.<br />
<br />
Finally, despite the clear judgment of the European Court of Justice and in violation of Articles 44 to 49 GDPR, the BF2 accepts data transfers from the EU/EEA under the data protection clauses. In addition, the BF2 passes personal data from the EU/EEA to the US government in violation of Art. 48 GDPR.<br />
<br />
<br />
According to Art. 58 Para. 1 GDPR, the BF1 requested that it be determined which personal data are transmitted from the MB to the BF2 in the United States or to another third country or an international organization, on which transmission mechanism according to Art. 44 ff GDPR the MB bases the data transmission, and whether or not the provisions of the applicable XXXX Analytics Terms of Use and the (new) order data processing conditions for XXXX advertising products fulfill the requirements of Art. 28 GDPR in relation to the transfer of personal data.<br />
<br />
Furthermore, the BF1 applied for a ban or suspension of any data transfer from the MB to the BF2 in the United States to be imposed immediately in accordance with Art. 58 (2) lit. d, f and j GDPR, and for the return of this data to the EU/EEA or to another country that guarantees adequate protection.<br />
<br />
Finally, the BF1 requested the imposition of an effective, proportionate and deterrent fine against the MB and the BF2.<br />
<br />
With his complaint to the BA, the BF1 submitted the Terms of Use for XXXX Analytics (VWA ./02, see point II.2), the order data processing conditions for XXXX advertising products, version 01.01.2020 (VWA ./03, see point II.2), the order data processing conditions for XXXX advertising products, version 08/12/2020 (VWA ./04, see point II.2), the HAR data of the website visit (VWA ./05, see point II.2), the XXXX (VWA ./06, see point II.2) and a certificate of representation (VWA ./07, see point II.2).<br />
<br />
I.2. As a result, by decision of 02.10.2020, Zl 2020-0.527.385 (DSB-D155.027), the BA suspended the procedure until the responsible supervisory authority was determined and until the decision of the lead supervisory authority or the European Data Protection Board (VWA ./08 and ./09, see point II.2). Furthermore, the bB asked the MB for an opinion (VWA ./10, see point II.2).<br />
<br />
I.3. In its statement of December 16, 2020 (VWA ./11, see point II.2), the MB stated that it had itself decided to embed the program code for XXXX Analytics (hereinafter also called "tool") on its XXXX. The tool is used to enable statistical evaluations of the behavior of website visitors (see point II.1.8) in order to adjust the content of the website to general topic interests. Since the evaluation is carried out anonymously, the tool cannot be used to adapt the content to the specific website user. Based on the website usage and article views of anonymous users, the MB receives an aggregated statistical evaluation.<br />
<br />
<br />
Since no personal reference is necessary for the general user statistics and the purpose already mentioned, the MB deliberately decided to embed the anonymous version. The code that is still embedded shows that the function "anonymizeIp" was set to "true". Therefore, the tool only processes anonymous data. In the case of user IP addresses of the IPv4 type, the last octet, and in the case of IPv6 addresses the last 80 of the 128 bits, are set to zero in memory. The anonymization thus takes place before the data is saved or transmitted. Access to personal data by the BF2 in the United States is therefore not possible.<br />
<br />
In addition to anonymized IP addresses, the tool processes the user agent string. The user agent string is used to tell the server which system specification the user is using to access the server. Without personal reference, only the device, the operating system, the operating system version, the browser, the browser version and the device type are displayed. Since this information, lacking a personal IP address or any other identifier, cannot be assigned to an identifiable user, no personal data is present. Since the anonymization already takes place in the working memory of the respective website user, no processing takes place on servers of the BF2 and thus not in a third country outside the EU.<br />
<br />
The anonymization of the IP address takes place even before the cookie is finally set. Only from this point in time is the statistical information about website usage collected via the respective, now anonymous, cookie. The evaluations are accordingly carried out only with the anonymous data and could therefore not be assigned to any person. Due to the lack of personal reference, neither the GDPR nor the DSG applies to the process presented, namely the collection and evaluation of merely anonymous data and information. Accordingly, the consent of a website user is not required.<br />
<br />
The concrete anonymization process initially accesses the IP address in order to anonymize it immediately. However, this required initial recording of the IP address takes place regardless of the use of XXXX Analytics and is always mandatory for the functionality. This collection does not serve the purpose of the MB (see point II.1.8), but inevitably occurs with every website that can be called up on the Internet. As with any other website, it takes place on the basis of the legitimate interest in operating a functioning, user-friendly and secure website in accordance with Art. 6 para. 1 lit. f GDPR.<br />
<br />
<br />
The BF2 processes the data on behalf of and on the instructions of the MB. The MB takes the role of the controller, the BF2 assumes the role of processor. The MB has extensive decision-making power over the means of processing. It decides initially whether it wants to embed the tool at all, and it also has the option of adjusting the tool in order to determine the needs and purposes of processing or change them as needed. Furthermore, the MB determines the storage period (26 months) as well as the fate of the data after the termination of the contract. To secure any future The MB therefore concluded an order data processing agreement with the BF2 (see VWA ./16).<br />
<br />
Following the judgment of the European Court of Justice of July 16, 2020, C-311/18 (Schrems II), the MB checked the settings of the tool and made sure that the previous data protection-friendly implementation through anonymization of the IP addresses is active. Therefore, the judgment of the ECJ is not applicable to the contractual relationship between the MB and the BF2. However, in order to also take precautions for any provision of personal data to the BF2, the MB as a precaution concluded a processor agreement with the BF2 on August 12th, 2020 (see VWA ./16) and included standard safeguard clauses (see VWA ./22). The MB did not carry out a proactive review with regard to the standard safeguard clauses. This is because, due to the transmission of anonymized IP addresses, no transmission of personal data takes place. Finally, no risks arise from the processing of anonymous data, which are subsequently only evaluated for general statistics.<br />
<br />
The BF2 also took further technical and organizational measures (no backdoor access for authorities, information obligations of the BF2 towards controllers when a request from a competent authority arrives, publication of transparency reports, examination of requests for information and appeals) to provide a high level of data protection for the data processed via the tool.<br />
<br />
With its statement (VWA ./11) to the BA, the MB submitted reports from the tool (VWA ./12, see point II.2), information on IP anonymization (VWA ./13, see point II.2), a screenshot of the set storage period (VWA ./14, see point II.2), a list of server locations (VWA ./15, see point II.2), order data processing conditions for XXXX advertising products, version 08/16/2020 (VWA ./16, see point II.2), order data processing conditions for XXXX advertising products, version 08/12/2020 (VWA ./17, see point II.2), order data processing conditions for XXXX advertising products, version 01.01.2020 (VWA ./18, see point II.2), comparison version AVV dated 01/01/2020 vs 08/12/2020 (VWA ./19, see point II.2), comparison version AVV from 08/12/2020 vs 08/16/2020 (VWA ./20, see point II.2), a screenshot of settings (VWA ./21, see point II.2), standard data protection clauses (VWA ./22, see point II.2), information on safety measures (VWA ./23, see point II.2) and a processing sheet for XXXX Analytics (VWA ./24, see point II.2).<br />
<br />
I.4. At the request of the bB of January 22, 2021 (VWA ./25, see point II.2), the BF1 subsequently submitted an opinion (VWA ./26, see point II.2). In it he explained that, although the function "anonymizeIP" was set to "true" in the code, this did not mean that his IP address was transmitted in anonymized form. This is technically impossible for data transfers in the World Wide Web. Referring to statements by the BF2, the BF1 stated that the IP address is only anonymized or masked after it enters the Analytics data collection network, before being stored or processed.<br />
<br />
In addition, the BF1 pointed out that at the time of the website visit he was logged in to his private XXXX account and that cookie data (_ga, __gads, _gid, _gat, _gat_UA-259349-11, _gat_UA-259349-1) were also transferred. As a result, contrary to the statements of the MB, it is clear that personal data (such as cookies and IP addresses) were processed and transmitted to the BF2 in the United States.<br />
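<br />
The masking rule that the MB describes for "anonymizeIp" and the BF1's reply that the full address and the cookie identifiers still reach the collection endpoint can be put side by side in code. The following Python code is an added example, not part of the decision or of any party's software. The endpoint model receive_hit, the helper names and the sample IP addresses (documentation ranges) are constructed; reading the second field of the cid as a Unix timestamp is an assumption not stated in the decision.<br />

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Bits kept per address family: IPv4 loses the last octet (8 of 32 bits),
# IPv6 loses the last 80 of its 128 bits, as described in the MB's statement.
KEEP_BITS = {4: 32 - 8, 6: 128 - 80}


def mask_ip(addr: str) -> str:
    """Return the address with the masked bits set to zero (IPv4 /24, IPv6 /48)."""
    ip = ipaddress.ip_address(addr)
    net = ipaddress.ip_network(f"{ip}/{KEEP_BITS[ip.version]}", strict=False)
    return str(net.network_address)


def anonymity_set(addr: str) -> int:
    """Number of distinct addresses that collapse onto the same masked value."""
    ip = ipaddress.ip_address(addr)
    return 2 ** (ip.max_prefixlen - KEEP_BITS[ip.version])


def receive_hit(source_ip: str, params: dict, anonymize_ip: bool = True):
    """Hypothetical model of a collection endpoint (constructed for this example).

    Returns (seen, stored): 'seen' is what arrives with the request, including
    the unmasked source address of the connection; 'stored' is the record kept
    after masking. Only the IP field differs between the two.
    """
    seen = {"ip": source_ip, **params}
    stored = dict(seen)
    if anonymize_ip:
        stored["ip"] = mask_ip(source_ip)
    return seen, stored


def link_by_cid(stored_records):
    """Group stored records by client ID; IP masking leaves this field untouched."""
    groups = defaultdict(list)
    for rec in stored_records:
        groups[rec["cid"]].append(rec["ip"])
    return dict(groups)


def cid_first_seen(cid: str) -> datetime:
    """Read the second cid field as a Unix timestamp (assumption, see lead-in)."""
    return datetime.fromtimestamp(int(cid.split(".")[1]), tz=timezone.utc)


# The cid value is the one quoted in the decision; the IP addresses and page
# paths are constructed samples from documentation address ranges.
CID = "929316258.1597394734"
HITS = [
    ("192.0.2.123", {"cid": CID, "page": "/article-1"}),
    ("198.51.100.7", {"cid": CID, "page": "/article-2"}),
    ("2001:db8:1234:5678:9abc:def0:1234:5678", {"cid": CID, "page": "/article-3"}),
]

if __name__ == "__main__":
    stored = []
    for ip, params in HITS:
        seen, kept = receive_hit(ip, params)
        stored.append(kept)
        print(f"seen {seen['ip']:<40} stored {kept['ip']:<18} cid {kept['cid']}")
    # Three hits from three networks remain one profile through the shared cid.
    print(link_by_cid(stored))
    print("cid first seen (UTC):", cid_first_seen(CID).isoformat())
```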
<br />
In addition, with a processor in a third country, there is a breach of anonymization<br />
<br />
not enforceable or ascertainable<br />
of the European Court of Justice (ECJ 19.10.2016, C-582/14 (Breyer)) at least by one<br />
<br />
assignability to a specific natural person.<br />
<br />
In order to prevent a violation of Art. 44 ff GDPR, complete removal of the tool is necessary, and a change to another tool that does not require data to be transferred to the USA is to be recommended. Insofar as the MB is convinced that no personal data are processed, the conclusion of order processing conditions is contradictory. The fact that the MB, to be on the safe side, concluded standard data protection clauses with the BF2 also indicates that it itself assumes that data will be transferred to the USA. The processing directory (VWA ./24) submitted by the MB also indicates that personal data are transmitted to the BF2.<br />
<br />
Contrary to the statements of the MB, the sole purpose of collecting the IP address is not to carry out the transmission of a message over a communications network; rather, it is also collected for the use of XXXX Analytics. As a result of possible data tapping by US secret services, it can still be assumed that the interests or fundamental rights and freedoms of data subjects, which require the protection of personal data, prevail. As the European Court of Justice stated, the existing system of access options of US secret services to personal data of EU citizens is incompatible with Art. 7, 8 and 47 GRC (ECJ July 16, 2020, C-311/18 (Schrems II)).<br />
<br />
<br />
With his statement (VWA ./26), the BF1 submitted the attachments third-party partners in the cookie banner of the MB (VWA ./27, see point II.2), contacts of XXXX with US server (VWA ./28, see point II.2), and contacts of XXXX with US server, reference to fingerprint technology (VWA ./29, see point II.2).<br />
<br />
<br />
I.5. In a letter dated February 26, 2021, the BA asked the BF2 to comment (VWA ./30, see point II.2). With the submission of April 9th, 2021, the BF2 complied with this request (VWA ./31, see point II.2). In its statement, the BF2 describes, among other things, the web analysis service XXXX Analytics (see point II.1.3.3), the implementation and the functionality of XXXX Analytics (see point II.1.5), the embedding of the program code for XXXX Analytics on a website (see point II.1.6), the legal basis for the use of XXXX Analytics (see point II.1.7), the measures taken following the judgment of the European Court of Justice of July 16, 2020 in case C-311/18 (see point II.1.9), the additional measures that were taken with the introduction of the standard contractual clauses (see point II.1.10) and the effects if a user of a XXXX account visits a website that uses XXXX Analytics.<br />
<br />
I.6. Within the scope of the hearing of the parties, the bB transmitted the submission of the BF2 (VWA ./32) to the MB and the BF1 for comments.<br />
<br />
I.7. With a statement of May 4th, 2021 (VWA ./33, see point II.2), the MB stated that it only uses the free version of XXXX Analytics. Both the order data processing conditions (terms of use) and the standard contractual clauses (SDK) have been agreed. The BF2 is used only as a processor. The MB gives its instructions via the settings of the XXXX Analytics user interface and via the global website tag. The data release setting has not been activated. The code has been embedded with the anonymization function. XXXX signals are also not used. The MB does not have its own authentication system and also does not use the user ID function. Currently, it does not rely on the exception rule of Art. 49 Para. 1 GDPR.<br />
<br />
I.8. With a statement dated May 5th, 2021 (VWA ./34, see point II.2), the BF1 stated that XXXX is not a party to the proceedings and that, with regard to the BF2, the sole subject of the complaint is the transmission and receipt of the data in the light of Art. 44 ff GDPR, or the processing in the United States that is unlawful as a result. According to Art. 44 GDPR, "controllers and processors" have to comply with Chapter V GDPR. As a processor, the BF2 is an addressee of Chapter V GDPR. The bB is directly competent for the BF2, which violated Art. 44 ff GDPR. The GDPR is applicable to the processing carried out by the BF2, since the material scope according to Art. 2 Para. 1 and the territorial scope according to Art. 3 Para. 2 lit. b leg. cit. are fulfilled.<br />
<br />
With reference to the opinion of the BF2 (VWA ./31, see point I.5), the BF1 stated that the data transmission to the BF2 in the United States and the personal reference of the transmitted data are undisputed. The BF2 does not dispute that all data collected through XXXX Analytics are hosted in the United States.<br />
<br />
According to the explanations of the BF1, the MB and the BF2 themselves assume that personal data are processed, including their transmission to a third country, since otherwise the conclusion of an order data processing contract including standard contractual clauses would be completely meaningless. The BF2 itself also states that a data subject can be identified for the purpose of deletion on the basis of a "user ID" ("user identifier"). There is thus the possibility of identifiability within the meaning of Art. 4 Para. 1 GDPR. Furthermore, the BF itself states that XXXX Analytics uses unique identifiers associated with a specific user. Insofar as the BF2 explains that the data transmitted to it are sometimes only "pseudonymous data", this is on the one hand factually wrong, and on the other hand it should be noted that even pseudonymised data (Art. 4 Para. 5 GDPR) are covered by the term personal data in accordance with Art. 4 Para. 1 GDPR.<br />
<br />
It is undeniable that the MB and the BF2 processed personal data and transmitted them to the United States. At least some of the cookies set on the occasion of the website visit on August 14, 2020 contain unique user identification numbers. In the transaction between the browser of the BF1 and https://tracking. XXXX , which was started on the specified date, the user identification numbers _gads, _ga and _gid were set. These numbers were subsequently transmitted to https://www. XXXX -analytics.com/. The numbers are online identifiers that serve to identify natural persons and are specifically assigned to a user (see also point II.1.3). With regard to the IP address, it should be noted that Chapter V GDPR provides no exceptions for subsequently anonymized data. It can be assumed that the IP address of the BF1 was not even anonymized in all transactions. The application for the imposition of a fine is withdrawn; this is now a suggestion.<br />
<br />
<br />
The additional measures put forward by the BF2 (see point II.1.10) are irrelevant. In this regard, the European Court of Justice considered the following elements of US legislation to be incompatible with the European fundamental rights according to Art. 7, 8 and 47 of the EU Charter of Fundamental Rights (GRC) (ECJ July 16, 2020, C-311/18 (Schrems II), para 175 ff): the lack of any legal protection before US courts under Art. 47 GRC; the lack of any precise legal basis for surveillance that itself specifies the scope and extent of the encroachment on fundamental rights and satisfies the requirement of proportionality; the lack of any individual ex ante decision of a court, but merely the review of a surveillance system as a whole, and the absence of any subsequent judicial control; and finally the lack of any legal protection for "non-US persons". Against this background, the additional measures (see point II.1.10) are not suitable for solving the problems presented by the European Court of Justice. With comprehensive justification, the BF1 explained that none of the supposed "additional measures" goes beyond the normal standard of data processing pursuant to Art. 32 GDPR or is relevant with regard to U.S. Government data access pursuant to 50 U.S. Code § 1881a and/or EO 12.333.<br />
<br />
With his statement (VWA ./34), the BF1 submitted the enclosures "XXXX -Analytics Cookie, Use on website" (VWA ./35, see point II.2), "How XXXX uses cookies" (VWA ./36, see point II.2), and "Measurement Protocol Parameter Reference" (VWA ./37, see point II.2).<br />
<br />
<br />
I.9. As a result, the bB asked the parties to the procedure to submit a new statement (VWA ./38, ./39 and ./40, see point II.2). With an e-mail dated May 12, 2021, the BF2 applied for an extension of the period for comments (VWA ./41, see point II.2), which was subsequently granted by the BA (VWA ./42, see point II.2).<br />
<br />
<br />
I.10. In its statement of June 10, 2021 (VWA ./43, see point II.2), the BF2 stated that the BF1's standing (active legitimation) had not been established because it had not been demonstrated that the data transmitted were personal data of the BF1. In order to be able to qualify the data (cookies, IP address) as personal data of the BF1, he would have to be identifiable on the basis of this data.<br />
<br />
With regard to the _gid and cid numbers, it should be noted that these are first-party cookies which were set under the domain XXXX. They are therefore not cookies of the BF2 but cookies of the website owner, and the cookie values are different for each user on each site. The BF1 stated that the numbers "_gid" and "cid" were transmitted to https://www. XXXX -analytics.com/. "_gid" has the value 1284433117.1597223478 and cid is 929316258.1597394734. To assess standing, it must therefore be determined whether these numbers (values) make the BF1 identifiable.<br />
<br />
Considering that a single user may have different cid numbers for different websites and that the cid numbers are randomly generated, such a cid number cannot in itself identify a user. The number 929316258.1597394734 simply does not identify the BF1. The BF1 does not submit that subsequent visits to the site took place, let alone that data in connection with such subsequent visits to the website were recorded in connection with the cid 929316258.1597394734. There were no circumstances on the basis of which one could argue that information collected in connection with the cid number 929316258.1597394734 would make the BF1 identifiable. These statements essentially also apply to the _gid numbers.<br />
<br />
With regard to the IP address, it should be checked whether the IP address of the device connected to the Internet is actually assigned to the BF1 and whether the controller or another person has the legal means to obtain subscriber information from the relevant internet access provider.<br />
<br />
Even if it were determined that the MB or another person theoretically has such legal means within the meaning of recital 26 to obtain subscriber information relating to the BF1 from the internet access provider, it must also be determined whether it is reasonably likely, within the meaning of recital 26 GDPR, that these means would be used. In general, it is not likely that the MB or any other person within the meaning of recital 26 would use legal means (if such were available to them). In particular in the situation at issue, it would be generally unlikely that such legal means would be used to identify any visitor to a website like the BF1, if one considers the objective factors, such as the cost and time required for such means of identification (see recital 26).<br />
<br />
As a processor, the BF2 provides the website operator with numerous configuration options for XXXX Analytics. According to the declarations of the MB of December 16th, 2020 (VWA ./11) and 05/04/2021 (VWA ./33), the anonymization function has been configured. However, due to a possible configuration error on the part of the MB, the anonymization function has not been activated in all cases.<br />
<br />
Under normal operating conditions and as far as users based in the EU are concerned, there is a web server in the EEA, which is why the IP anonymization always takes place within the EEA. In the present case, normal operating conditions existed.<br />
<br />
On August 14, 2020, the XXXX account of the BF1 ( XXXX ) had the Web & App activity setting enabled. However, the account had not chosen to include activities from websites using XXXX services. Since, according to its own information, the MB also does not use XXXX signals, the BF2 is not (was not) able to determine that the user of the XXXX account XXXX visited the XXXX.<br />
<br />
With regard to international data traffic, it should be noted that even under the assumption that personal data of the complainant are concerned, these are by their nature limited in terms of quantity and quality. Insofar as the data are to be qualified as personal data at all, they would moreover be pseudonymous data.<br />
<br />
Standard contractual clauses were concluded with the MB; in addition, additional measures have been implemented. The BF2 does not disclose user data under EO 12333. FISA § 702 is irrelevant in the present case given the encryption and the anonymization of IP addresses.<br />
<br />
Art. 44 ff GDPR cannot be the subject of a complaints procedure according to Art. 77 Para. 1 GDPR, which is why the complaint should be rejected.<br />
<br />
Finally, Art. 44 et seq. GDPR are also not applicable with regard to the BF2 as a data importer.<br />
<br />
I.11. The bB sent the submission of the BF2 to the BF1 and the MB as part of the hearing of the parties (VWA ./44, see point II.2). The BF1 thereupon applied for an extension of the period for comments (VWA ./45, see point II.2). Furthermore, by letter dated June 16, 2021, the bB asked the MB to state whether there had been legal changes and whether legal representation still exists (VWA ./46, see point II.2).<br />
<br />
I.12. With a statement dated June 18, 2021, the MB announced the change in its company name and the transfer of the website to another legal entity (see point II.1.2, as well as VWA ./47, see point II.2).<br />
<br />
<br />
I.13. With a further statement of June 18, 2021 (VWA ./48, see point II.2), the MB stated that the intended IP anonymization had not been activated due to a programming error. Due to the change made, IP anonymization is now activated for all XXXX Analytics properties on the XXXX website (VWA ./50, see point II.2). As a result, the BF2 was instructed to immediately delete all data collected via the XXXX Analytics properties. The BF2 has meanwhile confirmed the deletion (VWA ./49, ./52 and ./53, see point II.2). Due to the deletion, neither the MB nor the BF2 processes data of the BF1. The informal termination of the proceedings in accordance with Section 24 (6) DSG is therefore suggested. The statement of the MB was submitted to the BF1 for information (VWA ./51, see point II.2).<br />
<br />
I.14. In the submission of July 9th, 2021 (VWA ./54, see point II.2), the BF2 stated that the adequacy assessment according to the Recommendations 01/2020 on supplementary measures for transfer tools to ensure the level of protection of personal data under Union law, version 2.0, of the European Data Protection Board ("EDPB Recommendations") is not limited to examining the legislation of the third country. All specific circumstances surrounding the transfer in question must also be taken into account. In the present case, due to their limited nature and low sensitivity, the personal data processed are to be treated differently from the data that are the subject of the Schrems I and Schrems II judgments. This is relevant to the case at hand. As a result, the European Data Protection Board recommends a risk-based approach.<br />
<br />
The actual likelihood of access to the data by authorities is also a relevant factor for the<br />
adequacy assessment. Even where problematic legislation exists, the data transfer may continue<br />
(even without implementing additional measures) if the exporter has no reason to believe that<br />
the problematic legislation could be interpreted and/or applied in practice in such a way that<br />
it covers the transferred data and the specific data importer. In addition, the assessment is<br />
no longer based exclusively on the legislation of the third country, but also on the question<br />
of whether or not it is applied in practice. For example, the white paper "Information on U.S.<br />
Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after<br />
Schrems II" states that most companies operating in the EU do not process data that are of<br />
interest to US intelligence services.<br />
<br />
<br />
When a data exporter transfers personal data in such a way that the personal data can no<br />
longer be attributed to a specific data subject without being combined with other data, the<br />
pseudonymization carried out is, according to the EDPB Recommendations, an effective<br />
supplementary measure. It is not to be expected that US authorities have additional<br />
information that would allow them to identify the data subjects behind the first-party cookie<br />
values _gid and cid or behind an IP address.<br />
<br />
<br />
Finally, BF1 did not apply for a finding that his rights had been violated in the past.<br />
<br />
I.15. In his statement of 09.07.2021 (VWA ./55, see point II.2), BF1 stated that personal<br />
data were being processed. This had been demonstrated by the documents submitted (VWA ./5<br />
and VWA ./34, point 5.3). Contract documents (data processing terms or standard data<br />
protection clauses) do not in themselves create a personal reference, but these documents are<br />
an important indication that both BF2 and the MB assume a personal reference. BF2 itself<br />
also assumes this in respect of BF1. If, ultimately, the identification of a website visitor<br />
depends only on whether he makes a certain declaration of intent in his XXXX account (such as<br />
activating "Ad personalisation"), then all means of identifiability exist for BF2. Otherwise,<br />
BF2 could not comply with the wishes a user expresses in the account settings regarding the<br />
"personalization" of the advertising information received.<br />
<br />
The universally unique identifier (UUID) in the _gid cookie with the UNIX timestamp<br />
1597223478 was set on Wednesday 12 August 2020 at 11:11 and 18 seconds CET, and the one in<br />
the cid cookie with the UNIX timestamp 1597394734 on Friday 14 August 2020 at 10:45 and<br />
34 seconds CET. It follows that these cookies had already been in use before the visit that is<br />
the subject of the complaint and that longer-term tracking had taken place. To his knowledge,<br />
BF1 did not delete these cookies immediately and also visited the XXXX website repeatedly.<br />
<br />
BF2 misjudges the broad understanding of the GDPR when assessing whether personal data<br />
exist. The specific IP address used can no longer be determined by BF1 either. However, this<br />
is irrelevant, since the UUID in the cookies establishes a clear personal reference in any<br />
case. Specifically, the combination of cookie data and IP address allows tracking and the<br />
evaluation of the geographic location, internet connection and context of the visitor, which<br />
can be linked to the cookie data already described. This would also include data such as the<br />
browser used, the screen resolution or the operating system ("device fingerprinting").<br />
<br />
<br />
In the context of the complaint, it is more relevant that US authorities use data that are<br />
easily ascertainable for intelligence services, such as the IP address, as a starting point<br />
for the surveillance of individuals. It is standard procedure for intelligence services to<br />
work their way from one data point to the next. If BF1's computer repeatedly appears on the<br />
Internet via the IP address of XXXX, this can be used to spy on the work of the XXXX<br />
association and to target BF1. In a further step, other identifiers would then be searched for<br />
in the data, such as the UUIDs mentioned, which in turn allow the individual person to be<br />
identified for surveillance elsewhere. In this context, the US intelligence services are thus<br />
an "other person" within the meaning of Recital 26 GDPR. BF1 not only works for XXXX, but<br />
also has a relevant role as a model complainant in these efforts. Thus, under US law,<br />
surveillance of BF1 (as well as of all other persons entrusted with this complaint) pursuant<br />
to 50 USC § 1881a is legally possible at any time. Even if the supposed "risk-based approach"<br />
were applied, this case is a prime example of high risk.<br />
<br />
The e-mail address XXXX is assigned to BF1, who bore the surname "XXXX" until his marriage.<br />
However, the old XXXX account is still in use. BF2 has not explained to what extent the<br />
undisputed data are linked and evaluated, or whether the result of an evaluation is simply not<br />
displayed to the user.<br />
<br />
In addition, Chapter V GDPR does not recognize a "risk-based approach". This can only be found<br />
in certain articles of the GDPR, such as Art. 32 leg.cit. The new standard contractual clauses<br />
in Implementing Decision (EU) 2021/914 are not relevant to the facts because they were not yet<br />
applicable at the relevant time. A "transfer" is not a unilateral action of a data exporter;<br />
every "transfer" also requires the data to be received. Accordingly, Chapter V GDPR is also<br />
applicable to BF2; it is a joint action by data exporter and importer.<br />
<br />
If BF2 has not violated Art. 44 ff GDPR, the provisions of Art. 28 Para. 3 lit. a and Art. 29<br />
GDPR are to be taken into account as a "catch-all rule". If BF2 follows a corresponding<br />
instruction of a US intelligence service, it thereby takes the decision to process personal<br />
data beyond the specific instructions of the MB under Art. 28 and Art. 29 GDPR and the<br />
corresponding contractual documents. As a result, BF2 itself becomes the controller in<br />
accordance with Art. 28 (10) GDPR. BF2 must consequently also comply with the provisions of<br />
Art. 5 et seq. GDPR. A clandestine disclosure of data to US intelligence services under US law<br />
is without doubt not compatible with Art. 5 Para. 1 lit. f GDPR, Art. 5 Para. 1 lit. a GDPR<br />
and Art.<br />
<br />
<br />
I.16. After being asked to comment (VWA ./56, see point II.2), BF2 stated in its submission<br />
of August 12, 2021 (VWA ./57, see point II.2) that BF1 had not demonstrated his standing to<br />
lodge a complaint. He had not answered any of the questions raised by BF2 about the<br />
identifiability of his person on the basis of the IP address. Regarding the _gid number and<br />
cid number, it should be noted that no directory is available that would make the BF2<br />
identifiable. The fact that Recital 26 GDPR mentions "singling out" as a possible means of<br />
identification does not change the understanding of the words "identify", "identification" or<br />
"identifiability".<br />
<br />
The identifiability of BF1 requires at least that he be identified on the basis of the data in<br />
question and by means that are reasonably likely to be used. This has not been established<br />
and cannot be assumed; on the contrary, it is improbable, if not impossible.<br />
<br />
Nor does the fact that BF2 has concluded data processing terms mean that the data that are the<br />
subject of these proceedings are personal data, or that they are the data of BF1.<br />
<br />
BF1's view that the data transfer should not be assessed on the basis of a risk-based approach<br />
("all or nothing") cannot be followed. It is not consistent with the GDPR, as can be seen from<br />
Recital 20 of Implementing Decision (EU) 2021/914 of the European Commission. This is also<br />
apparent from the different versions of the EDPB Recommendations. Even if access to the above<br />
numbers by US authorities were "legally" possible at any time, it must be examined how likely<br />
this is. BF1 has not provided any convincing arguments as to why or how the "cookie data"<br />
relating to his visit to a publicly accessible website used by many Austrians, such as the one<br />
in question, could be "foreign intelligence information" and thus become the target of<br />
purpose-restricted data collection under § 702.<br />
<br />
<br />
I.17. With the decision that is the subject of the proceedings (VWA ./59, see point II.2), the<br />
bB in point 1 first set aside the decision of 02.10.2020, Zl 2020-0.527.385 (DSB-D155.027)<br />
(see point I.2).<br />
<br />
In point 2, the bB upheld the complaint against the MB and found that (a) the MB, as<br />
controller, by implementing the tool "XXXX-Analytics" on its website under XXXX, had<br />
transmitted personal data of BF1 (at least unique user identification numbers, IP address and<br />
browser parameters) to BF2 at least on August 14, 2020, (b) the standard data protection<br />
clauses that the MB had concluded with BF2 did not offer an adequate level of protection in<br />
accordance with Art. 44 GDPR, since (i) BF2 qualifies as a provider of electronic<br />
communication services within the meaning of 50 U.S. Code § 1881(b)(4) and as such is subject<br />
to surveillance by US intelligence services under 50 U.S. Code § 1881a ("FISA 702"), and<br />
(ii) the measures taken in addition to the standard data protection clauses mentioned in<br />
point 2.b) were not effective, as they do not eliminate the possibilities of surveillance and<br />
access by US intelligence services, and (c) in the present case no other instrument under<br />
Chapter V GDPR can be relied on for the data transfer mentioned in point 2.a), and the MB<br />
therefore did not ensure an adequate level of protection in accordance with Art. 44 GDPR for<br />
the data transfer mentioned in point 2.a).<br />
<br />
In point 3, the bB rejected the complaint against BF2 concerning a violation of the general<br />
principles of data transfer in accordance with Art. 44 GDPR.<br />
<br />
In its legal reasoning, the bB first addresses its competence and its power to make findings<br />
(see point II.3.4). It also describes Art. 44 GDPR as a subjective right (see point II.3.4).<br />
In connection with point 2, the bB stated that the transmitted data (see point II.1.3 or<br />
II.1.3.1) are, at least in combination, personal data according to Art. 4 Z 1 GDPR. Regarding<br />
the lack of an adequate level of protection in accordance with Art. 44 GDPR, the bB stated<br />
that the European Court of Justice had declared the "EU-US Privacy Shield" invalid in its<br />
judgment of July 16, 2020, C-311/18 (Schrems II). Nor could the data transfer at issue be<br />
based solely on the standard data protection clauses concluded between the MB and BF2 in<br />
accordance with Article 46 (2) (c) GDPR. Furthermore, the additional measures identified by<br />
BF2 are not suitable for closing the gaps in legal protection identified in the judgment,<br />
namely inappropriate access and surveillance powers of US intelligence services and<br />
insufficiently effective legal remedies for those affected.<br />
<br />
The bB justified the rejection in point 3 on the grounds that the requirements of Art. 44 GDPR<br />
do not apply to BF2. BF2 does not disclose the personal data of BF1, it only receives them.<br />
The requirements of Chapter V GDPR must be complied with by the data exporter and not also by<br />
a data importer (in a third country).<br />
<br />
<br />
The decision was served on BF1 on January 12th, 2022, and on BF2 and the MB on January 13th.<br />
Against point 3 of the decision, BF1 lodged a complaint on February 7th, 2022 (see point<br />
I.20). On February 9th, 2022, BF2 lodged a complaint against point 2 of the decision (see<br />
point I.18). The MB did not lodge a complaint.<br />
<br />
<br />
I.18. In its complaint (VWA ./62, see point II.2), BF2 first set out the grounds for its right<br />
to lodge a complaint. Furthermore, BF2 stated that the subject matter of the contested partial<br />
decision and the subject matter of the planned second partial decision are not separable<br />
within the meaning of § 59 paragraph 1 AVG. There is also a violation of a data subject's<br />
right. In addition, a finding of alleged violations lying in the past cannot be made. Nor is<br />
there an entitlement to bring a representative action under Art. 80 Para. 2 GDPR.<br />
<br />
<br />
Contrary to the view of the bB, the data at issue in the proceedings are not personal data<br />
within the meaning of the GDPR. BF2 explained that the processed data do not relate to a<br />
natural person. According to the case law of the European Court of Justice (ECJ December 20,<br />
2017, C-434/16 (Nowak), para. 35), there is neither a content element, a purpose element nor<br />
a result element. Furthermore, there is no identifiability of a natural person. A specific<br />
person cannot be identified from the IP address, the XXXX-specific random numbers, the<br />
browser parameters and the page data obtained. Identification is also not possible from a<br />
combination of these data. Furthermore, BF2 has no technical means of identifying BF1 via his<br />
XXXX account.<br />
<br />
<br />
BF2 also emphasized a risk-based approach. Even if you<br />
subject to the proceedings a personal reference, so is under<br />
<br />
Consideration of the low threshold of the transmitted data and the very<br />
low basis risk, the inapplicability of and the fact that FISA 702 anyway<br />
<br />
no practical application, no disclosure of data according to EO 12.333.<br />
<br />
Since extensive supplementary measures had been implemented, an adequate level of protection<br />
for the transfer of data at issue in the proceedings is more than ensured, and the transfer is<br />
permissible under Art. 44 ff GDPR.<br />
<br />
BF2 enclosed with its complaint the documents "Cookies and user identification" (VWA ./63,<br />
see point II.2), "Linker" (VWA ./64, see point II.2), "Report from XXXX" (VWA ./65, see<br />
point II.2) and "New EU-US data transfer framework" (VWA ./66, see point II.2).<br />
<br />
<br />
I.19. In the statement (VWA ./67, see point II.2) made in the course of submitting the file,<br />
the bB stated that BF2 had no standing to lodge a complaint, since the product XXXX-Analytics<br />
has been offered by XXXX since the end of April 2021. The bB also explained that it has the<br />
power to make findings in complaint procedures concerning alleged violations of the DSG or<br />
the GDPR.<br />
<br />
<br />
Furthermore, the bB stated that BF2 itself evidently assumes that personal data are involved.<br />
This is apparent from the fact that BF2 undisputedly concluded with the MB a processor<br />
agreement in accordance with Art. 28 Para. 2 GDPR and standard data protection clauses<br />
according to Art. 46 Para. 2 lit. c GDPR. BF2 stated that a website operator concludes<br />
standard data protection clauses with BF2 in all cases (VWA ./31, page 3). BF2 itself also<br />
declares that online identifiers are personal data (see point II.1.3.6). Irrespective of these<br />
declarations or the conduct of BF2, the data at issue in the proceedings are personal data<br />
when the case law of the European Court of Justice and the explanations of the European Data<br />
Protection Supervisor (VWA ./68) are taken into account. In the present case, an attribution<br />
can also be made via the IP address.<br />
<br />
In addition, a combination with browser information is also possible. In this context, the bB<br />
referred to the definition of "fingerprinting": this is a process by which an observer<br />
identifies a device or application instance with sufficient probability on the basis of<br />
multiple pieces of information.<br />
<br />
Finally, the bB extensively rebutted the risk-based approach put forward by BF2 and pointed<br />
out that economic interests played no role in the judgment of the European Court of Justice of<br />
July 16, 2020, C-311/18 (Schrems II).<br />
<br />
With its statement, the bB submitted a decision of the European Data Protection Supervisor<br />
of January 5th, 2022 (VWA ./68, see point II.2), a decision of the LG Munich (VWA ./69, see<br />
point II.2), an expert opinion on the current status of US surveillance law (VWA ./70, see<br />
point II.2) and the essential findings of the expert opinion on the current status of US<br />
surveillance law (VWA ./71, see point II.2).<br />
<br />
I.20. In his complaint (VWA ./60, see point II.2), BF1 stated that the bB justified the<br />
rejection in point 3 with a misinterpretation of the wording of Art. 44 GDPR. Insofar as the<br />
bB justifies its rejection on the grounds that BF2, as the recipient of personal data in the<br />
third country United States (data importer), does not disclose the data but (only) receives<br />
them, the bB fails to recognize that Art. 44 GDPR does not use the term "disclosure". Art. 44<br />
GDPR uses the term "transfer". The distinction between these terms is objectively decisive:<br />
in contrast to a "disclosure", which can also occur without a designated recipient (e.g. by<br />
publication on a website), a "transfer" (or a "disclosure by transmission") always requires a<br />
recipient and also his (at least minimal) cooperation. While a "disclosure" is completed with<br />
the act of "making available", a "transfer" also requires receipt by the recipient.<br />
<br />
From a legal point of view, the design of Chapter V GDPR reflects the technical reality<br />
(namely that a transfer over the Internet always requires the interaction of a sender and a<br />
receiver). Art. 44 GDPR itself generally requires the "controller and processor" to comply<br />
with the provisions of the chapter, without referring to the "controller or processor<br />
exporting the data". The safeguards mentioned in Art. 46(2) GDPR also consistently require<br />
cooperation between data exporter and data importer and include in particular obligations of<br />
the data importer. Here too, both the data exporter and the data importer are rightly obliged<br />
to comply with the provisions mentioned, since they jointly transfer data out of the EU into<br />
the third country and from the third country to the EU.<br />
<br />
It should also be noted that obligations arise for the data importer from the standard<br />
contractual clauses (Decision of the European Commission 2010/87/EU of February 5, 2010 on<br />
standard contractual clauses for the transfer of personal data to processors in third<br />
countries under Directive 95/46/EC of the European Parliament and of the Council). Clause 3(2)<br />
clearly contains a subsidiary obligation of the data importer to comply, vis-à-vis the data<br />
subject, with clauses 5(a) to (e), 6, 7, 8(2) and 9 to 12 of the standard contractual clauses<br />
if the company of the data exporter no longer exists in fact or in law and no legal successor<br />
has assumed the obligations of the data exporter. If Chapter V GDPR were not also applicable<br />
to the data importer, it would be impossible to enforce the data subject's subjective rights<br />
under the standard contractual clauses against the data importer.<br />
<br />
I.21. In the statement (VWA ./61, see point II.2) made in the course of submitting the file,<br />
the bB stated that it was correct from a technical point of view that a transfer (unlike a<br />
disclosure to an indeterminate group of addressees, e.g. in the form of publication on a<br />
website) presupposes a recipient. However, as already stated in the contested decision,<br />
different obligations and degrees of responsibility arise from a legal point of view for one<br />
and the same processing operation (here: "transfer") (VWA ./59, page 40). In line with the<br />
"Guidelines 5/2021 of the EDPB on the relationship between the scope of Art. 3 and the<br />
provisions on international data transfers in accordance with Chapter V GDPR", the bB assumes<br />
that the data importer is not under a legal obligation to comply with the requirements of<br />
Art. 44 GDPR.<br />
<br />
<br />
Finally, it should be noted that the data importer is of course also subject to corresponding<br />
obligations. Where standard contractual clauses have been concluded in accordance with Art. 46<br />
Paragraph 2 lit. c GDPR, a data importer must comply with all contractual obligations<br />
concluded between it and its contractual partner. However, these obligations are of a<br />
contractual nature. By contrast, (only) the data exporter must comply with the obligations<br />
under Art. 44 GDPR, which includes ensuring that a suitable instrument, such as the conclusion<br />
of standard contractual clauses, is in place to ensure an adequate level of protection.<br />
<br />
I.22. With a submission dated July 8th, 2022, BF2 submitted a reply to the complaint of BF1<br />
(OZ 4 to W245 2252208-1). In it, BF2 explained in detail that Art. 44 ff GDPR is not<br />
applicable to XXXX as a data importer.<br />
<br />
I.23. In its statement of January 13, 2022 (OZ 4 to W245 2252208-1), the BF2 repeatedly<br />
pointed out that personal data had been processed in the matter at issue. In addition, the BF2<br />
explained that under Art. 44 ff GDPR a risk-based approach is not to be taken. Furthermore,<br />
the BF2 explained in more detail that the BF1, as a data importer, is directly covered by<br />
Chapter V GDPR.<br />
<br />
I.24. In a statement dated February 14, 2023 (OZ 15 to W245 2252208-1), BF2 stated that the<br />
findings made have binding effect. In particular, the finding in the decision that personal<br />
data had been transferred has obvious effects on the further proceedings before the bB. BF2<br />
could not refute this fact in further proceedings.<br />
<br />
With regard to personal reference, BF2 repeatedly stated that this did not exist and also<br />
submitted two affidavits to prove that BF2 was not able to establish access to the MB's<br />
website via BF1's XXXX account. A risk-based approach must also be taken into account as a<br />
matter of law.<br />
<br />
I.25. In preparation for the complaint hearing, the bB (OZ 23 to W245 2252208-1), BF1 (OZ 24<br />
to W245 2252208-1) and BF2 (OZ 25 to W245 2252208-1) submitted observations. In these<br />
observations, the parties reiterated the positions they had taken in the proceedings so far.<br />
<br />
<br />
I.26. In the case at hand, the BVwG held a public oral hearing, which BF1 attended in person<br />
in the presence of his authorized representative. A representative of the bB and of BF2 also<br />
took part in the hearing. After the conclusion of the oral hearing, the decision was announced<br />
orally. BF1 and BF2 requested in writing, within the deadline, a written copy of the orally<br />
announced decision.<br />
<br />
<br />
II. The Federal Administrative Court considered:<br />
<br />
II.1. Findings:<br />
<br />
The facts relevant to the decision are clear.<br />
<br />
II.1.1. About the procedure:<br />
<br />
The course of the procedure presented under point I is established and forms the basis of the<br />
decision.<br />
<br />
<br />
II.1.2. About the owner of the website XXXX :<br />
XXXX transferred the website XXXX to XXXX, Munich, as part of an asset deal with effect from<br />
02/01/2021. XXXX was then renamed XXXX.<br />
<br />
Until August 2021, XXXX continued to manage the website XXXX on behalf of and under the<br />
direction of XXXX, Munich.<br />
<br />
In August 2021, the XXXX website was completely transferred to the IT environment of XXXX,<br />
Munich. Since the transfer, XXXX-Analytics has been used with an upstream proxy server. This<br />
completely prevents even the transmission of IP addresses to BF2.<br />
<br />
II.1.3. For the data processing that is the subject of the procedure:<br />
<br />
BF1 visited the MB's XXXX website at least on August 14, 2020, at 10:45 a.m.<br />
In the transaction between the browser of BF1 and https://tracking. XXXX, unique user<br />
identification numbers were set at least in the "_ga" and "_gid" cookies on 14 August 2020 at<br />
12:46:19.344 CET. Subsequently, these identification numbers were transmitted to<br />
https://www. XXXX -analytics.com/ and thus to BF2 on August 14, 2020 at 12:46:19.948 CET.<br />
<br />
Specifically, the following user identification numbers, which are stored in the browser of<br />
BF1, were transmitted to BF2 (identical values that occurred in different transactions are<br />
shown in italics or marked in orange and green):<br />
<br />
Domain | Name | Value | Purpose<br />
https://tracXXXX. | _ga | GA1.2.1284433117.1597223478 | XXXX Analytics<br />
https://tracXXXX. | _gid | GA1.2.929316258.1597394734 | XXXX Analytics<br />
https://tracXXXX. | _gads | ID=d77676ed5b074d05:T=1597223569:S=ALNI_MZcJ9EjC13lsaY1Sn8Qu5ovyKMhPw | XXXX Advertising<br />
https://wwXXXX-analytics.com/ | gid | 929316258.1597394734 | XXXX Analytics<br />
https://wwXXXX-analytics.com/ | id | 1284433117.1597223478 | XXXX Analytics<br />
<br />
These identification numbers each consist of a leading random number and a trailing UNIX<br />
timestamp showing when the respective cookie was set. The identifier in the _gid cookie with<br />
UNIX timestamp "1597394734" was set on Wednesday, August 14, 2020 at 11:11 and 18 seconds CET,<br />
the one in the cid cookie with the UNIX timestamp "1597223478" on Friday 12 August 2020 at<br />
10:45 and 34 seconds CET.<br />
<br />
With the help of these identification numbers it is possible for BF2 to distinguish between<br />
website visitors and also to obtain the information whether a visitor to www. XXXX is a new<br />
or a returning one. However, a cross-website analysis of behavior based on this identifier is<br />
not possible.<br />
<br />
<br />
In addition, the following information (parameters) about the browser of BF1 was transmitted<br />
to BF2 in the course of requests to https://www. XXXX -analytics.com/collect (excerpt from the<br />
HAR file, request URL https://www. XXXX -analytics.com/collect, request excerpt with timestamp<br />
2020-08-14T10:46:19.924+02:00):<br />
<br />
General<br />
Request URL: https://www. XXXX-analytics.com/collect<br />
Request Method: GET<br />
HTTP Version: HTTP/2<br />
Remote Address: XXXX<br />
<br />
Headers<br />
Accept: image/webp,*/*<br />
Accept-Encoding: gzip, deflate, br<br />
Accept-Language: en-US,de;q=0.7,en;q=0.3<br />
Connection: keep-alive<br />
Host: www. XXXX-analytics.com<br />
Referer: https://www. XXXX .at/<br />
TE: Trailers<br />
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0<br />
<br />
Query Arguments<br />
_gid: 929316258.1597394734<br />
_s: 1<br />
_u: QACAAEAB~<br />
_v: j83<br />
a: 443943525<br />
cid: 1284433117.1597223478<br />
de: UTF-8<br />
dl: https://www. XXXX .at/<br />
dt: XXXX .at Home - XXXX<br />
ea: /<br />
ec: scroll depth<br />
el: 25<br />
gjid:<br />
gtm: 2wg871PHBM94Q<br />
je: 0<br />
jid:<br />
ni: 0<br />
sd: 24-bit<br />
sr: 1280x1024<br />
t: event<br />
tid: UA-259349-1<br />
ul: en-us<br />
v: 1<br />
vp: 1263x882<br />
z: 1764878454<br />
<br />
Size<br />
Headers: 677 bytes<br />
Body: 0 bytes<br />
Total: 677 bytes<br />
<br />
From these parameters, conclusions can therefore be drawn about the browser used, the browser<br />
settings, the language selection, the website visited, the color depth, the screen resolution<br />
and the AdSense linking number.<br />
<br />
The remote address XXXX is that of the BF2.<br />
<br />
The IP address of BF1's device is transmitted to BF2 in the course of requests to<br />
https://www. XXXX -analytics.com/collect. The IP address of BF1 at issue in the proceedings<br />
was transmitted to BF2.<br />
<br />
<br />
The BF1 worked from home on August 14th, 2020. In the home office, the BF2 uses a screen with<br />
a resolution of 1280x1024 (sr value). In addition, a size of 1263x882 is transmitted for the<br />
visible part of the browser window (vp value).<br />
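The identifiers and request parameters set out in these findings can be decoded mechanically. The following Python sketch is an added example, not part of the decision or of any party's submission: the host name in the sample URL is a placeholder, the grouping of parameters is the example's own, and the +02:00 offset is taken from the HAR timestamp quoted above.<br />

```python
"""Audit one Universal Analytics /collect request as captured in a HAR file."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlsplit

# UTC offset taken from the HAR timestamp quoted on the page (...+02:00).
LOCAL = timezone(timedelta(hours=2))

# Measurement Protocol parameters that appear in the excerpt. The grouping into
# identifier / fingerprint / context is this example's own classification.
GROUPS = {
    "identifier": {"cid": "client ID (from the _ga cookie)",
                   "_gid": "24-hour ID (from the _gid cookie)",
                   "tid": "property ID of the website operator"},
    "fingerprint": {"sr": "screen resolution", "vp": "viewport size",
                    "sd": "colour depth", "ul": "user language",
                    "de": "document encoding", "je": "Java enabled"},
    "context": {"dl": "page URL", "dt": "page title", "t": "hit type",
                "ec": "event category", "ea": "event action", "el": "event label"},
}

# Constructed sample: parameter values are those quoted in the findings,
# the host and the page URL are placeholders for the redacted ones.
SAMPLE_URL = (
    "https://analytics.example/collect?v=1&_v=j83&a=443943525&t=event&ni=0&_s=1"
    "&dl=https%3A%2F%2Fwww.example.at%2F&ul=en-us&de=UTF-8&sd=24-bit"
    "&sr=1280x1024&vp=1263x882&je=0&ec=scroll%20depth&ea=%2F&el=25"
    "&_u=QACAAEAB~&cid=1284433117.1597223478&tid=UA-259349-1"
    "&_gid=929316258.1597394734&z=1764878454"
)
SAMPLE_SEEN = "2020-08-14T10:46:19.924+02:00"  # request time from the HAR excerpt


def decode_id(value):
    """Return (random_part, set_time) for a cookie value or a cid/_gid parameter.

    Accepts the cookie form 'GA1.2.RANDOM.TIMESTAMP' and the bare form
    'RANDOM.TIMESTAMP' that is sent in the query string.
    """
    parts = value.split(".")
    if len(parts) == 4 and parts[0].startswith("GA"):
        parts = parts[2:]  # drop the version and domain-depth fields
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a RANDOM.TIMESTAMP identifier: {value!r}")
    return int(parts[0]), datetime.fromtimestamp(int(parts[1]), LOCAL)


def audit(url, seen_iso):
    """Classify the query parameters and compute how old each identifier was."""
    seen = datetime.fromisoformat(seen_iso)
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    report = {name: {} for name in GROUPS}
    report["other"] = {}
    for key, value in params.items():
        group = next((g for g, keys in GROUPS.items() if key in keys), "other")
        report[group][key] = value
    report["ids"] = {}
    for key in ("cid", "_gid"):
        if key in params:
            rand, set_at = decode_id(params[key])
            report["ids"][key] = {
                "random": rand,
                "set_at": set_at,
                # An age well above zero means the ID predates this page view.
                "age_seconds": int((seen - set_at).total_seconds()),
            }
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_URL, SAMPLE_SEEN)
    for name, info in result["ids"].items():
        print(name, info["set_at"].isoformat(), f"age={info['age_seconds']}s")
    for key, value in result["fingerprint"].items():
        print(f"{key:>3} = {value:<10} {GROUPS['fingerprint'][key]}")
```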
<br />
II.1.3.1. Summary of the information that was transmitted to BF2 on August 14th, 2020:<br />
As a result of the implementation of the XXXX-Analytics tool, the following information, in<br />
summary, was transmitted on 08/14/2020 from the browser of BF1, which visited the website<br />
XXXX, to the servers of BF2:<br />
<br />
unique online identifiers (unique identifier) that identify both the browser and the device<br />
of BF1 as well as the MB (through the MB's XXXX analytics account ID as website operator);<br />
<br />
the address and HTML title of the website and of the sub-pages that BF1 visited;<br />
<br />
information about the browser, operating system, screen resolution, language selection and<br />
date and time of the website visit;<br />
<br />
the IP address of the device that BF1 used.<br />
<br />
II.1.3.2. Information on the cookies used:<br />
<br />
For Universal Analytics, the JavaScript library analytics.js or the JavaScript library gtag.js is used. In both cases, the libraries use first-party cookies to:<br />
<br />
distinguish unique users and<br />
<br />
throttle the request rate.<br />
<br />
When the recommended JavaScript snippet is used, cookies are set at the highest possible domain level. If the website address is, for example, blog.example.co.uk, analytics.js and gtag.js set the cookie domain to .example.co.uk. Setting cookies at the highest possible domain level allows measurement across subdomains without requiring any additional configuration.<br />
<br />
Note: gtag.js and analytics.js do not require cookies to be set in order to transmit data to XXXX-Analytics.<br />
<br />
<br />
gtag.js and analytics.js set the following cookies:<br />
<br />
Cookie name | Default expiry time | Description<br />
_ga | 2 years | Used to distinguish users.<br />
_gid | 24 hours | Used to distinguish users.<br />
_gat | 1 minute | Used to throttle the request rate. If XXXX Analytics is deployed via the XXXX Tag Manager, this cookie is named _dc_gtm_<property-id>.<br />
AMP_TOKEN | 30 seconds to 1 year | Contains a token that can be used to retrieve a client ID from the AMP client ID service. Other possible values indicate opt-out, inflight request, or an error retrieving a client ID from the AMP client ID service.<br />
_gac_<property-id> | 90 days | Contains campaign-related information for the user. If you have linked your XXXX Analytics and XXXX Ads accounts, the XXXX Ads website conversion tags read this cookie unless you opt out.<br />
<br />
<br />
II.1.3.3. Regarding the link to the BF1's XXXX account:<br />
<br />
During the visit to the XXXX website, the BF1 was logged into his XXXX account, which is linked to the email address XXXX. This email address belongs to BF1.<br />
<br />
A XXXX account is a user account used for authentication at various XXXX online services that BF2 provides. A XXXX account is, for example, a prerequisite for the use of services such as "XXXX" or "XXXX Drive" (a file hosting service).<br />
<br />
On August 14, 2020, the Web & App Activity setting was activated in the XXXX account of BF1 (XXXX). However, the BF1's XXXX account had opted not to include activity from websites that use XXXX services.<br />
<br />
Contrary to BF2's own statements, it is technically able to obtain the information that a specific XXXX account user visited the XXXX website (on which XXXX-Analytics is implemented) if this XXXX account user was logged into the XXXX account while visiting the XXXX website.<br />
<br />
Metadata from XXXX applications (such as the XXXX account) that the BF1 used on 08/14/2020 was stored on servers in the United States.<br />
<br />
II.1.3.4. Regarding the (non-)anonymized processing of the IP address of the BF1:<br />
<br />
The IP anonymization function was incorrectly implemented on the MB's XXXX website. As a result, it was not ensured that on August 14, 2020 the IP address was anonymized after the data had been transmitted to BF2.<br />
<br />
II.1.3.5. Regarding the deleted information:<br />
<br />
In the course of the administrative procedure, the MB instructed the BF2 to delete all data collected via the XXXX-Analytics properties for the XXXX website. The BF2 performed the deletion.<br />
<br />
II.1.3.6. Regarding the declaration of personal data by BF2:<br />
<br />
On the page "Data processing terms for XXXX advertising products: Information on the services", BF2 states that, as part of the order processing service "XXXX Analytics", the data "online identifiers (including cookie identifiers), internet protocol addresses and device identifiers and identifiers assigned by the customer" can be personal data.<br />
<br />
II.1.4. About the web analysis service XXXX-Analytics:<br />
<br />
XXXX-Analytics is a measurement service that allows customers to measure traffic to properties, including traffic from visitors visiting a website owner's website. Web analytics services are a popular category of services offered by several providers and are considered an essential tool for running a site.<br />
<br />
Website owners rely on web analytics services like XXXX Analytics to help them understand how website visitors interact with their website and services. XXXX-Analytics helps them to create more engaging content and to monitor and maintain the stability of their websites.<br />
<br />
In addition, website owners can set up dashboards that provide an overview of the reports and metrics that customers care about the most, e.g. to monitor in real time the number of visitors on a website. XXXX-Analytics can also help to measure and optimize the effectiveness of advertising campaigns run by website owners on XXXX ad services.<br />
<br />
All data collected by XXXX Analytics is hosted (stored and processed) in the United States.<br />
<br />
II.1.5. About the implementation and functionality of XXXX-Analytics:<br />
<br />
The web analytics service XXXX-Analytics is embedded as JavaScript code on the website owner's site. When a user views a page on the website, this JavaScript code refers to a JavaScript file previously downloaded to the user's device, which then carries out the tracking operation for XXXX-Analytics. The tracking operation retrieves data about the page request by various means and sends this information to the analytics servers via a list of parameters attached to a single-pixel GIF image request.<br />
<br />
The data that XXXX-Analytics collects on behalf of the website owner comes from these sources:<br />
<br />
the user's HTTP request;<br />
<br />
browser/system information;<br />
<br />
first-party cookies.<br />
<br />
An HTTP request for each web page contains details about the browser and the computer making the request, such as host name, browser type, referrer and language. In addition, the Document Object Model (DOM) of most browsers provides access to more detailed browser and system information, such as Java and Flash support and screen resolution. XXXX-Analytics uses this information. XXXX-Analytics also sets and reads first-party cookies on a user's browser, which allow the user session and other information from the page request to be measured.<br />
<br />
When all this information has been collected, it is sent to the analytics servers in the form of a long list of parameters attached to a single GIF image request to the domain XXXX-analytics.com. The data contained in the GIF request is the data that is sent to the XXXX Analytics servers, which is then further processed and ends up in the reports of the website owner.<br />
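<br />
The parameter list attached to the GIF request described above can be audited from a captured request, as in this added example (not code from the decision or from the analytics provider). It assumes the Universal Analytics Measurement Protocol parameter names, including aip, whose presence asks the recipient to anonymize the IP address; the host name and the cid, dl and dt values are constructed, and the names parse_hit, classify and audit_hit are hypothetical.<br />

```python
from urllib.parse import urlsplit, parse_qs

# Universal Analytics Measurement Protocol parameters: name -> (category, meaning).
# "identifier" singles out a browser or account, "browsing" says what was read,
# "device" narrows down the machine, "control" changes how the recipient
# treats the hit, "technical" is protocol plumbing.
PARAMS = {
    "v":   ("technical",  "protocol version"),
    "t":   ("technical",  "hit type"),
    "ni":  ("technical",  "non-interaction flag"),
    "z":   ("technical",  "cache buster"),
    "tid": ("identifier", "analytics property ID of the website operator"),
    "cid": ("identifier", "client ID stored in the _ga first-party cookie"),
    "dl":  ("browsing",   "full URL of the page viewed"),
    "dt":  ("browsing",   "HTML title of the page viewed"),
    "ul":  ("device",     "browser language"),
    "sd":  ("device",     "screen colour depth"),
    "sr":  ("device",     "screen resolution"),
    "vp":  ("device",     "viewport size"),
    "aip": ("control",    "asks the recipient to anonymize the IP address"),
}

# Constructed sample hits. The sr, vp, sd, ul, tid and z values are the ones
# listed in the request capture; host, cid, dl and dt are made up.
_BASE = ("https://www.analytics.example/collect?v=1&t=event&ni=0&tid=UA-259349-1"
         "&cid=1111111111.1597400000&dl=https%3A%2F%2Fsite.example%2Farticle"
         "&dt=Article&ul=en-us&sd=24-bit&sr=1280x1024&vp=1263x882&z=1764878454")
HIT_WITHOUT_AIP = _BASE
HIT_WITH_AIP = _BASE + "&aip=1"
HIT_BARE_AIP = _BASE + "&aip="
HIT_UNKNOWN = _BASE + "&aip=1&xyz=1"


def parse_hit(url):
    """Return the parameters of one /collect request as a flat dict."""
    query = urlsplit(url).query
    # keep_blank_values: a bare "aip=" must still count as "aip present".
    return {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}


def classify(hit):
    """Group parameter values by category; unknown names go to 'unreviewed'."""
    groups = {}
    for name, value in hit.items():
        category, _meaning = PARAMS.get(name, ("unreviewed", ""))
        groups.setdefault(category, {})[name] = value
    return groups


def audit_hit(url):
    """Return (code, detail) findings for one captured /collect request."""
    hit = parse_hit(url)
    groups = classify(hit)
    findings = []
    # Assumption from the Measurement Protocol reference: the presence of aip,
    # with any value, requests anonymization. The flag is acted on by the
    # recipient after receipt; the sender's address still reaches the server
    # as the source of the connection.
    if "aip" not in hit:
        findings.append(("IP_NOT_ANONYMIZED", "no aip parameter in the hit"))
    if "cid" in hit:
        findings.append(("PERSISTENT_ID", hit["cid"]))
    if "browsing" in groups:
        findings.append(("PAGE_DISCLOSED", hit.get("dl", hit.get("dt"))))
    if len(groups.get("device", {})) >= 2:
        findings.append(("DEVICE_ATTRIBUTES", ",".join(sorted(groups["device"]))))
    for name in sorted(groups.get("unreviewed", {})):
        findings.append(("UNREVIEWED_PARAM", name))
    return findings


def codes(url):
    """Finding codes only, in the order audit_hit reports them."""
    return [code for code, _detail in audit_hit(url)]


if __name__ == "__main__":
    for label, url in [("without aip", HIT_WITHOUT_AIP), ("with aip", HIT_WITH_AIP)]:
        print(label)
        for code, detail in audit_hit(url):
            print("  ", code, detail)
```
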
<br />
II.1.6. Regarding the embedding of the program code for XXXX-Analytics on the XXXX website by the associates:<br />
<br />
Following a decision by the MB, the program code for XXXX-Analytics was embedded on its site.<br />
<br />
By configuring the tags and by activating or deactivating various XXXX-Analytics functions through the user interface, the MB determined how the collected data was used. For example, the MB could specify the retention period for data, instruct that the IP address be anonymized after receipt by BF2, determine who is allowed to receive data, etc.<br />
<br />
<br />
II.1.7. Regarding the legal basis for the use of XXXX-Analytics by the participants:<br />
<br />
The use of XXXX-Analytics requires a contract.<br />
<br />
The MB and BF2 have an agreement entitled “Order data processing conditions for XXXX advertising products”. The version of this contract dated August 12, 2020 (VWA ./18) was valid at least on August 14, 2020. The contract regulates order data processing conditions for XXXX advertising products. It applies to the provision of data processing services and related technical support services for customers (MB) of BF2. The MB used the free version of XXXX-Analytics.<br />
<br />
The web analysis service XXXX-Analytics falls under the scope of the "Order data processing conditions for XXXX advertising products".<br />
<br />
Under the order data processing conditions for XXXX advertising products, in connection with the web analysis service XXXX-Analytics, online identifiers (including cookie identifiers), internet protocol addresses and device identifiers as well as labels assigned by the customer represent personal data of the customer (MB).<br />
<br />
In addition, point 10.2. of these order data processing conditions provides for the application of standard data protection clauses where personal customer data is transferred from the EEA to a third country that is not subject to an adequacy decision under European data protection legislation.<br />
<br />
Based on this, MB and BF2 signed a second contract on August 12th, 2020 with the title "XXXX Ads Data Processing Terms: Model Contract Clauses, Standard Contractual Clauses for Processors” (VWA ./22). These are standard contractual clauses for international data traffic (based on the European Commission's Implementing Decision 2010/87/EU of February 5, 2010 on standard contractual clauses for the transfer of personal data to processors in third countries under Directive 95/46/EC of the European Parliament and of the Council, OJ L 2010/39, p. 5).<br />
<br />
In addition to implementing XXXX-Analytics, a website owner can share analytics data with XXXX by activating the data sharing setting for XXXX products and services and separately accepting the privacy policy for XXXX Measurement Controller controllers that applies to the use of this setting.<br />
<br />
The MB did not activate the data sharing setting. The MB also did not switch on XXXX-Signal. The MB did not have its own authentication system and also did not use a user ID function.<br />
<br />
II.1.8. Regarding the purpose of processing by the collaborators:<br />
<br />
XXXX-Analytics is used to enable the following general statistical evaluations of the behavior of website visitors:<br />
<br />
reach measurement (i.e. how many users access the site);<br />
<br />
evaluation of which articles have the greatest traffic (i.e. which articles were viewed most often);<br />
<br />
average session duration;<br />
<br />
evaluation of the average number of pages viewed per session.<br />
<br />
II.1.9. Regarding the measures taken by BF2 after the judgment of the European Court of Justice of 07/16/2020 in Case C-311/18:<br />
<br />
After the decision of the European Court of Justice, BF2 assumed that the judgment also applies to the use of XXXX-Analytics by website owners. After the decision of the European Court of Justice, the BF2 immediately began amending the Data Processing Terms (DTPS) in order to make the Standard Contractual Clauses (SCC) applicable to all affected contracts. This included updating a variety of contracts, sending communications to website owners on 08/03/2020, the translations, and the publication of the corresponding terms of contract. These changes to the order data processing conditions (DTPS) came into force on August 12, 2020.<br />
<br />
Section 10 of the updated Order Data Processing Terms (DTPS) provides that, insofar as the storage and/or processing of personal data of customers, including personal data in XXXX-Analytics data, involves the transfer of personal data of customers from the EEA to a third country that is not subject to an adequacy decision under the GDPR, the website owner (as data exporter) and XXXX (as data importer) use the Standard Contractual Clauses (SCCs) for the transfer of personal data to processors in third countries that do not ensure adequate data protection. The Standard Contractual Clauses (SCCs) are made available at XXXX. These Standard Contractual Clauses (SCCs) are said to correspond to the clauses published by the European Commission in its Decision 2010/87/EU.<br />
<br />
II.1.10. Regarding the additional measures that were put in place by the BF2 with the introduction of the standard contractual clauses:<br />
<br />
The following measures were in force before the decision of the European Court of Justice in Case C-311/18 and therefore also existed during the period in which the conditions were updated by 08/12/2020. According to the statements of the BF2, these measures are suitable to ensure an adequate level of protection.<br />
<br />
II.1.10.1. Legal and organizational measures:<br />
<br />
The BF2 evaluates every request for user data that it receives from state authorities to ensure that it complies with applicable laws and XXXX policies.<br />
<br />
BF2 notifies customers before any of their information is disclosed, unless such notice is prohibited by law or the request involves an emergency.<br />
<br />
<br />
The BF2 publishes a transparency report.<br />
<br />
The BF2 publishes its policy on dealing with government requests.<br />
<br />
II.1.10.2. Technical measures:<br />
<br />
BF2 uses robust technical measures to protect personal data during transmission (default use of HTTP Strict Transport Security (HSTS), encryption of data on one or more network layers (protection of the communication between XXXX services, protection of data in transit between data centers and protection of communications between users and websites)).<br />
<br />
The BF2 uses robust technical measures to protect stored personal data (the BF2 encrypts XXXX-Analytics data that is stored in its data centers; BF2 builds servers exclusively for its data centers and maintains an industry-leading security team; XXXX-Analytics data is only accessible to employees who need the data for their work).<br />
<br />
II.1.10.3. Pseudonymity of data from XXXX-Analytics:<br />
<br />
The BF2 believes that, insofar as the data for measurement by website owners are personal data, they would have to be considered pseudonymous. The BF2 is of the opinion that if a third party accesses the XXXX-Analytics data, it will in principle not be able to identify the data subject on the basis of this data.<br />
<br />
<br />
II.1.10.4. Optional technical measure - IP anonymization:<br />
<br />
In addition to the measures mentioned, website owners can use "IP anonymization" to instruct BF2 to anonymize all IP addresses immediately after collection and thus contribute to data minimization. If this is used, the full IP address is at no time written to disk, as all anonymization occurs in memory almost instantly after the request has been received by the BF2.<br />
<br />
<br />
II.1.11. The BF2 as an electronic communication service:<br />
<br />
BF2 is a provider of electronic communications services within the meaning of 50 U.S. Code § 1881(b)(4) and as such is subject to surveillance by U.S. intelligence agencies under 50 U.S. Code § 1881a (“FISA 702”). The BF2 transmitted personal information to the US government under U.S. Code § 1881a. Metadata and content data can be requested by the US government.<br />
<br />
II.2. Evidence assessment:<br />
<br />
Evidence was collected through inspection of the administrative file of the bB [hereinafter referred to as "VWA", with the following components:<br />
./01 - Data protection complaint of the BF1 from 08/18/2020 (see point I.1);<br />
./02 - Data protection complaint of the BF1 from August 18th, 2020 - Attachment - XXXX Analytics Terms of Use (see point I.1);<br />
./03 - Privacy complaint of the BF1 from 18.08.2020 - Supplement - Terms of Use for Order data processing conditions for XXXX advertising products, version 01.01.2020 (see point I.1);<br />
./04 - Data protection complaint of the BF1 from August 18th, 2020 - Enclosure - Terms of Use for Order Data Processing Terms for XXXX advertising products, version 08/12/2020 (see point I.1);<br />
./05 - Data protection complaint of the BF1 dated 08/18/2020 - Attachment - HAR data of the website visit (see point I.1);<br />
./06 - Data protection complaint of the BF1 from August 18th, 2020 - Enclosure - XXXX (see point I.1);<br />
./07 - Data protection complaint of the BF1 from August 18th, 2020 - Attachment - Certificate of representation (see point I.1);<br />
./08 - Identification of lead responsibility (see point I.2);<br />
./09 - Decision of the BA regarding the suspension of the procedure (see point I.2);<br />
./10 - Request of the bB for a statement to the MB (see point I.2);<br />
./11 - Statement of the MB from December 16, 2020 (see point I.3);<br />
./12 - Statement of the MB of December 16, 2020 - Enclosure - Reports from the tool (see point I.3);<br />
./13 - Statement of the MB from 16.12.2020 - Enclosure - Information on IP anonymization (see point I.3);<br />
./14 - Statement of MB from December 16th, 2020 - Attachment - Screenshot of the set storage period (see point I.3);<br />
./15 - Statement of the MB of 16.12.2020 - Attachment - List of server locations (see point I.3);<br />
./16 - Statement of the MB from 16.12.2020 - Enclosure - Order data processing conditions for XXXX advertising products, version 08/16/2020 (see point I.3);<br />
./17 - Statement of the MB from 16.12.2020 - Enclosure - Order data processing conditions for XXXX advertising products, version 08/12/2020 (see point I.3);<br />
./18 - Statement of the MB from 16.12.2020 - Enclosure - Order data processing conditions for XXXX advertising products, version 01.01.2020 (see point I.3);<br />
./19 - Statement of the MB from 16.12.2020 - Enclosure - Comparative version AVV from January 1st, 2020 vs. August 12th, 2020 (see point I.3);<br />
./20 - Statement of the MB from 12/16/2020 - Enclosure - Comparative version AVV from 08/12/2020 vs 08/16/2020 (see point I.3);<br />
./21 - Statement of the MB from 16.12.2020 - Enclosure - Screenshot of settings (see point I.3);<br />
./22 - Statement of the MB from 16.12.2020 - Enclosure - Standard data protection clauses (see point I.3);<br />
./23 - Statement of the MB of 16.12.2020 - Annex - Information on security measures (see point I.3);<br />
./24 - Opinion of the MB from 16.12.2020 - Enclosure - List of processing activities for XXXX Analytics (see point I.3);<br />
./25 - Request from the bB for a statement to BF1 from December 21, 2020 (see point I.4);<br />
./26 - Opinion of the BF1 from January 22, 2021 (see point I.4);<br />
./27 - Opinion of the BF1 from 22.01.2021 - Attachment - Third party in the cookie banner of MB (see point I.4);<br />
./28 - Opinion of the BF1 from 22.01.2021 - Attachment - Contacts of XXXX with US server (see point I.4);<br />
./29 - Opinion of BF1 from 01/22/2021 - Attachment - Contacts of XXXX with US server, reference to fingerprint technology (see point I.4);<br />
./30 - Request of the bB for a statement to BF2 from February 26th, 2021 (see point I.5);<br />
./31 - Statement of the BF2 from April 9th, 2021 (see point I.5);<br />
./32 - Request of the bB for a statement to BF1 and MB of April 14, 2021 (see point I.6);<br />
./33 - Statement of MB from 05/04/2021 (see point I.7);<br />
./34 - Statement of the BF1 from 05/05/2021 (see point I.8);<br />
./35 - Opinion of the BF1 from May 5th, 2021 - Enclosure - XXXX-Analytics Cookie, Use on website (see point I.8);<br />
./36 - Opinion of BF1 from 05/05/2021 - Enclosure - How XXXX uses cookies (see point I.8);<br />
./37 - Opinion of the BF1 from 05/05/2021 - Attachment - Measurement Protocol Parameter Reference (see point I.8);<br />
./38 - Request of the bB for a statement to BF1 from 06.05.2021 (see point I.9);<br />
./39 - Request of the bB for a statement to BF2 from 06.05.2021 (see point I.9);<br />
./40 - Request of the bB for a statement to the MB of May 10th, 2021 (see point I.9);<br />
./41 - Application of BF2 to extend the deadline for comments from May 12, 2021 (see point I.9);<br />
./42 - Granting of the requested extension of the deadline by the BB from May 14, 2021 (see point I.9);<br />
./43 - Opinion of BF2 from May 14th, 2021 (see point I.10);<br />
./44 - Request of the BA for a statement to BF1 and MB of June 11, 2021 (see point I.11);<br />
./45 - Application of the BF1 for extension of the deadline for comments from June 11, 2021 (see point I.11);<br />
./46 - Request from the bB for a statement to the MB of June 16, 2021 (see point I.11);<br />
./47 - Statement of the MB (transfer) of June 18, 2021 (see point I.12);<br />
./48 - Statement of the MB (configuration error, deletion of data) from 06/18/2021 (see point I.13);<br />
./49 - Statement of the MB (configuration error, deletion of data) from 06/18/2021 - Attachment - Notification of BF2 about the deletion of information (see point I.13);<br />
./50 - Statement of the MB (configuration error, deletion of data) from 06/18/2021 - Attachment - Presentation of the wrong and correct implementation of the anonymization function (see point I.13);<br />
./51 - Transmission of the SO's opinion (VWA ./48 to ./50) to BF1 (see point I.13);<br />
./52 - Notification from the MB of 06/24/2021 (see point I.13);<br />
./53 - Notification from the MB of 06/24/2021 - Enclosure - Confirmation of deletion BF2 (see point I.13);<br />
./54 - Statement of BF2 from 09.07.2021 (see point I.14);<br />
./55 - Opinion of the BF1 from 09.07.2021 (see point I.15);<br />
./56 - Request of the bB for a statement to BF1 from 22.07.2021 (see point I.16);<br />
./57 - Statement from BF2 from 08/12/2021 (see point I.16);<br />
./58 - Website Evidence Collection regarding the website of the MB;<br />
./59 - Partial decision of the Federal Civil Service of December 22nd, 2021, delivered on January 12th and 13th, 2022 (see point I.17);<br />
./60 - Complaint by the BF1 from February 7th, 2022 (see point I.20);<br />
./61 - Statement of the bB on the complaint of the BF1 from February 15th, 2022;<br />
./62 - Complaint by the BF2 of February 9th, 2022 (see point I.18);<br />
./63 - Complaint of the BF2 from 09.02.2022 - Enclosure - Cookies and User Identification (see point I.18);<br />
./64 - Complaint of the BF2 from 09.02.2022 - Attachment - Linker (see point I.18);<br />
./65 - Notice of complaint from the BF2 of 09.02.2022 - Enclosure - Report XXXX (see point I.18);<br />
./66 - Complaint of the BF2 from 09.02.2022 - Attachment - New EU-US data transfer Framework (see point I.18);<br />
./67 - Statement by the BA on the complaint by the BF2 from February 17th, 2022 (see point I.19);<br />
./68 - Statement of the bB on the complaint of the BF2 of 02/17/2022 - Attachment - Decision of the European Data Protection Supervisor from 05.01.2022 (see point I.19);<br />
./69 - Statement of the bB on the complaint of the BF2 from February 17th, 2022 - Attachment - Decision of the LG Munich from February 20th, 2022 (see point I.19);<br />
./70 - Opinion of the bB on the decision of the BF2 of 17.02.2022 - Attachment - Opinion on the current status of US surveillance law (see point I.19);<br />
./71 - Statement of the bB on the complaint of the BF2 from February 17th, 2022 - Attachment - Key findings of the report on the current status of US surveillance law (see point I.19)]<br />
as well as of the court file of the BVwG (file components are marked with an ordinal number, "OZ" for short).<br />
<br />
II.2.1. About the procedure:<br />
<br />
The course of the procedure described above results from the unobjectionable and undoubted content of the submitted administrative file of the bB and the court file of the BVwG.<br />
<br />
II.2.2. Regarding the owner of the website XXXX:<br />
<br />
The findings in this regard result without a doubt from the statement by the MB from June 18, 2021 (VWA ./47).<br />
<br />
II.2.3. Regarding the data processing that is the subject of the procedure:<br />
<br />
The findings in this regard result without a doubt from the findings of the contested decision (VWA ./59, page 18 ff), the statement of the BF1 from May 5th, 2021 (VWA ./34) and the complaint by the BF2 (VWA ./62, page 6).<br />
<br />
The finding that the IP address of BF1 was transmitted to BF2 in the context of the proceedings at issue results from the explanations of the BF1 or his representative at the complaint hearing. In this context, the VPN solution presented by the representative of BF1 is comprehensible and was subsequently no longer called into question by the BF2 at the complaint hearing. In addition, the BF1 credibly worked in the home office on 14.08.2020. This follows from the credible statements of BF1 that in 2020 he mainly worked in the home office due to the coronavirus, and from the use of a high/narrow monitor (negotiation protocol from March 31, 2022, OZ 29 to W245 2252208, page 14). The relevant findings therefore had to be made.<br />
<br />
II.2.3.1. Summary of the information that was transmitted to BF2 on August 14th, 2020:<br />
<br />
The pertinent findings result without a doubt from the explanations of the bB in the contested decision (VWA ./59, page 27).<br />
<br />
II.2.3.2. Information on the cookies used:<br />
<br />
The findings in this regard result without a doubt from statements by the BF1 in the administrative procedure (VWA ./05) and from the findings of the contested decision (VWA ./59, page 15).<br />
<br />
II.2.3.3. Regarding the link to the BF1's XXXX account:<br />
<br />
The findings in this regard result without a doubt from the findings of the contested decision (VWA ./59, page 18 ff) and the statement of the BF2 (VWA ./43, page 10f).<br />
<br />
In his statement of April 9th, 2021, the BF2 submitted in question 9 that he only receives such information if certain conditions are met, such as the activation of specific settings in the XXXX account. This was disproved by the BF1 or the bB in the proceedings with the following comprehensible argument: if a XXXX account user's wish for "personalization" of the advertising information received can be met on the basis of a declaration of intent in the account, then from a purely technical point of view there is the possibility of obtaining information about the website visited by the XXXX account user.<br />
<br />
Irrespective of this, numerous metadata were available to BF2 on August 14, 2020 (OZ 25 to W245 2252208-1, page 3), which are transmitted when an application (e.g. XXXX account) is called up. At the time relevant to the proceedings (08/14/2020), the BF1 also used his XXXX account. With the metadata that were transmitted when the XXXX account was used, a link to the metadata transmitted in the course of the XXXX (via XXXX-Analytics) was possible.<br />
<br />
In addition, a link via the IP address was undoubtedly possible. The BF1 worked in the home office on 08/14/2020. In this context, the IP address was transmitted directly by BF1 to BF2 (negotiation protocol of March 31, 2022, OZ 29 to W245 2252208, page 14). Since the BF1 was signed into the XXXX account at the same time as visiting the website XXXX (XXXX-Analytics), a link between these applications can easily be established via the IP address. In both applications, the IP address is already transmitted for technical reasons. Against this background, a personal reference to the XXXX account (or to the registration information of the BF1) can be established on the basis of the transmission of the IP address via the XXXX-Analytics application. Since the BF1 was working in the home office at that time and lives alone, only he could use the transmitted IP address.<br />
<br />
Due to the easy linkability of metadata and IP address between the individual applications (XXXX account and XXXX-Analytics), a personal reference (login data for XXXX) can indisputably be established.<br />
<br />
It was also found that metadata from XXXX applications (such as the XXXX account) that the BF1 used on 08/14/2020 were transferred to the United States (negotiation protocol from March 31, 2022, OZ 29 to W245 2252208, page 11 f).<br />
<br />
II.2.3.4. For (non)anonymized processing of the IP address of the BF1:<br />
<br />
The pertinent findings result without a doubt from the explanations of the MB in the<br />
administrative procedures (VWA ./48)<br />
<br />
II.2.3.5. About the deleted information: - 37 -<br />
<br />
<br />
The pertinent findings result beyond doubt from the explanations of the MB and<br />
the BF2 in administrative procedures (VWA ./48, ./49, ./50, ./52 and ./53).<br />
<br />
<br />
II.2.3.6. For the declaration of personal data by BF2:<br />
The relevant findings result from the explanations of the bB in the course of the<br />
<br />
File template (VWA ./67, page 4) and from an inspection of the BF2 XXXX website<br />
<br />
last accessed on March 26, 2023).<br />
<br />
II.2.4. About the web analysis service XXXX -Analytics:<br />
The pertinent findings result beyond doubt from explanations of the BF2 in the<br />
<br />
administrative procedures (VWA ./31, page 4).<br />
<br />
II.2.5. About the implementation and functionality of XXXX -Analytics:<br />
<br />
The pertinent findings result beyond doubt from explanations of the BF2 in the<br />
administrative procedures (VWA ./31, page 4 f).<br />
<br />
<br />
II.2.6. On the embedding of the program code for XXXX-Analytics on the XXXX website of the MB:<br />
<br />
The relevant findings result beyond doubt from the documents of the submitted administrative file (VWA ./10, page 1 and VWA ./31, page 7 f).<br />
<br />
II.2.7. The legal basis for the use of XXXX-Analytics by the MB:<br />
The relevant findings result beyond doubt from the documents of the submitted administrative file (VWA ./31, page 6).<br />
<br />
II.2.8. On the purpose of processing by the MB:<br />
<br />
The relevant findings result beyond doubt from the documents of the submitted administrative file (VWA ./10, page 2, ./11, page 11, ./18, ./21, ./22 partial decision, page 15 ff).<br />
<br />
II.2.9. Regarding the measures taken by BF2 after the judgment of the European Court of Justice of 07/16/2020 in Case C-311/18:<br />
The pertinent findings result beyond doubt from explanations of the BF2 in the administrative procedures (VWA ./31, page 21 f).<br />
<br />
II.2.10. On the additional measures taken by the BF2 along with the introduction of the standard contractual clauses:<br />
<br />
The pertinent findings result beyond doubt from explanations of the BF2 in the administrative procedures (VWA ./31, page 24 ff and VWA ./43).<br />
<br />
II.2.11. The BF2 as an electronic communication service:<br />
<br />
The findings in this regard result without a doubt from the expert opinion on the current status of US surveillance law and surveillance powers as well as from the transparency report of BF2 (XXXX, last queried on 03/29/2023).<br />
<br />
II.3. Legal assessment:<br />
<br />
II.3.1. Regarding jurisdiction:<br />
<br />
According to § 6 BVwGG, the Federal Administrative Court decides through a single judge, provided that federal or state laws do not provide for the decision to be made by senates.<br />
<br />
The contested decision is based on a decision of the bB in accordance with Article 44 GDPR. In accordance with § 27 DSG, this matter is subject to decision by a senate.<br />
<br />
The procedure of the administrative courts, with the exception of the Federal Finance Court, is governed by the VwGVG, Federal Law Gazette I No. 33/2013 (§ 1 leg.cit.). According to § 58 para. 2 VwGVG, conflicting provisions that had already been promulgated at the time this federal law entered into force remain in effect.<br />
<br />
According to § 17 VwGVG, unless otherwise specified in this federal law, the provisions of the AVG with the exception of §§ 1 to 5 and of Part IV, the provisions of the Federal Fiscal Code - BAO, Federal Law Gazette No. 194/1961, of the Agricultural Procedures Act - AgrVG, Federal Law Gazette No. 173/1950, and of the Service Law Procedure Act 1984 – DVG, Federal Law Gazette No. 29/1984, and otherwise those procedural provisions in federal or state laws which the authority applied or should have applied in the proceedings preceding the proceedings before the administrative court, apply mutatis mutandis to the procedure for complaints according to Art. 130 para. 1 B-VG.<br />
<br />
According to § 28 para. 1 VwGVG, the administrative courts have to settle the legal matter by judgment unless the complaint is to be dismissed or the proceedings are to be discontinued.<br />
<br />
According to para. 2 leg.cit., the administrative court has to decide on the merits itself on complaints according to Art. 130 para. 1 no. 1 B-VG if<br />
<br />
1. the relevant facts have been established or<br />
<br />
2. the determination of the relevant facts by the administrative court itself is in the interest of speed or associated with significant cost savings.<br />
<br />
As stated above, the relevant facts are established on the basis of the records. The Federal Administrative Court therefore has to decide on the merits itself.<br />
<br />
II.3.2. Regarding the legal situation in the present complaints procedure:<br />
Art. 4 Z. 1 GDPR – Definitions – reads:<br />
<br />
For the purposes of this Regulation, the term:<br />
1. "personal data" means any information relating to an identified or identifiable natural person (hereinafter "data subject"); a natural person is considered identifiable if they can be identified, directly or indirectly, in particular by means of assignment to an identifier such as a name, an identification number, location data, an online identifier or one or more special characteristics expressing the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person;<br />
<br />
Art. 44 GDPR – general principles of data transmission – reads:<br />
Any transfer of personal data that is already being processed or is to be processed after its transfer to a third country or an international organization is only permitted if the controller and the processor comply with the conditions laid down in this Chapter and the other provisions of this Regulation are also complied with; this also applies to any onward transfer of personal data from the relevant third country or the relevant international organization to another third country or another international organization. All provisions of this Chapter shall be applied to ensure that the level of protection for natural persons guaranteed by this Regulation is not undermined.<br />
<br />
Art. 45 GDPR – Data transfer based on an adequacy decision – reads in part:<br />
<br />
(1) A transfer of personal data to a third country or an international organization may be undertaken if the Commission has decided that the third country concerned, a territory or one or more specific sectors within that third country, or the international organization concerned offers an adequate level of protection. Such data transmission does not require any special approval.<br />
(2) When examining the adequacy of the required level of protection, the Commission shall take into account the following in particular:<br />
<br />
a) the rule of law, respect for human rights and fundamental freedoms, the relevant legislation in force in the country or international organization concerned, both general and sectoral – also in relation to public safety, defence, national security and criminal law and access by authorities to personal data – as well as the application of this legislation, data protection regulations, professional rules and security rules, including rules for the onward transmission of personal data to another third country or another international organization, case law, and effective and enforceable rights of the data subject and effective administrative and judicial remedies for data subjects whose personal data is transferred,<br />
<br />
b) the existence and effective functioning of one or more independent supervisory authorities in the third country concerned, or to which an international organization is subject, which are responsible for compliance with and enforcement of data protection rules, including appropriate enforcement powers, for the support and advice of the persons concerned in the exercise of their rights and for cooperation with the supervisory authorities of the Member States, and<br />
<br />
c) the international commitments entered into by the third country concerned or the international organization concerned, or other obligations arising from legally binding agreements or instruments as well as from the participation of the third country or the international organization in multilateral or regional systems, particularly in relation to the protection of personal data.<br />
(3) After assessing the adequacy of the level of protection, the Commission may decide by way of an implementing act that a third country, a territory or one or more specific sectors in a third country, or an international organization provide an adequate level of protection as referred to in paragraph 2 of this article. The implementing act shall provide for a mechanism for a periodic review, which takes place at least every four years and in which all relevant developments in the third country or in the international organization are taken into account. The implementing act shall specify the territorial and the sectoral scope of application and, where applicable, the supervisory authority or supervisory authorities referred to in paragraph 2 letter b of this article. The implementing act shall be adopted in accordance with the examination procedure referred to in Article 93(2).<br />
<br />
Art. 46 GDPR – data transmission subject to suitable guarantees – reads in part:<br />
<br />
(1) If there is no decision pursuant to Article 45 paragraph 3, a controller or a processor may only transmit personal data to a third country or an international organization if the controller or the processor has provided appropriate safeguards and provided that enforceable rights and effective remedies are available to the data subjects.<br />
<br />
(2) The appropriate guarantees mentioned in paragraph 1 can, without a special approval of a supervisory authority being required, consist of<br />
a) a legally binding and enforceable document between the authorities or public bodies,<br />
b) Binding Corporate Rules pursuant to Article 47,<br />
<br />
c) standard data protection clauses adopted by the Commission in accordance with the examination procedure pursuant to Article 93 paragraph 2,<br />
d) standard data protection clauses adopted by a supervisory authority which have been approved by the Commission in accordance with the examination procedure set out in Article 93(2),<br />
<br />
e) approved codes of conduct pursuant to Article 40 together with legally binding and enforceable obligations of the controller or the processor in the third country to apply the appropriate guarantees, including in relation to the rights of data subjects, or<br />
<br />
f) an approved certification mechanism in accordance with Article 42 together with legally binding and enforceable obligations of the controller or of the processor in the third country to apply the appropriate safeguards, including in relation to the rights of data subjects.<br />
<br />
Art. 7 Charter of Fundamental Rights of the European Union – Respect for private and family life – reads:<br />
<br />
Everyone has the right to respect for their private and family life, their home and their communication.<br />
<br />
Art. 8 Charter of Fundamental Rights of the European Union – Protection of personal data – reads:<br />
<br />
Every person has the right to protection of their personal data. This data may only be processed in good faith for specified purposes and with the consent of the data subject or on another legitimate basis regulated by law. Every person has the right to obtain information about the data collected about them and to obtain rectification of the data. Compliance with these rules is monitored by an independent body.<br />
<br />
Art. 47 Charter of Fundamental Rights of the European Union – Right to an effective remedy and an impartial court – reads:<br />
<br />
Any person whose rights or freedoms guaranteed by Union law are violated has the right, subject to the conditions provided for in this article, to seek an effective remedy before a court. Every person has the right to have their case heard by an independent, impartial court previously established by law, in a fair trial, publicly and within a reasonable time. Any person can be advised, defended and represented. Persons who do not have sufficient funds will be granted legal aid to the extent that this aid is necessary to ensure effective access to justice.<br />
<br />
<br />
Recital 26 of the GDPR – No application to anonymized data – reads:<br />
Principles of data protection should apply to all information relating to an identified or identifiable natural person. Personal data subjected to pseudonymization, which could be attributed to a natural person by using additional information, should be considered information about an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all means reasonably likely to be used by the controller or another person to identify the natural person directly or indirectly, such as singling out. In determining whether means are reasonably likely to be used to identify the natural person, all objective factors, such as the cost of identification and the time required for it, should be taken into account, having regard to the technology available at the time of processing and technological developments. The principles of data protection should therefore not apply to anonymous information, i.e. information which does not relate to an identified or identifiable natural person, or personal data that has been anonymized in such a way that the data subject cannot or can no longer be identified. This regulation therefore does not apply to the processing of such anonymous data, including for statistical or research purposes.<br />
<br />
GDPR Recital 30 – Online Identifiers for Profiling and Identification – reads:<br />
<br />
Natural persons may be associated with online identifiers such as IP addresses and cookie identifiers provided by their devices or software applications and tools or protocols, or with other identifiers such as radio frequency identifiers. This can leave traces which, especially in combination with unique identifiers and other information received by the server, can be used to create profiles of the natural persons and identify them.<br />
<br />
II.3.3. Regarding the scope of Art. 44 ff GDPR:<br />
<br />
If the following three requirements are met, there is a transfer and Chapter V (Art. 44 ff) GDPR is applicable (Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR, version 2.0, adopted on 02/14/2023):<br />
<br />
1) A controller or processor ("exporter") is subject to the GDPR in the respective processing.<br />
<br />
2) The exporter transmits personal data that are the subject of this processing to another controller, a joint controller or a processor ("importer"), or makes them available in other ways.<br />
<br />
3) The importer is located in a third country, regardless of whether this importer is subject to the GDPR for the respective processing pursuant to Article 3, or is an international organization.<br />
<br />
An obligation to perpetuate the level of protection under EU law follows from Art. 8 para. 1 EU-GRC (ECJ 06.10.2015, C-362/14 (Schrems), para. 72). The provisions at issue regulate the conditions which allow a controller or processor (exporter) to transfer personal data to a third country. The term "transmission", which is not legally defined, is to be understood within the scope of Art. 44 ff in light of its protective purpose. It therefore includes any disclosure of personal data to a place outside the territory of the European Union or to an international organization (Kühling/Buchner, DSGVO BDSG, Art. 44, Rn 16, Jahnel, Commentary on the General Data Protection Regulation Art. 44 GDPR (as of December 1st, 2020, rdb.at), para. 18). From Art. 44 GDPR it follows that the importer (recipient in the third country) is not covered by the scope of the provision because the importer does not carry out the transmission of data. The term "transmission" describes an action of the data exporter, but not an action of the data importer. Furthermore, Art. 46 para. 1 GDPR provides that a controller or a processor may only transfer personal data to a third country or an international organization if the controller or the processor has provided appropriate guarantees and if enforceable rights and effective remedies are available to data subjects. As a result, the clear wording of Art. 44 et seq. contains no requirements for data importers (as the BF2 also correctly argues, VWA ./43, page 19). Based on the case law of the European Court of Justice, the data exporter bears the responsibility for examining the permissibility of the specific transmission. He must check at any time whether the data is protected in the third country (Kühling/Buchner, DSGVO BDSG, Art. 44, para. 16 with reference to ECJ July 16, 2020, C-311/18 (Schrems II)). Overall, no subjective public rights/duties for a data importer can be derived from Chapter V GDPR.<br />
<br />
This must be distinguished from the contractual obligations of a data importer, for example that he must inform the data exporter immediately if the law applicable to him no longer allows him to store and process the data in accordance with the special contractual clauses (Commission decision of 05.02.2010 on standard contractual clauses for the transmission of personal data to processors in third countries according to Directive 95/46/EG of the European Parliament and of the Council (2010/87/EU), Clause 5 - Obligations of the data importer). However, these are not the subject of administrative/judicial proceedings.<br />
<br />
<br />
II.3.4. On Art. 44 GDPR as a subjective right:<br />
The BF2 repeatedly stated in the proceedings that a violation of Art. 44 ff GDPR was not a permissible object of a complaint according to Art. 77 GDPR (VWA ./54, page 6, VWA ./62, page 36). This view cannot be followed for the following reasons:<br />
<br />
<br />
§ 24 DSG grants the person whose basic personal right has been violated the opportunity to have the violation of rights committed against them established. The declaratory finding here concerns the legal position of a specific person whose rights have been infringed and is, in doctrinal terms, limited in its scope of legal force to this infringement. Based on this finding, the data subject should be able to pursue further individual claims, such as claims for damages (VwGH 14.12.2021, Ro 2020/04/0032).<br />
<br />
It cannot be derived from § 24 DSG that the data protection authority may only establish an infringement if the data subject asserts a data subject right (Art. 12 ff GDPR). In connection with Art. 77 GDPR, the data protection authority is obliged to make a decision if the data subject believes that the processing of personal data concerning them violates this regulation. Contrary to the view of BF2, however, no restriction to data subject rights according to Art. 12 ff GDPR can be inferred from Art. 77 GDPR (e.g. VWA ./43, page 17). A data subject can base an infringement on any provision of the GDPR if the processing of personal data in violation of the GDPR also leads to a violation of the legal position of the person concerned (as does the prevailing doctrine: Jahnel, Commentary on the General Data Protection Regulation Art. 77 GDPR (as of December 1, 2020, rdb.at), para. 11; Bergt in Kühling/Buchner, DSGVO BDSG, Art. 77, para. 10; Körffer in Paal/Pauly, General Data Protection Regulation · Federal Data Protection Act, Art. 77; Moos/Schefzig in Taeger/Gabel, DSGVO BDSG TTDSG, Art. 77, para. 9; Boehm in Simitis | Hornung | Spiecker, data protection law, Art. 77, Rn 6).<br />
<br />
In implementation of Art. 77 GDPR, the right to lodge a complaint with a supervisory authority and the principles of the procedure before the supervisory authority are regulated (1761 BlgNR 25. GP 15). From the materials it is clearly recognizable that § 24 DSG specifies the right of a data subject to complain to a supervisory authority in accordance with Art. 77 GDPR. It cannot be inferred from the materials that § 24 DSG restricts the scope of a data subject's right to lodge a complaint.<br />
<br />
<br />
In accordance with Section 24 (1) DSG, every data subject has the right to lodge a complaint with the Data Protection Authority if they consider that the processing of personal data concerning them violates (among other things) § 1 DSG, which also protects the right to secrecy. According to § 24 para. 2 Z 5 DSG, the complaint must contain the request to establish the alleged infringement. Insofar as a complaint proves to be justified, it must be upheld according to Section 24 (5) first sentence DSG. Accordingly, as a legal remedy in the event of a violation of data protection law, the law explicitly provides for an application for a declaratory finding as part of the complaint, which pursuant to Section 24 (5) DSG must be upheld if it proves to be justified (VwGH 19.10.2022, Ro 2022/04/0001).<br />
<br />
<br />
Therefore, if a person considers that the processing of personal data concerning them leads to a violation of their rights, they have, according to § 24 DSG, a right expressly provided for in law to have this established. In this context, it should be noted that not only a finding of an infringement of § 1 DSG (right to secrecy) is possible. With the expression "among other things", the Administrative Court clearly indicates that it is not only violations of rights based on § 1 DSG (right to secrecy) that can be established. Nor can a restriction be inferred from § 24 para. 2 DSG to the effect that a data subject could only request a declaration of a violation of the right to secrecy.<br />
<br />
In the present case, the BF1 asserted a violation of rights pursuant to Section 24 (2) DSG to the effect that the processing of his personal data violates the GDPR (Article 77 GDPR). Specifically, the BF1 requested a determination as to whether there was a violation of the general principles of data transmission in accordance with Art. 44 GDPR.<br />
<br />
Without a doubt, every person whose personal data are processed by others has the subjective right that the processing of the personal data concerned takes place in accordance with the GDPR. According to the case law of the European Court of Justice, any processing of personal data must, on the one hand, be in line with the principles set out in Art. 5 of the GDPR for the processing of data and, on the other hand, comply with one of the principles relating to the lawfulness of processing listed in Art. 6 of the GDPR (ECJ 22.06.2021, C-439/19 (Latvijas Republikas Saeima), para. 96). To the extent that a data subject believes that the processing of personal data does not comply with the GDPR, an individual complaint according to § 24 DSG is admissible in that respect.<br />
<br />
It should be particularly emphasized in the present case that the European Court of Justice (ECJ July 16, 2020, C-311/18 (Schrems II), para. 158) assumed that the finding that "[…] the law and practice of a country do not ensure an adequate level of protection [...]" and "[...] the compatibility of this (adequacy) decision with the protection of privacy and the freedoms and fundamental rights of individuals […]" can be asserted as a subjective right as part of a complaint under Art. 77 (1) GDPR. In this context, the DA correctly stated that the "extent of the right of complaint under Art. 77 para. 1 GDPR" was not the subject of the question referred in the procedure mentioned; however, the ECJ evidently considered the fact that a violation of provisions of Chapter V GDPR can also be invoked in the context of a complaint according to Art. 77 para. 1 GDPR to be a necessary condition. From a different point of view, the ECJ would have said that the question of the validity of an adequacy decision cannot be clarified at all in the context of a complaints procedure (VWA ./59, page 23 f).<br />
<br />
Overall, the bB is authorized to determine a violation of law according to Art. 44 ff DSGVO.<br />
<br />
II.3.5. About the distribution of roles:<br />
<br />
At the time relevant to the proceedings, the MB, as the website owner, made the decision to implement the "XXXX-Analytics" tool on the XXXX website. Specifically, it inserted a JavaScript code ("tag") provided by BF2 into the source code of its website, as a result of which this JavaScript code was executed in the browser of the BF1 when the website was visited. The MB used said tool for the purpose of statistical evaluations of the behavior of website visitors. Since the MB decided on the purposes and means of the data processing related to the tool, it is to be regarded as the controller within the meaning of Art. 4 Z 7 GDPR.<br />
<br />
In the present case, it should be noted that the subject matter of the complaint relates only to the data transfer to BF2 (United States). In connection with the data transmission with the tool XXXX-Analytics, it should be noted that the BF2 only makes the tool available and has no influence on whether the MB makes use of the tool functions at all or to what extent, and which specific settings it chooses. Insofar as BF2 only provides XXXX-Analytics (as a service), it has no influence on the "purposes and means" of data processing and is therefore, in this case, to be qualified as a processor within the meaning of Art. 4 Z 8 GDPR.<br />
<br />
II.3.6. Regarding point A.I) - rejection of the complaint by the BF2:<br />
<br />
II.3.6.1. On the right to lodge a complaint with BF2:<br />
By means of the finding in ruling point 2 of the decision that is the subject of the proceedings, it was clarified whether there was a violation of the general principles of data transmission according to Art. 44 GDPR by the MB. Ruling point 2 is separable from the other ruling points according to § 59 paragraph 1 AVG because, standing alone and without an inner connection with other parts of the procedure, it is amenable to a separate ruling (cf. e.g. VwGH September 12, 2018, Ra 2015/08/0032). The bB correctly stated that the possible violation of Art. 5 ff in conjunction with Art. 38 Para. 3 lit. a and Art. 29 GDPR by the BF2 has no connection with the requirements of Art. 44 GDPR (VWA ./67, page 14).<br />
<br />
<br />
The question of who has party status in a specific administrative procedure cannot be resolved on the basis of the AVG alone. Rather, party status must be derived from the substantive regulations. In the field of substantive administrative law, it must be assessed according to the subject of the relevant administrative procedure and according to the content of the applicable administrative regulations. The constituent element of party status in administrative matters is determined according to the normative content of the regulations to be applied in the case. The terms "legal claim" and "legal interest" only acquire, through the applicable administrative regulation, a specific content according to which alone the question of party status can be answered (VwGH April 19, 2022, Ra 2021/02/0251). Against this background, party status in administrative court proceedings cannot be justified by the fact that the results of the proceedings may affect other procedures; rather, party status (or legal interests) derives from the relevant administrative regulation that is the subject of the administrative procedure.<br />
<br />
As explained under point II.3.3, Art. 44 GDPR regulates the admissibility of a data transfer to a third country. Based on the case law of the European Court of Justice, the data exporter (the MB) is responsible for checking the admissibility of the specific transmission. He must check at any time whether the data are protected in the third country. Against this background, it is clear that the regulations in Chapter V GDPR have, without exception, subjective public rights/duties of the data exporter (thus the MB) as their subject. In contrast, no subjective public rights/duties for the data importer in a third country can be derived from Chapter V GDPR. This is also evident from the fact that, for the assessment of the legal question as to whether a data exporter has violated obligations under Chapter V GDPR, the data importer does not, in principle, have to participate in the procedure. If, for example, a data importer cannot be reached at all by a supervisory authority, this circumstance does not prevent the supervisory authority from establishing an infringement by the data exporter in accordance with Chapter V GDPR. The BF2 therefore had no party status in the procedure of the bB (VWA ./59, point 2) in connection with the assessment of the legal question of whether the data exporter (i.e. the MB) violated obligations under Chapter V GDPR.<br />
<br />
With regard to point 3 of the ruling at issue, the BF2 was a party to the procedure because the bB clarified the legal question as to whether the BF2 had violated obligations under Art. 44 GDPR. However, since Art. 44 or Chapter V GDPR does not provide for any public-law obligations for a data importer in a third country, the BA rejected a request by the BF1 to that effect. In this respect, the BA confirmed the legal view of the BF2 (see point II.3.3 above).<br />
<br />
As explained, the BF2 had no party status in the procedure of the DA in connection with ruling point 2. However, party status in the administrative procedure is an essential prerequisite for filing a complaint against a decision with the administrative court. According to the domestic legal situation, party status in administrative proceedings and the authority to file a complaint are directly related (VwGH 05.04.2022, Ra 2022/03/0073). Since the BF2 was not accorded party status in the administrative procedure regarding ruling point 2 of the decision at issue in the proceedings, its complaint was to be dismissed to that effect.<br />
<br />
Furthermore, it is pointed out that the assessment of a preliminary question in a decision generally has no binding effect on other authorities (or even on the same authority in other procedures) for whose decision the same question, or one comparable in content (although not to be qualified as a preliminary question in the legal sense), arises (VwGH 01/20/2016, Ro 2014/04/0045). In addition, the main question of the partial decision that is the subject of the proceedings is the ruling on a violation of Art. 44 GDPR, i.e. the question of whether the data transfer in question to a third country was legally permissible. The main question, however, does not include individual statements on some elements of the facts of Art. 44 ff GDPR, which are explained in point 2.<br />
<br />
It should also be noted that BF2 acted as a processor for the MB. Its actions are attributable to the MB (Art. 28 GDPR) and ultimately lead to an infringement of rights by the MB. In this context, it is pointed out that the MB did not appeal against the decision of the DA.<br />
<br />
II.3.6.2. On the lack of infringement of subjective rights of BF2:<br />
<br />
Regardless of the lack of party status (see point II.3.6.1), and contrary to the explanations of BF2 (VWA ./62, page 8), there is in principle no violation of subjective rights in this case. This is due to the following considerations:<br />
<br />
II.3.6.2.1. On the processing of personal data:<br />
<br />
According to Art. 2 Para. 1 GDPR, personal data are the starting point for the material applicability of the GDPR. In this regard, the European Court of Justice has repeatedly stated that the scope of the GDPR should be understood very broadly (ECJ 06/22/2021, C-439/19 (Latvijas Republikas Saeima), para. 61; 12/20/2017, C-434/16 (Peter Nowak), marginal note 59). The further explanations are to be based on this basic understanding. Against this background, the view of the BA is to be followed that an interference with the fundamental right to data protection according to Art. 8 EU-GRC and § 1 DSG already exists if certain measures are taken (e.g. assignment of identification numbers) to individualize website visitors.<br />
<br />
<br />
In the present case, BF2's own explanations and behavior indicate that the information that is the subject of the proceedings (see point II.1.3.1) represents personal data. The BF2 itself explains that, within the framework of the order processing service "XXXX Analytics", the data "Online identifiers (including cookie identifiers), internet protocol addresses and device identifiers and identifiers assigned by the customer" can be personal data. In addition, after the judgment of the European Court of Justice of July 16, 2020 in Case C-311/18, the BF took several measures to allow a legally compliant transfer of personal data to the United States (see point II.1.9). These explanations and this behavior contradict the less convincing explanations of the MB or the BF2 that the change of the order data processing conditions (DTPS) from August 12th, 2020, including the Standard Contractual Clauses (SCCs), was made only for proactive reasons.<br />
<br />
In principle, it should be noted that no direct personal reference can be inferred from the information transmitted on August 14th, 2020 (see point II.1.3 and II.1.3.1). Online identifiers (IP address, cookies, etc.) on their own regularly do not identify a person, since they directly reveal neither the identity of the natural person who owns the end device (computer) from which a website was accessed, nor the identity of another person who could use this computer (ECJ October 19, 2016, C-582/14 (Breyer), para. 38). However, depending on the circumstances, identifiability is possible.<br />
<br />
A piece of information makes a natural person identifiable if identification (i.e. recognition) is not directly possible through it alone, but a corresponding identification can be made by linking it to further information. According to Art. 4 Z 1 DSGVO, a natural person is considered identifiable if he or she can be identified directly or indirectly, in particular by means of assignment to an identifier such as a name, identification number, location data, online identifier, or one or more special characteristics that express the physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person. However, knowing the name of the natural person is not absolutely necessary for identifiability (Art. 29 Data Protection Working Party, WP 136, page 16 f).<br />
<br />
To determine whether a natural person is identifiable, all means are to be taken into account that are reasonably likely to be used by the controller or another person to identify the natural person directly or indirectly (recital 26, 3rd sentence). The purely hypothetical possibility of identifying the person is, however, not sufficient for the person to be considered identifiable. It is also not necessary, however, for the controller to actually make efforts or already have the appropriate means to bring about identification; rather, the probability that he will make such efforts or acquire corresponding means is sufficient. For the assessment of the question of identifiability, it is therefore not important whether a controller has actually attempted identification. It is sufficient that the use of a means is likely from a purely abstract point of view.<br />
<br />
In determining whether means are reasonably likely to be used to identify the natural person, all objective factors, such as the cost of identification and the time required for it, must be taken into account in the context of a risk analysis or forecast (according to recital 26, 4th sentence), having regard to the technology available at the time of processing and to technological development.<br />
<br />
According to the case law of the European Court of Justice, a factual risk of establishing a personal reference is required for this (ECJ 19.10.2016, C-582/14 (Breyer), para. 38). To determine whether such a risk exists, it must also be considered - in addition to the factors expressly mentioned in ErwG 26, 3rd sentence - whether the purpose of the processing requires identification, whether identification leads to an increase in usage, and whether identification faces contractual and/or organizational obstacles (e.g. contractual penalties) (Taeger/Gabel, GDPR BDSG TTDSG⁴, Art. 4, Rn 31).<br />
<br />
In the present case, an increase in use can be assumed because, for example, the online identifiers used (IP address, cookies) allow website visitors to be distinguished. Also, in the context of big data applications, the threshold for assuming a personal reference is simply low (Kühling/Buchner, DSGVO BDSG, Art. 4 No. 1, Rn 22). For example, if a company stores information about people in two different databases (neither of which, viewed in isolation, enables clear assignment to a person), and merging them would lead to identification and would be possible with a reasonable amount of time and money using the data analysis tools typically available on the market, the identifiability of the not (yet) merged databases would have to be affirmed (Taeger/Gabel, GDPR BDSG TTDSG⁴, Art. 4, Rn 31). Even a "digital footprint" that allows devices - and subsequently the specific user - to be clearly individualized constitutes personal data (cf. Karg in Simitis/Hornung/Spiecker, data protection law, Art. 4 Z 1, Rn 52 with further references). Through fingerprinting (RFC 6973), an observer can identify a device or application instance with sufficient probability on the basis of several information elements (online identifiers, IP address, browser information, etc.).<br />
<br />
In addition, the argumentation of the bB is to be followed that the implementation of XXXX-Analytics on XXXX results in singling out within the meaning of ErwG 26. In other words: whoever uses a tool that makes such singling out possible in the first place cannot take the position that it does not use any means to make natural persons identifiable. It can be assumed that without using the information at issue in the proceedings (see point II.1.3.1) the BF2 would not be able to offer a usable measurement service (see point II.1.4), because, for example, without cookies the BF2 would not be able to perform traceable measurements of website visits.<br />
<br />
Due to the circumstances at hand - big data, benefit increases, the purpose and functionality of the web analytics service XXXX-Analytics, and fingerprinting - a factual risk is to be assumed that the BF2, as the processor of the MB, is reasonably likely to use means to identify the individual.<br />
<br />
With the information transmitted to the BF2 (see point II.2.3 or II.2.3.1), a "digital footprint" of the BF1 was generated, which allows the BF2 as the processor of the MB to identify the BF1.<br />
<br />
<br />
With regard to online identifiers, it should be noted that the cookies in question, "_ga" or "cid" (client ID) and "_gid" (user ID), contain unique XXXX-Analytics identifiers and were stored on the end device or in the browser of the BF1. With these identifiers, it is sometimes possible for the BF2 to distinguish website visitors and also to receive the information whether a visitor to the website XXXX is new or returning. Without these identification numbers, it is therefore not possible to distinguish website visitors. In this context, the European Data Protection Supervisor considers that all records containing identifiers with which users can be singled out are considered personal data under the Regulation (meaning Regulation (EU) 2018/1725) and must be treated and protected as such (VWA ./68).<br />
<br />
<br />
With regard to the IP address, it should be noted that the "anonymization function" of the IP address was not correctly implemented at the time of data transmission to the BF2, and the IP address was therefore stored in full by the BF2. In this context, it should be noted that the general storage of IP addresses constitutes a serious interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter, since IP addresses make it possible to draw precise conclusions about the private life of the user of the electronic means of communication concerned. This can have a deterrent effect on the exercise of the freedom of expression guaranteed in Article 11 of the Charter (ECJ 20.09.2022 in joined cases C-793/19 and C-794/19 (SpaceNet AG/Telekom Deutschland GmbH), para. 100). It also does not matter to whom the IP address actually belongs: the decisive factor is whether the IP address can be used to draw conclusions about the data subject (user). Therefore, the statements of BF2 have no justification value when it argues that the IP address used may belong to BF1's employer. Regardless, the procedure revealed that the IP address of BF1 was transmitted directly to BF2.<br />
<br />
Already from the combination of the transmitted information (see point II.1.3.1) - online identifiers, IP address, browser information, operating system, screen resolution, language selection, etc. - a "digital footprint" can be generated that allows the end device, and subsequently the specific user, to be clearly individualized. Irrespective of this, in the present case traceability to the BF1 is possible for BF2 as the processor:<br />
<br />
The BF1 was logged in to his XXXX account at the time he visited the website XXXX. The BF2 explained that, because the tool XXXX-Analytics is implemented on a website, it receives information. This includes the information that a specific XXXX account user visited a specific website (VWA ./31, Question 9). In this context, BF2 explained that this is only possible when specific settings in the XXXX account are activated (activation of "Personalized Advertising" and "Web and App Activity" by the XXXX account user, and activation of XXXX signals on the target website). On this point, the BB comprehensibly stated that the identifiability of a website visitor cannot depend on whether certain declarations of intent are made in the XXXX account, since from a technical point of view all possibilities for identification would still be available. Otherwise, the BF2 could not comply with a user's wish for personalization of the advertising information received. In this regard, it must be taken into account that Art. 4 Z 1 GDPR is linked to "can" ("can be identified") and not to whether an identification is ultimately also made.<br />
<br />
Regardless of this, it should be noted that certain settings in a XXXX account, or the activation of XXXX signals on a website, merely serve to adapt XXXX applications to the personal needs of their users. The adjustments made by the users do not allow any conclusions about the processing by the BF2 of the meta information that is transmitted to BF2 in the course of calling up an application (XXXX-Analytics, XXXX account, XXXX, etc). In the proceedings, a connection of meta information and IP address between XXXX account and XXXX-Analytics emerged, which enabled an undisputed personal reference.<br />
<br />
Regardless of the BF2, there is a real risk that US authorities are reasonably likely to use means to identify the BF1. In this context, the BF1 comprehensibly explained that US intelligence services use online identifiers (IP address or unique identifiers) as a starting point for the surveillance of individuals. In particular, it cannot be ruled out that these intelligence services have already collected information with the help of which the data transmitted here can be traced back to the person of BF1. Thus, the BF2 discloses metadata and content data in response to data requests. The fact that this is not just a "theoretical danger" can be seen from the judgment of the European Court of Justice of July 16th, 2020, C-311/18 (Schrems II), in which, due to the incompatibility of such methods and access possibilities of the US authorities with the fundamental right to data protection according to Art. 8 EU-GRC, the EU-US adequacy decision ("Privacy Shield") was ultimately also declared invalid. In this context, neither the BF1 nor the MB has the opportunity to verify whether US authorities have already received personal data, or whether US authorities already have personal data of BF1. This circumstance cannot be held against data subjects such as the BF1. Ultimately, it was the MB and also the BF2 that continued to use the XXXX-Analytics tool despite the publication of the above-mentioned judgment of the European Court of Justice of July 16, 2020. Finally, the reasoning of the bB is also to be followed that the MB is subject to accountability (Art. 5 para. 2 in conjunction with Article 24 (1) in conjunction with Article 28 (1) GDPR) for the processing having been carried out in accordance with the regulation. In this context, the MB or its processor (BF2) did not identify in the proceedings any organizational or technical measures that are suitable for preventing the methods and access possibilities of the US authorities, so that there is no violation of the fundamental right to data protection according to Art. 8 EU-GRC.<br />
<br />
As a result, the transmitted information (see point II.1.3 or II.1.3.1), at least in combination, constitutes personal data in accordance with Art. 4 Z 1 DSGVO.<br />
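<br />
The singling-out reasoning of this section, as an added example that is not part of the decision or of any party's code: it counts, over constructed hit records, how many visitors are unique for each attribute alone, for the combined browser attributes, and once a full IP address or a client ID cookie is included. The field names, the sample values and the reading of "anonymization" as truncation to a /24 (IPv4) or /48 (IPv6) prefix are assumptions.<br />

```python
"""Singling-out check over web-analytics hit records (added illustration)."""
import ipaddress
from collections import Counter

# Constructed sample hits. Field names and values are hypothetical and do not
# reproduce the schema of the analytics service discussed in the decision.
HITS = [
    {"client_id": "c-1001", "ip": "198.51.100.23", "browser": "Firefox",
     "os": "Windows", "screen": "1920x1080", "lang": "de-AT"},
    {"client_id": "c-1002", "ip": "198.51.100.87", "browser": "Firefox",
     "os": "Windows", "screen": "1920x1080", "lang": "de-AT"},
    {"client_id": "c-1003", "ip": "198.51.100.140", "browser": "Chrome",
     "os": "Windows", "screen": "1920x1080", "lang": "de-AT"},
    {"client_id": "c-1004", "ip": "203.0.113.5", "browser": "Chrome",
     "os": "macOS", "screen": "1366x768", "lang": "en-GB"},
    {"client_id": "c-1005", "ip": "203.0.113.77", "browser": "Chrome",
     "os": "macOS", "screen": "1920x1080", "lang": "de-AT"},
    {"client_id": "c-1006", "ip": "203.0.113.200", "browser": "Firefox",
     "os": "macOS", "screen": "1920x1080", "lang": "en-GB"},
    {"client_id": "c-1007", "ip": "198.51.100.201", "browser": "Chrome",
     "os": "Windows", "screen": "1366x768", "lang": "de-AT"},
    {"client_id": "c-1008", "ip": "203.0.113.9", "browser": "Firefox",
     "os": "Windows", "screen": "1920x1080", "lang": "en-GB"},
]

# Attributes that do not name anyone on their own.
QUASI_IDENTIFIERS = ["browser", "os", "screen", "lang"]


def mask_ip(ip, v4_prefix=24, v6_prefix=48):
    """Truncate an address to its network prefix (assumed form of IP anonymization)."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def with_masked_ip(records):
    """Return copies of the records with an extra 'ip_masked' field."""
    return [dict(r, ip_masked=mask_ip(r["ip"])) for r in records]


def anonymity_sets(records, fields):
    """Count how many records share each combination of values for `fields`."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def singled_out(records, fields):
    """Records whose value combination is unique (anonymity set of size 1)."""
    sets = anonymity_sets(records, fields)
    return [r for r in records if sets[tuple(r[f] for f in fields)] == 1]


def report(records):
    """Return (field set, smallest anonymity set, records singled out) rows."""
    records = with_masked_ip(records)
    field_sets = [[f] for f in QUASI_IDENTIFIERS] + [
        ["ip_masked"],                       # truncated address alone
        QUASI_IDENTIFIERS,                   # browser attributes combined
        QUASI_IDENTIFIERS + ["ip_masked"],   # combined, anonymization working
        QUASI_IDENTIFIERS + ["ip"],          # combined, full address stored
        ["client_id"],                       # persistent cookie identifier
    ]
    rows = []
    for fields in field_sets:
        sets = anonymity_sets(records, fields)
        rows.append(("+".join(fields), min(sets.values()),
                     len(singled_out(records, fields))))
    return rows


if __name__ == "__main__":
    for label, smallest, unique in report(HITS):
        print(f"{label:36} smallest set={smallest}  "
              f"singled out={unique}/{len(HITS)}")
```

In this sample no single browser attribute isolates a visitor, the four attributes together isolate six of eight, and a stored full IP address or a client ID isolates all eight.<br />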
<br />
II.3.6.2.2. On the lack of an appropriate level of protection in accordance with Art. 44 GDPR:<br />
<br />
As the basic provision for international data transfers, Art. 44 GDPR provides for a two-stage admissibility check. The first requirement for data to be transmitted to a third country at all is that the other provisions of the GDPR (such as Art. 5 f, Art. 13 f GDPR) are complied with. As part of the second stage, it must be checked whether one of the requirements of Art. 45 - 49 GDPR is met. The ground of admissibility to be considered first, under Art. 45 GDPR, applies if the Commission has determined in an adequacy decision for the third country concerned that it offers an adequate level of protection. If there is such an adequacy decision, no approval is required for data transfer to the respective third country. If there is no adequacy decision, it must be checked further whether the requirements according to Art. 46, 47 or 49 GDPR are met.<br />
<br />
After the European Court of Justice declared the "EU-US Privacy Shield" invalid with the decision of 16.07.2020, C-311/18 (Schrems II), the data transmission at issue on August 14, 2020 (see point II.1.3 or II.1.3.1) can no longer be justified on the basis of an adequacy decision. With this decision, the European Court of Justice clarified that the United States is to be regarded as a "third country" until further notice and that there is currently no privilege for the transmission of personal data according to Art. 45 GDPR.<br />
<br />
Since there is no adequacy decision according to Art. 45 Para. 3 GDPR, Art. 46 GDPR governs the further admissibility ("suitable guarantees"). If one of the guarantees listed in Art. 46 Para. 2 GDPR exists, international data traffic is allowed without approval. The guarantees of Art. 46 Para. 3 GDPR are subject to approval by the competent supervisory authority. If none of the provisions in Art. 46 Para. 2 and Para. 3 GDPR applies, it must be checked further whether one of the exceptions for a permissible third-country transfer according to Art. 49 GDPR is fulfilled.<br />
<br />
In the case at issue, the MB based the transfer on standard data protection clauses in accordance with Article 46 (2) (c) GDPR. The MB did not base the transfer of the data at issue in the proceedings on further "suitable guarantees" according to Art. 46 DSGVO. Therefore, the admissibility of the data transmission is examined according to Art. 46 Para. 2 lit. c GDPR.<br />
<br />
<br />
II.3.6.2.2.1. On data transfer based on standard data protection clauses in accordance with Article 46 (2) (c) GDPR:<br />
<br />
On August 12, 2020, the MB and the BF2 concluded standard data protection clauses in accordance with Article 46 (2) (c) GDPR for the transfer of personal data to the United States ("XXXX Ads Data Processing Terms: Model Contract Clauses, Standard Contractual Clauses for Processors"). Specifically, at the time relevant to the complaint, these were the clauses in the version of the Implementing Decision of the European Commission 2010/87/EU of February 5, 2010 on standard contractual clauses for the transfer of personal data to processors in third countries under Directive 95/46/EC of the European Parliament and of the Council, OJ L 2010/39, p.<br />
<br />
When personal data is transferred to a third country, the standard data protection clauses must ensure enforceable rights and effective remedies so that data subjects enjoy a level of protection essentially equivalent to that guaranteed in the Union by the GDPR in the light of the Charter. In this connection, account must be taken in particular of the contractual provisions agreed between the controller based in the Union and the recipient of the transfer established in the third country concerned and, as regards any access by the authorities of that third country to the transmitted personal data, of the relevant elements of the legal system of that country, in particular those set out in Article 45 (2) of the GDPR (ECJ July 16, 2020, C-311/18 (Schrems II), Rn 105). The competent supervisory authority is obliged to suspend or prohibit a transfer of personal data to a third country based on standard data protection clauses if that authority considers, in light of all the circumstances of this transfer, that the clauses are not or cannot be complied with in this third country and that the protection of the transmitted data required under Union law, in particular under Articles 45 and 46 of the GDPR and under the Charter, cannot be guaranteed by other means (ECJ July 16, 2020, C-311/18 (Schrems II), para 121).<br />
<br />
In the present case, it should first be noted that the European Court of Justice declared the "EU-US Privacy Shield" invalid because it was incompatible with Articles 7, 8 and 47 of the Charter (ECJ July 16, 2020, C-311/18 (Schrems II), para. 150 ff), since it offered US authorities (intelligence services) disproportionate access opportunities and no effective legal remedies were available for data subjects (non-US citizens). Thus, the European Court of Justice stated that, with regard to the fundamental rights guaranteed in Art. 7 and 8 of the Charter, neither Section 702 of FISA nor E.O. 12333 in conjunction with PPD-28 meets the minimum requirements existing in Union law on the basis of the principle of proportionality, so it cannot be assumed that the surveillance programs based on these provisions are limited to what is strictly necessary. Also, with regard to the surveillance programs based on Section 702 of FISA as well as those based on E.O. 12333, it should be noted that neither PPD-28 nor E.O. 12333 confers rights on data subjects that can be legally enforced against the American authorities, so that these persons do not have an effective remedy. In this connection, the ombudsman mechanism mentioned in the adequacy decision does not offer legal recourse to a body that would offer the persons whose data is transferred to the United States guarantees essentially equivalent to those required under Article 47 of the Charter.<br />
<br />
These circumstances, which led to the invalidation of the "EU-US Privacy Shield", must also be taken into account in the assessment of a data transfer in accordance with Article 46 (2) (c) GDPR. In this regard, it should be noted that standard data protection clauses, by their nature, cannot offer guarantees that go beyond the contractual obligation to ensure compliance with the level of protection required under Union law. In particular, due to their contractual nature, they cannot bind third-country authorities (such as US intelligence services) (ECJ July 16, 2020, C-311/18 (Schrems II), para. 132 f).<br />
<br />
These considerations can be applied to the present case. It is obvious that the BF2 qualifies as a provider of electronic communication services within the meaning of 50 U.S. Code § 1881(b)(4) and is thus subject to surveillance by U.S. intelligence agencies under 50 U.S. Code § 1881a ("FISA 702"). Accordingly, the BF2 has the obligation to provide personal data to U.S. authorities under 50 U.S. Code § 1881a. The standard data protection clauses agreed between the MB and the BF2 do not offer any possibility in this context of effectively countering or preventing such requests. As can be seen from the transparency report of BF2, such requests are also regularly made to it by US authorities.<br />
<br />
The data transmission in question can therefore not be based solely on the standard data protection clauses concluded between the MB and the BF2 in accordance with Article 46 (2) (c) GDPR. Because, by their very nature, these standard data protection clauses cannot provide any guarantees that go beyond the contractual obligation to comply with the level of protection required under Union law, it may be necessary, depending on the situation in a particular third country, for the controller to take additional measures (see point II.3.6.2.2.2) to ensure compliance with this level of protection.<br />
<br />
<br />
II.3.6.2.2.2. Regarding the additional measures:<br />
In its "Recommendations 01/2020 on measures to supplement transmission tools for ensuring the Union legal level of protection for personal data", version 2.0 ("EDPB Recommendations"), the European Data Protection Board (EDPB) stated that, in the event that the law of the third country affects the effectiveness of appropriate safeguards (such as standard data protection clauses), the data exporter must either suspend the data transfer or implement additional measures (EDPB Recommendations Rn 28 ff and Rn 52, or ECJ July 16, 2020, C-311/18 (Schrems II), para. 121).<br />
<br />
According to the recommendations of the EDPB, such "additional measures" can be of a contractual, technical or organizational nature (EDPB Recommendations, para. 52):<br />
<br />
With regard to contractual measures, it is stated that these "[...] can supplement and strengthen the guarantees that the transmission tool and the relevant legislation in the third country provide, insofar as the guarantees, taking into account all circumstances of the transmission, do not meet all the requirements necessary to ensure a level of protection essentially equivalent to that in the EU. Since contractual measures, by their very nature, generally cannot bind the authorities of the third country if they are not themselves a party to the contract, they must be combined with other technical and organizational measures to ensure the required level of data protection. Just because one or more of these measures have been selected and applied does not necessarily mean that it is systematically ensured that the intended transfer meets the requirements of Union law (ensuring an essentially equivalent level of protection)" (EDPB Recommendations 01/2020, para. 99).<br />
<br />
<br />
With regard to organizational measures, it is stated that they are "[...] internal strategies, organizational methods and standards that controllers and processors could apply to themselves and impose on data importers in third countries. These can contribute to uniform protection of personal data throughout the processing cycle. Organizational measures can also help ensure that data exporters are better aware of the risks related to data access in third countries and of related access attempts, and can react to them more alertly. Just because one or more of these measures have been selected and applied does not necessarily mean that it is systematically ensured that the intended transfer meets the requirements of Union law (ensuring an essentially equivalent level of protection). Depending on the special circumstances of the transmission and the assessment of the legal situation in the third country, organizational measures are required to supplement the contractual and/or technical measures in order to ensure that the protection of personal data is essentially equivalent to the level of protection guaranteed in the EEA" (EDPB Recommendations 01/2020, para. 128).<br />
<br />
Regarding the technical measures, it is stated that these "[...] can supplement the guarantees offered by the transmission instruments in Art. 46 GDPR in order to ensure that the protection required under Union law is also guaranteed when personal data is transmitted to a third country. These measures are particularly required if the law of the third country in question imposes obligations on the data importer that run counter to the guarantees of the transmission instruments mentioned in Art. 46 GDPR and are therefore capable of undermining the contractual guarantee of an essentially equivalent level of protection as far as access by authorities in the third country is concerned" (EDPB Recommendations 01/2020, para. 77).<br />
<br />
An additional measure is only considered effective within the meaning of the judgment of the European Court of Justice (ECJ 16.07.2020, C-311/18 (Schrems II)) if and to the extent that it - alone or in combination with others - closes precisely the gaps in legal protection that the data exporter identified in its review of the legislation and practice in the third country applicable to its transfer. Should it ultimately not be possible for the data exporter to achieve an equivalent level of protection, it may not transmit the personal data (EDPB Recommendations 01/2020, Rn 75).<br />
<br />
Applied to the present case, this means that it must be examined whether the<br />
"additional measures taken" by BF2 (see point II.1.10 or VWA ./31, page 23 ff)<br />
close the gaps in legal protection identified in the judgment of the European Court of<br />
Justice (ECJ July 16, 2020, C-311/18 (Schrems II)) - i.e. inappropriate access and<br />
surveillance capabilities of US intelligence services and insufficiently effective<br />
legal remedies for those affected.<br />
<br />
Against this background, it must therefore be checked whether the additional measures taken by BF2<br />
are suitable to eliminate the unlawful circumstances – disproportionate<br />
possibilities of access by US authorities or the lack of effective legal remedies for<br />
those affected – so that the fundamental rights guaranteed in Articles 7, 8 and 47 of the Charter<br />
are not violated.<br />
<br />
With regard to the contractual and organizational measures set out, it is not<br />
recognizable to what extent a review of a request from US authorities by XXXX<br />
attorneys or by specially trained personnel for compliance with applicable laws and<br />
XXXX guidelines ensures that the fundamental rights guaranteed in Articles 7, 8 and 47 of the<br />
Charter are not violated. Compliance with US laws – i.e. the obligation to release data<br />
– leads precisely to the violation of the fundamental rights of the Union citizens concerned.<br />
Likewise, there is no justifying value in notifying customers before any of their<br />
information is disclosed to US authorities. This is because a transfer of<br />
information is disproportionate under European law and the Union citizens<br />
concerned have no effective legal remedies against disclosure. A violation of the<br />
fundamental rights of the Union citizens concerned also occurs if a notification to<br />
customers is omitted for US legal reasons. Even if the request of a US<br />
authority is omitted due to an emergency, the disclosure is unlawful, since the<br />
Union citizens concerned do not have the opportunity to use an effective legal remedy<br />
to verify the emergency. Finally, the release of a<br />
transparency report and the publication of BF2's policy on dealing with<br />
government requests do not remove the unlawful circumstances in such a way that the<br />
fundamental rights set out in Art. 7, 8 and 47 of the Charter are not violated.<br />
<br />
The technical measures presented are also not suitable for eliminating the violation of<br />
fundamental rights. The technical measures listed neither prevent nor restrict the<br />
access options of US intelligence services based on US law in connection with the<br />
transmission or storage of the data. As the bB correctly stated, the technical measures<br />
cannot be considered effective if the BF2 itself still has the ability to access the<br />
data in plain text. As far as the BF2 refers to an encryption technology,<br />
it can be inferred from the EDSA Recommendations that a data importer (the BF2) that is<br />
subject to 50 U.S. Code Section 1881a (“FISA 702”) has a direct obligation, with respect to<br />
the imported data in its possession or custody or under its control, to<br />
grant access to or release them. This obligation can<br />
also expressly extend to the cryptographic keys without which the data are not<br />
legible (para. 81).<br />
<br />
<br />
Also, the explanations of the BF2 that, insofar as XXXX Analytics data for measurement by<br />
website owners are personal data, they should be considered pseudonymous, are<br />
not suitable as an "additional measure". In this context, the<br />
convincing view of the German Data Protection Conference is to be followed, according to which<br />
"[...] the fact that the users are made identifiable via IDs or identifiers does not constitute a<br />
pseudonymization measure within the meaning of the GDPR. In addition, these are not<br />
appropriate guarantees to comply with data protection principles or to safeguard the<br />
rights of data subjects if IP addresses, cookie<br />
IDs, advertising IDs, unique user IDs or other identifiers are used. This is because,<br />
unlike in cases where data is pseudonymized in order to obscure or delete the identifying<br />
data so that the persons concerned can no longer be addressed,<br />
IDs or identifiers are used to make the individual persons distinguishable<br />
and addressable. Consequently, there is no protective effect. These are<br />
therefore not pseudonymizations within the meaning of Recital 28, which reduce the risks for the<br />
persons concerned and support controllers and processors in complying<br />
with their data protection obligations" (cf. the guidance of the supervisory authorities<br />
for providers of telemedia from March 2019, p. 15).<br />
<br />
In addition, the arguments of BF2 cannot be followed because the XXXX<br />
Analytics ID can in any case be combined with other elements and can even be connected with an<br />
XXXX account indisputably attributable to the BF2.<br />
<br />
The "anonymization function of the IP address" mentioned is not relevant to the case<br />
because it was not implemented correctly (see point II.1.3.4).<br />
<br />
Overall, the additional measures identified by BF2 are not suitable to close the<br />
gaps in legal protection identified in the judgment – inappropriate access and<br />
surveillance capabilities of US intelligence services and insufficiently effective<br />
legal remedies for those affected.<br />
<br />
<br />
II.3.6.2.2.3. Summary:<br />
Based on the decision of the European Court of Justice of July 16, 2020, C-311/18<br />
(Schrems II), the data transfer at issue was not covered by the "EU-US<br />
Privacy Shield". Also, the data transfer that is the subject of the proceedings cannot be<br />
based solely on the standard data protection clauses concluded between MB and BF2<br />
in accordance with Article 46 (2) (c) GDPR. In addition, the additional measures<br />
identified by the BF2 are not suitable to close the legal protection loopholes identified<br />
in the judgment – inadequate access and monitoring options by US<br />
intelligence services and insufficiently effective legal remedies for those affected.<br />
Overall, the data transmission that is the subject of the proceedings is not covered<br />
in Art. 46 GDPR.<br />
<br />
<br />
Insofar as the BF2 assumed a risk-based approach in the administrative proceedings,<br />
it should be noted that this approach already differs from the wording of Art. 44 GDPR.<br />
Article 44 GDPR covers any transmission of personal<br />
data. The provision therefore does not differentiate according to whether extremely<br />
low-threshold data are transferred for which there is only a very low basic risk. Although the<br />
GDPR stipulates a risk-based approach in individual provisions (e.g. Art. 24 Para. 1 and Para. 2,<br />
Article 25(1), Article 30(5), Article 32(1) and (2), Article 34(1), Article 35(1) and Article 35(3)<br />
or Art. 37 Para. 1 lit. b and lit. c GDPR), this circumstance does not mean that the<br />
risk-based approach is to be applied analogously to Art. 44 GDPR.<br />
<br />
In relation to the legal situation in the US, the European Court of Justice (ECJ July 16, 2020,<br />
C-311/18 (Schrems II)) assumed precisely that, due to the disproportionate<br />
access possibilities of US authorities as well as insufficiently effective legal remedies for<br />
those affected, an “appropriate level of data protection” cannot be assumed, which is why<br />
it ultimately also declared the EU-US adequacy decision to be invalid. The<br />
European Court of Justice expressly did not rely on the possibility that the obligations<br />
to which a Privacy Shield certified company from the United States is<br />
subject may be appropriate in individual cases (e.g. because the certified<br />
company only receives personal data that is non-sensitive or not relevant under<br />
criminal law).<br />
<br />
The GDPR is also intended to guarantee the free movement of data. However,<br />
free movement in this context rests on the premise that the requirements of the<br />
GDPR - and this also includes Chapter V - are fully complied with. A softening of the<br />
requirements of Chapter V, in the sense of a "business-friendly interpretation", in favor<br />
of free data traffic is not provided for. Economic interests also played<br />
no role in the judgment of the ECJ of July 16, 2020, C-311/18 (Schrems II).<br />
<br />
II.3.6.3. Regarding the exceptions for certain cases according to Art. 49 GDPR:<br />
<br />
According to the MB's own information, the exception under Art. 49 GDPR was<br />
not relevant for the data transfer in question (VWA ./11, page 13). Nor did it<br />
emerge in the proceedings that his consent according to Art. 49 Para. 1 lit. a GDPR<br />
was obtained. Since, overall, no circumstances arose indicating that a case<br />
under Art. 49 GDPR would be fulfilled, the data transfer that is the subject of the proceedings<br />
cannot be based on Art. 49 GDPR.<br />
<br />
<br />
II.3.6.4. Result:<br />
Since no adequate level of protection was guaranteed by an instrument of Chapter V of the GDPR<br />
for the data transmission in question from the MB to the BF2 (in the United States),<br />
there is a violation of Art. 44. The MB was responsible for the operation of the XXXX website<br />
(at least) at the time relevant to the complaint - i.e. August 14th, 2020.<br />
The data protection violation of Art. 44 GDPR relevant here is<br />
therefore attributable to the MB.<br />
<br />
Overall, the BF2 was not able to substantiate that point 2. of the<br />
CB's decision would have violated its legal interests. Also<br />
for this reason, the complaint by the BF2 was to be rejected.<br />
<br />
II.3.7. Regarding point A.II) – inadmissibility of the revision:<br />
<br />
According to § 25a Abs. 1 VwGG, the administrative court must state in the ruling of its<br />
judgment or decision whether the revision is permissible in accordance with Art. 133 Para. 4 B-VG.<br />
The statement must be briefly justified.<br />
<br />
The revision is allowed because, on the question of a data recipient (data importer in<br />
a third country) in the procedure for establishing a violation of the general<br />
principles of data transmission according to Art. 44 GDPR, sufficient<br />
case law of the Administrative Court does not yet exist.<br />
<br />
It was therefore to be decided accordingly.<br />
<br />
<br />
II.3.8. Regarding point B.I) - rejection of the complaint by the BF1:<br />
As explained under point II.3.3, no subjective public rights/obligations relating to BF2<br />
as data importer can be derived from Chapter V GDPR. Against this background, the<br />
BF1's complaint was to be dismissed by decision.<br />
<br />
II.3.9. Re point B.II) - admissibility of the revision:<br />
According to § 25a Abs. 1 VwGG, the administrative court must state in the ruling of its<br />
judgment or decision whether the revision is permissible in accordance with Art. 133 Para. 4 B-VG.<br />
The statement must be briefly justified.<br />
<br />
The revision is allowed because sufficient case law of the Administrative Court<br />
does not yet exist on the legal questions shown here.<br />
<br />
<br />
It was therefore to be decided accordingly.<br />
</pre></div>Norman.aasmahttps://gdprhub.eu/index.php?title=BVwG_-_W245_2252208-1/36E_and_W245_2252221-1/30E&diff=33204BVwG - W245 2252208-1/36E and W245 2252221-1/30E2023-06-06T08:36:41Z<p>Norman.aasma: Created page with "{{DPAdecisionBOX |Jurisdiction=Austria |DPA-BG-Color= |DPAlogo=LogoAT.png |DPA_Abbrevation=DSB |DPA_With_Country=DSB (Austria) |Case_Number_Name=W245 2252208-1/36E & W245 2252221-1/30E |ECLI= |Original_Source_Name_1=Bundesverwaltungsgericht Republik Österreich |Original_Source_Link_1=https://www.ris.bka.gv.at/Dokumente/Bvwg/BVWGT_20230512_W245_2252208_1_00/BVWGT_20230512_W245_2252208_1_00.pdf |Original_Source_Language_1=German |Original_Source_Language__Code_1=DE |Or..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Austria<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoAT.png<br />
|DPA_Abbrevation=DSB<br />
|DPA_With_Country=DSB (Austria)<br />
<br />
|Case_Number_Name=W245 2252208-1/36E & W245 2252221-1/30E<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Bundesverwaltungsgericht Republik Österreich<br />
|Original_Source_Link_1=https://www.ris.bka.gv.at/Dokumente/Bvwg/BVWGT_20230512_W245_2252208_1_00/BVWGT_20230512_W245_2252208_1_00.pdf<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Other<br />
|Outcome=<br />
|Date_Started=18.08.2020<br />
|Date_Decided=12.05.2023<br />
|Date_Published=12.05.2023<br />
|Year=2023<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 44 GDPR<br />
|GDPR_Article_Link_1=Article 44 GDPR<br />
|GDPR_Article_2=Article 46(2)(c) GDPR<br />
|GDPR_Article_Link_2=Article 46 GDPR#2c<br />
|GDPR_Article_3=Article 46(2)(d) GDPR<br />
|GDPR_Article_Link_3=Article 46 GDPR#2d<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=Österreichischen Datenschutzbehörde (Austrian data protection authority)<br />
|Party_Link_1=https://www.dsb.gv.at/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Norman Aasma<br />
|<br />
}}<br />
<br />
The Federal Administrative Court of Austria held that data transfer by a website provider to Google Analytics was unlawful.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Natural persons brought an action against a partial decision of the Austrian data protection authority from December 2021.<br />
In its 2021 decision, the Austrian DPA found that the use of Google Analytics by an Austrian website led to a transfer of personal data to Google LLC, which is in violation of Chapter V of the GDPR. <br />
<br />
The legal dispute before the Federal Administrative Court of Austria concerned the violation of the core principles of GDPR with regard to data transmission. <br />
<br />
The complainant questioned the lawfulness of the data processing with regard to data transmission principles. <br />
<br />
Firstly, the complainant website provider questioned the DPA's decision with regard to the transfer of personal data to Google LLC and with regard to the adequate protection provided by the SCCs, which were concluded between the respondents. <br />
<br />
Secondly, in its action brought before the court, the complainant website provider questioned the level of protection provided by the SCCs. <br />
<br />
Therefore, the website provider asked the court to consider whether there was a violation of the core data protection principles of the GDPR.<br />
<br />
=== Holding ===<br />
The court held that the data transmission from a website to Google on August 14, 2020, which was not based on consent, was unlawful.<br />
Within the decision, the court analysed the organisational and technical measures taken by Google LLC. <br />
First of all, the court noted that even after the Schrems II ruling by the Court of Justice of the European Union, Google LLC and the website operator in this case based their actions on the standard contractual clauses, which were questioned by that very ruling. The court highlighted that even though Google LLC had implemented certain organisational and technical measures, they were not good enough to comply with or prevent the requirements set forth by the US security authorities. Furthermore, Google LLC's own report indicates that the security authorities make a lot of requests. <br />
The court held that standard contractual clauses can be considered effective only as long as they, on their own or in combination with other technical and organisational measures, are able to close the loopholes in data protection requirements with regard to data transfers to third countries. If the data exporter is not able to meet these requirements, then these kinds of data transmissions are unlawful and cannot take place. <br />
Moreover, the court found that compliance with the requirements of the US security authorities will lead to a violation of the fundamental rights enjoyed by EU citizens. The court held that EU law does not provide any effective remedy against the disclosure of personal data of EU citizens to the US intelligence authorities. <br />
As part of the decision, the court referenced the DPO, who also stated that the technical measures taken by Google LLC are not functional anyway, as Google LLC is still able to access the personal data of EU citizens. The encryption used during the data transmission does not work, because this kind of data transmission includes an obligation to provide compulsory backdoor access to the personal data for the US security authorities. The court also mentioned that Article 44 GDPR, which was part of the decision, is not based on a risk-based approach, which is absolutely crucial for the aforementioned data transmission to third countries. <br />
<br />
Consequently, the court rejected all complaints lodged by the website provider and held that the data transfer to Google LLC is unlawful and violates Article 44 GDPR.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
Postal address:<br />
Erdbergstrasse 192 – 196<br />
1030 Vienna<br />
Phone: +43 1 601 49-0<br />
<br />
Fax: + 43 1 711 23-889 15 41<br />
Email: einlaufstelle@bvwg.gv.at<br />
www.bvwg.gv.at<br />
<br />
decision date<br />
<br />
05/12/2023<br />
business number<br />
<br />
<br />
<br />
<br />
W245 2252208-1/36E<br />
<br />
W245 2252221-1/30E<br />
<br />
<br />
Written copy of the verbal decision announced on March 31, 2023<br />
<br />
<br />
IN THE NAME OF THE REPUBLIC!<br />
<br />
<br />
<br />
The Federal Administrative Court, with Judge Mag. Bernhard SCHILDBERGER, LL.M.<br />
as chairperson and Mag. Viktoria HAIDINGER and Mag. Thomas GSCHAAR as competent<br />
lay judges, has ruled as follows on the complaints of XXXX, represented<br />
by XXXX, and XXXX, represented by Baker & McKenzie Rechtsanwälte LLP & Co KG,<br />
Schottenring 25, 1010 Vienna, against the partial decision of the Austrian<br />
data protection authority from December 22nd, 2021, GZ 2021-0.586.257 (DSB-D155.027), concerning the<br />
violation of the general principles of data transmission in accordance with Art. 44 GDPR, after<br />
carrying out an oral hearing:<br />
<br />
<br />
a)<br />
<br />
I. XXXX's complaint against point 2 of the disputed partial decision is<br />
<br />
rejected.<br />
<br />
II. The revision is permissible according to Art. 133 Para. 4 B-VG.<br />
<br />
<br />
<br />
b)<br />
<br />
I. XXXX's complaint against point 3 of the disputed partial decision is<br />
rejected.<br />
<br />
<br />
II. The revision is permissible according to Art. 133 Para. 4 B-VG.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Reasons for decision:<br />
<br />
<br />
Subject of the proceedings:<br />
<br />
Complainant XXXX (hereinafter also “BF1”) visited a website<br />
XXXX of the involved party XXXX (hereinafter also "MB") on August 14, 2020. The<br />
web analysis service XXXX Analytics of complainant XXXX (hereinafter also "BF2")<br />
was embedded on the MB website. With the embedded web analysis service, personal data of the<br />
BF1 were transferred to a third country. The present decision addresses the question of whether<br />
the processing at issue led to a violation of the general<br />
principles of data transmission in accordance with Art. 44 GDPR.<br />
<br />
<br />
I. Procedure:<br />
<br />
I.1. With a submission dated August 18, 2020, the BF1 lodged a complaint against the BF2 and the MB<br />
(VWA ./01, see point II.2).<br />
<br />
The reason given by the BF1 was that on August 14, 2020, at 10:45 a.m., the BF1 visited the<br />
website of the MB XXXX. While visiting the MB website, the BF1 was logged in to a XXXX<br />
account. This account was linked to the email address of BF1 (XXXX).<br />
The MB has embedded the HTML code for XXXX services (including<br />
XXXX Analytics) on its website.<br />
<br />
During the visit to the MB website, personal data of the<br />
BF1 (at least the IP address of the BF1 and cookie data) were processed. Apparently these were<br />
transmitted to the BF2 (VWA ./04).<br />
<br />
According to point 10 of the order data processing conditions, the MB agreed that<br />
the BF2 may store and process personal data of the BF1 in the United States of America or in<br />
another country where XXXX or XXXX sub-processors maintain<br />
facilities. Such a transfer of<br />
personal data of the BF1 from the MB to the BF2 requires a legal basis<br />
according to Art. 44 ff GDPR.<br />
<br />
After the European Court of Justice declared the "EU-US Privacy Shield" invalid with the decision of<br />
16.07.2020, C-311/18 (Schrems II), the MB could no longer base the<br />
data transmission to the BF2 in the United States on an<br />
adequacy decision according to Art. 45 GDPR. Nevertheless, the MB and<br />
the BF2 still relied on the “EU-US Privacy Shield” almost four weeks after the judgment.<br />
This can be seen from point 10.2 of the order data processing conditions<br />
for XXXX advertising products, version 01.01.2020 (VWA ./03).<br />
<br />
In addition, the MB cannot base the data transmission on standard data protection clauses<br />
in accordance with Article 46 (2) (c) and (d) GDPR if the third country of destination<br />
does not guarantee adequate protection, under Union law, of the personal data transmitted<br />
on the basis of standard data protection clauses (ECJ<br />
July 16, 2020, C-311/18 (Schrems II), para. 134 f). The ECJ expressly stated that<br />
further transfers to entities falling under 50 U.S. Code § 1881a would violate not just<br />
the relevant articles in Chapter V GDPR, but also Art. 7 and 8 GRC<br />
and the essence of Art. 47 GRC (ECJ 06.10.2015, C-362/14<br />
(Schrems), para. 95). Any further transmission therefore violates the fundamental right<br />
to privacy and data protection and the right to an effective remedy and<br />
a fair trial.<br />
<br />
BF2 is a provider of electronic communications services within the meaning of 50 U.S. Code §<br />
1881a (b) (49) and as such is subject to supervision by U.S.<br />
intelligence agencies under 50 U.S. Code § 1881a ("FISA 702"). As can be seen from the " XXXX " (VWA ./06)<br />
and from the transparency report of the BF2 (see XXXX), the BF2 actively provides personal<br />
information to the US Government pursuant to 50 U.S. Code Section 1881a.<br />
Against this background, the MB was unable to adequately protect the<br />
personal data of BF1 that are transmitted to BF2.<br />
<br />
From August 12th, 2020, the MB and the BF2 have relied on standard data protection clauses<br />
for data transmissions to the United States. This can be seen from point 10.2 of the<br />
order data processing conditions for XXXX advertising products, version 08/12/2020<br />
(VWA ./04). However, this procedure ignores the judgment of the European<br />
Court of Justice (ECJ July 16, 2020, C-311/18 (Schrems II), para. 134 f). Accordingly, the MB<br />
is obliged to refrain from transferring personal data to the BF2 in the United<br />
States.<br />
<br />
Finally, despite the clear judgment of the European Court of Justice<br />
and in violation of Articles 44 to 49 GDPR, the BF2 accepts data transfers from the<br />
EU/EEA under the data protection clauses. In addition, the BF2 discloses<br />
personal data from the EU/EEA to the US government in violation<br />
of Art. 48 GDPR.<br />
<br />
<br />
Pursuant to Art. 58 Para. 1 GDPR, the BF1 requested that it be determined which<br />
personal data were transmitted from the MB to the BF2 in the United States or to<br />
another third country or an international organization, on which<br />
transmission mechanism according to Art. 44 ff GDPR the MB bases the data transmission,<br />
and whether or not the provisions of the applicable XXXX Analytics Terms of Use<br />
and the (new) order data processing conditions for XXXX advertising products<br />
fulfill the requirements of Art. 28 GDPR in relation to the transfer of personal data.<br />
<br />
Furthermore, the BF1 requested that, in accordance with Art. 58 (2) lit. d, f and j GDPR,<br />
a ban or suspension of any data transfer from the MB to the BF2 in the<br />
United States and the return of this data to the EU/EEA or to<br />
another country that guarantees adequate protection be imposed immediately.<br />
<br />
<br />
Finally, the BF1 requested the imposition of an effective, proportionate and<br />
deterrent fine against the MB and the BF2.<br />
<br />
In his complaint to the BA, the BF1 submitted the Terms of Use for XXXX Analytics (VWA<br />
<br />
./02, see point II.2), the order data processing conditions for XXXX advertising products,<br />
<br />
Version 01.01.2020 (VWA ./03, see point II.2), the order data processing conditions<br />
for XXXX advertising products, version 08/12/2020 (VWA./04, see point II.2), the HAR data of the<br />
<br />
Website visit (VWA ./05, see point II.2), the XXXX (VWA ./06, see point II.2) and<br />
<br />
a certificate of representation (VWA ./07, see point II.2).<br />
<br />
I.2. As a result, the BA suspended the procedure until the competent<br />
supervisory authority was determined and until the decision of the lead supervisory authority or the<br />
European Data Protection Board, by decision of 02.10.2020, Zl 2020-0.527.385<br />
(DSB-D155.027) (VWA ./08 and ./09, see point II.2). Furthermore, the bB called on the MB<br />
to submit a statement (VWA ./10, see point II.2).<br />
<br />
I.3. In the statement of December 16, 2020, the MB stated (VWA ./11, see point II.2) that<br />
it had itself decided to embed the program code for XXXX Analytics (hereinafter<br />
also called "tool") on its XXXX. The tool is used<br />
to enable statistical evaluations of the behavior of website visitors (see<br />
point II.1.8) in order to adjust the content of the website according to general topic<br />
interests. Since the evaluation is carried out anonymously, the content cannot be<br />
adapted to the specific website user by means of the tool. Based on the<br />
website usage and article views of anonymous users, the MB receives an aggregated<br />
statistical evaluation.<br />
<br />
<br />
Since no personal reference is necessary for the general user statistics and the purpose<br />
already mentioned, the MB deliberately decided to embed the anonymous version.<br />
From the still embedded code it can be seen that the function<br />
"anonymizeIp" was set to "true". Therefore, the tool only processes anonymous<br />
data. In the case of user IP addresses of the IPv4 type, the last octet, and in the case of IPv6<br />
addresses the last 80 of the 128 bits, are set to zero in memory. This takes place<br />
before the data is saved or transmitted. Access<br />
to personal data by BF2 in the United States is therefore not<br />
possible.<br />
<br />
In addition to anonymized IP addresses, the tool processes the user agent string. The user agent<br />
string is used to tell the server which system specification the user is using to access the<br />
server. Without personal reference, only the device, the operating system, the<br />
operating system version, the browser, the browser version and the device type are<br />
displayed. Since this information, lacking a personal IP address or other<br />
identifiers, cannot be assigned to an identifiable user, no personal<br />
data is available. Since the anonymization already takes place in the working memory of the respective<br />
website user, no processing takes place on servers of BF2 and thus<br />
not in a third country outside the EU.<br />
<br />
Even before the cookie is finally set, the anonymization process for the IP address<br />
takes place. Only from this point in time would the statistical information about the<br />
website usage be collected via the respective - now anonymous - cookie. The<br />
evaluations collected would accordingly only be carried out with the anonymous data<br />
and could therefore not be assigned to any person. Due to the lack of personal<br />
reference, neither the GDPR nor the DSG would apply to<br />
the process presented – namely the collection and evaluation of merely anonymous data<br />
and information. Accordingly, the consent of a website user is not required.<br />
<br />
The concrete anonymization process initially accesses the IP address in order to<br />
anonymize it immediately. However, this required initial recording of the IP address takes place<br />
regardless of the use of XXXX Analytics and is always mandatory for the<br />
functionality. This collection does not take place for the purpose of the MB<br />
(see point II.1.8), but inevitably with every website that can be called up on the Internet. It<br />
takes place, as with any other website, on the basis of the legitimate interest in the<br />
operation of a functioning, user-friendly and secure website in accordance with Art. 6 para.<br />
1 lit. f GDPR.<br />
<br />
<br />
The BF2 processes the data on behalf of and on the instructions of the MB. The MB takes the role<br />
of the controller, BF2 assumes the role of processor. The MB has<br />
extensive decision-making power over the means of processing. It decides initially<br />
whether it wants to embed the tool at all, and it also has the option, by<br />
adjusting the tool, to determine the needs and purposes of processing<br />
or change them as needed. Furthermore, the MB determines the storage period (26 months) as well as<br />
<br />
the fate of the data after the termination of the contract. To secure any future<br />
The MB<br />
<br />
therefore concluded an order data processing agreement with BF2 (see VWA<br />
<br />
./16).<br />
<br />
Following the judgment of the European Court of Justice of July 16, 2020, C-311/18 (Schrems II), the MB checked the settings of the tool and made sure that the existing data protection-friendly implementation by anonymizing the IP addresses is active. Therefore, the judgment of the ECJ is not applicable to the contractual relationship between the MB and the BF2. However, in order to take precautions for any provision of personal data to the BF2 as well, the MB concluded, as a precaution, a processor agreement with the BF2 on August 12th, 2020 (see VWA ./16) and included standard safeguard clauses (see VWA ./22). The MB did not carry out a proactive review with regard to the standard safeguard clauses. This is because, owing to the transmission of anonymized IP addresses, no transmission of personal data takes place. Finally, no risks arise from the processing of anonymous data, which are subsequently evaluated only for general statistics.<br />
<br />
BF2 also took further technical and organizational measures (no backdoor access for authorities, information obligations of BF2 towards controllers when a request from a competent authority arrives, publication of transparency reports, examination of requests for information and appeals) in order to provide a high level of data protection for the data processed via the tool.<br />
<br />
With its statement (VWA ./11) to the BA, the MB enclosed reports from the tool (VWA ./12, see point II.2), information on IP anonymization (VWA ./13, see point II.2), a screenshot of the set storage period (VWA ./14, see point II.2), a list of server locations (VWA ./15, see point II.2), order data processing conditions for XXXX advertising products, version 08/16/2020 (VWA ./16, see point II.2), order data processing conditions for XXXX advertising products, version 08/12/2020 (VWA ./17, see point II.2), order data processing conditions for XXXX advertising products, version 01.01.2020 (VWA ./18, see point II.2), a comparison version AVV dated 01/01/2020 vs 08/12/2020 (VWA ./19, see point II.2), a comparison version AVV from 08/12/2020 vs 08/16/2020 (VWA ./20, see point II.2), a screenshot for settings (VWA ./21, see point II.2), standard data protection clauses (VWA ./22, see point II.2), information on safety measures (VWA ./23, see point II.2) and a processing sheet for XXXX Analytics (VWA ./24, see point II.2).<br />
<br />
I.4. At the request of the bB of January 22, 2021 (VWA ./25, see point II.2), the BF1 subsequently submitted a statement (VWA ./26, see point II.2). In it he explained that, although the function "anonymizeIP" was set to "true" in the code, this did not result in his IP address being transmitted in anonymized form. This is technically impossible for data transfers on the World Wide Web. Referring to statements by BF2, BF1 stated that the IP address is anonymized or masked only after it enters the Analytics data collection network, before being stored or processed.<br />
<br />
In addition, the BF1 pointed out that at the time of the website visit he was logged in to his private XXXX account and that cookie data (_ga, __gads, _gid, _gat, _gat_UA-259349-11, _gat_UA-259349-1) were also transferred. As a result, contrary to the statements of the MB, it is clear that personal data (such as cookies and IP addresses) were processed and transmitted to BF2 in the United States.<br />
<br />
In addition, with a processor in a third country, there is a breach of anonymization<br />
<br />
not enforceable or ascertainable<br />
of the European Court of Justice (ECJ 19.10.2016, C-582/14 (Breyer)) at least by one<br />
<br />
assignability to a specific natural person.<br />
<br />
In order to prevent a violation of Art. 44 ff GDPR, a complete removal of the tool is necessary, and a change to another tool that does not transfer data to the USA is to be recommended. Insofar as the MB is convinced that no personal data would be processed, concluding order processing conditions is contradictory. The fact that the MB concluded standard data protection clauses with the BF2 to be on the safe side also indicates that it itself assumes that data will be transferred to the USA. The processing directory (VWA ./24) submitted by the MB also indicates that personal data would be transmitted to BF2.<br />
<br />
Contrary to statements by the MB, the sole purpose of collecting the IP address is not carrying out the transmission of a message over a communications network; rather, it is also collected for the use of XXXX analytics. Owing to possible data tapping by US secret services, it can furthermore be assumed that the interests or fundamental rights and freedoms of data subjects which require the protection of personal data prevail. As the European Court of Justice stated, the existing system of access options of US secret services to personal data of EU citizens is incompatible with Art. 7, 8 and 47 GRC (ECJ July 16, 2020, C-311/18 (Schrems II)).<br />
<br />
<br />
With its statement (VWA ./26), the BF1 enclosed the attachments third-party partners in the cookie banner of the MB (VWA ./27, see point II.2), contacts of XXXX with US server (VWA ./28, see point II.2), and contacts of XXXX with US server, reference to fingerprint technology (VWA ./29, see point II.2).<br />
<br />
<br />
I.5. In a letter dated February 26, 2021, the BA asked the BF2 to comment (VWA ./30, see point II.2). With the submission of April 9th, 2021, the BF2 complied with this request (VWA ./31, see point II.2). In its statement, the BF2 describes, among other things, the web analysis service XXXX -Analytics (see point II.1.3.3), the implementation and the functionality of XXXX -Analytics (see point II.1.5), the embedding of the program code for XXXX analytics on a website (see point II.1.6), the legal basis for use of XXXX -Analytics (see point II.1.7), the measures which, according to the judgment of the European Court of Justice of July 16, 2020 in case C-311/18 (see point II.1.9), the additional measures that were put in place with the introduction of the standard contractual clauses (see point II.1.10) and the effects if a user of a XXXX account visits a website that uses XXXX analytics.<br />
<br />
I.6. Within the scope of the hearing of the parties, the bB transmitted the submission of the BF2 (VWA ./32) to the MB and the BF1 for comments.<br />
<br />
I.7. With a statement of May 4th, 2021 (VWA ./33, see point II.2), the MB stated that it only uses the free version of XXXX Analytics. Both the order data processing conditions (terms of use) and the Standard Contractual Clauses (SDK) have been agreed. The BF2 is used only as a processor. The instructions are given by the MB via the settings of the XXXX -Analytics user interface and via the global website tag. The data release setting has not been activated. The code has been embedded with the anonymization function. XXXX signals are also not used. The MB does not have its own authentication system and also does not use the user ID function. Currently, it does not rely on the exception rule of Art. 49 Para. 1 GDPR.<br />
<br />
I.8. With a statement dated May 5th, 2021 (VWA ./34, see point II.2), the BF1 stated that XXXX is not a party to the proceedings and that the sole subject of the complaint with regard to BF2 is the transmission and receipt of the data with regard to Art. 44 ff DSGVO, or the subsequent unlawful processing in the United States. According to Art. 44 GDPR, "controllers and processors" would have to comply with Chapter V GDPR. As a processor, BF2 is an addressee of the provisions of Chapter V GDPR. The bB is directly competent for BF2, which violated Art. 44 ff GDPR. The GDPR is applicable to the processing carried out by BF2, since the material scope of application according to Art. 2 Para. 1 and the territorial scope according to Art. 3 paragraph 2 lit. b leg.cit. are fulfilled.<br />
<br />
With reference to the statement of BF2 (VWA ./31, see point I.5), BF1 stated that the data transmission to BF2 in the United States and the personal reference of the transmitted data are undisputed. The BF2 accepted as undisputed that all data collected through XXXX -Analytics would be hosted in the United States.<br />
<br />
According to the explanations of the BF1, the MB and the BF2 themselves would assume that there is a processing of personal data, including their transmission to a third country; otherwise concluding a contract data processing agreement including standard contractual clauses would be completely meaningless. The BF2 itself also states that a data subject can be identified for the purpose of deletion on the basis of a "user ID" ("user identifier"). There is thus the possibility of identifiability within the meaning of Art. 4 Para. 1 GDPR. Furthermore, the BF itself states that XXXX -Analytics uses unique identifiers associated with a specific user. Insofar as the BF2 explains that the data transmitted to it would sometimes only be "pseudonymous data", on the one hand this is factually wrong and on the other hand it should be noted that even pseudonymised data (Art. 4 Para. 5 GDPR) are covered by the term personal data in accordance with Art. 4 Para. 1 GDPR.<br />
<br />
It is undeniable that the MB and the BF2 process personal data and had transmitted them to the United States. At least some of the cookies set on the occasion of the website visit on August 14, 2020 would contain unique user identification numbers. In the transaction between the browser of the BF1 and https://tracking. XXXX , which was started on the specified date, the user identification numbers _gads, _ga and _gid have been set. These numbers were subsequently transmitted to https://www. XXXX -analytics.com/. The numbers are online identifiers that serve to identify natural persons and would be specifically assigned to a user (see also point II.1.3). With regard to the IP address, it should be noted that Chapter V GDPR does not provide for exceptions for subsequently anonymized data. It can be assumed that the IP address of the BF1 was not even anonymized in all transactions. The application for the imposition of a fine is withdrawn; this is now a suggestion.<br />
<br />
<br />
The additional measures put forward by the BF2 (see point II.1.10) are irrelevant. In this regard, the European Court of Justice considered the following elements of US legislation incompatible with the European fundamental rights under Art. 7, 8 and 47 of the EU Charter of Fundamental Rights (GRC) (ECJ July 16, 2020, C-311/18 (Schrems II), para 175 ff): the lack of any legal protection before US courts under Art. 47 GRC; the lack of any precise legal basis for surveillance which itself specifies the extent and scope of the encroachment on fundamental rights and satisfies the requirement of proportionality; the lack of any individual ex ante decision of a court, with only a review of a surveillance system as a whole, and the absence of any subsequent judicial control; and finally the lack of any legal protection for "Non-US Persons". Against this background, the additional measures (see point II.1.10) are not suitable to solve the problems presented by the European Court of Justice. With comprehensive justification, the BF1 explained that none of the supposed "additional measures" goes beyond the normal standard of data processing pursuant to Art. 32 GDPR or is relevant with regard to U.S. Government data access pursuant to 50 U.S. Code § 1881a and/or EO 12.333.<br />
<br />
With its statement (VWA ./34), the BF1 enclosed "XXXX -Analytics Cookie, Use on website" (VWA ./35, see point II.2), "How XXXX uses cookies" (VWA ./36, see point II.2), and "Measurement Protocol Parameter Reference" (VWA ./37, see point II.2).<br />
<br />
<br />
I.9. As a result, the bB asked the parties to the procedure to submit a new statement (VWA ./38, ./39 and ./40, see point II.2). With an e-mail dated May 12, 2021, BF2 applied for an extension of the period for comments (VWA ./41, see point II.2), which was subsequently granted by the BA (VWA ./42, see point II.2).<br />
<br />
<br />
I.10. In its statement of June 10, 2021 (VWA ./43, see point II.2), BF2 stated that the BF1's standing to bring the complaint had not been established because it had not been shown that the data transmitted was personal data of BF1. In order for the data (cookies, IP address) to qualify as personal data of the BF1, he would have to be identifiable on the basis of this data.<br />
<br />
With regard to the _gid and cid numbers, it should be noted that these are first-party cookies, which were set under the domain XXXX. They are therefore not cookies of BF2, but cookies of the website owner, and the cookie values are different for each user on each site. The BF1 stated that the numbers "_gid" and "cid" were transmitted to https://www. XXXX -analytics.com/. "_gid" has the value 1284433117.1597223478 and cid is 929316258.1597394734. To assess standing, it must therefore be determined whether these numbers (values) make the BF1 identifiable.<br />
<br />
Considering that a single user may have different cid numbers for different websites and the cid numbers are randomly generated, such a cid number cannot in itself identify a user. The number 929316258.1597394734 simply does not identify the BF1. The BF1 does not claim that subsequent visits to the site took place, let alone that data in connection with such subsequent visits to the website were recorded in connection with the cid 929316258.1597394734. There were no circumstances on the basis of which one could argue that information collected in connection with the cid number 929316258.1597394734 would make the BF1 identifiable. These statements essentially apply to the _gid numbers.<br />
<br />
With regard to the IP address, it should be checked whether the IP address of the device connected to the Internet is actually assigned to the BF1 and whether the controller or another person has the legal means to obtain subscriber information from the relevant internet access provider.<br />
<br />
Even if it were determined that the MB or another person theoretically has such legal means within the meaning of recital 26 to obtain subscriber information related to the BF1 from the internet access provider, it must also be determined whether, within the meaning of recital 26 GDPR, it is reasonably likely that these means would be used. In general, it is not likely that the MB or any other person within the meaning of recital 26 would use legal means (if such were available to them). In particular in the situation at issue, it would be generally unlikely that such legal means would be used to identify any visitor to a website like the BF1 if one considers the objective factors, such as the cost and time required for such means of identification (see recital 26).<br />
<br />
As a processor, BF2 makes numerous XXXX -Analytics configuration options available to the website operator. According to the declarations of the MB of December 16th, 2020 (VWA ./11) and 05/04/2021 (VWA ./33), the anonymization function has been configured. However, due to a possible configuration error on the part of the MB, the anonymization function has not been activated in all cases.<br />
<br />
Under normal operating conditions and as far as users based in the EU are concerned, there is a web server in the EEA, which is why the IP anonymization always takes place within the EEA. In the present case, normal operating conditions existed.<br />
<br />
On August 14, 2020, the XXXX account of the BF1 ( XXXX ) had the Web & App activity setting enabled. However, the account had not chosen to include activities from websites using XXXX services. Since the MB, according to its own information, also does not use XXXX signals, the BF2 is not (was not) able to determine that the user of the XXXX account XXXX visited the XXXX.<br />
<br />
With regard to international data traffic, it should be noted that even assuming that the complainant's personal data are concerned, they are by their nature limited in terms of quantity and quality. Should the data be qualified as personal data at all, they would moreover be pseudonymous data.<br />
<br />
Standard contractual clauses were concluded with the MB; in addition, additional measures have been implemented. The BF2 does not disclose user data under EO 12333. FISA § 702 is irrelevant in the present case given the encryption and the anonymization of IP addresses.<br />
<br />
Art. 44 ff GDPR could not be the subject of a complaints procedure under Art. 77 para. 1 GDPR, which is why the complaint should be rejected.<br />
<br />
Finally, Art. 44 et seq. GDPR are also not applicable with regard to BF2 as a data importer.<br />
<br />
I.11. The bB brought the submission of the BF2 to the attention of the BF1 and the MB as part of the hearing of the parties (VWA ./44, see point II.2). The BF1 then applied for an extension of the period for comments (VWA ./45, see point II.2). Furthermore, by letter dated June 16, 2021, the bB asked the MB to state whether there have been legal changes and whether legal representation still exists (VWA ./46, see point II.2).<br />
<br />
I.12. With a statement dated June 18, 2021, the MB announced the change in its company name and the transfer of the website to another legal entity (see point II.1.2, as well as VWA ./47, see point II.2).<br />
<br />
<br />
I.13. With a further statement of June 18, 2021 (VWA ./48, see point II.2), the MB stated that the intended IP anonymization had not been activated due to a programming error. Due to the change made, IP anonymization is now activated for all XXXX -Analytics properties on the XXXX website (VWA ./50, see point II.2). As a result, BF2 was instructed to immediately delete all data collected via the XXXX -Analytics properties. The BF2 has meanwhile confirmed the deletion (VWA ./49, ./52 and ./53, see point II.2). Due to the deletion, neither the MB nor the BF2 processes data of the BF1. The informal termination of the proceedings in accordance with Section 24 (6) DSG is therefore suggested. The statement of the MB was submitted to the BF1 for information (VWA ./51, see point II.2).<br />
<br />
I.14. In the submission of July 9th, 2021 (VWA ./54, see point II.2), the BF2 stated that the adequacy assessment according to the Recommendations 01/2020 on measures supplementing transfer tools to ensure the level of protection of personal data under Union law, version 2.0, of the European Data Protection Board ("EDPB Recommendations") is not limited to examining the legislation of the third country. All specific circumstances surrounding the transfer in question must also be taken into account. In the present case, owing to their limited nature and low sensitivity, the processed personal data are to be treated differently from the data that are the subject of the Schrems I and Schrems II judgments. This is relevant to the case at hand. As a result, the European Data Protection Board recommends a risk-based approach.<br />
<br />
The actual probability of official access to the data is also a relevant factor for the adequacy assessment. Even where problematic legislation exists, the data transfer may continue (even without implementation of additional measures) if the exporter has no reason to believe that the problematic legislation could be interpreted and/or applied in practice in such a way that it covers the transferred data and the specific data importer. In addition, the assessment is no longer exclusively based on the legislation of the third country, but also on the question of whether or not it is applied in practice. For example, the white paper “Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Basis for EU-U.S. Data Transfers after Schrems II" states that most companies operating in the EU do not process data that are of interest to US secret services.<br />
<br />
<br />
When a data exporter transfers personal data in such a way that the personal data can no longer be assigned to a specific data subject without being combined with other data, the pseudonymization carried out is, according to the EDPB Recommendations, an effective supplementary measure. It is not to be expected that US authorities will have additional information that would allow them to identify the data subjects behind the first-party cookie values _gid and cid or behind an IP address.<br />
<br />
<br />
Finally, the BF1 did not apply for a finding that his rights had been infringed in the past.<br />
<br />
I.15. In its statement of 09.07.2021 (VWA ./55, see point II.2), the BF1 stated that personal data is being processed. This has been proven by the submitted documents (VWA ./5 and VWA ./34, point 5.3). Contract documents (order data processing conditions or standard data protection clauses) would not in themselves create a personal reference, but these documents are an important indication that both the BF2 and the MB assume a personal reference. The BF2 itself also assumes that the BF1 off. If the only requirement for the identification of a website visitor is ultimately whether he makes a certain declaration of intent in his XXXX account (such as the activation of "Ad personalisation"), all possibilities of identifiability exist for the BF2. Otherwise, the BF2 could not comply with a user's wishes, expressed in the account settings, for "personalization" of the advertising information received.<br />
<br />
The universally unique identifier (UUID) in the _gid cookie with the UNIX timestamp 1597223478 was set on Wednesday 12 August 2020 at 11:11 and 18 seconds CET, the one in the cid cookie with UNIX timestamp 1597394734 on Friday 14 August 2020 at 10:45 and 34 seconds CET. It follows that these cookies were already in use before the visit that is the subject of the complaint and that longer-term tracking has also taken place. To his knowledge, the BF1 did not delete these cookies immediately either and also visited the website XXXX repeatedly.<br />
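<br />
The timestamp argument above can be reproduced mechanically. The following is an added illustration, not part of the decision or of any party's submission: it splits the two identifier values quoted in the text into their random part and their creation time. The names `parse_client_id` and `report`, the optional "GA1.n." prefix handling and the UTC+2 offset are assumptions of this example.<br />

```python
import re
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone

# Assumption of this example: UTC+2, the civil-time offset in Austria in
# August 2020. It reproduces the wall-clock times quoted in the statement.
LOCAL = timezone(timedelta(hours=2))

# A bare "<random>.<unix seconds>" value as quoted in the decision, or the
# same pair behind a "GA1.<n>." prefix (the form in which such a cookie is
# usually stored in the browser).
_ID_RE = re.compile(r"^(?:GA\d+\.\d+\.)?(\d{1,10})\.(\d{10})$")


@dataclass(frozen=True)
class ClientId:
    name: str          # cookie or parameter name, e.g. "_gid" or "cid"
    random_part: int   # randomly generated component
    created: datetime  # creation time, timezone-aware, in UTC

    def local(self) -> datetime:
        """Creation time expressed in the assumed local offset."""
        return self.created.astimezone(LOCAL)


def parse_client_id(name: str, value: str) -> ClientId:
    """Split an identifier value into its random part and creation time."""
    match = _ID_RE.match(value.strip())
    if match is None:
        raise ValueError(f"{name}: not a <random>.<timestamp> identifier: {value!r}")
    random_part = int(match.group(1))
    created = datetime.fromtimestamp(int(match.group(2)), tz=timezone.utc)
    return ClientId(name, random_part, created)


def days_before_visit(cid: ClientId, visit_day: date) -> int:
    """Whole calendar days between identifier creation and the visit day."""
    return (visit_day - cid.local().date()).days


def report(values: dict, visit_day: date) -> list:
    """One row per identifier: name, local creation time, days before visit."""
    rows = []
    for name, value in values.items():
        cid = parse_client_id(name, value)
        rows.append((name, cid.local().isoformat(), days_before_visit(cid, visit_day)))
    return rows


# Values and visit date exactly as quoted in the text above.
QUOTED = {"_gid": "1284433117.1597223478", "cid": "929316258.1597394734"}
VISIT_DAY = date(2020, 8, 14)

if __name__ == "__main__":
    for name, created_local, days in report(QUOTED, VISIT_DAY):
        print(f"{name:5} created {created_local}  ({days} day(s) before the visit day)")
```
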
<br />
The BF2 misjudges the broad understanding of the GDPR when assessing the existence of personal data. The specific IP address used is also no longer ascertainable for the BF1. However, this is irrelevant, since the UUID in the cookies provides a clear personal reference anyway. Specifically, the combination of cookie data and IP address allows tracking and evaluation of the geographic localization, internet connection and context of the visitor, which can be linked to the cookie data already described. This would also include data such as the browser used, the screen resolution or the operating system (“device fingerprinting”).<br />
<br />
<br />
In the context of the complaint, it is more relevant that US authorities would use data that are easily ascertainable for secret services, such as the IP address, as a starting point for the surveillance of individuals. It is the standard procedure for secret services to 'work their way' from one data point to another. When the BF1's computer, for instance, repeatedly appears on the Internet via the IP address of XXXX, this can be used to spy on the work of the XXXX association and to target the BF1. In a further step, other identifiers would then be searched for in the data, such as the UUIDs mentioned, which in turn allow identification of the individual person for surveillance in other places. In this context, the US secret services are thus an "other person" within the meaning of Recital 26 GDPR. The BF1 not only works for XXXX , but also has a relevant role as a model complainant in these efforts. Thus, according to US law, monitoring of BF1 under 50 USC § 1881a (as well as of all other persons entrusted with this complaint) is legally possible at any time. Even with the application of the supposed "risk-based approach", this case is a prime example of high risk.<br />
<br />
The e-mail address XXXX is assigned to BF1, who until his marriage bore the surname "XXXX". However, the old XXXX account is still in use. The BF2 has not explained to what extent the undisputed data are linked, evaluated, or the result of an evaluation is simply not displayed to the user.<br />
<br />
In addition, Chapter V GDPR does not recognize a "risk-based approach". This can only be found in certain articles of the GDPR, such as in Art. 32 leg.cit. The new standard contractual clauses in the Implementing Decision (EU) 2021/914 are not relevant to the facts due to lack of temporal validity. A "transmission" is not a unilateral action of a data exporter; every "transfer" also requires a receipt of the data. Accordingly, Chapter V of the GDPR is also applicable to BF2; it is a joint action by data exporter and importer.<br />
<br />
If the BF2 has not violated Art. 44 ff GDPR, the provisions of Art. 28 Para. 3 lit. a and Art. 29 GDPR are to be taken into account as a "catch-all rule". If the BF2 follows a corresponding instruction of a US secret service, it takes the decision to process personal data beyond the specific order of the MB according to Art. 28 and Art. 29 GDPR and the corresponding contractual documents. As a result, BF2 itself becomes the controller in accordance with Art. 28 (10) GDPR. As a result, BF2 also has to follow the provisions of Art. 5 et seq. GDPR. A clandestine disclosure of data to US intelligence agencies under US law is without a doubt not compatible with Art. 5 Para. 1 lit. f GDPR, Art. 5 Para. 1 lit. a GDPR and Art.<br />
<br />
<br />
I.16. After being asked to comment (VWA ./56, see point II.2), BF2 stated in its submission of August 12, 2021 (VWA ./57, see point II.2) that the BF1 has not shown his standing to lodge a complaint. He has not answered the questions raised by the BF2 about the identifiability of his person based on the IP address. Regarding the _gid number and cid number, it should be noted that no directory is available in order to make the BF2 identifiable. The fact that recital 26 GDPR mentions "singling out" as a possible means of identification does not, however, change the understanding of the words "identify", "identification" or “identifiability”.<br />
<br />
The identifiability of the BF1 requires at least that his identification is possible on the basis of the data in question and with means that are reasonably likely to be used. This has not been established and cannot be assumed and is, on the contrary, improbable, if not impossible.<br />
<br />
The fact that the BF2 has concluded contract data processing conditions also does not mean that the data that are the subject of this procedure are personal data, nor that they are the data of BF1.<br />
<br />
BF1's view that the data transfer should not be evaluated on the basis of a risk-based approach ("all or nothing") cannot be followed. This is not consistent with the GDPR, as can be seen from Recital 20 of the Implementing Decision (EU) 2021/914 of the European Commission. This is also recognizable from the different versions of the EDPB Recommendations. Even if access to the above numbers by US authorities is "legally" possible at any time, it should be checked how likely this is. The BF1 has not provided any convincing arguments as to why or how the "cookie data” related to his visit to a publicly accessible Austrian website used by many, such as the one in question, could be “Foreign Intelligence Information" and thus become the target of purpose-restricted data collection according to § 702.<br />
<br />
<br />
I.17. With the decision that is the subject of the proceedings (VWA ./59, see point II.2), the BA, in point 1, first set aside the decision of 02.10.2020, Zl 2020-0.527.385 (DSB-D155.027) (see point I.2).<br />
<br />
With point 2, the BA upheld the complaint against the MB and found that (a) the MB as controller, by implementing the tool "XXXX -Analytics" on its website under XXXX , transmitted personal data of BF1 (these are at least unique user identification numbers, IP address and browser parameters) to the BF2 at least on August 14, 2020, (b) the standard data protection clauses that the MB concluded with the BF2 would not offer an adequate level of protection according to Art. 44 DSGVO, since (i) the BF2 qualifies as a provider of electronic communication services within the meaning of 50 US Code § 1881(b)(4) and as such is subject to surveillance by U.S. intelligence agencies under 50 U.S. Code § 1881a (“FISA 702”), and (ii) the measures taken in addition to the standard data protection clauses mentioned in point 2. b) were not effective, as these would not eliminate the surveillance and access possibilities of US intelligence services, and (c) in the present case no other instrument according to Chapter V of the GDPR can be used for the data transmission mentioned in point 2.a), and the MB therefore did not guarantee an appropriate level of protection in accordance with Art. 44 GDPR for the data transfer mentioned in point 2.a).<br />
<br />
With point 3, the bB rejected the complaint against BF2 for a violation of the general principles of data transmission in accordance with Art. 44 GDPR.<br />
<br />
In its legal reasoning, the bB first deals with its competence and its power to make findings (see point II.3.4). It also explains that Art. 44 GDPR is a subjective right (see point II.3.4). In connection with point 2, the bB stated that the transmitted data (see point II.1.3 or II.1.3.1) are, at least in combination, personal data according to Art. 4 Z 1 GDPR. As to the lack of an appropriate level of protection in accordance with Art. 44 GDPR, the bB stated that the European Court of Justice declared the "EU-US Privacy Shield" invalid with the decision of July 16, 2020, C-311/18 (Schrems II). The data transmission that is the subject of the proceedings also cannot be based solely on the standard data protection clauses concluded between the MB and BF2 in accordance with Article 46 (2) (c) GDPR. Nor are the additional measures identified by BF2 suitable for closing the gaps in legal protection identified in the judgment: inappropriate access and surveillance capabilities of US intelligence services and insufficiently effective legal remedies for those affected.<br />
<br />
The bB justified the rejection in point 3 on the ground that the requirements of Art. 44 GDPR do not apply to BF2. BF2 does not disclose the personal data of BF1 but only receives it. The requirements of Chapter V GDPR are to be complied with by the data exporter and not also by a data importer (in a third country).<br />
<br />
<br />
The notification was delivered to BF1 on January 12th, 2022, and to BF2 and MB on January 13th. Against point 3 of the decision, BF1 lodged a complaint on February 7th, 2022 (see point I.20). On February 9th, 2022, BF2 filed a complaint against point 2 of the decision (see point I.17I.18). The MB did not lodge a complaint.<br />
<br />
<br />
I.18. In its complaint (VWA ./62, see point II.2), BF2 first set out the basis of its right to complain. Furthermore, BF2 stated that there is no separability according to § 59 paragraph 1 AVG between the subject matter of the contested partial decision and the subject matter of the planned second partial decision. There is also a violation of a data subject's right. In addition, a finding of alleged infringements lying in the past is not to be made. Nor does a class action entitlement according to Art. 80 Para. 2 GDPR exist.<br />
<br />
<br />
Contrary to the view of the bB, the data at issue in the proceedings are not personal data within the meaning of the GDPR. BF2 explained that the processed data is not related to a natural person. According to the case law of the European Court of Justice (ECJ December 20, 2017, C-434/16 (Nowak), para. 35), there is neither a content element, a purpose element nor a result element. Furthermore, there is no identifiability of a natural person. A specific person cannot be identified from the specified IP address, the XXXX -specific random numbers, the browser parameters and the page data obtained. Identification is also not possible from a combination of this data. Furthermore, BF2 has no technical possibilities to identify BF1 via his XXXX account.<br />
<br />
<br />
BF2 also emphasized a risk-based approach. Even if you<br />
subject to the proceedings a personal reference, so is under<br />
<br />
Consideration of the low threshold of the transmitted data and the very<br />
low basis risk, the inapplicability of and the fact that FISA 702 anyway<br />
<br />
no practical application, no disclosure of data according to EO 12.333.<br />
<br />
Since extensive supplementary measures had been implemented, an appropriate level of protection for the transmission of the data at issue in the proceedings is more than given, and the transmission is permissible according to Art. 44 ff GDPR.<br />
<br />
With its complaint, BF2 enclosed the documents Cookies and user identification (VWA ./63, see point II.2), Linker (VWA ./64, see point II.2), Report from XXXX (VWA ./65, see point II.2) and New EU-US data transfer framework (VWA ./66, see point II.2).<br />
<br />
<br />
I.19. In its statement (VWA ./67, see point II.2) submitted in the course of forwarding the files, the bB stated that BF2 had no standing to lodge a complaint, since the product XXXX -Analytics has been offered by XXXX since the end of April 2021. The bB also explained that it has the power to make findings in complaint procedures concerning alleged violations of the DSG or the GDPR.<br />
<br />
<br />
Furthermore, the bB stated that BF2 itself obviously assumes that personal data are involved. This can be recognized by the fact that BF2 undisputedly concluded with the MB a processor agreement in accordance with Art. 28 Para. 2 GDPR and standard data protection clauses according to Art. 46 Para. 2 lit. c GDPR. BF2 also stated that a website operator concludes standard data protection clauses with BF2 in all cases (VWA ./31, page 3). BF2 itself also declares that online identifiers are personal data (see point II.1.3.6). Irrespective of these declarations or this behavior of BF2, personal data are present in the case at issue in view of the case law of the European Court of Justice and the explanations of the European Data Protection Supervisor (VWA ./68). In the present case, an attribution can also be made via the IP address.<br />
<br />
In addition, a combination can also be made with browser information. In this context, the bB referred to the definition of "fingerprinting": this is a process by which an observer identifies a device or application instance with sufficient probability based on multiple pieces of information.<br />
<br />
Finally, the bB extensively rebutted the risk-based approach put forward by BF2 and pointed out that economic interests played no role in the decision of the European Court of Justice of July 16, 2020, C-311/18 (Schrems II).<br />
<br />
With its statement, the bB submitted a decision of the European Data Protection Supervisor of January 5th, 2022 (VWA ./68, see point II.2), a decision of the LG Munich (VWA ./69, see point II.2), an expert opinion on the current status of US surveillance law (VWA ./70, see point II.2) and essential findings of the report on the current status of US surveillance law (VWA ./71, see point II.2).<br />
<br />
I.20. In his complaint (VWA ./60, see point II.2), BF1 stated that the bB justifies the rejection in point 3 with a misinterpretation of the wording of Art. 44 GDPR. In so far as the bB justifies its rejection by arguing that BF2, as recipient of personal data in the third country United States (data importer), does not disclose the data but (only) receives it, the bB overlooks that Art. 44 GDPR does not use the term "disclosure". Art. 44 GDPR uses the term "transfer". The distinction between these terms is objectively decisive: in contrast to a "disclosure", which can also occur without a designated recipient (e.g. by publication on a website), a "transfer" (or a "disclosure by transmission") always requires a recipient and also his (at least minimal) cooperation. While a "disclosure" is completed with the act of "making available", a "transfer" also requires receipt by the recipient.<br />
<br />
From a legal point of view, the design of Chapter V GDPR illustrates the technical reality (namely that transmission on the Internet always requires an interaction of a sender and a receiver). Art. 44 GDPR already generally requires the "controller and the processor" to comply with the provisions of the chapter, without referring to the "data-exporting controller or processor". The guarantees mentioned in Art. 46(2) GDPR also consistently require cooperation between data exporter and data importer and include in particular obligations of the data importer. Rightly, both the data exporter and the data importer are obliged here to comply with the provisions mentioned, as they jointly transfer data out of the EU into the third country and from the third country to the EU.<br />
<br />
It should also be noted that obligations arise for the data importer from the standard contractual clauses (Implementing Decision of the European Commission 2010/87/EU of February 5, 2010 on standard contractual clauses for the transfer of personal data to processors in third countries according to Directive 95/46/EC of the European Parliament and of the Council). Clause 3(2) clearly contains a subsidiary obligation of the data importer to comply with clauses 5(a) to (e), 6, 7, 8(2) and 9 to 12 of the standard contractual clauses towards the data subject if the company of the data exporter no longer exists in fact or in law and no legal successor has assumed the obligations of the data exporter. If Chapter V GDPR were not also applicable to the data importer, the enforcement of the subjective rights of the data subject under the standard contractual clauses against the data importer would be impossible.<br />
<br />
I.21. In its statement (VWA ./61, see point II.2) submitted in the course of forwarding the files, the bB stated that it was correct from a technical point of view that a transmission (unlike disclosure to an indefinite group of addressees, e.g. in the form of publication on a website) presupposes a recipient.<br />
<br />
However, as already stated in the contested decision, different duties and degrees of responsibility result from a legal point of view from one processing operation (here: "transmission") (VWA ./59, page 40). In line with the "Guidelines 5/2021 of the EDPB on the relationship between the scope of Art. 3 and the specifications for international data traffic in accordance with Chapter V GDPR", the bB assumes that the data importer does not have the legal obligation to comply with the requirements of Art. 44 GDPR.<br />
<br />
<br />
Finally, it should be noted that the data importer is naturally also subject to corresponding duties. Where standard contractual clauses according to Art. 46 Paragraph 2 lit. c GDPR are concluded, a data importer has to comply with all contractual obligations concluded between it and its contractual partner. However, these obligations are of a contractual nature. On the other hand, (only) the data exporter has to comply with the obligations under Art. 44 GDPR, which also includes that a suitable instrument, such as the conclusion of standard contractual clauses, is in place to ensure an adequate level of protection.<br />
<br />
I.22. With a submission dated July 8th, 2022, BF2 sent a reply to the complaint<br />
<br />
of BF1 (OZ 4 to W245 2252208-1). In it, BF2 explained in detail that Art. 44 ff<br />
<br />
GDPR is not applicable to XXXX as a data importer.<br />
<br />
I.23. In its statement of January 13, 2022 (OZ 4 to W245 2252208-1), the BF2 repeatedly pointed out that personal data had been processed in the case at issue. In addition, the BF2 explained that a risk-based approach is not to be inferred from Art. 44 ff GDPR. Furthermore, the BF2 explained with further reasoning that the BF1 as a data importer is directly covered by Chapter V GDPR.<br />
<br />
I.24. With a statement dated February 14, 2023 (OZ 15 to W245 2252208-1), BF2 stated that there is a binding effect on the basis of the asserted statements. In particular, the fact that the decision stated that personal data had been transferred has obvious effects on further proceedings before the bB. BF2 could not refute this fact in further proceedings.<br />
<br />
With regard to the reference to a person, BF2 reiterated that there was none. It also submitted two affidavits to prove that BF2 was not able to establish access to MB's website via BF1's XXXX account. A risk-based approach must also be taken into account as a matter of law.<br />
<br />
I.25. In preparation for the complaint hearing, the bB (OZ 23 to W245 2252208-1), the BF1 (OZ 24 to W245 2252208-1) and BF2 (OZ 25 to W245 2252208-1) submitted observations. In these observations, the parties reiterated the positions they had taken so far in the proceedings.<br />
<br />
<br />
I.26. In the case at hand, the BVwG conducted a public oral hearing, which BF1 attended personally in the presence of his authorized representative. A representative of the bB and of BF2 also took part in the hearing.<br />
<br />
After the conclusion of the oral hearing, the judgment was announced orally. BF1 and BF2 requested from the BVwG, in writing and within the deadline, a written version of the orally announced judgment.<br />
<br />
<br />
II. The Federal Administrative Court considered:<br />
<br />
II.1. Findings:<br />
<br />
The facts relevant to the decision are clear.<br />
<br />
II.1.1. About the procedure:<br />
<br />
The course of the procedure presented under point I is established and forms the basis of the decision.<br />
<br />
<br />
II.1.2. About the owner of the website XXXX :<br />
XXXX transferred the website XXXX to XXXX , Munich, as part of an asset deal with effect from 02/01/2021. XXXX was then renamed XXXX.<br />
<br />
Until August 2021, XXXX continued to manage the website XXXX on behalf of and under the direction of XXXX, Munich.<br />
<br />
In August 2021, the XXXX website was completely transferred to the IT environment of XXXX Munich. Since the transfer, XXXX -Analytics has been used with an upstream proxy server. This completely prevents even the IP addresses from being transmitted to BF2.<br />
<br />
II.1.3. For the data processing that is the subject of the procedure:<br />
<br />
BF1 visited the MB's website XXXX at least on August 14, 2020, at 10:45 a.m.<br />
<br />
In the transaction between the browser of BF1 and https://tracking. XXXX, unique user identification numbers were set at least in the "_ga" and "_gid" cookies on 14 August 2020 at 12:46:19.344 CET. Subsequently, these identification numbers were transmitted on August 14, 2020 at 12:46:19.948 CET to https://www. XXXX -analytics.com/ and thus to BF2.<br />
<br />
Specifically, the following user identification numbers, which are located in the browser of BF1, were transmitted to BF2 (identical values that occurred in different transactions are shown in italics or marked in orange and green):<br />
<br />
Domain | Name | Value | Purpose<br />
https://tracXXXX. | _ga | GA1.2.1284433117.1597223478 | XXXX Analytics<br />
https://tracXXXX. | _gid | GA1.2.929316258.1597394734 | XXXX Analytics<br />
https://tracXXXX. | _gads | ID=d77676ed5b074d05:T=1597223569:S=ALNI_MZcJ9EjC13lsaY1Sn8Qu5ovyKMhPw | XXXX Advertising<br />
https://wwXXXX-analytics.com/ | gid | 929316258.1597394734 | XXXX Analytics<br />
https://wwXXXX-analytics.com/ | id | 1284433117.1597223478 | XXXX Analytics<br />
<br />
These identification numbers each contain a preceding random number and a trailing UNIX timestamp showing when each cookie was set. The identifier in the _gid cookie with UNIX timestamp "1597394734" was set on Wednesday, August 14, 2020 at 11:11 and 18 seconds CET, the one in the cid cookie with the UNIX timestamp "1597223478" on Friday 12 August 2020 at 10:45 and 34 seconds CET.<br />
<br />
<br />
With the help of these identification numbers, BF2 can distinguish between website visitors and can also obtain the information whether a visitor of www. XXXX is new or returning. However, a cross-website analysis of behavior based on this identifier is not possible.<br />
<br />
<br />
In addition, the following information (parameters) about the browser of BF1 was transmitted to BF2 in the course of requests to https://www. XXXX -analytics.com/collect (excerpt from the HAR file, request URL https://www. XXXX -analytics.com/collect, request excerpt with timestamp 2020-08-14T10:46:19.924+02:00):<br />
<br />
general<br />
Request URL https://www. XXXX-analytics.com/collect<br />
Request Method GET<br />
HTTP Version HTTP/2<br />
Remote Address XXXX<br />
<br />
headers<br />
Accept: image/webp,*/*<br />
Accept-Encoding: gzip, deflate, br<br />
Accept-Language: en-US,de;q=0.7,en;q=0.3<br />
Connection: keep-alive<br />
Host: www. XXXX-analytics.com<br />
Referer: https://www. XXXX .at/<br />
TE: Trailers<br />
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0<br />
<br />
Query Arguments<br />
_gid: 929316258.1597394734<br />
_s: 1<br />
_u: QACAAEAB~<br />
_v: j83<br />
a: 443943525<br />
cid: 1284433117.1597223478<br />
de: UTF-8<br />
dl: https://www. XXXX .at/<br />
dt: XXXX .at Home - XXXX<br />
ea: /<br />
ec: scroll depth<br />
el: 25<br />
gjid:<br />
gtm: 2wg871PHBM94Q<br />
je: 0<br />
jid:<br />
ni: 0<br />
sd: 24-bit<br />
sr: 1280x1024<br />
t: event<br />
tid: UA-259349-1<br />
ul: en-us<br />
v: 1<br />
vp: 1263x882<br />
z: 1764878454<br />
<br />
Size<br />
Headers 677 bytes<br />
Body 0 bytes<br />
Total 677 bytes<br />
<br />
These parameters can therefore be used to draw conclusions about the browser used, the browser settings, the language selection, the website visited, the color depth, the screen resolution and the AdSense linking number.<br />
<br />
The remote address XXXX is that of the BF2.<br />
<br />
The IP address of BF1's device is transmitted to BF2 with the requests to https://www. XXXX -analytics.com/collect. In the case at issue, the IP address of BF1 was transmitted to BF2.<br />
<br />
The BF1 worked from home on August 14th, 2020. In the home office, the BF2 uses a screen with a resolution of 1280x1024 (sr value). In addition, a size of 1263x882 is transmitted for the visible part of the browser window (vp value).<br />
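Added example (not part of the decision and not any party's code): a Python sketch that parses a collect request like the one in the HAR excerpt above, splits the cid and _gid values into random number and UNIX timestamp, and checks them against the cookie values. The host names are placeholders, times are decoded as UTC and as UTC+2, and the `aip` check relies on the anonymize-IP parameter documented for the Universal Analytics Measurement Protocol, which the page itself does not name.<br />

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the hosts are placeholders; the parameter values are a
# subset of those quoted in the HAR excerpt above.
COLLECT_URL = (
    "https://analytics.example/collect?v=1&_v=j83&a=443943525&t=event"
    "&ni=0&_s=1&dl=https%3A%2F%2Fwww.site.example%2F&ul=en-us&de=UTF-8"
    "&sd=24-bit&sr=1280x1024&vp=1263x882&ec=scroll%20depth&ea=%2F&el=25"
    "&cid=1284433117.1597223478&tid=UA-259349-1"
    "&_gid=929316258.1597394734&z=1764878454"
)
# Cookie values as listed in the cookie table above.
COOKIES = {
    "_ga": "GA1.2.1284433117.1597223478",
    "_gid": "GA1.2.929316258.1597394734",
}

CEST = timezone(timedelta(hours=2))  # Austrian local time in August 2020
DAYS = ("Monday", "Tuesday", "Wednesday", "Thursday",
        "Friday", "Saturday", "Sunday")
# Query parameters that describe the browser rather than the visit.
BROWSER_PARAMS = {"ul": "language", "sr": "screen resolution",
                  "vp": "viewport size", "sd": "colour depth",
                  "de": "document encoding"}


def split_identifier(value):
    """Split '<random>.<unix-ts>' (optionally prefixed 'GA1.<n>.') into parts."""
    parts = value.split(".")
    if len(parts) == 4 and parts[0].startswith("GA"):
        parts = parts[2:]  # drop the two-field cookie prefix
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected identifier format: {value!r}")
    ts = int(parts[1])
    utc = datetime.fromtimestamp(ts, tz=timezone.utc)
    local = utc.astimezone(CEST)
    return {
        "random": parts[0],
        "timestamp": ts,
        "utc": utc.strftime("%Y-%m-%d %H:%M:%S"),
        "local": local.strftime("%Y-%m-%d %H:%M:%S"),
        "weekday": DAYS[local.weekday()],
    }


def audit_collect_request(url, cookies):
    """Report which identifiers and browser parameters one request carries."""
    raw = parse_qs(urlsplit(url).query, keep_blank_values=True)
    query = {key: values[0] for key, values in raw.items()}
    report = {"identifiers": {}, "browser": {}, "issues": []}

    # The _ga cookie value travels as 'cid', the _gid cookie value as '_gid'.
    for cookie_name, param in (("_ga", "cid"), ("_gid", "_gid")):
        if param not in query:
            continue
        sent = split_identifier(query[param])
        stored = cookies.get(cookie_name)
        same = False
        if stored is not None:
            parsed = split_identifier(stored)
            same = (parsed["random"], parsed["timestamp"]) == (
                sent["random"], sent["timestamp"])
        sent["same_as_cookie"] = same
        report["identifiers"][param] = sent
        if same:
            report["issues"].append(
                f"{param}: persistent value of cookie {cookie_name} is sent")

    if "tid" in query:  # property ID of the website operator's account
        report["identifiers"]["tid"] = query["tid"]
    for key, label in BROWSER_PARAMS.items():
        if key in query:
            report["browser"][label] = query[key]
    # 'aip' is the Measurement Protocol flag that asks for IP anonymization
    # (taken from the protocol's public documentation, not from this page).
    if "aip" not in query:
        report["issues"].append("aip absent: IP anonymization not requested")
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(audit_collect_request(COLLECT_URL, COOKIES), indent=2))
```

The same function can be run over every `request.url` entry of a HAR export to list which requests carry a cookie-derived identifier.<br />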
<br />
II.1.3.1. Summary of the information that was transmitted to BF2 on August 14th, 2020:<br />
As a result of the implementation of the XXXX -Analytics tool, the following information, in summary, was transmitted on 08/14/2020 from the browser of BF1, who visited the website XXXX, to the servers of BF2:<br />
<br />
unique online identifiers (unique identifiers) that identify both the browser and the device of BF1 as well as the MB (through the XXXX analytics account ID of the MB as website operator);<br />
<br />
the address and HTML title of the website and of the sub-pages that BF1 visited;<br />
<br />
information about the browser, operating system, screen resolution, language selection and date and time of the website visit;<br />
<br />
the IP address of the device that BF1 used.<br />
<br />
II.1.3.2. For information on the cookies used:<br />
<br />
For Universal Analytics, the JavaScript library analytics.js or the JavaScript library gtag.js is used. In both cases, the libraries use first-party cookies to:<br />
<br />
Distinguish unique users and<br />
<br />
Throttle the request rate<br />
<br />
When using the recommended JavaScript snippet, cookies are set at the highest possible domain level. If the website address is, for example, blog.example.co.uk, analytics.js and gtag.js set the cookie domain to .example.co.uk. Setting cookies at the highest possible domain level allows measurement across subdomains without requiring any additional configuration.<br />
<br />
Note: gtag.js and analytics.js do not require cookies to be set in order to transmit data to XXXX -Analytics.<br />
<br />
gtag.js and analytics.js set the following cookies:<br />
<br />
Cookie name | Default expiry time | Description<br />
_ga | 2 years | Used to distinguish users.<br />
_gid | 24 hours | Used to distinguish users.<br />
_gat | 1 minute | Used to throttle request rate. If XXXX Analytics is used via the XXXX Tag Manager, this cookie is named _dc_gtm_<property-id>.<br />
AMP_TOKEN | 30 seconds to 1 year | Contains a token that can be used to retrieve a client ID from the AMP client ID service. Other possible values indicate opt-out, inflight request, or an error retrieving a client ID from the AMP client ID service.<br />
_gac_<property-id> | 90 days | Contains campaign-related information for the user. If you have linked your XXXX Analytics and XXXX Ads accounts, the XXXX Ads website conversion tags read this cookie unless you opt out.<br />
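Added example (a model written for this page, not code from analytics.js or gtag.js): how "the highest possible domain level" can be found by trying candidate domains from widest to narrowest, and which hosts then receive the cookie. The public-suffix set and all host names are constructed; a real browser consults the full Public Suffix List.<br />

```python
import ipaddress

# Constructed mini public-suffix set (assumption for this example only).
PUBLIC_SUFFIXES = {"uk", "co.uk", "at", "co.at", "com"}


def _is_ip(host):
    """True if host is an IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def broadest_cookie_domain(host, public_suffixes=PUBLIC_SUFFIXES):
    """Return the widest Domain attribute a browser would accept for host.

    Returns None when only a host-only cookie is possible (IP literal,
    single-label host, or the host itself is a public suffix).
    """
    host = host.lower().rstrip(".")
    if _is_ip(host):
        return None
    labels = host.split(".")
    if len(labels) < 2:
        return None
    # Widest candidate first: 'uk', 'co.uk', 'example.co.uk', ...
    for n in range(1, len(labels) + 1):
        candidate = ".".join(labels[-n:])
        if candidate not in public_suffixes:
            return candidate
    return None


def domain_match(request_host, cookie_domain):
    """Domain matching as in RFC 6265 section 5.1.3 (leading dot ignored)."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".")
    if request_host == cookie_domain:
        return True
    return (not _is_ip(request_host)
            and request_host.endswith("." + cookie_domain))


def hosts_receiving_cookie(setting_host, candidate_hosts):
    """List the hosts to which a cookie set from setting_host is sent."""
    domain = broadest_cookie_domain(setting_host)
    if domain is None:  # host-only cookie: only the setting host itself
        return [h for h in candidate_hosts if h.lower() == setting_host.lower()]
    return [h for h in candidate_hosts if domain_match(h, domain)]


if __name__ == "__main__":
    hosts = ["blog.example.co.uk", "shop.example.co.uk", "example.co.uk",
             "notexample.co.uk", "example.com"]
    print(broadest_cookie_domain("blog.example.co.uk"))
    print(hosts_receiving_cookie("blog.example.co.uk", hosts))
```

The result shows the scope consequence of the default: one identifier set on a blog subdomain is attached to requests for every sibling subdomain of the same registrable domain.<br />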
<br />
<br />
II.1.3.3. To link to the BF1's XXXX account:<br />
During the visit to the XXXX website, BF1 was logged into his XXXX account, which is linked to the email address XXXX. This email address belongs to BF1.<br />
<br />
A XXXX account is a user account used for authentication at various XXXX online services of BF2. A XXXX account is, for example, a prerequisite for the use of services such as " XXXX " or " XXXX Drive" (a file hosting service).<br />
<br />
On August 14, 2020, the web & app activities setting was activated in the XXXX account of BF1 ( XXXX ). However, BF1 had opted in his XXXX account not to include activities from websites that use XXXX services.<br />
<br />
Contrary to BF2's own statements, it is technically able to obtain the information that a specific XXXX account user visited the XXXX website (on which XXXX -Analytics is implemented) if this XXXX account user was logged into the XXXX account during the visit to the XXXX website.<br />
<br />
Metadata from XXXX applications (such as the XXXX account) that BF1 used on 08/14/2020 were stored on servers in the United States.<br />
<br />
II.1.3.4. For (non)anonymized processing of the IP address of the BF1:<br />
The IP anonymization function on the MB's website XXXX was implemented incorrectly. As a result, it was not ensured on August 14, 2020 that the IP address was anonymized after transmission of the data to BF2.<br />
<br />
II.1.3.5. Regarding the deleted information:<br />
The MB instructed BF2 in the course of the administrative procedure to delete all data collected via the XXXX -Analytics properties for the XXXX website. BF2 performed the deletion.<br />
<br />
II.1.3.6. For the declaration of personal data by BF2:<br />
<br />
On the page "Data processing terms for XXXX advertising products: Information on<br />
the services", BF2 states that as part of the order processing service, "XXXX<br />
<br />
Analytics" the data "online identifiers (including cookie identifiers), internet<br />
Protocol addresses and device identifiers and identifiers assigned by the customer"<br />
<br />
can be personal data.<br />
<br />
II.1.4. About the web analysis service XXXX -Analytics:<br />
<br />
XXXX -Analytics is a measurement service that allows customers to measure traffic to properties, including traffic from visitors visiting a website owner's website. Web analytics services are a popular category of services offered by several providers and are considered an essential tool for running a website.<br />
<br />
Website owners rely on web analytics services like XXXX Analytics to help them understand how website visitors interact with their website and services. XXXX -Analytics helps them to create more engaging content and to monitor and maintain the stability of their websites.<br />
<br />
In addition, website owners can set up dashboards that give an overview of the reports and metrics that customers care about the most, e.g. to monitor the number of visitors on a website in real time. XXXX -Analytics can also help to measure and optimize the effectiveness of advertising campaigns run by website owners on XXXX ad services.<br />
<br />
All data collected by XXXX Analytics is hosted (stored and processed) in the United States.<br />
<br />
II.1.5. About the implementation and functionality of XXXX -Analytics:<br />
<br />
The web analytics service XXXX -Analytics is embedded in the website owner's pages by means of JavaScript code. When users view a page on the website, this JavaScript code refers to a JavaScript file previously downloaded to the user's device, which then executes the tracking operation for XXXX -Analytics. The tracking operation retrieves data about the page request by various means and sends this information to the analytics servers via a list of parameters attached to a single-pixel GIF image request.<br />
<br />
The data that XXXX -Analytics collects on behalf of the website owner comes from these sources:<br />
<br />
The user's HTTP request<br />
<br />
Browser/system information<br />
<br />
First-party cookies<br />
<br />
An HTTP request for each web page contains details about the browser and the computer making the request, such as host name, browser type, referrer and language. In addition, the Document Object Model (DOM) of most browsers provides access to more detailed browser and system information, such as Java and Flash support and screen resolution. XXXX -Analytics uses this information. XXXX -Analytics also sets and reads first-party cookies in a user's browser, which allow the measurement of the user session and other information from the page request.<br />
<br />
When all this information has been collected, it is sent to the analytics servers in the form of a long list of parameters attached to a single GIF image request to the domain XXXX-analytics.com. The data contained in the GIF request is the data that is sent to the XXXX Analytics servers, is then further processed, and ends up in the reports of the website owner.<br />
<br />
II.1.6. On the embedding of the program code for XXXX -Analytics on the XXXX website by the MB:<br />
Following a decision by the MB, the program code for XXXX -Analytics was embedded on its website.<br />
<br />
By configuring the tags or activating or deactivating various XXXX -Analytics functions through the user interface, the MB determined the use of the collected data. For example, the MB could specify the retention period for data, instruct that the IP address be anonymized after receipt by BF2, determine who is allowed to receive data, etc.<br />
<br />
<br />
II.1.7. The legal basis for the use of XXXX -Analytics by the participants:<br />
The use of XXXX -Analytics requires a contract.<br />
<br />
The MB and BF2 have an agreement entitled “Order data processing conditions<br />
<br />
for XXXX advertising products”. This contract had the version dated August 12, 2020<br />
<br />
(VWA ./18) valid at least on August 14, 2020. The contract regulates<br />
Order data processing conditions for XXXX advertising products. It applies to them<br />
<br />
Provision of data processing services and related thereto<br />
<br />
technical support services for customers (MB) of BF2. The MB used the free one<br />
Version of XXXX -Analytics.<br />
<br />
The web analysis service XXXX -Analytics falls under the scope of the<br />
<br />
"Order data processing conditions for XXXX advertising products".<br />
<br />
With regard to the order data processing conditions for XXXX advertising products<br />
<br />
in connection with the web analysis service XXXX -Analytics online identifiers<br />
(including cookie identifiers), internet protocol addresses and device identifiers as well<br />
<br />
Labels assigned by the customer Personal data of the customer (MB)<br />
<br />
represent.<br />
<br />
In addition, point 10.2. of these order data processing conditions provides for the application<br />
of standard data protection clauses where personal customer data is transferred<br />
from the EEA to a third country that is not subject to an<br />
adequacy decision under European data protection legislation.<br />
Based on this, MB and BF2 signed a second contract on August 12th, 2020 with the<br />
title "XXXX Ads Data Processing Terms: Model Contract Clauses, Standard Contractual Clauses<br />
for Processors” (VWA ./22). These are standard contractual clauses<br />
for international data traffic (based on the implementing decision of the<br />
European Commission 2010/87/EU of February 5, 2010 on Standard Contractual Clauses<br />
for the transfer of personal data to processors in third countries<br />
under Directive 95/46/EC of the European Parliament and of the Council, OJ L 2010/39, p. 5.).<br />
<br />
In addition to implementing XXXX -Analytics, a website owner can<br />
share analytics data with XXXX by activating the data sharing setting for XXXX<br />
products and services and separately accepting the privacy policy for XXXX<br />
Measurement Controller controllers that applies to the use of this setting.<br />
<br />
The MB had not activated the data sharing setting. Nor had the MB switched on<br />
XXXX -Signal. The MB did not have its own authentication system and<br />
did not use a user ID function either.<br />
<br />
II.1.8. For the purpose of processing by the collaborators:<br />
XXXX -Analytics is used to enable the following general statistical evaluations of the<br />
behavior of website visitors:<br />
<br />
Reach measurement (i.e. how many users access the site);<br />
<br />
Evaluation of which articles have the greatest traffic (i.e. which articles were called up the most);<br />
<br />
Average session duration;<br />
<br />
Evaluation of the average number of pages viewed per session.<br />
<br />
II.1.9. Regarding the measures taken by BF2 after the judgment of the European Court of Justice of<br />
<br />
07/16/2020 in Case C-311/18:<br />
<br />
After the decision of the European Court of Justice, BF2 assumed that the verdict<br />
also applies to the use of XXXX -Analytics by website owners. After the decision<br />
of the European Court of Justice, the BF2 immediately began amending the<br />
Data Processing Terms (DTPS) in order to make the Standard Contractual Clauses (SCC)<br />
applicable to all affected contracts. This included updating a<br />
variety of contracts, sending communications to website owners on<br />
08/03/2020, the translations and the publication of the corresponding<br />
terms of contract. These changes to the order data processing conditions<br />
(DTPS) came into force on August 12, 2020.<br />
<br />
Section 10 of the updated Order Data Processing Terms (DTPS) provides<br />
that, insofar as the storage and/or processing of personal data of customers,<br />
including personal data in XXXX -Analytics data, involves the transfer of<br />
personal data of customers from the EEA to a third country that is not<br />
subject to an adequacy decision under the GDPR, the website owner (as<br />
data exporter) and XXXX (as data importer) use Standard Contractual Clauses (SCCs)<br />
for the transfer of personal data to processors in third countries that do not<br />
ensure adequate data protection. The Standard Contractual Clauses<br />
(SCCs) are made available at XXXX. These Standard Contractual Clauses (SCCs)<br />
are said to correspond to the clauses published by the European Commission<br />
in its Decision 2010/87/EU.<br />
<br />
II.1.10. Regarding the additional measures that were taken by the BF2 along with the<br />
introduction of the standard contractual clauses:<br />
The following measures were already in force before the decision of the European Court of Justice<br />
in Case C-311/18 and therefore also existed during the period in which the<br />
conditions were updated by 08/12/2020. According to the statements of the BF2,<br />
these measures are suitable to ensure an adequate level of protection.<br />
<br />
II.1.10.1.Legal and organizational measures:<br />
<br />
The BF2 evaluates every request for user data that it receives from state authorities<br />
to ensure that it complies with applicable laws and XXXX policies.<br />
<br />
BF2 notifies customers before any of their information is disclosed,<br />
unless such notice is prohibited by law or the request involves an emergency.<br />
<br />
<br />
The BF2 publishes a transparency report.<br />
<br />
The BF2 publishes its policy on dealing with government requests.<br />
<br />
II.1.10.2.Technical measures:<br />
BF2 uses robust technical measures to protect personal data during<br />
transmission (default use of HTTP Strict Transport Security<br />
(HSTS), encryption of data on one or more network layers (protection of the<br />
communication between XXXX services, protection of data in transit between<br />
data centers and protection of communications between users and websites)).<br />
<br />
The BF2 uses robust technical measures to protect stored personal data<br />
(the BF2 encrypts XXXX -Analytics data that is stored in its data centers;<br />
BF2 builds servers exclusively for its data centers and maintains<br />
an industry-leading security team; XXXX -Analytics data is only accessible to<br />
employees who need the data for their work).<br />
<br />
II.1.10.3. Pseudonymity of data from XXXX -Analytics:<br />
<br />
The BF2 believes that, insofar as the data for measurement by website owners<br />
are personal data, they would have to be considered pseudonymous. The BF2 is<br />
of the opinion that if a third party accesses the XXXX -Analytics data, it<br />
will in principle not be able to identify the data subject on the basis of this data.<br />
<br />
<br />
II.1.10.4.Optional technical measure - IP anonymization:<br />
In addition to the measures mentioned, website owners can use "IP anonymization"<br />
to instruct BF2 to anonymize all IP addresses immediately after collection<br />
and thus contribute to data minimization. If this is used,<br />
the full IP address is at no time written to disk, as all<br />
anonymization occurs in memory almost instantly after the request<br />
has been received by the BF2.<br />
<br />
<br />
II.1.11.The BF2 as an electronic communication service:<br />
BF2 is a provider of electronic communications services within the meaning of 50 U.S. Code<br />
§ 1881(b)(4) and as such is subject to surveillance by U.S.<br />
intelligence agencies under 50 U.S. Code § 1881a (“FISA 702”). The BF2 transmitted<br />
personal information to the US Government under U.S. Code § 1881a. Metadata and<br />
content data can be requested by the US Government.<br />
<br />
II.2. Evidence assessment:<br />
<br />
Evidence was collected through inspection of the administrative file of the bB [hereinafter referred to as "VWA"<br />
with the components ./01 - data protection complaint of the BF1 from 08/18/2020 (see point<br />
<br />
I.1), ./02 - Data protection complaint of the BF1 from August 18th, 2020 - Attachment -<br />
<br />
XXXX Analytics Terms of Use (see point I.1), ./03 – Privacy Complaint<br />
of the BF1 from 18.08.2020 - Supplement - Terms of Use for<br />
<br />
Order data processing conditions for XXXX advertising products, version 01.01.2020<br />
<br />
(see point I.1), ./04 - data protection complaint of the BF1 from August 18th, 2020 - enclosure -<br />
Terms of Use for Order Data Processing Terms for XXXX<br />
<br />
Advertising products, version 08/12/2020 (see point I.1), ./05 - data protection complaint of the BF1<br />
dated 08/18/2020 - Attachment - HAR data of the website visit (see point I.1), ./06 -<br />
<br />
Data protection complaint of the BF1 from August 18th, 2020 - Enclosure - XXXX (see point I.1), ./07 -<br />
<br />
Data protection complaint of the BF1 from August 18th, 2020 - attachment - certificate of representation (see<br />
Point I.1), ./08 - Identification of lead responsibility (see point I.2), ./09 -<br />
<br />
Decision of the BA regarding the suspension of the procedure (see point I.2), ./10 - request<br />
<br />
the bB for the statement to the MB (see point I.2), ./11 - Statement of the MB from<br />
December 16, 2020 (see point I.3), ./12 - Statement of the MB of December 16, 2020 - Enclosure -<br />
<br />
Reports from the tool (see point I.3), ./13 - Statement of the MB from 16.12.2020 -<br />
<br />
Enclosure - Information on IP anonymization (see point I.3), ./14 - Statement of<br />
MB from December 16th, 2020 - Attachment - Screenshot of the set storage period (see point I.3),<br />
<br />
<br />
./15 - Statement of the MB of 16.12.2020 - Attachment - List of server locations (see<br />
Point I.3), ./16 - Statement of the MB from 16.12.2020 - Enclosure -<br />
<br />
Order data processing conditions for XXXX advertising products, version 08/16/2020<br />
<br />
(see point I.3), ./17 - statement of the MB from 16.12.2020 - enclosure -<br />
Order data processing conditions for XXXX advertising products, version 08/12/2020<br />
<br />
(see point I.3), ./18 - statement of the MB from 16.12.2020 - enclosure -<br />
<br />
Order data processing conditions for XXXX advertising products, version 01.01.2020<br />
(see point I.3), ./19 - Statement of the MB from 16.12.2020 - Enclosure - Comparative version<br />
<br />
AVV from January 1st, 2020 vs. August 12th, 2020 (see point I.3), ./20 - Statement of the MB from<br />
<br />
12/16/2020 - Enclosure - Comparative version AVV from 08/12/2020 vs 08/16/2020 (see point I.3),<br />
./21 - Statement of the MB from 16.12.2020 - Enclosure - Screenshot of settings (see<br />
<br />
Point I.3), ./22 - Statement of the MB from 16.12.2020 - Enclosure -<br />
<br />
Standard data protection clauses (see point I.3), ./23 - Statement of the MB of 16.12.2020<br />
- Annex - Information on security measures (see point I.3), ./24 - Opinion<br />
<br />
the MB from 16.12.2020 - Enclosure - List of processing activities for XXXX<br />
<br />
Analytics (see point I.3), ./25 - Request from the bB for a statement to BF1 from<br />
December 21, 2020 (see point I.4), ./26 – Opinion of the BF1 from January 22, 2021 (see point I.4),<br />
<br />
./27 - Opinion of the BF1 from 22.01.2021 - Attachment - Third party in the cookie banner of<br />
MB (see point I.4), ./28 - Opinion of the BF1 from 22.01.2021 - Attachment - Contacts of<br />
<br />
XXXX with US server (see point I.4), ./29 - Opinion of BF1 from 01/22/2021 - Attachment<br />
<br />
- Contacts of XXXX with US server, reference to fingerprint technology (see point I.4), ./30<br />
- Request of the bB for a statement to BF2 from February 26th, 2021 (see point I.5), ./31 -<br />
<br />
Statement of the BF2 from April 9th, 2021 (see point I.5), ./32 - request of the bB to<br />
<br />
Statement to BF1 and MB of April 14, 2021 (see point I.6), ./33 - statement of<br />
MB from 05/04/2021 (see point I.7), ./34 - Statement of the BF1 from 05/05/2021 (see<br />
<br />
Point I.8), ./35 - Opinion of the BF1 from May 5th, 2021 - Enclosure - XXXX -Analytics Cookie,<br />
<br />
Use on website (see point I.8), ./36 - Opinion of BF1 from 05/05/2021 -<br />
Enclosure - How XXXX uses cookies (see point I.8), ./37 - Opinion of the BF1 from<br />
<br />
05/05/2021 - Attachment - Measurement Protocol Parameter Reference (see point I.8), ./38 -<br />
<br />
Request of the bB for a statement to BF1 from 06.05.2021 (see point I.9), ./39 -<br />
Request of the bB for a statement to BF2 from 06.05.2021 (see point I.9), ./40 -<br />
<br />
Request of the bB for a statement to the MB of May 10th, 2021 (see point I.9), ./41 - application of<br />
BF2 to extend the deadline for comments from May 12, 2021 (see point I.9), ./42<br />
<br />
– Granting of the requested extension of the deadline by the BB from May 14, 2021 (see point I.9),<br />
<br />
./43 - Opinion of BF2 from May 14th, 2021 (see point I.10), ./44 - Request of the BA<br />
on the statement to BF1 and MB of June 11, 2021 (see point I.11), ./45 - application of the BF1<br />
<br />
<br />
on extension of the deadline for comments from June 11, 2021 (see point I.11), ./46 -<br />
Request from the bB for a statement to the MB of June 16, 2021 (see point I.11), ./47 -<br />
<br />
Statement of the MB (transfer) of June 18, 2021 (see point I.12), ./48 -<br />
<br />
Statement of the MB (configuration error, deletion of data) from 06/18/2021 (see<br />
Point I.13), ./49 - Statement of the MB (configuration error, deletion of data) from<br />
<br />
06/18/2021 - Attachment - Notification of BF2 about the deletion of information (see point<br />
<br />
I.13), ./50 - Statement of the MB (configuration error, deletion of data) from<br />
06/18/2021 - Attachment - Presentation of the wrong and correct implementation of the<br />
<br />
Anonymization function (see point I.13), ./51 - Transmission of the SO's opinion<br />
<br />
(VWA ./48 to ./50) to BF1 (see point I.13), ./52 - notification from the MB of 06/24/2021 (see<br />
Item I.13), ./53 - notification from the MB of 06/24/2021 - enclosure - confirmation of deletion<br />
<br />
BF2 (see point I.13), ./54 - Statement of BF2 from 09.07.2021 (see point I.14), ./55<br />
<br />
- Opinion of the BF1 from 09.07.2021 (see point I.15), ./56 - request of the bB to<br />
Statement to BF1 from 22.07.2021 (see point I.16), ./57 - Statement from BF2 from<br />
<br />
08/12/2021 (see point I.16), ./58 - Website Evidence Collection regarding the website of the MB,<br />
<br />
./59 - Partial decision of the Federal Civil Service of December 22nd, 2021, delivered on January 12th and 13th, 2022 (see point<br />
I.17), ./60 - Complaint by the BF1 from February 7th, 2022 (see point I.20), ./61 -<br />
<br />
Statement of the bB on the complaint of the BF1 from February 15th, 2022, ./62 -<br />
Complaint by the BF2 of February 9th, 2022 (see point I.18), ./63 - Complaint<br />
<br />
the BF2 from 09.02.2022 - Enclosure - Cookies and User Identification (see point I.18), ./64 -<br />
<br />
Complaint of the BF2 from 09.02.2022 - Attachment - Linker (see point I.18), ./65 -<br />
Notice of complaint from the BF2 of 09.02.2022 - Enclosure - Report XXXX (see point I.18), ./66<br />
<br />
- Complaint of the BF2 from 09.02.2022 - Attachment - New EU-US data transfer<br />
<br />
Framework (see point I.18), ./67 – Statement by the BA on the complaint by the BF2<br />
from February 17th, 2022 (see point I.19), ./68 - Statement of the bB on the complaint of the<br />
<br />
BF2 of 02/17/2022 - Attachment - Decision of the European Data Protection Supervisor<br />
<br />
from 05.01.2022 (see point I.19), ./69 - Statement of the bB on the complaint of the<br />
BF2 from February 17th, 2022 - Attachment - Decision of the LG Munich from February 20th, 2022 (see point<br />
<br />
I.19), ./70 - Opinion of the bB on the decision of the BF2 of 17.02.2022 - Attachment<br />
<br />
– Opinion on the current status of US surveillance law (see point I.19) and ./71 –<br />
Statement of the bB on the complaint of the BF2 from February 17th, 2022 - Attachment -<br />
<br />
Key findings of the report on the current status of US surveillance law (see<br />
Point I.19)] as well as in the court act of the BVwG (file components are with ordinal number,<br />
<br />
marked "OZ" for short).<br />
<br />
II.2.1. About the procedure:<br />
<br />
<br />
The course of the proceedings set out above results from the unobjectionable and<br />
undoubted content of the submitted administrative file of the bB and the court file<br />
of the BVwG.<br />
<br />
II.2.2. To the owner of the website XXXX<br />
The findings in this regard result without a doubt from the statement by the MB<br />
<br />
from June 18, 2021 (VWA ./47).<br />
<br />
II.2.3. For the data processing that is the subject of the procedure:<br />
<br />
The findings in this regard result without a doubt from the findings of the<br />
contested decision (VWA ./59, page 18 ff), the statement of the BF1 from May 5th, 2021<br />
<br />
(VWA ./34) and the complaint by the BF2 (VWA ./62, page 6).<br />
<br />
The finding that the IP address of BF1 was transmitted to BF2 in the course of the proceedings<br />
results from the explanations of the BF1 or his representative at the<br />
complaint hearing. In this context, the VPN solution presented by the representative of BF1<br />
is comprehensible and was subsequently no longer questioned by the BF2 at the<br />
complaint hearing. In addition, the BF1 credibly worked in the home office<br />
on 14.08.2020. This follows from the credible statements of<br />
BF1 that in 2020 he mainly worked in the home office due to corona and<br />
due to the use of a high/narrow monitor (negotiation protocol from<br />
March 31, 2022, OZ 29 to W245 2252208, page 14). The pertinent findings were<br />
therefore to be made.<br />
<br />
II.2.3.1. For a summary of the information that was published on August 14th, 2020<br />
<br />
were transmitted to BF2:<br />
<br />
The pertinent findings result without a doubt from the explanations of the bB im<br />
disputed decision (VWA ./59, page 27).<br />
<br />
II.2.3.2. For information on the cookies used:<br />
<br />
The findings in this regard result without a doubt from statements by the BF1 in the<br />
<br />
administrative procedures (VWA ./05) and from the findings of the contested<br />
decision (VWA ./59, page 15).<br />
<br />
II.2.3.3. To link to the BF1's XXXX account:<br />
<br />
The findings in this regard result without a doubt from the findings of the<br />
<br />
contested decision (VWA ./59, page 18 ff) and the statement of the BF2 (VWA ./43,<br />
page 10f).<br />
<br />
In its statement of April 9th, 2021, the BF2 submitted in response to question 9 that it<br />
only receives such information if certain conditions are met,<br />
such as the activation of specific settings in the XXXX account. This was refuted by the<br />
BF1 or the bB in the proceedings with the following comprehensible argument: if<br />
a XXXX account user's wish for "personalization" of the advertising information<br />
received can be met on the basis of a declaration of intent in the account, then,<br />
from a purely technical point of view, there is the possibility of obtaining information about the website visited<br />
by the XXXX account user.<br />
<br />
Irrespective of this, numerous metadata were available to BF2 on August 14, 2020 (OZ<br />
25 to W245 2252208-1, page 3), which are transmitted when an application (e.g. XXXX account)<br />
is called up. At the time of the proceedings (08/14/2020) the BF1 also<br />
used his XXXX account. Using the metadata that were transmitted when the XXXX account<br />
was used, a link to the metadata transmitted in the course of the<br />
XXXX (via XXXX -Analytics) was possible.<br />
<br />
<br />
In addition, a link to the IP address was undoubtedly possible. The BF1 worked<br />
in the home office on 08/14/2020. In this context, the IP address was transmitted<br />
directly by BF1 to BF2 (negotiation protocol of March 31, 2022, OZ 29 to W245<br />
2252208, page 14). Since the BF1 was signed into the XXXX account at the same time as he<br />
visited the website XXXX (XXXX -Analytics), a link between these applications<br />
can easily be established via the IP address. In both applications, the<br />
IP address is transmitted for technical reasons alone. Against this background, the<br />
transmission of the IP address via the XXXX -Analytics application allows a<br />
personal reference to the XXXX account (or to the registration information of the BF1) to be<br />
established. Since the BF1 was working in the home office at that time and lives alone,<br />
only he could use the transmitted IP address.<br />
<br />
Due to the easy linkability of metadata and IP address between the<br />
individual applications (XXXX -Account and XXXX -Analytics), a<br />
personal reference (login data for XXXX) can indisputably be established.<br />
<br />
<br />
It was also found that metadata from XXXX applications (such as XXXX account)<br />
which the BF1 used on 08/14/2020 were transferred to the United States<br />
(negotiation protocol from March 31, 2022, OZ 29 to W245 2252208, page 11 f).<br />
<br />
II.2.3.4. For (non)anonymized processing of the IP address of the BF1:<br />
<br />
The pertinent findings result without a doubt from the explanations of the MB in the<br />
administrative procedures (VWA ./48)<br />
<br />
II.2.3.5. About the deleted information:<br />
<br />
<br />
The pertinent findings result beyond doubt from the explanations of the MB and<br />
the BF2 in administrative procedures (VWA ./48, ./49, ./50, ./52 and ./53).<br />
<br />
<br />
II.2.3.6. For the declaration of personal data by BF2:<br />
The relevant findings result from the explanations of the bB in the course of the<br />
file submission (VWA ./67, page 4) and from an inspection of the BF2 website (XXXX,<br />
last accessed on March 26, 2023).<br />
<br />
II.2.4. About the web analysis service XXXX -Analytics:<br />
The pertinent findings result beyond doubt from explanations of the BF2 in the<br />
<br />
administrative procedures (VWA ./31, page 4).<br />
<br />
II.2.5. About the implementation and functionality of XXXX -Analytics:<br />
<br />
The pertinent findings result beyond doubt from explanations of the BF2 in the<br />
administrative procedures (VWA ./31, page 4 f).<br />
<br />
<br />
II.2.6. To embed the program code for XXXX -Analytics on the XXXX website<br />
Associates:<br />
<br />
The relevant findings result beyond doubt from the documents of the<br />
<br />
submitted administrative act (VWA ./10, page 1 and VWA ./31, page 7 f)<br />
<br />
II.2.7. The legal basis for the use of XXXX -Analytics by the participants:<br />
The relevant findings result beyond doubt from the documents of the<br />
<br />
submitted administrative act (VWA ./31, page 6).<br />
<br />
II.2.8. For the purpose of processing by the collaborators:<br />
<br />
The relevant findings result beyond doubt from the documents of the<br />
submitted administrative act (VWA ./10, page 2, ./11, page 11, ./18, ./21, ./22 partial decision,<br />
<br />
page 15 ff).<br />
<br />
II.2.9. Regarding the measures taken by BF2 after the judgment of the European Court of Justice of<br />
<br />
07/16/2020 in Case C-311/18:<br />
The pertinent findings result beyond doubt from explanations of the BF2 in the<br />
<br />
administrative procedures (VWA ./31, page 21 f).<br />
<br />
II.2.10. Regarding the additional measures that were taken by the BF2 along with the<br />
introduction of the standard contractual clauses:<br />
<br />
The pertinent findings result beyond doubt from explanations of the BF2 in the<br />
administrative procedures (VWA ./31, page 24 ff and VWA ./43).<br />
<br />
II.2.11. The BF2 as an electronic communication service:<br />
<br />
<br />
The findings in this regard result without a doubt from the expert opinion on the<br />
current status of US surveillance law and surveillance powers as well as from<br />
the transparency report of BF2 (XXXX, last queried on 03/29/2023).<br />
<br />
II.3. Legal assessment:<br />
<br />
II.3.1. Regarding jurisdiction:<br />
<br />
According to § 6 BVwGG, the Federal Administrative Court decides through a single judge, provided that<br />
<br />
Federal or state laws do not provide for the decision to be made by senates.<br />
<br />
The contested decision is based on a decision of the bB in accordance with Article 44 GDPR.<br />
This matter is covered by Senate decisions in accordance with § 27 DSG.<br />
<br />
<br />
The procedure of the administrative courts, with the exception of the Federal Finance Court, is governed by<br />
the VwGVG, Federal Law Gazette I No. 33/2013 (§ 1 leg.cit.). According to § 58 para. 2 VwGVG,<br />
conflicting provisions that had already been promulgated at the time this<br />
federal law came into force remain in effect.<br />
<br />
According to § 17 VwGVG, unless otherwise specified in this federal law, the<br />
procedure for complaints according to Art. 130 Para. 1 B-VG is governed, mutatis mutandis, by the provisions of the AVG with the<br />
exception of §§ 1 to 5 as well as part IV, the provisions of the Federal Fiscal Code<br />
- BAO, Federal Law Gazette No. 194/1961, of the Agricultural Procedures Act - AgrVG, Federal Law Gazette No. 173/1950, and<br />
of the Service Law Procedure Act 1984 – DVG, Federal Law Gazette No. 29/1984, and otherwise by those<br />
procedural provisions in federal or state laws<br />
which the authority has applied or should have applied in the proceedings<br />
preceding the proceedings before the administrative court.<br />
<br />
According to § 28 para. 1 VwGVG, the administrative courts have to dispose of the legal matter by judgment<br />
if the complaint is not to be dismissed or the proceedings are not to be discontinued.<br />
<br />
According to para. 2 leg.cit., the administrative court has to decide on complaints according to Art. 130 para. 1 no. 1<br />
B-VG in the matter itself, if<br />
<br />
1. the relevant facts have been established or<br />
<br />
2. the determination of the relevant facts by the administrative court itself<br />
is in the interest of speed or associated with significant cost savings.<br />
<br />
As stated above, the relevant facts of the matter are established<br />
on the basis of the records. The Federal Administrative Court therefore has to decide<br />
in the matter itself.<br />
<br />
II.3.2. Regarding the legal situation in the present complaints procedure:<br />
Art. 4 Z. 1 GDPR – Definitions – reads:<br />
<br />
For the purposes of this Regulation, the term means:<br />
1. "personal data" any information relating to an identified or identifiable natural person<br />
(hereinafter "data subject"); a natural person is considered identifiable<br />
if they can be identified, directly or indirectly, in particular by means of assignment to an<br />
identifier such as a name, an identification number, location data, an online<br />
identifier or one or more special characteristics expressing the<br />
physical, physiological, genetic, psychological, economic, cultural or<br />
social identity of that natural person;<br />
<br />
Art. 44 GDPR – general principles of data transmission – reads:<br />
Any transfer of personal data that is already being processed or is to be<br />
processed after its transfer to a third country or an international organization<br />
is only permitted if the controller and the processor<br />
comply with the conditions laid down in this chapter and the other provisions of this<br />
regulation are also complied with; this also applies to any onward transfer of<br />
personal data from the relevant third country or the relevant<br />
international organization to another third country or another international<br />
organization. All provisions of this chapter shall be applied to ensure that<br />
the level of protection for natural persons guaranteed by this regulation<br />
is not undermined.<br />
<br />
Art. 45 GDPR – Data transfer based on an adequacy decision –<br />
reads in part:<br />
<br />
(1) A transfer of personal data to a third country or an international<br />
organization may be undertaken if the Commission has decided that the<br />
third country concerned, a territory or one or more specific sectors within that<br />
third country, or the international organization concerned offers an adequate level of protection.<br />
Such data transmission does not require any special approval.<br />
(2) When examining the adequacy of the level of protection offered, the<br />
Commission shall take into account the following in particular:<br />
<br />
a) the rule of law, respect for human rights and fundamental freedoms, the<br />
relevant legislation in force in the country or international organization concerned,<br />
both general and sectoral<br />
– also in relation to public safety, defence, national security and<br />
criminal law and access by authorities to personal data – as well as the<br />
application of this legislation, data protection regulations, professional rules and<br />
security rules, including rules for the onward transfer of<br />
personal data to another third country or another international<br />
organization, case law, and effective and enforceable rights of the<br />
data subject and effective administrative and judicial<br />
remedies for data subjects whose personal data is transferred,<br />
<br />
b) the existence and effective functioning of one or more independent<br />
supervisory authorities in the third country concerned or to which an international<br />
organization is subject, and which are responsible for compliance with and enforcement of<br />
data protection rules, including appropriate enforcement powers, for<br />
the support and advice of the persons concerned in the exercise of their<br />
rights and for cooperation with the supervisory authorities of the Member States,<br />
and<br />
<br />
c) the international commitments entered into by the third country concerned or the<br />
international organization concerned, or other<br />
obligations arising from legally binding agreements or instruments<br />
as well as from the participation of the third country or the international organization in<br />
multilateral or regional systems, particularly in relation to the protection<br />
of personal data.<br />
(3) After assessing the adequacy of the level of protection, the Commission may<br />
decide by way of an implementing act that a third country, a territory or one<br />
or several specific sectors in a third country, or an international organization,<br />
provide an adequate level of protection as referred to in paragraph 2 of this article.<br />
<br />
The implementing act shall provide for a mechanism for a periodic review,<br />
which takes place at least every four years and in which all relevant<br />
developments in the third country or in the international organization<br />
are taken into account. The implementing act shall specify the territorial and the sectoral<br />
scope of application and, where applicable, the supervisory authority or supervisory authorities<br />
referred to in paragraph 2 letter b of the present article. The<br />
implementing act shall be adopted in accordance with the examination procedure referred to in Article 93(2).<br />
<br />
Art. 46 GDPR – data transmission subject to suitable guarantees – reads<br />
<br />
excerpts:<br />
<br />
(1) If there is no decision pursuant to Article 45 paragraph 3, a controller or a<br />
processor may only transfer personal data to a third country or an international<br />
organization if the controller or the processor<br />
has provided appropriate safeguards and provided that enforceable<br />
rights and effective remedies are available to the data subjects.<br />
<br />
(2) The appropriate guarantees mentioned in paragraph 1 can, without a special<br />
approval of a supervisory authority being required, consist of<br />
a) a legally binding and enforceable document between the authorities or<br />
public bodies,<br />
b) Binding Corporate Rules pursuant to Article 47,<br />
<br />
c) standard data protection clauses issued by the Commission in accordance with the examination procedure pursuant to<br />
Article 93 paragraph 2,<br />
d) standard data protection clauses adopted by a supervisory authority that<br />
have been approved by the Commission in accordance with the examination procedure set out in Article 93(2),<br />
<br />
e) approved codes of conduct pursuant to Article 40 together with legally binding<br />
and enforceable obligations of the controller or the<br />
processor in the third country to apply the appropriate guarantees,<br />
including in relation to the rights of data subjects, or<br />
<br />
f) an approved certification mechanism in accordance with Article 42 together with<br />
legally binding and enforceable obligations of the controller or<br />
of the processor in the third country to apply the appropriate safeguards,<br />
including in relation to the rights of data subjects.<br />
<br />
Art. 7 Charter of Fundamental Rights of the European Union - Respect for private and family life – reads:<br />
<br />
Everyone has the right to respect for their private and family life, their home and their communication.<br />
<br />
Art. 8 Charter of Fundamental Rights of the European Union - Protection of personal data - reads:<br />
<br />
Every person has the right to protection of their personal data. This data may only be processed in good faith for specified purposes and with the consent of the data subject or on another legitimate basis regulated by law. Every person has the right to obtain information about the data collected about them and to obtain rectification of the data. Compliance with these rules is monitored by an independent body.<br />
<br />
Art. 47 Charter of Fundamental Rights of the European Union – Right to an effective remedy and an impartial court – reads:<br />
<br />
Any person whose rights or freedoms guaranteed by Union law are violated has the right, subject to the conditions provided for in this article, to seek an effective remedy before a court. Every person has the right to have their case heard by an independent, impartial court previously established by law, in a fair trial, publicly and within a reasonable time. Any person can be advised, defended and represented. Persons who do not have sufficient funds will be granted legal aid to the extent that this aid is necessary to ensure effective access to justice.<br />
<br />
<br />
Recital 26 of the GDPR - No application to anonymized data - reads:<br />
<br />
Principles of data protection should apply to all information relating to an identified or identifiable natural person. Personal data subjected to pseudonymization, which could be attributed to a natural person by using additional information, should be considered information about an identifiable natural person. To determine whether a natural person is identifiable, all means should be taken into account that are reasonably likely to be used by the controller or another person to identify the natural person directly or indirectly, such as, for example, singling out. In determining whether means are reasonably likely to be used to identify the natural person, all objective factors, such as the cost of identification and the time required for it, should be taken into account, having regard to the technology available at the time of processing and technological developments. The principles of data protection should therefore not apply to anonymous information, i.e. information which does not relate to an identified or identifiable natural person, or personal data that has been anonymized in such a way that the data subject cannot or can no longer be identified. This regulation therefore does not apply to the processing of such anonymous data, including for statistical or research purposes.<br />
<br />
GDPR Recital 30 – Online Identifiers for Profiling and Identification – reads:<br />
<br />
Natural persons may be assigned online identifiers such as IP addresses and cookie identifiers, which their devices or software applications and tools or protocols provide, or other identifiers such as radio frequency identifiers. This can leave traces which, especially in combination with unique identifiers and other information received by the server, can be used to create profiles of the natural persons and to identify them.<br />
<br />
II.3.3. Regarding the scope of Art. 44 ff GDPR:<br />
<br />
If the following three requirements are met, there is a transfer and Chapter V (Art. 44 ff) GDPR is applicable (Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR, version 2.0, adopted on 02/14/2023):<br />
<br />
1) A controller or processor ("exporter") is subject to the GDPR for the respective processing.<br />
<br />
2) The exporter transmits personal data that are the subject of this processing to another controller, a joint controller or a processor ("importer"), or makes them available in other ways.<br />
<br />
3) The importer is located in a third country, regardless of whether this importer is subject to the GDPR for the respective processing pursuant to Article 3 of the GDPR, or is an international organization.<br />
<br />
Art. 8 para. 1 EU-GRC results in an obligation to perpetuate the level of protection under EU law (ECJ 06.10.2015, C-362/14 (Schrems), para. 72). The provisions at issue regulate the conditions that allow a controller or processor (exporter) to transfer personal data to a third country. The term transmission, which is not legally defined, is to be understood within the scope of Art. 44 ff in terms of its protective purpose. It therefore includes any disclosure of personal data to a place outside the territory of the European Union or to an international organization (Kühling/Buchner, DSGVO BDSG, Art. 44, Rn 16; Jahnel, Commentary on the General Data Protection Regulation Art. 44 GDPR (as of December 1st, 2020, rdb.at), para. 18). From Art. 44 GDPR it follows that the importer (recipient in the third country) is not covered by the scope of the provision because it does not carry out the transmission of data. The term "transmission" describes an action of the data exporter, but not an action of the data importer. Furthermore, Art. 46 para. 1 GDPR provides that a controller or a processor may only transfer personal data to a third country or an international organization if the controller or the processor has provided appropriate guarantees and if enforceable rights and effective remedies are available to data subjects. As a result, the clear wording of Art. 44 et seq. contains no requirements for data importers (as also correctly stated by the BF2, VWA ./43, page 19). Based on the case law of the European Court of Justice, the data exporter bears the responsibility for examining the permissibility of the specific transmission. He must check at any time whether the data is protected in the third country (Kühling/Buchner, DSGVO BDSG, Art. 44, para. 16 with reference to ECJ July 16, 2020, C-311/18 (Schrems II)). Overall, no subjective public rights/duties of a data importer can be derived from Chapter V GDPR.<br />
<br />
This must be distinguished from the contractual obligations of a data importer, for example that he must inform the data exporter immediately if the law applicable to him no longer allows him to store and process the data in accordance with the specific contractual clauses (Commission decision of 05.02.2010 on standard contractual clauses for the transmission of personal data to processors in third countries according to Directive 95/46/EG of the European Parliament and of the Council (2010/87/EU), Clause 5 - Obligations of the data importer). However, these are not the subject of administrative/judicial proceedings.<br />
<br />
<br />
II.3.4. On Art. 44 GDPR as a subjective right:<br />
The BF2 repeatedly stated in the proceedings that a violation of Art. 44 ff GDPR was not a permissible object of a complaint according to Art. 77 GDPR (VWA ./54, page 6, VWA ./62, page 36). This view cannot be followed for the following reasons:<br />
<br />
§ 24 DSG grants the person whose basic personal right has been violated the opportunity to have the violation of rights committed against them determined. The declaratory statement here concerns the legal position of a specific person whose rights have been violated and, as a matter of doctrine, the scope of its legal force is limited to this infringement. Based on this determination, the data subject should be able to pursue further individual claims - such as claims for damages (VwGH 14.12.2021, Ro 2020/04/0032).<br />
<br />
A dependency to the effect that the data protection authority may only establish an infringement if the data subject claims a data subject right (Article 12 ff GDPR) cannot be derived from § 24 DSG. In connection with Art. 77 GDPR, the data protection authority is obliged to make a decision if the data subject believes that the processing of personal data concerning them violates this regulation. Contrary to the view of BF2 (e.g. VWA ./43, page 17), however, no restriction to data subject rights according to Art. 12 ff GDPR can be inferred from Art. 77 GDPR. A data subject can base an infringement on any provision of the GDPR, if the GDPR-violating processing of personal data also leads to a violation of the legal position of the person concerned (as does the prevailing doctrine: Jahnel, Commentary on the General Data Protection Regulation Art. 77 GDPR (as of December 1, 2020, rdb.at), para. 11; Bergt in Kühling/Buchner, DSGVO BDSG, Art. 77, para. 10; Körffer in Paal/Pauly, General Data Protection Regulation · Federal Data Protection Act, Art. 77; Moos/Schefzig in Taeger/Gabel, DSGVO BDSG TTDSG, Art. 77, para. 9; Boehm in Simitis | Hornung | Spiecker, data protection law, Art. 77, Rn 6).<br />
<br />
In implementation of Art. 77 GDPR, the right to lodge a complaint with a supervisory authority and the principles of the procedure before the supervisory authority are regulated (1761 BlgNR 25. GP 15). From the materials it is clearly recognizable that § 24 DSG specifies the right of a data subject to complain to a supervisory authority in accordance with Art. 77 GDPR. It cannot be inferred from the materials that Section 24 DSG restricts the scope of a data subject's right to lodge a complaint.<br />
<br />
<br />
In accordance with Section 24 (1) DSG, every data subject has the right to lodge a complaint with the Data Protection Authority when they consider that the processing of personal data concerning them violates - among other things - § 1 DSG, which also protects the right to secrecy. According to § 24 para. 2 Z 5 DSG, the complaint must contain the request to establish the alleged infringement. Insofar as the complaint proves to be justified, it must be upheld according to Section 24 (5) first sentence DSG. Accordingly, in the event of a violation of data protection law, the law explicitly provides for an application for a determination as part of the complaint, which pursuant to Section 24 (5) DSG must be upheld if it proves to be justified (VwGH 19.10.2022, Ro 2022/04/0001).<br />
<br />
<br />
Therefore, if a person considers that the processing of personal data concerning them leads to a violation of their rights, they have, according to § 24 DSG, a right expressly provided for in law to have this determined. In this context, it should be noted that not only a finding of an infringement of § 1 DSG (right to secrecy) is possible. With the expression "among other things" the Administrative Court clearly indicates that not only violations of rights based on § 1 DSG (right to secrecy) can be determined. Nor does § 24 para. 2 DSG contain any restriction to the effect that a data subject could only request a declaration of a violation of the right to secrecy.<br />
<br />
In the case at issue, the BF1 asserted a violation of rights pursuant to Section 24 (2) DSG to the effect that the processing of his personal data violates the GDPR (Article 77 GDPR). Specifically, the BF1 requested a determination as to whether there was a violation of the general principles of data transmission in accordance with Art. 44 GDPR.<br />
<br />
Without a doubt, every person whose personal data is processed by others has the subjective right that the processing of their personal data takes place in accordance with the GDPR. According to the jurisprudence of the European Court of Justice, any processing of personal data must, on the one hand, be in line with the principles set out in Art. 5 of the GDPR for the processing of data and, on the other hand, comply with one of the principles listed in Art. 6 of the GDPR relating to the lawfulness of the processing (ECJ 22.06.2021, C-439/19 (Latvijas Republikas Saeima), para. 96). To the extent that a data subject believes that the processing of personal data does not comply with the GDPR, an individual complaint according to § 24 DSG is admissible in that respect.<br />
<br />
It is particularly important to emphasize in the case at issue that the European Court of Justice (ECJ July 16, 2020, C-311/18 (Schrems II), para. 158) assumed that the finding that "[…] the law and practice of a country does not ensure an adequate level of protection [...]" and "[...] the compatibility of this (adequacy) decision with the protection of privacy and the freedoms and fundamental rights of individuals […]" can be asserted as a subjective right as part of a complaint under Art. 77 (1) GDPR. In this context, the DA correctly stated that the question referred in the mentioned procedure did not have the "extent of the right of appeal of Art. 77 Para. 1 DSGVO" as its subject; the ECJ, however, evidently considered the fact that a violation of provisions of Chapter V DSGVO can also be invoked in the context of a complaint according to Art. 77 Para. 1 DSGVO to be a necessary condition. Had it taken a different view, the ECJ would have said that the question of the validity of an adequacy decision was not to be clarified at all in the context of a complaints procedure (VWA ./59, page 23 f).<br />
<br />
Overall, the bB is authorized to determine a violation of law according to Art. 44 ff DSGVO.<br />
<br />
II.3.5. About the distribution of roles:<br />
<br />
At the time relevant to the proceedings, the MB, as the website owner, made the decision to implement the "XXXX -Analytics" tool on the XXXX website. Specifically, it inserted a JavaScript code ("tag") provided by BF2 into the source code of its website, which means that this JavaScript code was executed in the browser of the BF1 when he visited the website. The MB used said tool for the purpose of statistical evaluations of the behavior of website visitors. Since the MB decided on the purposes and means of the data processing related to the tool, it is to be regarded as the controller within the meaning of Art. 4 Z 7 DSGVO.<br />
<br />
In the case at issue, it should be noted that the subject matter of the complaint relates only to the data transfer to BF2 (United States). In connection with the data transmission with the tool XXXX -Analytics, it should be noted that the BF2 only makes the tool available and has no influence on whether the MB makes use of the tool functions at all or to what extent, and which specific settings it chooses. Insofar as BF2 only provides XXXX -Analytics (as a service), it has no influence on the "purposes and means" of data processing and is therefore, in the case at hand, to be qualified as a processor within the meaning of Art. 4 Z 8 DSGVO.<br />
<br />
II.3.6. Regarding point A.I) - rejection of the complaint by the BF2:<br />
<br />
II.3.6.1. On the right of BF2 to lodge a complaint:<br />
With the findings in ruling point 2 of the decision that is the subject of the proceedings, it was clarified whether there is a violation of the general principles of data transmission according to Art. 44 DSGVO by the MB. Ruling point 2 is, according to § 59 paragraph 1 AVG, separable from the remaining ruling points because, standing alone without an inner connection with other parts of the procedure, it is accessible to a separate objection (cf. e.g. VwGH September 12, 2018, Ra 2015/08/0032). The bB correctly stated that the possible violation of Art. 5 ff in conjunction with Art. 38 Para. 3 lit. a and Art. 29 GDPR by the BF2 has no connection with the requirements of Art. 44 GDPR (VWA ./67, page 14).<br />
<br />
<br />
The question of who has party status in a specific administrative procedure cannot be resolved on the basis of the AVG alone. Rather, party status must be derived from the substantive regulations. On the basis of substantive administrative law, it must be assessed according to the subject of the relevant administrative procedure and the content of the applicable administrative regulations. The constituent element of party status in administrative matters is determined according to the normative content of the regulations to be applied in the specific case. The terms "legal claim" and "legal interest" only acquire a specific content through the applicable administrative regulation, according to which alone the question of party status can be answered (VwGH April 19, 2022, Ra 2021/02/0251). Against this background, party status in the administrative court proceedings cannot be justified by the fact that the results of the proceedings may affect other procedures; rather, party status (or legal interests) is derived from the relevant administrative regulation that is the subject of the administrative procedure.<br />
<br />
As explained under point II.3.3, Art. 44 GDPR regulates the admissibility of a data transfer to a third country. Based on the case law of the European Court of Justice, the data exporter (the MB) is responsible for checking the admissibility of the specific transmission. He must check at any time whether the data are protected in the third country. Against this background, it is clear that the regulations in Chapter V GDPR without exception have subjective public rights/duties of the data exporter (thus the MB) as their subject. In contrast, subjective public rights/duties for the data importer in a third country cannot be derived from Chapter V GDPR. This is also evident from the fact that, for the assessment of the legal question as to whether a data exporter has violated obligations under Chapter V GDPR, the data importer does not in principle have to participate in the procedure. If, for example, a data importer is not reachable at all for a supervisory authority, this circumstance does not prevent the supervisory authority from determining a violation of law by the data exporter in accordance with Chapter V GDPR. The BF2 therefore had no party status in the procedure of the bB (VWA ./59, Point 2) in connection with the assessment of the legal question of whether the data exporter (i.e. the MB) violated obligations under Chapter V GDPR.<br />
<br />
In ruling point 3 of the decision at issue, the BF2 was a party to the procedure because the bB clarified the legal question as to whether the BF2 violated obligations under Art. 44 GDPR. However, since Art. 44 or Chapter V GDPR does not provide for any public-law obligations for a data importer in a third country, the BA rejected BF1's request to that effect. The BA thereby confirmed the legal view of the BF2 (see point II.3.3 above).<br />
<br />
As explained, the BF2 did not have party status in the procedure of the DA in connection with ruling point 2. However, party status in administrative proceedings is an essential prerequisite for filing a complaint against a decision with the administrative court. Party status in administrative proceedings and authority to lodge complaints are directly related according to the domestic legal situation (VwGH 05.04.2022, Ra 2022/03/0073). Since the BF2 was not accorded party status in the administrative procedure regarding ruling point 2 of the decision at issue in the proceedings, its complaint in that respect was to be dismissed.<br />
<br />
Furthermore, it is pointed out that an assessment of a preliminary question in decisions generally has no binding effect for other authorities (or even the same authority in other procedures) for whose decision the same question, or a question comparable in content (although not to be qualified as a preliminary question in the legal sense), is relevant (VwGH 01/20/2016, Ro 2014/04/0045). In addition, the main question of the partial decision that is the subject of the proceedings is the decision on a violation of Art. 44 GDPR, i.e. the question of whether the data transfer in question to a third country was legally permissible. The main question, however, does not include individual statements on individual elements of Art. 44 ff GDPR that are explained in ruling point 2.<br />
<br />
It should also be noted that actions of BF2 as a processor for the MB are attributable to the MB (Art. 28 GDPR) and ultimately lead to an infringement of rights by the MB. In this context it is pointed out that the MB did not appeal against the decision of the DA.<br />
<br />
II.3.6.2. On the lack of infringement of subjective rights of BF2:<br />
<br />
Regardless of the lack of party status (see point II.3.6.1), contrary to the explanations of BF2 (VWA ./62, page 8), there is in principle also no violation of subjective rights in this case. This is due to the following considerations:<br />
<br />
II.3.6.2.1. For the processing of personal data:<br />
<br />
According to Art. 2 Para. 1 GDPR, personal data are the starting point for the material applicability of the GDPR. In this regard, the European Court of Justice has repeatedly stated that the scope of the GDPR should be understood very broadly (ECJ 06/22/2021, C-439/19 (Latvijas Republikas Saeima), para. 61; 12/20/2017, C-434/16 (Peter Nowak), marginal note 59). This basic understanding is to be taken as the basis for the further explanations. Against this background, the view of the BA is to be followed that an interference with the fundamental right to data protection according to Art. 8 EU-GRC and § 1 DSG already exists if certain measures are taken (e.g. assignment of identification numbers) to individualize website visitors.<br />
<br />
<br />
In the present case, BF2's own explanations and behavior indicate that the information that is the subject of the proceedings (see point II.1.3.1) represents personal data. The BF2 itself explains that, within the framework of the order processing service "XXXX Analytics", the data "Online identifiers (including cookie identifiers), internet protocol addresses and device identifiers and identifiers assigned by the customer" can be personal data. In addition, the BF took several measures after the judgment of the European Court of Justice of July 16, 2020 in Case C-311/18 to enable a legally compliant transfer of personal data to the United States (see point II.1.9). These explanations and this behavior contradict the less convincing explanations of the MB or the BF2 that the change of the order data processing conditions (DTPS) from August 12th, 2020, including the Standard Contractual Clauses (SCCs), was only made for proactive reasons.<br />
<br />
In principle, it should be noted that no direct personal reference can be inferred from the information transmitted on August 14th, 2020 (see point II.1.3 and II.1.3.1). Online identifiers (IP address, cookies, etc.) regularly do not identify a person on their own, since they directly reveal neither the identity of the natural person who owns the end device (computer) from which a website was accessed, nor the identity of another person who could use this computer (ECJ October 19, 2016, C-582/14 (Breyer), para. 38). However, depending on the circumstances, identifiability is possible.<br />
<br />
A piece of information makes a natural person identifiable if identification (i.e. recognition) is not directly possible through it alone, but a corresponding identification can be made by linking it to further information. According to Art. 4 Z 1 DSGVO, a natural person is regarded as identifiable if they can be identified directly or indirectly, in particular by means of assignment to an identifier such as a name, identification number, location data, online identifier, or one or more special characteristics that express the physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person. However, knowing the name of the natural person is not absolutely necessary for identifiability (Art.-29-Data Protection Working Party, WP 136, page 16 f).<br />
<br />
To determine whether a natural person is identifiable, all means are to be taken into account that are reasonably likely to be used by the controller or another person to identify the natural person directly or indirectly (recital 26, 3rd sentence). However, the purely hypothetical possibility of identifying the person is not sufficient for the person to be considered identifiable. It is, however, also not necessary for the controller to actually initiate efforts or already have the appropriate means to bring about identification; rather, the probability that he will initiate them or acquire corresponding means is sufficient. For the assessment of the question of identifiability, it is therefore not important whether a controller has actually attempted identification. It is sufficient that the use of a means is likely from a point of view to be judged purely in the abstract.<br />
<br />
In determining whether means are reasonably likely to be used to identify the natural person, all objective factors, such as the cost of identification and the time required for it, must be taken into account in the context of a risk analysis or forecast (according to recital 26, 4th sentence), having regard to the technology available at the time of processing and technological development. According to the case law of the European Court of Justice, a factual risk of establishing a personal reference is required for this (ECJ 19.10.2016, C-582/14 (Breyer), para. 38). To determine whether such a risk exists, it must - in addition to the factors expressly mentioned in ErwG 26, 3rd sentence – also be considered whether the purpose of processing requires identification, whether identification leads to an increase in benefit, and whether contractual and/or organizational obstacles (e.g. contractual penalties) stand in the way of identification (Taeger/Gabel, GDPR BDSG TTDSG, Art. 4, 31). In the present case, an increase in benefit can be assumed because, e.g., the online identifiers used (IP address, cookies) allow website visitors to be distinguished. Also, in the context of big data applications, the threshold for assuming a personal reference is low (Kühling/Buchner, DSGVO BDSG, Art. 4 No. 1, Rn 22). If, for example, a company stores information about people in two different databases (which, viewed in isolation, do not enable clear assignment to a person), and if merging them would lead to identification and would be possible with a reasonable amount of time and money considering the data analysis tools typically available on the market, the identifiability of the not (yet) merged databases would have to be affirmed (Taeger/Gabel, GDPR BDSG TTDSG, Art. 4, Rn 31).<br />
<br />
Already a "digital footprint" that allows devices - and subsequently the specific user - to be clearly individualized represents personal data (cf. Karg in Simitis/Hornung/Spiecker, data protection law, Art. 4 Z 1, Rn 52 with further references). With fingerprinting (RFC 6973), an observer can identify a device or application instance with sufficient probability on the basis of several information elements (online identifiers, IP address, browser information, etc.).<br />
<br />
In addition, the argumentation of the bB is to be followed that the implementation of XXXX-Analytics on XXXX results in singling out within the meaning of ErwG 26. In other words: whoever uses a tool that makes such singling out possible in the first place cannot take the position of not using any means to make natural persons identifiable. It can be assumed that without using the information at issue in the proceedings (see point II.1.3.1) the BF2 would not be able to offer a usable measurement service (see point II.1.4), because, for example, without cookies the BF2 would not be able to perform traceable measurements of website visits.<br />
<br />
Due to the circumstances at hand (big data, benefit increases, the purpose and the<br />
functionality of the web analytics service XXXX-Analytics, and fingerprinting), a<br />
factual risk is to be assumed that the BF2, as the processor of the MB,<br />
uses means that are reasonably likely to identify the individual.<br />
<br />
With the information transmitted to the BF2 (see point II.2.3 or II.2.3.1), a<br />
"digital footprint" of the BF1 was generated, which allows the BF2, as the processor of the MB,<br />
to identify the BF1.<br />
<br />
<br />
With regard to online identifiers, it should be noted that the cookies in question,<br />
"_ga" or "cid" (client ID) and "_gid" (user ID), contained unique XXXX-Analytics identifiers<br />
and were stored on the end device or in the browser of the BF1. With these<br />
identifiers, it is sometimes possible for the BF2 to distinguish website visitors and also to<br />
receive the information whether a visitor to the XXXX website is new or returning.<br />
Without these identification numbers, a distinction between<br />
website visitors is therefore not possible. In this context, the European<br />
Data Protection Supervisor considers that all records containing identifiers<br />
with which users can be singled out are considered personal data under the regulation (meaning<br />
Regulation (EU) 2018/1725) and must be treated and<br />
protected as such (VWA ./68).<br />
<br />
<br />
With regard to the IP address, it should be noted that the "anonymization function" of the IP<br />
address was not correctly implemented at the time of data transmission to the BF2<br />
and the IP address was therefore stored in full by the BF2. In this context, it should be<br />
noted that the general storage of IP addresses constitutes a serious interference with the<br />
fundamental rights enshrined in Articles 7 and 8 of the Charter, since IP addresses make it<br />
possible to draw precise conclusions about the private life of the user of the electronic<br />
means of communication concerned. This can have a deterrent effect on the<br />
exercise of the freedom of expression guaranteed in Article 11 of the Charter (ECJ<br />
20.09.2022 in joined cases C-793/19 and C-794/19 (SpaceNet AG/Telekom<br />
Germany GmbH), para. 100). It also does not matter to whom the IP address actually belongs:<br />
the decisive factor is whether the IP address can be used to draw conclusions about the data subject<br />
(user). Therefore, the statements of BF2 have no<br />
justificatory value insofar as it considers that the IP address used<br />
possibly belongs to BF1's employer. Regardless, the proceedings<br />
revealed that the IP address of BF1 was transmitted directly to BF2.<br />
<br />
The combination of the transmitted information alone (see point II.1.3.1) - online<br />
identifiers, IP address, browser information, operating system, screen resolution,<br />
language selection, etc. - is enough to generate a "digital footprint" that allows<br />
the end device, and subsequently the specific user, to be clearly individualized.<br />
Irrespective of this, in the present case it is possible for BF2, as the processor,<br />
to trace the data back to the BF1:<br />
<br />
The BF1 was logged in to his XXXX account at the time he visited the website XXXX.<br />
The BF2 explained that it receives information due to the fact that the tool XXXX-<br />
Analytics is implemented on a website. This includes the<br />
information that a specific XXXX account user visited a specific website<br />
(VWA ./31, Question 9). In this context, BF2 explained that this is only possible when<br />
specific settings in the XXXX account are activated (activation of<br />
"Personalized Advertising" and "Web and App Activity" by the XXXX account<br />
user and activation of XXXX signals on the target website). On this point, the bB<br />
comprehensibly stated that the identifiability of a website visitor cannot<br />
depend on whether certain declarations of intent are made in the XXXX account, since<br />
from a technical point of view, all possibilities for identification would still be available.<br />
Otherwise, the BF2 could not meet the<br />
user's wish for personalization of the received advertising information.<br />
In this regard, it must be taken into account that Art. 4 Z 1 GDPR refers to "can"<br />
("can be identified") and not to whether an identification is ultimately also<br />
made.<br />
<br />
Regardless of this, it should be noted that certain settings in a XXXX account,<br />
or the activation of XXXX signals on a website, merely adapt XXXX applications to the<br />
personal needs of their users. The adjustments made<br />
by the users do not allow any conclusions about the processing by the BF2 of the<br />
meta information that is transmitted to BF2 in the course of calling up an application (XXXX-<br />
Analytics, XXXX account, XXXX, etc.). In the proceedings, a<br />
connection of meta information and IP address between XXXX<br />
account and XXXX-Analytics emerged in this context, which enabled an undisputed<br />
personal reference.<br />
<br />
Regardless of the BF2, there is a real risk that US authorities will<br />
use means that are reasonably likely to be used to identify the BF1. In this<br />
context, the BF1 comprehensibly explained that US intelligence services use online<br />
identifiers (IP address or unique identifiers) as a starting point for the<br />
surveillance of individuals. Thus, in particular, it cannot be ruled out<br />
that these intelligence services have already collected information with the<br />
help of which the data transmitted here can be traced back to the person of BF1. Thus, the<br />
BF2 discloses metadata and content data in response to data requests. That this is<br />
not merely a "theoretical danger" is shown by the judgment of the<br />
European Court of Justice of July 16th, 2020, C-311/18 (Schrems II), in which, due to the<br />
incompatibility of such methods and access possibilities of the US authorities with the<br />
fundamental right to data protection according to Art. 8 EU-GRC, the EU-US<br />
adequacy decision ("Privacy Shield") was ultimately also declared invalid. In this<br />
context, neither the BF1 nor the MB have the opportunity to verify whether US<br />
authorities have already received personal data, or whether US authorities<br />
already have personal data from BF1. This circumstance cannot be held against affected<br />
persons like the BF1. Ultimately, it was the MB and also<br />
the BF2 that continued to use the XXXX-Analytics tool despite the publication of the<br />
above-mentioned judgment of the European Court of Justice of July 16, 2020. Finally, the<br />
reasoning of the bB is also to be followed that the MB is accountable (Art. 5 para.<br />
2 in conjunction with Article 24 (1) in conjunction with Article 28 (1) GDPR) for processing having taken place<br />
in accordance with the regulation. In this context, the MB or its processor (BF2) identified<br />
in the proceedings no organizational or technical measures which are suitable for<br />
preventing the methods and access possibilities of the US authorities, so that no<br />
violation of the fundamental right to data protection according to Art. 8 EU-GRC occurs.<br />
<br />
As a result, the transmitted information (see point II.1.3 or II.1.3.1) constitutes, in any case<br />
in combination, personal data in accordance with Art. 4 Z 1 GDPR.<br />
<br />
II.3.6.2.2. On the lack of an appropriate level of protection in accordance with Art. 44 GDPR:<br />
<br />
As the basic provision for international data transfers, Art. 44 GDPR provides for a<br />
two-stage admissibility check. The first requirement for data to be transmitted to a<br />
third country at all is that the other provisions<br />
of the GDPR (such as Art. 5 f, Art. 13 f GDPR) are complied with. At the second<br />
stage, it must be checked whether one of the requirements of Art. 45 - 49 GDPR is met. The first<br />
ground of admissibility to be considered, under Art. 45 GDPR, is present if the<br />
Commission has determined in an adequacy decision for the third country concerned<br />
that it offers an adequate level of protection. If there is such an<br />
adequacy decision, no approval is required for data transfer to<br />
the respective third country. If there is no adequacy decision, it must be checked further whether the<br />
requirements according to Art. 46, 47 or 49 GDPR are met.<br />
<br />
After the European Court of Justice declared the "EU-US Privacy Shield" invalid with the decision of<br />
16.07.2020, C-311/18 (Schrems II), the data transmission at issue in the proceedings<br />
on August 14, 2020 (see point II.1.3 or II.1.3.1) can no longer be justified on the basis of an<br />
adequacy decision. The decision of the<br />
European Court of Justice clarified that the United States is to be regarded as a<br />
"third country" until further notice and that there is currently no privilege under<br />
Art. 45 GDPR for the transmission of personal data.<br />
<br />
Since there is no adequacy decision according to Art. 45 Para. 3 GDPR, Art. 46<br />
GDPR provides for further grounds of admissibility ("suitable guarantees"). If one of the<br />
guarantees listed in Art. 46 Para. 2 GDPR is present, international data traffic is<br />
allowed without approval. The guarantees of Art. 3 GDPR are subject to<br />
approval by the competent supervisory authority. If none of the provisions in Art. 46 Para. 2 and<br />
Para. 3 GDPR is met, it must be checked further whether one of the<br />
exceptions for a permissible third-country transfer according to Art. 49 GDPR is fulfilled.<br />
<br />
In the case at issue, the MB based the transfer on standard data protection clauses<br />
in accordance with Article 46 (2) (c) GDPR. The MB did not base the transfer of the data<br />
at issue in the proceedings on further "suitable guarantees" according to Art. 46 GDPR.<br />
<br />
Therefore, the admissibility of the data transmission is examined according to Art. 46 Para. 2 lit. c<br />
GDPR.<br />
<br />
<br />
II.3.6.2.2.1. For data transfer based on standard data protection clauses in accordance with<br />
Article 46 (2) (c) GDPR:<br />
<br />
On August 12, 2020, the MB and the BF2 concluded standard data protection clauses<br />
in accordance with Article 46 (2) (c) GDPR for the transfer of personal data to the<br />
United States ("XXXX Ads Data Processing Terms: Model Contract<br />
Clauses, Standard Contractual Clauses for Processors"). Specifically, at the time<br />
relevant to the complaint, these were the clauses in the version of the<br />
Implementing Decision of the European Commission 2010/87/EU of February 5, 2010<br />
on standard contractual clauses for the transfer of personal data to<br />
processors in third countries under Directive 95/46/EC of the European Parliament<br />
and of the Council, OJ L 2010/39, p.<br />
<br />
When personal data are transferred to a third country on the basis of<br />
standard data protection clauses, enforceable rights and effective remedies must<br />
ensure that the data subjects enjoy a level of protection essentially equivalent to<br />
that guaranteed in the Union by the GDPR in the light of the Charter. In this<br />
connection, account must be taken in particular of the contractual provisions agreed<br />
between the controller based in the Union and the recipient of the transfer<br />
established in the third country concerned and, as regards any<br />
access by the authorities of this third country to the transmitted personal data,<br />
of the relevant elements of the legal system of that country, in particular those listed in<br />
Article 45 (2) of the GDPR (ECJ July 16, 2020, C-311/18 (Schrems II), Rn<br />
105). The competent supervisory authority is obliged to suspend or prohibit a transfer of<br />
personal data to a third country based on standard data protection clauses<br />
if that authority considers, in light of all the circumstances of this transfer,<br />
that the clauses are not or cannot be respected in this third country<br />
and that the protection of the transmitted data required by Union law, in particular by Articles 45 and 46<br />
of the GDPR and by the Charter,<br />
cannot be guaranteed by other means (ECJ July 16, 2020, C-311/18 (Schrems II), para<br />
121).<br />
<br />
In the present case, it should first be noted that the European Court of Justice declared the "EU-US<br />
Privacy Shield" invalid because it was incompatible with Articles 7, 8 and 47 of the Charter<br />
(ECJ July 16, 2020, C-311/18 (Schrems II), para. 150 ff), since it offered US authorities<br />
(intelligence services) disproportionate access opportunities and no effective<br />
legal remedies were available to those affected (non-US citizens). The<br />
European Court of Justice stated that, with regard to the fundamental rights guaranteed in Art. 7 and 8 of the Charter,<br />
neither Section 702 of FISA nor E.O. 12333 in conjunction with PPD-28<br />
meets the minimum requirements existing in Union law on the basis of the principle of proportionality,<br />
so that it cannot be assumed that the surveillance programs based on these<br />
provisions are limited to what is absolutely necessary.<br />
Also, with regard both to the surveillance programs based on Section 702 of FISA and<br />
to those based on E.O. 12333, it should be noted that<br />
neither PPD-28 nor E.O. 12333 confers rights on data subjects that<br />
can be legally enforced against the American authorities, so that<br />
these persons do not have an effective remedy. In this connection,<br />
the ombudsman mechanism mentioned in the adequacy decision does not offer legal recourse<br />
to a body that would provide individuals whose data is transferred to the United States<br />
with guarantees essentially equivalent to those required under Article 47 of the Charter.<br />
<br />
These circumstances, which led to the invalidation of the "EU-US Privacy Shield", must also be<br />
taken into account when assessing a data transfer in accordance with Article 46 (2) (c) GDPR.<br />
In this regard, it should be noted that the standard data protection clauses by their nature<br />
cannot offer guarantees that go beyond the contractual obligation to ensure compliance with the<br />
level of protection required under Union law. In particular, due to their<br />
contractual nature, they cannot bind third-country authorities (such as US<br />
intelligence services) (ECJ July 16, 2020, C-311/18 (Schrems II), para. 132 f).<br />
<br />
These considerations can be applied to the present case. It is<br />
obvious that the BF2 qualifies as a provider of electronic communication services within the meaning of<br />
50 U.S. Code § 1881(b)(4) and is thus subject to surveillance by U.S.<br />
intelligence agencies under 50 U.S. Code § 1881a ("FISA 702"). Accordingly, the BF2<br />
is obliged to provide personal data to U.S. authorities under 50 U.S. Code § 1881a.<br />
The standard data protection clauses agreed between the MB and the BF2<br />
offer no means in this context of<br />
effectively countering or preventing such requests. As can be seen from the<br />
transparency report of BF2, such requests are also regularly made to it by US<br />
authorities.<br />
<br />
The data transmission in question can therefore not be based solely on the<br />
standard data protection clauses concluded between the MB and the BF2 in accordance with<br />
Article 46 (2) (c) GDPR.<br />
<br />
Because, by their very nature, these standard data protection clauses cannot provide any guarantees that<br />
go beyond the contractual obligation to ensure compliance with the level of protection<br />
required under Union law, it may be necessary, depending on the situation in a particular<br />
third country, for the controller to take additional measures (see<br />
point II.3.6.2.2.2) to ensure compliance with this level of protection.<br />
<br />
<br />
II.3.6.2.2.2. Regarding the additional measures:<br />
In its "Recommendations 01/2020 on measures to supplement transfer tools for<br />
ensuring the Union legal level of protection for personal data, version<br />
2.0 of the European Data Protection Board ("EDPB Recommendations")" the EDPB<br />
stated that, in the event that the law of the third country affects the effectiveness of<br />
appropriate safeguards (such as standard data protection clauses), the data exporter<br />
must either suspend the data transfer or implement additional measures<br />
(EDPB Recommendations Rn 28 ff and Rn 52 or ECJ July 16, 2020,<br />
C-311/18 (Schrems II), para. 121).<br />
<br />
According to the recommendations of the EDPB, such "additional measures" can be of a contractual,<br />
technical or organizational nature (EDPB Recommendations, para. 52):<br />
<br />
With regard to contractual measures, it is stated that these "[...] supplement and strengthen<br />
the guarantees provided by the transfer tool and the relevant legislation in the third country,<br />
insofar as the guarantees, taking into account all circumstances<br />
of the transfer, do not meet all the requirements necessary<br />
to ensure a level of protection essentially equivalent to that in the EU. Since<br />
contractual measures, by their very nature, generally cannot bind the authorities of the third country<br />
if they are not themselves a party to the contract, they must be combined with other<br />
technical and organizational measures to ensure the required<br />
level of data protection. Just because one or more of these measures have been<br />
selected and applied does not necessarily mean that it is systematically<br />
ensured that the intended transfer meets the requirements of Union law<br />
(ensuring an essentially equivalent level of protection)" (EDPB<br />
Recommendations 01/2020, para. 99).<br />
<br />
<br />
With regard to organizational measures, it is stated that these may be "[...] internal strategies,<br />
organizational methods and standards that controllers and<br />
processors could apply to themselves and impose on data importers in third countries.<br />
These can contribute to uniform protection of personal data throughout the<br />
processing cycle. Organizational measures can also<br />
help ensure that data exporters are better aware of the risks related to data access in<br />
third countries and of related access attempts, and can react to them more<br />
alertly. Just because one or more of these measures have been selected and<br />
applied does not necessarily mean that it is systematically ensured that<br />
the intended transfer meets the requirements of Union law (ensuring an<br />
essentially equivalent level of protection). Depending on the special circumstances of<br />
the transfer and the assessment of the legal situation in the third country,<br />
organizational measures are required to supplement the contractual and/or technical<br />
measures in order to ensure that the protection of personal data<br />
is essentially equivalent to the level of protection guaranteed in the EEA" (EDPB<br />
Recommendations 01/2020, para. 128).<br />
<br />
Regarding the technical measures, it is stated that these "[...] can supplement the guarantees<br />
offered by the transfer tools in Art. 46 GDPR to ensure<br />
that the protection required under Union law is also guaranteed when personal<br />
data are transmitted to a third country. These measures are particularly<br />
required if the law of the third country in question imposes obligations on the data importer<br />
that run counter to the guarantees of the transfer tools mentioned in Art.<br />
46 GDPR and are therefore capable of undermining the contractual guarantee of an essentially<br />
equivalent level of protection as far as official data access in the third country is<br />
concerned" (EDPB Recommendations 01/2020, para. 77).<br />
<br />
An additional measure is only considered effective within the meaning of the judgment of the European<br />
Court of Justice (ECJ 16.07.2020, C-311/18 (Schrems II)) if and to the extent that it -<br />
alone or in combination with others - closes precisely the gaps in legal protection<br />
that the data exporter identified in its review of the legislation and practice in the<br />
third country applicable to its transfer. Should it ultimately not be possible for the<br />
data exporter to achieve an equivalent level of protection,<br />
it may not transmit the personal data (EDPB Recommendations 01/2020, Rn<br />
75).<br />
<br />
Applied to the present case, this means that it must be examined whether the<br />
"additional measures taken" by BF2 (see point II.1.10 or VWA ./31, page 23 ff)<br />
close the gaps in legal protection identified in the judgment of the European Court of Justice<br />
(ECJ July 16, 2020, C-311/18 (Schrems II)), i.e. inappropriate access and<br />
surveillance capabilities of US intelligence services and insufficiently effective<br />
legal remedies for those affected.<br />
<br />
Against this background, it must therefore be checked whether the additional measures taken by BF2<br />
are suitable for eliminating the unlawful circumstances (disproportionate<br />
possibilities of access by US authorities or the lack of effective legal remedies for<br />
those affected), so that the fundamental rights guaranteed in Articles 7, 8 and 47 of the Charter<br />
are not violated.<br />
<br />
With regard to the contractual and organizational measures set out, it is not<br />
apparent to what extent a review of a request from US authorities by XXXX<br />
attorneys or by specially trained personnel for compliance with applicable laws and<br />
XXXX guidelines would ensure that the fundamental rights guaranteed in Articles 7, 8 and 47 of the Charter<br />
are not violated. Compliance with US laws, i.e. the obligation to release data,<br />
leads precisely to the violation of the fundamental rights of the Union citizens concerned. Likewise,<br />
notifying customers before any of their<br />
information is disclosed to US authorities has no justificatory value. This is because a transfer of<br />
information is disproportionate under European law and the<br />
Union citizens concerned have no effective legal remedies against disclosure. A<br />
violation of the fundamental rights of the EU citizens concerned also occurs if a notification to<br />
customers is omitted for US legal reasons. Even if the request of a US<br />
authority is omitted due to an emergency, the disclosure is unlawful, since the<br />
Union citizens concerned do not have the opportunity to have the emergency<br />
verified by means of an effective legal remedy. Finally, the release of a<br />
transparency report and the publication of BF2's policy on dealing with<br />
government requests do not remove the unlawful circumstances in such a way that the<br />
fundamental rights guaranteed in Art. 7, 8 and 47 of the Charter are not violated.<br />
<br />
The technical measures presented are also not suitable for eliminating the violation of<br />
fundamental rights. The technical measures listed neither prevent nor restrict the<br />
access options of US intelligence services under US law in connection with the<br />
transmission or storage of the data.<br />
As the bB correctly stated, the technical measures cannot be<br />
considered effective if the BF2 itself still has the ability to<br />
access the data in plain text. Insofar as the BF2 refers to an encryption technology,<br />
it can be inferred from the EDPB Recommendations that a data importer (the BF2) that is subject to 50 U.S.<br />
Code § 1881a ("FISA 702") has a direct obligation, with respect to the imported data in its<br />
possession or custody or under its control, to<br />
grant access to or release them. This obligation can<br />
also expressly extend to the cryptographic keys without which the data<br />
are not legible (margin no. 81).<br />
<br />
<br />
Also, the BF2's argument that, insofar as XXXX-Analytics data used for measurement by<br />
website owners are personal data, they should be considered pseudonymous, is<br />
not suitable as an "additional measure". In this context, the<br />
convincing view of the German Data Protection Conference is to be followed, according to which "[...] the<br />
fact that the users are made identifiable via IDs or identifiers does not constitute a<br />
pseudonymization measure within the meaning of the GDPR. In addition, these are not<br />
appropriate guarantees for complying with data protection principles or safeguarding the<br />
rights of data subjects if IP addresses, cookie<br />
IDs, advertising IDs, unique user IDs or other identifiers are used. This is because,<br />
unlike in cases where data is pseudonymized in order to obscure or delete the identifying data<br />
so that the persons concerned can no longer be addressed,<br />
IDs or identifiers are used to make the individuals distinguishable<br />
and addressable. Consequently, there is no protective effect. These are<br />
therefore not pseudonymizations within the meaning of Recital 28 which lower the risks for the<br />
data subjects and support controllers and processors in complying with<br />
their data protection obligations" (cf. the guidance of the supervisory authorities<br />
for providers of telemedia from March 2019, p. 15).<br />
<br />
In addition, the arguments of BF2 cannot be followed because the XXXX-<br />
Analytics ID can in any case be combined with other elements and can even be connected with a<br />
XXXX account indisputably attributable to the BF2.<br />
<br />
The "anonymization function of the IP address" mentioned is not relevant to the case<br />
because it was not implemented correctly (see point II.1.3.4).<br />
<br />
<br />
Overall, the additional measures identified by BF2 are not suitable for closing the<br />
gaps in legal protection identified in the judgment, i.e. inappropriate access and<br />
surveillance capabilities of US intelligence services and insufficiently effective<br />
legal remedies for those affected.<br />
<br />
<br />
II.3.6.2.2.3. Summary:<br />
Based on the decision of the European Court of Justice of July 16, 2020, C-311/18<br />
(Schrems II), the data transfer at issue was not covered by the "EU-US<br />
Privacy Shield". Also, the data transfer that is the subject of the proceedings cannot be<br />
based solely on the standard data protection clauses concluded between MB and BF2<br />
in accordance with Article 46 (2) (c) GDPR. In addition, the additional measures<br />
identified by the BF2 are not suitable for closing the gaps in legal protection<br />
identified in the judgment, i.e. inadequate access and monitoring options of US<br />
intelligence services and insufficiently effective legal remedies for those affected.<br />
Overall, the data transmission that is the subject of the proceedings is not covered<br />
by Art. 46 GDPR.<br />
<br />
<br />
Insofar as the BF2 assumed a risk-based approach in the administrative proceedings,<br />
it should be noted that this approach already departs from the wording of Art. 44 GDPR:<br />
Article 44 GDPR covers any transmission of personal<br />
data. The provision therefore does not differentiate according to whether extremely low-threshold data<br />
are transferred for which there is only a very low basic risk. Although the GDPR provides in<br />
individual provisions for a risk-based approach (e.g. Art. 24 Para. 1 and Para. 2,<br />
Article 25(1), Article 30(5), Article 32(1) and (2), Article 34(1), Article 35(1) and Article 35(3)<br />
or Art. 37 Para. 1 lit. b and lit. c GDPR), this circumstance does not mean that the<br />
risk-based approach is to be applied analogously to Art. 44 GDPR.<br />
<br />
With regard to the legal situation in the US, the European Court of Justice (ECJ July 16, 2020,<br />
C-311/18 (Schrems II)) assumed precisely that, due to the disproportionate<br />
access possibilities of US authorities as well as insufficiently effective legal remedies for<br />
those affected, an "appropriate level of data protection" cannot be assumed, which is why<br />
it ultimately also declared the EU-US adequacy decision invalid. The<br />
European Court of Justice expressly did not take into account that the obligations<br />
to which a Privacy Shield certified company from the United States is<br />
subject may be appropriate in individual cases (e.g. because the certified<br />
company receives only non-sensitive personal data or personal data not relevant<br />
under criminal law).<br />
<br />
The GDPR is also intended to guarantee the free movement of data. However,<br />
free movement in this context is subject to the premise that the requirements of the<br />
GDPR, and this also includes Chapter V, are fully complied with. A softening of the<br />
requirements of Chapter V in the sense of a "business-friendly interpretation" in favor<br />
of the free movement of data is, however, not provided for. Economic interests<br />
also played no role in the judgment of the ECJ of July 16, 2020, C-311/18 (Schrems II).<br />
<br />
II.3.6.3. Regarding the exceptions for certain cases according to Art. 49 GDPR:<br />
<br />
According to the MB's own information, the exception under Art. 49 GDPR was<br />
not relevant for the data transfer in question (VWA ./11, page 13). Nor did it<br />
emerge in the proceedings that a consent according to Art. 49 Para. 1 lit. a GDPR<br />
was obtained. Since, overall, no circumstances emerged under which an element<br />
of Art. 49 GDPR would be fulfilled, the data transfer that is the subject of the proceedings<br />
cannot be based on Art. 49 GDPR.<br />
<br />
<br />
II.3.6.4. Result:<br />
Since, for the data transmission in question from the MB to the BF2 (in the United States),<br />
no adequate level of protection was guaranteed by an instrument of Chapter V of the GDPR,<br />
there is a violation of Art. 44. The MB was responsible for the operation of the XXXX website<br />
(at least) at the time relevant to the complaint, i.e. August 14th, 2020.<br />
The data protection violation of Art. 44 GDPR relevant here is<br />
therefore attributable to the MB.<br />
<br />
Overall, the BF2 was not in a position to rule that point 2. of the<br />
To justify the CB's decision which would have violated its legal interests. Also<br />
<br />
for this reason, the complaint by the BF2 was to be rejected.<br />
<br />
II.3.7. Regarding point A.II) – inadmissibility of the revision:<br />
<br />
According to § 25a Abs. 1 VwGG, the administrative court in the ruling of its knowledge or<br />
<br />
Pronounce a resolution as to whether the revision is permissible in accordance with Art. 133 Para. 4 B-VG. The<br />
Statement must be briefly justified.<br />
<br />
The revision is allowed because the question of whether a data recipient (data importer in<br />
<br />
a third country) in the procedure for establishing a violation of the general<br />
<br />
Principles of data transmission according to Art. 44 GDPR are not yet sufficient<br />
Judiciary of the Administrative Court exists.<br />
<br />
It was therefore to be decided accordingly.<br />
<br />
<br />
II.3.8. Regarding point B.I) - rejection of the complaint by the BF1:<br />
As explained under point II.3.3, there are no subjective public ones from Chapter V GDPR<br />
<br />
Rights/obligations to refer to BF2 as data importer. Against this background, the<br />
<br />
BF1's complaint about a decision to be dismissed.<br />
<br />
II.3.9. Re point B.II) - admissibility of the revision:<br />
According to § 25a Abs. 1 VwGG, the administrative court in the ruling of its knowledge or<br />
<br />
Pronounce a resolution as to whether the revision is permissible in accordance with Art. 133 Para. 4 B-VG. The<br />
<br />
Statement must be briefly justified.<br />
<br />
The revision is allowed because the legal questions shown here are not yet sufficient<br />
Judiciary of the Administrative Court exists.<br />
<br />
<br />
It was therefore to be decided accordingly.<br />
</pre></div>Norman.aasmahttps://gdprhub.eu/index.php?title=User:Norman.aasma&diff=32835User:Norman.aasma2023-05-16T14:21:43Z<p>Norman.aasma: </p>
<hr />
<div>'''Norman Aasma''', Country reporter for Estonia & Germany<br />
<br />
LL.M. student at University of Oslo<br />
<br />
Junior Data Protection Associate<br />
<br />
'''CV''': [https://linkedin.com/in/norman-aasma-0256b21a5 linkedin.com/in/norman-aasma-0256b21a5]<br />
<br />
<br />
<br />
<br />
'''My contributions''':<br />
<br />
[[AKI (Estonia) - 2.1.-4/22/2585]]<br />
<br />
[[AKI (Estonia) - 2.1.-5/22/22012]] <br />
<br />
[[BlnBDI (Berlin) - C-807/21 - Deutsche Wohnen]]<br />
<br />
[[The FG München - Auskunftsanspruch nach Art. 15 DSGVO]]<br />
<br />
[[AKI (Estonia) - 2.1-3/22/2542]]<br />
<br />
[[AKI (Estonia) - 2.1.-1/23/2891-5]]<br />
<br />
[[LG Köln - 33 O 376/22]]</div>Norman.aasmahttps://gdprhub.eu/index.php?title=User:Norman.aasma&diff=32754User:Norman.aasma2023-05-14T19:25:05Z<p>Norman.aasma: </p>
<hr />
<div>'''Norman Aasma''', Country reporter for Estonia & Germany<br />
<br />
LL.M. student at University of Oslo<br />
<br />
Junior Data Protection Associate<br />
<br />
'''CV''': [https://linkedin.com/in/norman-aasma-0256b21a5 linkedin.com/in/norman-aasma-0256b21a5]<br />
<br />
<br />
<br />
<br />
'''My contributions''':<br />
<br />
[[AKI (Estonia) - 2.1.-4/22/2585]]<br />
<br />
[[AKI (Estonia) - 2.1.-5/22/22012]] <br />
<br />
[[BlnBDI (Berlin) - C-807/21 - Deutsche Wohnen]]<br />
<br />
[[The FG München - Auskunftsanspruch nach Art. 15 DSGVO]]<br />
<br />
[[AKI (Estonia) - 2.1-3/22/2542]]<br />
<br />
[[AKI (Estonia) - 2.1.-1/23/2891-5]]<br />
<br />
[[LDI (North Rhine-Westphalia) - LG Köln, 33 O 376/22|LDI (North Rhine-Westphalia) - LG Köln, 33 O 376/22 - GDPRhub]]</div>Norman.aasmahttps://gdprhub.eu/index.php?title=LG_K%C3%B6ln_-_33_O_376/22&diff=32753LG Köln - 33 O 376/222023-05-14T19:23:48Z<p>Norman.aasma: Created page with "{{DPAdecisionBOX |Jurisdiction=Germany |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoDE-NW.jpg |DPA_Abbrevation=LDI |DPA_With_Country=LDI (North Rhine-Westphalia) |Case_Number_Name=LG Köln, 33 O 376/22 |ECLI= |Original_Source_Name_1=Verbraucherzentrale NRW e.V., Beratungsstelle Köln |Original_Source_Link_1=https://www.verbraucherzentrale.nrw/sites/default/files/2023-05/lg_koln_vom_23-03-2023_33_o_376_22_geschwaerzt.pdf |Original_Source_Language_1=German |Orig..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Germany<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoDE-NW.jpg<br />
|DPA_Abbrevation=LDI<br />
|DPA_With_Country=LDI (North Rhine-Westphalia)<br />
<br />
|Case_Number_Name=LG Köln, 33 O 376/22<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Verbraucherzentrale NRW e.V., Beratungsstelle Köln<br />
|Original_Source_Link_1=https://www.verbraucherzentrale.nrw/sites/default/files/2023-05/lg_koln_vom_23-03-2023_33_o_376_22_geschwaerzt.pdf<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Other<br />
|Outcome=<br />
|Date_Started=25.01.2022<br />
|Date_Decided=23.03.2023<br />
|Date_Published=10.05.2023<br />
|Year=2023<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 6(1)(b) GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR#1b<br />
|GDPR_Article_2=Article 6(1)(f) GDPR<br />
|GDPR_Article_Link_2=Article 6 GDPR#1f<br />
|GDPR_Article_3=Article 44 GDPR<br />
|GDPR_Article_Link_3=Article 44 GDPR<br />
|GDPR_Article_4=Article 49(1)(a) GDPR<br />
|GDPR_Article_Link_4=Article 49 GDPR#1a<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
|GDPR_Article_6=<br />
|GDPR_Article_Link_6=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=Verbraucherzentrale NRW e.V., Beratungsstelle Köln<br />
|Party_Link_1=https://www.verbraucherzentrale.nrw/beratungsstellen/koeln/veranstaltungen/713<br />
|Party_Name_2=Telekom Deutschland GmbH<br />
|Party_Link_2=https://www.telekom.de/ueber-das-unternehmen<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Norman Aasma<br />
|<br />
}}<br />
<br />
The District Court in Cologne held that the transfer of personal data by a telecommunications company to Google servers in the USA is unlawful.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The case concerned a dispute between the plaintiff, the North Rhine-Westphalia Consumer Center, and the defendant, the German telecommunications company Telekom Deutschland GmbH. The plaintiff brought legal action against the defendant company before the District Court in Cologne.<br />
<br />
The legal dispute was about the lawfulness of the privacy notices used by the defendant, its data transfers to third countries and its cookie banners. First, the North Rhine-Westphalia Consumer Center objected to the transmission of positive financial data, i.e. personal data that is not related to financial transactions or any other non-contractual behaviour, to SCHUFA Holding AG in a manner that does not comply with data protection law. Furthermore, the plaintiff maintained that the defendant had not obtained consent for the cookie banners used on its website and had implemented dark patterns in those cookie banners, thus misleading users. Thirdly, according to the plaintiff, Telekom Deutschland GmbH's transfers of customers' personal data to third countries, inter alia the USA, for analysis and marketing purposes violated the GDPR. The plaintiff claimed that when a customer visits the defendant company's website, personal data such as the visitor's IP address and browser and device information is transmitted to Google LLC, the operator of Google analysis and marketing services.<br />
<br />
The plaintiff sent the defendant company multiple letters ordering the company to end its unlawful data processing activities, put a stop to its data transfers and bring its activities into compliance with the data protection requirements. However, Telekom Deutschland GmbH disregarded the letters and did not take any measures.<br />
<br />
The plaintiff requested the court to order the defendant company:<br />
1)<br />
a) to refrain from transferring personal data to credit agencies, in particular SCHUFA Holding AG and CRIF Bürgel, when carrying out and/or executing mobile communication contracts;<br />
b) to refrain from using the privacy notice clause quoted in the case with regard to mobile communication contracts with consumers, or from relying on such clauses for any future contracts;<br />
c) to refrain from using cookie banners to receive consent for storing information on the user's terminal device for the purposes of advertising or marketing analysis unless it is necessary for the operation of the telemedium. If cookie banners are used, refusing cookies shall be as easy as consenting to them;<br />
d) to refrain from transferring personal data of consumers to third countries for advertising and marketing analysis purposes.<br />
<br />
=== Holding ===<br />
The court held that the plaintiff's application to order the defendant not to transfer positive data to credit agencies is unfounded. According to the court, the plaintiff's request for an injunction is too broad.<br />
<br />
Furthermore, the court held that, in the circumstances of the present case, the privacy notice clause is not subject to clause review. The defendant informs consumers about the data transfers, and no separate regulatory content can be inferred from this.<br />
<br />
The court held that the plaintiff's application with regard to cookie banners was unfounded. The court highlighted that, according to Article 4(11) GDPR, consent shall be freely given, specific to the purposes, informed and unambiguous. At the same time, the court pointed out that the plaintiff's request is too broad and does not reflect the requirements stemming from the GDPR. According to the court, it is not possible to require the controller to implement a specific form of design for the cookie banner.<br />
<br />
With regard to data transfers to the US, the court agreed with the plaintiff. The court held that the transfer of users' personal data, such as IP addresses as well as browser and device information, to Google LLC as the operator of Google analytics and marketing services based in the US is not in compliance with the GDPR. The court referenced the ruling of the Court of Justice of the European Union in case C-311/18, the Schrems II case, according to which there is no adequate level of data protection guaranteed in the US. Based on the interpretation of the court, such a data transfer is not covered by the GDPR. Moreover, the decision highlighted that in the present case it is not possible to rely on the standard data protection clauses for the data transfer either, as they are not suitable to ensure an adequate level of data protection in the US. The court held that users' consent via a simple "accept all" button in the cookie banner does not reflect the explicit consent of the data subject with regard to the data transfers to third countries. The defendant had not provided the data subjects with information on the transfers of their IP addresses and browser and device information to Google LLC and thus violated the GDPR.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
<br />
<br />
Ordinary detention is to be carried out at their respective legal representative and<br />
must not exceed a total of two years,<br />
<br />
in the context of business dealings with consumers<br />
<br />
refrain from using the website www.telekom.de, in particular when<br />
<br />
Use of cookies and similar technologies for analysis and<br />
<br />
Marketing purposes, personal data of consumers in third countries<br />
transmit, provided neither<br />
<br />
(1) there is an adequacy decision pursuant to Art. 45 GDPR, nor<br />
<br />
(2) suitable guarantees according to Art. 46 GDPR are provided, nor<br />
<br />
(3) there is an exception according to Art. 49 GDPR,<br />
<br />
<br />
if this happens as in the brief of January 14, 2023 on sheet 6 - 8 under bb)<br />
reproduced (pages 210 – 212 of the file):<br />
<br />
<br />
Institutions within the meaning of § 4 UKlaG at the Federal Office of Justice (status: 26.<br />
November 2021) under number 69.<br />
<br />
<br />
The defendant is a subsidiary of Deutsche Telekom AG. It is<br />
<br />
responsible for private customers as well as small and medium-sized business customers and has its headquarters<br />
in Bonn. In terms of the number of connections, the defendant is one of the largest<br />
<br />
mobile operators in the market.<br />
<br />
<br />
The parties dispute the legality of the defendant in the<br />
<br />
Data protection notices used in the past and corresponding ones<br />
Data transfers and cookie banners used in the past.<br />
<br />
<br />
The plaintiff complains under the applications 1.a. and 1.b the transmission of<br />
<br />
Positive data to SCHUFA and the one clause used in this regard in the<br />
<br />
privacy notices.<br />
<br />
Under the application 1.c. the plaintiff objects that the defendant in its cookie<br />
<br />
Banners do not obtain consent that satisfies the legal requirements.<br />
<br />
<br />
Under the application 1.d. the plaintiff complains of non-compliance with the provisions of the<br />
VO (EU) 2016/679 (hereinafter: GDPR) in connection with<br />
<br />
Transfer of data to third countries and under the applications 1.e. and 1.f. related<br />
<br />
Clause in the defendant's privacy policy.<br />
<br />
<br />
The defendant provides under the brand "congstar"<br />
telecommunications services. For those taking place in this context<br />
<br />
Data processing is the defendant according to Section 9 of the under<br />
<br />
https://www.congstar.de/fileadmin/<br />
files_congstar/documents/Privacy Policy/Privacy Policy_congstar_<br />
<br />
general.pdf retrievable general data protection information of the "congstar - a<br />
<br />
Telekom Deutschland GmbH brand” is responsible for data protection.<br />
<br />
<br />
According to Section 4 Paragraph 4 of the General Data Protection Notice, the<br />
According to the defendant, in the course of the initiation and/or implementation<br />
<br />
of contractual relationships with consumers positive data to credit agencies.<br />
<br />
Positive data is data that does not have negative payment experiences or<br />
have other non-contractual behavior as their content, but information<br />
<br />
about the application, implementation and termination of the contract.<br />
<br />
<br />
Literally it said in the above place:<br />
<br />
<br />
"[...] Send to SCHUFA Holding AG and CRIF Bürgel GmbH<br />
we also collected as part of the contractual relationship<br />
<br />
personal data about the application, the implementation and<br />
<br />
Termination of the same as well as data about non-contractual or<br />
fraudulent behavior. Legal bases for these transmissions are<br />
<br />
Art. 6 para. 1 b and f GDPR. SCHUFA and CRIF Bürgel process them<br />
<br />
received data and also use them for scoring purposes<br />
<br />
their contractual partners in the European Economic Area and in Switzerland<br />
and possibly other third countries (if these include a<br />
<br />
adequacy decision of the European Commission exists)<br />
<br />
Information, among other things, to assess the creditworthiness of<br />
<br />
to give to natural persons. Supported independently of credit rating<br />
the SCHUFA its contractual partners through profiling in the recognition<br />
<br />
Conspicuous facts (e.g. for the purpose of fraud prevention in<br />
<br />
mail order) […] “<br />
<br />
The defendant also provides mobile communications services under the “Telekom” brand and is<br />
<br />
as evidenced by their own "General Data Protection Notice".<br />
<br />
Responsible for data processing.<br />
<br />
<br />
In Section 4. Para. 4 of the data protection notice it was stated verbatim:<br />
<br />
"[...] Send to SCHUFA Holding AG and CRIF Bürgel GmbH<br />
<br />
we also collected as part of the contractual relationship<br />
<br />
personal data about the application, the implementation and<br />
Termination of the same as well as data about non-contractual or<br />
<br />
fraudulent behavior. Legal bases for these transmissions are<br />
<br />
Art. 6 Para.1 b and f GDPR. SCHUFA and CRIF Bürgel process them<br />
<br />
received data and also use them for scoring purposes<br />
their contractual partners in the European Economic Area and in Switzerland<br />
<br />
and possibly other third countries (if these include a<br />
<br />
adequacy decision of the European Commission exists)<br />
Information, among other things, to assess the creditworthiness of<br />
<br />
to give to natural persons. Supported independently of credit rating<br />
<br />
the SCHUFA its contractual partners through profiling in the recognition<br />
<br />
Conspicuous facts (e.g. for the purpose of fraud prevention in<br />
mail order). [...]”<br />
<br />
<br />
In a letter dated January 25, 2022, the plaintiff requested the defendant to refrain from<br />
with complaint to 1.a. and 1.b. actions objected to and setting a deadline<br />
<br />
on February 8th, 2022, which was then extended until March 8th, 2022<br />
<br />
a corresponding declaration of discontinuance and reimbursement of a flat-rate<br />
reimbursement of expenses in the amount of EUR 260.00.<br />
<br />
<br />
In a letter dated March 8th, 2022, the defendant refused to submit a<br />
<br />
cease-and-desist declaration.<br />
<br />
<br />
When calling up the website www.telekom.de operated by the defendant<br />
Consumers will be presented with a cookie banner as reproduced below<br />
<br />
Claim for 1.c. superimposed was designed, with the second superimposition the<br />
<br />
shows the second level of the banner, which can be reached by clicking on the button<br />
<br />
"Change settings" reached. The respective cookie categories could be found on the<br />
second level can be selected or deselected.<br />
<br />
<br />
In the “Privacy Policy of Telekom Deutschland GmbH (“Telekom”) for the<br />
<br />
Use of the Internet site” via the link “Privacy Policy” on both<br />
Levels of the banner could be selected, it said under the headline<br />
<br />
"Is my usage behavior evaluated, e.g. for advertising or tracking?"<br />
<br />
Page 3 at the point "Analytical Cookies" verbatim:<br />
<br />
<br />
“These cookies help us to better understand user behavior.<br />
Analysis cookies enable the collection of usage and<br />
<br />
Detection options through first or third party, in so-called<br />
<br />
pseudonymous usage profiles. For example, we use analysis cookies,<br />
to measure the number of unique visitors to a website or service<br />
<br />
determine or other statistics relating to the operation of our<br />
<br />
To collect products, as well as user behavior on the basis of anonymous and<br />
<br />
analyze pseudonymous information about how visitors interact with the website<br />
to interact. There is no direct conclusion about a person<br />
<br />
possible. The legal basis for these cookies is Art. 6 I a) GDPR<br />
<br />
Third countries Art. 49 Para. 1 b GDPR.”<br />
<br />
Below is a tabular listing of cookie providers, including the following<br />
<br />
Entry contains:<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
It also says under the subheading "Marketing Cookies / Retargeting".<br />
other verbatim:<br />
<br />
<br />
“These cookies and similar technologies are used to offer you<br />
<br />
to be able to display personalized and therefore relevant advertising content.<br />
Marketing cookies are used to provide interesting advertising content<br />
<br />
and measure the effectiveness of our campaigns. This<br />
<br />
happens not only on Telekom Deutschland GmbH websites, but also<br />
<br />
also on other advertising partner sites (third-party providers). […] legal basis<br />
for these cookies is Art. 6 1 a) GDPR or, in the case of third countries, Art. 49 Para. 1 b<br />
<br />
GDPR)."<br />
<br />
<br />
Below is a tabular listing of cookie providers, including the following<br />
Entry contains:<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Finally, under the heading "Where is my data processed?"<br />
on pages 5 and 6 of the data protection information verbatim:<br />
<br />
<br />
“Your data will be processed in Germany and other European countries.<br />
<br />
In exceptional cases, your data will also be processed in countries<br />
<br />
outside the European Union (in so-called third countries), this happens<br />
<br />
a) if you have expressly consented to this (Art. 49 Para. 1a GDPR).<br />
<br />
(In most countries outside the EU, the level of data protection is the same<br />
<br />
not to EU standards). This applies in particular to comprehensive<br />
Monitoring and control rights of state authorities, e.g. in the USA, the<br />
<br />
in the data protection of European citizens<br />
<br />
intervene disproportionately<br />
<br />
<br />
b) or as far as it is necessary for our service provision to you<br />
is required (Art. 49 Para. 1 b GDPR),<br />
<br />
<br />
c) or to the extent provided for by law (Art. 6 Para. 1 c GDPR).<br />
<br />
<br />
In addition, your data will only be processed in third countries<br />
as far as it is ensured by certain measures that a<br />
<br />
adequate level of data protection exists (e.g. adequacy decision<br />
<br />
of the EU Commission or so-called suitable guarantees, Art. 44ff. GDPR)."<br />
<br />
For further details of the data protection information, please refer to Annex K1, Bl.<br />
<br />
49 ff.<br />
<br />
<br />
In a letter dated February 24, 2022, the plaintiff also requested the defendant<br />
<br />
Failure to comply with the complaint to 1.c., 1.d. and 1.e. described actions<br />
and setting a deadline of March 10, 2022 for submitting a corresponding<br />
<br />
Declaration of discontinuance and reimbursement of a flat-rate reimbursement of expenses<br />
<br />
in the amount of EUR 260.00.<br />
<br />
<br />
The defendant rejected this in a letter dated March 16, 2022.<br />
<br />
With regard to application 1.a., the plaintiff considers that the transmission of<br />
<br />
Positive data is for the fulfillment of a contract or for implementation<br />
<br />
pre-contractual measures not required within the meaning of Art. 6 Para. 1 lit b)<br />
DSGVO, and there is no legitimate interest in this according to Art. 6 Para.1 lit. f)<br />
<br />
GDPR. That is why it depends on the granting of consent, which is undisputed<br />
<br />
not present.<br />
<br />
<br />
Regarding the application 1.b. the plaintiff considers that the clause<br />
against §§ 307 Section 1, Section 2 No.1 in conjunction with Art 6 Section 1 Sentence 1 GDPR and against Section 1<br />
<br />
UKlaG i. V. m. § 307 Abs. 1 S. 2 BGB.<br />
<br />
<br />
The application 1.c. the plaintiff based on § 2 paragraph 1, paragraph 2 sentence 1 No. 11 b) UKlaG in conjunction with §<br />
25 para. 1 sentence 1 TTDSG. He means that the defendant does not meet the requirements of Art.<br />
<br />
4 No. 11 DSGVO corresponding consent.<br />
<br />
<br />
Due to the optical design, the choices would not<br />
<br />
stand side by side on an equal footing.<br />
<br />
The plaintiff asserts that the linking "continue" to deny not<br />
<br />
necessary cookies will not be perceived as a clickable button. The<br />
<br />
Change settings button turns white with its light gray border<br />
Color lags well behind the "Accept All" button, as does the button<br />
<br />
"Confirm selection".<br />
<br />
<br />
In connection with the application 1.d. the plaintiff claims that he was calling<br />
the website www.telekom.de on 01/03/2023 the network traffic using a<br />
<br />
Internet browser recorded. Be there when you visit the website<br />
<br />
personal data such as the IP address and browser and<br />
Device information from a website visitor's end device to Google<br />
<br />
LLC (Address: 1600 Amphitheater Parkway Mountain View, CA 94043, USA) as<br />
<br />
Operator of Google analysis and marketing services ("Google Adservices" with<br />
<br />
based in the USA, based on a real-time analysis of the<br />
The plaintiff's browser could be used to identify incoming and outgoing network connections.<br />
<br />
For the details of this lecture, reference is made to p. 209 ff.<br />
<br />
<br />
The plaintiff is of the opinion that this alleged transmission of the<br />
<br />
personal data of affected consumers to servers of Google LLC in<br />
the USA by the defendant succeeds in a third country without adequate<br />
<br />
level of protection i. s.d. Art. 45 GDPR and without suitable guarantees i. s.d. Article 46<br />
<br />
GDPR.<br />
<br />
Furthermore, the plaintiff claims that the services Heap and Xandr<br />
<br />
Data transfers abroad had taken place.<br />
<br />
<br />
Regarding the applications 1.e. and 1.f. says the plaintiff that in the<br />
<br />
Clauses used in the data protection notices would be subject to the General Terms and Conditions control.<br />
<br />
The plaintiff requests<br />
<br />
<br />
1. to condemn the defendant, avoiding one for each case of<br />
<br />
Violation of a fine to be set up to EUR 250,000.00,<br />
alternatively detention, or detention for up to six months, whereby<br />
<br />
the orderly detention is to be carried out on their respective legal representative<br />
<br />
and may not exceed a total of two years,<br />
<br />
<br />
a. in the context of business dealings with consumers<br />
refrain from initiating and/or carrying out<br />
<br />
Mobile phone contracts positive data, i.e. personal data that<br />
<br />
no payment history or anything else that is not in accordance with the contract<br />
behavior to have content, but information about the<br />
<br />
Commissioning, implementation and termination of a contract<br />
<br />
Credit agencies, in particular SCHUFA<br />
<br />
Holding AG, Kormoranweg 5, 65201 Wiesbaden and CRIF Bürgel<br />
<br />
<br />
GmbH, Leopoldstrasse 244, 80807 Munich, Germany<br />
because there is an effective consent of the affected consumers<br />
<br />
before or the transmission is to comply with a legal<br />
<br />
Obligation required of Telekom Deutschland GmbH<br />
subject to<br />
<br />
<br />
b. to refrain from using the trailing (enclosed in quotation marks) or<br />
<br />
a clause with the same content in relation to data protection notices for<br />
<br />
to use mobile phone contracts with consumers and to subscribe to<br />
existing contracts: “To SCHUFA Holding<br />
<br />
AG and to CRIF Bürgel GmbH we also transmit in<br />
<br />
Personal data collected as part of the contractual relationship<br />
<br />
Data on the application, implementation and termination<br />
of the same as well as data about non-contractual or<br />
<br />
fraudulent behavior. Legal basis for these transfers<br />
<br />
are Art. 6 Para. 1 b and f GDPR.”,<br />
<br />
c. to refrain from engaging in business dealings<br />
<br />
Consumers in telemedia via forms (cookie banners)<br />
<br />
Asking consumers to submit a declaration of consent<br />
<br />
for advertising and/or market research purposes<br />
to store the end device of the user or to information<br />
<br />
access that is already stored in the user's device, provided that<br />
<br />
storage or terminal access for the operation of the<br />
Telemediums is not strictly necessary without the cookie banner<br />
<br />
one of the declaration of consent in form, function and color scheme<br />
<br />
equivalent, equal and equally easy to use<br />
<br />
Provide opt-out option when done as below<br />
shown:<br />
<br />
<br />
d. in the context of business dealings with consumers<br />
refrain from using the website www.telekom.de, in particular<br />
<br />
when using cookies and similar technologies for analysis and<br />
<br />
Marketing Purposes, Consumer Personal Data in<br />
<br />
to transmit to third countries, provided neither<br />
<br />
(1) there is an adequacy decision pursuant to Art. 45 GDPR, nor<br />
<br />
<br />
(2) suitable guarantees according to Art. 46 GDPR are provided, nor<br />
<br />
<br />
(3) there is an exception according to Art. 49 GDPR,<br />
<br />
if this happens as in the brief of January 14, 2023 on pages 6 - 8<br />
<br />
reproduced under bb) (pages 210 – 212 of the file):<br />
<br />
<br />
e. to refrain from using the trailing (enclosed in quotation marks) or<br />
<br />
a clause with the same content in relation to data protection notices for<br />
<br />
Consumers to use and rely on in existing contracts<br />
to call:<br />
<br />
<br />
"Analytical cookies<br />
<br />
<br />
These cookies help us to better understand user behavior.<br />
Analysis cookies enable the collection of usage and<br />
<br />
Possibilities of detection by first or third party providers, in so<br />
<br />
mentioned pseudonymous usage profiles. We use<br />
<br />
for example analysis cookies to count the number of unique visitors<br />
of a website or service or to identify others<br />
<br />
collect statistics regarding the operation of our products,<br />
<br />
as well as user behavior on the basis of anonymous and pseudonymous<br />
<br />
<br />
Analyze information about how visitors interact with the website<br />
to interact. […] The legal basis for these cookies is […] at<br />
<br />
Third countries Art. 49 Para. 1 b GDPR.”<br />
<br />
<br />
f. to refrain from using the following clause (enclosed in quotation marks), or<br />
a clause with the same content, in relation to data protection notices towards<br />
consumers, and from relying on it in existing contracts:<br />
<br />
"Marketing cookies/ retargeting These cookies and similar<br />
technologies are used to be able to display personalized and thereby<br />
relevant advertising content to you. Marketing cookies<br />
are used to display interesting advertising content and to<br />
measure the effectiveness of our campaigns. […] Marketing and<br />
retargeting cookies help us to show you possibly relevant advertising content.<br />
[…] The legal basis for these cookies is […] for<br />
third countries Art. 49 Para. 1 b GDPR.”<br />
<br />
2. to order the defendant to pay the plaintiff EUR 520.00 plus interest<br />
of five percentage points above the respective base interest rate<br />
since pendency.<br />
<br />
<br />
The defendant requests<br />
<br />
that the complaint be dismissed.<br />
<br />
<br />
Regarding requests 1.a. and 1.b., the defendant considers the applications<br />
to be indefinite and therefore not to meet the requirements of Section 253 (2)<br />
No. 2 ZPO. In addition, the application is illegal. Moreover, the<br />
transmission of so-called positive data is covered by Art. 6 Para. 1 lit. f) GDPR.<br />
<br />
<br />
The defendant is of the opinion that the plaintiff limits himself to<br />
attacking formulations in the data protection information and the cookie banner as such.<br />
He does not present any concrete violations of data protection regulations.<br />
<br />
It should also be taken into account that the defendant already at the end of 2021<br />
<br />
Passing on so-called positive data.<br />
<br />
The defendant claims, in connection with application 1.c., that the gray<br />
<br />
framed, white button with gray writing was just as noticeable as the<br />
<br />
<br />
magenta button with white lettering. It was made clear to the consumer<br />
that he has two choices.<br />
<br />
<br />
Regarding application 1.d., the defendant claims that the German service provider<br />
uses an upstream proxy server to ensure that IP addresses for<br />
analyses and evaluations are not transmitted to "Heap" and that therefore no<br />
personal data of users in Germany is transferred to the USA<br />
unless the processor (i.e. Flexperto GmbH) has previously concluded a<br />
separate agreement (EU standard contractual clauses) with a<br />
sub-processor in a third country. Flexperto GmbH has committed itself to this<br />
on the basis of the existing order processing contract with the defendant.<br />
<br />
<br />
The defendant claims that any transfer to a third country is justified by the use<br />
of standard data protection clauses and in any case by the<br />
consent granted via the banner.<br />
<br />
<br />
<br />
<br />
Reasons for decision<br />
<br />
<br />
The admissible lawsuit is justified with regard to application 1.d. Otherwise, the<br />
complaint is unfounded.<br />
<br />
<br />
I. Application for 1.a.<br />
<br />
The request is admissible but unfounded.<br />
<br />
<br />
1. The application is admissible; in particular, it is sufficiently specific according to § 253 para.<br />
2 No. 2 ZPO.<br />
<br />
An application for a cease and desist order - and, according to § 313 Paragraph 1 No. 4 ZPO, a<br />
conviction based on it – must not be so vague that the subject of the dispute<br />
and the scope of the court's examination and decision-making authority (§ 308 I<br />
ZPO) are not recognizably delimited, the defendant therefore cannot defend itself<br />
exhaustively, and the decision about what the defendant is prohibited from doing is<br />
ultimately left to the enforcement court. An application formulation in need of<br />
interpretation can, however, be accepted if further<br />
specification is not possible and the selected application formulation is required for granting<br />
effective legal protection (BGH GRUR 2017, 422 - ARD-Buffet, with further<br />
references). A claim limited to repeating the statutory prohibition<br />
does not in principle satisfy the requirements for certainty<br />
(BGH GRUR 2010, 749 para. 21 – reminder advertising in<br />
Internet). However, it is not fundamentally inadmissible to use terms in a complaint<br />
that require interpretation. The requirements for<br />
specifying the subject of the dispute in an injunction<br />
also depend on the peculiarities of the respective subject area (cf. BGH<br />
GRUR 2002, 1088, 1089 - encore bundle).<br />
<br />
According to these principles, the application 1.c. is sufficiently determined. Contrary to<br />
what the defendant argues, the application does not simply repeat the<br />
wording of the law, but names the specific form of the data (positive data)<br />
descriptively: “Positive data, i.e. personal data that does not have<br />
payment experiences or other non-contractual behavior as its content,<br />
but in particular information about the commissioning, implementation<br />
and termination of a contract.”<br />
<br />
The plaintiff also specifically names the data recipient in his application as<br />
credit agencies and, to clarify his request, names as examples<br />
SCHUFA and CRIF Bürgel GmbH ("in particular (...)").<br />
<br />
<br />
Insofar as the plaintiff excludes lawful data transfers from his application<br />
in order to avoid a partial dismissal, this is not<br />
objectionable. In particular, the use of indefinite terms and<br />
the partial repetition of the wording of the law are required. The repetition<br />
is also harmless as long as the rest of the application - as here - provides an<br />
adequate specification.<br />
<br />
<br />
A specific reference to a form of infringement (e.g. to an attachment) is<br />
neither possible nor expedient in the present case, because the data transmission can<br />
take various technical and factual forms and for this<br />
reason cannot be represented pictorially.<br />
<br />
<br />
2. The application is unfounded, however, since it also covers data transmission in the event of a<br />
possible future legitimate interest, i.e. behavior which<br />
would be permissible according to Art. 6 (1) sentence 1 lit. f) GDPR.<br />
<br />
<br />
It is true that the past data transmission alleged by the plaintiff<br />
was inadmissible because the requirements of Art. 6 (1) sentence 1 lit. f) GDPR,<br />
as far as the defendant has referred to the fight against fraudulent behavior,<br />
were not met. Despite the defendant's legitimate interest, which exists in principle,<br />
the necessary balancing of interests here falls to the detriment of the defendant,<br />
because the interests of the data subjects prevail. According to the defendant's model,<br />
the data transfer to credit bureaus was not tied to any further<br />
conditions and affected all positive data about the<br />
contractual relationship. The right to informational self-determination<br />
of those concerned was thus affected without the data having been reduced to a certain<br />
necessary minimum and without the data subject himself having given cause for the<br />
transmission. Consequently, the transmission of the data was incalculable and<br />
indefinable for the person concerned. The defendant could also have carried out<br />
the legitimation of new customers through its own identification and<br />
legitimation procedures. A blanket and preventive<br />
transmission of all data in connection with the contractual relationship<br />
without consent is neither usual in commercial transactions nor reasonably<br />
expected. It should also be noted that the transfer of data from<br />
everyday processes in a person's economic life can make it<br />
considerably more difficult for that person to conclude contracts in the future,<br />
without it being clear and understandable to them<br />
which data led to this state. The fundamental right to<br />
informational self-determination in relation to personal data enjoys such a<br />
high level of protection that its restriction may only be the exception. If<br />
unprovoked transmission of contract data were permitted, however, the<br />
rule-exception relationship would be reversed on the basis of a general suspicion.<br />
Ultimately, the defendant's line of argument would allow any data transmission, since<br />
more data can in principle lead to more security or more financial<br />
efficiency. This, however, would miss the meaning and purpose of Art. 6 Para. 1 lit. f)<br />
GDPR.<br />
<br />
<br />
Nevertheless, the application for injunctive relief is, as the defendant rightly pointed out in the<br />
oral hearing, too broad.<br />
<br />
<br />
A request must not be worded in such a way that it can also cover permissible acts<br />
(BGH GRUR 1999, 509/511 - stock gaps; GRUR 2002, 706 -<br />
vossius.de; GRUR 2004, 70 - price breaker; GRUR 2004, 605 - permanently low prices;<br />
GRUR 2007, 987 - change of default, there under item 22).<br />
<br />
But the latter is the case here. The plaintiff merely excludes cases of consent<br />
and of legal obligation, but not of legitimate interest.<br />
<br />
<br />
However, the broad version of the application for injunctive relief according to application 1.a.<br />
also covers, for example, cases in which – unlike in the past – a<br />
legitimate interest exists. This cannot be ruled out from the outset.<br />
<br />
The plaintiff did not show the latter either. It would also have been readily<br />
possible for the plaintiff to exclude these cases by a formulation equivalent to the<br />
further exclusions.<br />
<br />
<br />
II. Application for 1.b.<br />
<br />
<br />
The admissible application is unfounded.<br />
<br />
The plaintiff has no claim against the defendant to cease use of the clause<br />
designated in application 1.b. under §§ 1, 3 para. 1 No. 1, 4 UKlaG in conjunction with §§<br />
307 Paragraph 1, Paragraph 2 No.1 in conjunction with Article 5 Paragraph 1 Letter a), Article 6 Paragraph 1 Clause 1 GDPR.<br />
<br />
<br />
It is true that the transmission of positive data without cause, insofar as it is based only on<br />
general fraud prevention and identification, is not<br />
lawful according to the GDPR (see above).<br />
<br />
<br />
However, the clause is not subject to the general terms and conditions control, so § 1 UKlaG is not<br />
applicable.<br />
<br />
<br />
According to the plaintiff's submission, it is not apparent that the clause objected to<br />
was included as general terms and conditions when the contract was concluded.<br />
<br />
Rather, the plaintiff's submission only shows the inclusion of<br />
such a clause under clause 4.4. of the data protection information.<br />
<br />
<br />
An explicit provision regarding the relationship between data protection law<br />
and general terms and conditions law is found neither in Union nor in national law (von<br />
Lewinski/Herrmann, PinG 2017, 165 (171)).<br />
<br />
<br />
According to § 305 paragraph 1 sentence 1 BGB, general terms and conditions are all<br />
contract terms pre-formulated for a multitude of contracts which one<br />
contracting party (user) presents to the other contracting party when concluding a contract.<br />
<br />
<br />
However, the information obligations are non-dispositive law for the parties to the<br />
data processing (person responsible and data subject)<br />
(Paal/Hennemann, in: Paal/Pauly, DS-GVO/BDSG, 3rd edition 2021, DS-GVO Art. 13<br />
paragraph 7). The data protection notices are information that the<br />
person responsible has to provide without this depending on his or her will.<br />
For this reason, a will to be legally bound with regard to the content<br />
of the data protection notices is regularly absent. Conversely, data subjects are likely,<br />
rightly so, regularly not to assume that the person responsible<br />
is offering them a contract by means of the data protection information. A<br />
binding effect of data protection notices then already fails at the hurdle of<br />
§§ 133, 157 BGB.<br />
<br />
<br />
Insofar as data protection notices are provided within the scope of the information obligations according to Art. 13 and 14<br />
DS-GVO, they are not subject to the legal clause control of general terms and conditions, since they<br />
have no separate regulatory content in this respect (OLG Hamburg MMR 2015,<br />
740 with note Hansen/Struwe; KG MMR 2020, 239 with note Heldt, Ls. 5; Hacker,<br />
ZfPW 2019, 148 (184); Moos, in: Moos/Schefzig/Arning, Praxishdb. GDPR, 2nd edition,<br />
Chapter 2 paragraph 27; Wendehorst/Graf v. Westphalen, NJW 2016, 3745 (3748)).<br />
<br />
<br />
But that is the case here. The defendant informs the consumer about the<br />
sharing of data. A separate regulatory content cannot be inferred from this.<br />
In particular, a blended consent cannot be derived from the explanation either.<br />
The plaintiff does not submit that the notice is included in the conclusion of the contract for<br />
mobile phone contracts and that the impression of a legally binding<br />
commitment is created there. This is also what distinguishes the<br />
case from the judgment of the KG Berlin referred to by the plaintiff, judgment<br />
of March 21, 2019 - 23 U 268/13 -, juris.<br />
<br />
<br />
III. Application 1.c.<br />
<br />
The application is admissible, but unfounded in the form presented here.<br />
<br />
<br />
The plaintiff has no claim for injunctive relief against the defendant<br />
according to application 1.c. under Section 2 Paragraph 1, Paragraph 2 Clause 1 No. 11 b) UKlaG in conjunction with Section 25 Paragraph 1 Clause 1<br />
TTDSG in conjunction with GDPR.<br />
<br />
The former design of the cookie banner did not correspond to the<br />
requirements of § 25 Para. 1 TTDSG. The granting of consent cannot be regarded as<br />
"voluntary" within the meaning of the GDPR.<br />
<br />
According to Art. 4 No. 11 of Regulation (EU) 2016/679, consent is any expression of will<br />
given voluntarily for the specific case, in an informed manner and unequivocally,<br />
in the form of a declaration or another clear<br />
affirmative action by which the data subject indicates that they<br />
consent to the processing of their personal data.<br />
This presupposes that the consumer has a real choice when giving their consent<br />
and is not unilaterally steered in the direction of consent<br />
through the design of the cookie banner.<br />
<br />
<br />
This was the case with the disputed cookie banner.<br />
<br />
Because while the "Accept all" button, a one-click solution, was clearly designed as an<br />
eye-catcher in size, color and layout, continuing to surf<br />
"only with the necessary cookies" was hidden in the body text and thus insufficient in size, shape<br />
and design to be viewed as an actual and equivalent<br />
option.<br />
<br />
<br />
The option "Change settings" also does not lead to the<br />
effectiveness of the consent, since the button - as the state commissioner for<br />
data protection and freedom of information correctly described in his statement of February 27, 2023 -<br />
contains no declaration of intent, recognizable to the consumer, that stands as an<br />
alternative to the "Accept all" button, nor a reference to one.<br />
The wording "Change settings" contains no unmistakable reference to an<br />
alternative possibility - albeit on the second level – of rejecting the technically unnecessary<br />
cookies. So if the consumer sees a declaration of intent ("Accept all")<br />
and next to it an unspecific configuration option<br />
that does not indicate the possible subsequent declaration of intent (“Do not accept all / deselect<br />
all" etc.) and thus the option to choose,<br />
clicking the "Accept all" button does not constitute a free choice between two<br />
declarations of intent.<br />
<br />
<br />
However, the plaintiff's application is too broad and, with the<br />
wording "without providing in the cookie banner an opt-out option that is equivalent, equal and<br />
equally simple to use in form, function and coloring<br />
to the declaration of consent”, expressly contains an obligation to adopt<br />
a certain form of banner design. However, the latter follows neither from<br />
the provisions of the GDPR nor from the recitals.<br />
<br />
<br />
A certain form of design does not follow from the requirements for the<br />
voluntariness of consent. In particular, the plaintiff cannot<br />
enforce such a specific form of design by means of an<br />
injunction. Such a request runs counter to Section 2 (1) UKlaG.<br />
During the oral hearing, the plaintiff responded to the court's suggestion<br />
to delete or restrict this passage<br />
by stating that what matters is that an equivalent<br />
opt-out option must be present at the first level. However, an obligation<br />
to this effect can be derived neither from the UKlaG nor from the TTDSG or the DSGVO.<br />
Rather, different designs are conceivable that satisfy the<br />
requirements for voluntary consent.<br />
<br />
IV. Application 1.d.<br />
<br />
<br />
The application is admissible and justified.<br />
<br />
<br />
1. In any case, in its last form the application is sufficiently specific for the purposes of admissibility,<br />
since the specific form of infringement has been specified by reference to the<br />
description on pages 6 to 8 of the pleading of January 4th, 2023 (page 210-212 of the file).<br />
<br />
<br />
The restriction of the application is also permissible under § 264 No. 2 ZPO, since the<br />
changed request was included in the previous request as a minus with the same content.<br />
<br />
<br />
2. The application is justified.<br />
<br />
<br />
The plaintiff has a claim against the defendant for injunctive relief against the<br />
data transfer to the USA referred to, according to § 2 para. 2 sentence 1 no. 11 UKlaG in conjunction with<br />
§§ 8, 3 para. 1, 3a UWG in conjunction with Art. 44 et seq. GDPR.<br />
<br />
<br />
The transmission of IP addresses as well as browser and<br />
device information to Google LLC, the operator of Google analytics and<br />
marketing services based in the United States, is to be treated as undisputed and is not<br />
covered by the justifications of the GDPR.<br />
<br />
<br />
a. The transmission of IP addresses to Google LLC in the USA is deemed admitted according to Section 138<br />
Para. 2, 3 ZPO. The plaintiff has presented the transmission in a substantiated<br />
manner. The subsequent denial by the defendant in the brief of<br />
02.02.2023, however, is not sufficiently substantiated. Rather,<br />
despite picking up individual points, it ultimately amounts to a blanket dispute<br />
or doubting.<br />
<br />
<br />
The denying party's burden of substantiation depends on how substantiated the submission of the<br />
opponent bearing the burden of presentation is. The more detailed the submission of the<br />
party bearing the burden of presentation, the higher the substantiation requirements according to<br />
§ 138 paragraph 2 ZPO. Accordingly, substantiated submissions cannot in principle<br />
be disputed across the board. This presupposes that a substantiated<br />
counter-presentation is possible and reasonable for the contesting party, which as a rule<br />
is to be assumed if the alleged facts lie within its sphere of perception<br />
(BeckOK ZPO/von Selle ZPO § 138 Rn. 18; BGH NJW-RR 2019,<br />
1332 para. 23 with further references).<br />
<br />
<br />
Such is the case here. The transmission and processing of data lies in the<br />
defendant's area of perception and organization. It would therefore have been<br />
possible for the defendant to present in a substantiated manner under which<br />
prerequisites which data is transferred to Google LLC and where<br />
it is processed. It is therefore in particular not sufficient merely to cast doubt on<br />
whether the location of the IP address "142.250.185.228" is in the USA<br />
or whether the registered office of the company is independent of the location of the server of the<br />
IP address. It is just as insufficient to call into question the significance of the registration of the<br />
IP address and the annexes K11 and K12.<br />
<br />
<br />
b. The transmitted IP addresses constitute personal data both for the defendant and for Google<br />
LLC as the controller of the data transmission.<br />
<br />
<br />
Dynamic IP addresses represent personal data if the<br />
person responsible has legal means available which he could reasonably<br />
use to have the data subject determined on the basis of the stored IP address<br />
with the help of third parties (e.g. the competent authority and the<br />
Internet provider) (BGH ZD 2017, 424 = MMR 2017, 605).<br />
<br />
<br />
This is the case both with regard to the defendant and with regard to Google LLC.<br />
Both have the legal means available to draw conclusions about the natural person<br />
from the IP address via additional information.<br />
<br />
<br />
As a telecommunications provider and website operator, the defendant can, to the extent<br />
the visitors are its customers, identify without much effort Internet<br />
users to whom it has assigned an IP address, as it typically<br />
systematically records in files the date, time, duration and the<br />
dynamic IP address allocated to the Internet user. In combination,<br />
the incoming information can be used to create profiles of the natural<br />
persons and identify them (even without involving third parties)<br />
(cf. BeckOK data protection R/Shield DS-GVO Art. 4 para. 20).<br />
<br />
<br />
The same applies to Google LLC, which as a provider of online media services also<br />
has the means to create and evaluate personal profiles. In this context,<br />
the IP address can serve as a person-specific feature (cf. LG<br />
Munich I, judgment of January 20, 2022 - 3 O 17493/20) and, in combination with<br />
the use of other online services, be used for identification<br />
(Feldmann, in: Forgó/Helfrich/Schneider, operational data protection, 3rd edition 2019,<br />
Chapter 4. Data protection-compliant use of search engines in companies, para.<br />
12).<br />
<br />
<br />
Against this background, it can be left undecided whether data is also transmitted<br />
abroad to the Heap and Xandr services.<br />
<br />
<br />
c. An adequate level of data protection is not guaranteed in the USA (cf. ECJ<br />
<br />
judgment of July 16, 2020 – C-311/18 – Facebook Ireland and Schrems, hereinafter:<br />
Schrems II).<br />
<br />
<br />
The ECJ has ruled that the EU-US adequacy decision<br />
(“Privacy Shield”) is void without maintaining its effect. The<br />
transfer of data in question is therefore not covered by Art. 45 GDPR.<br />
<br />
d. Any standard data protection clauses also cannot justify the data transmission to<br />
the USA, as they are not suitable for ensuring a level of data protection<br />
appropriate to the GDPR, especially since such<br />
contracts do not protect against US government access.<br />
<br />
<br />
The defendant submits that it had concluded standard data protection clauses in the version valid<br />
until 27.12.2022 with its service providers, and these in turn with their<br />
sub-service providers. Although the plaintiff denies this,<br />
the defendant's submission, even if it is assumed to be true, would not be sufficient to<br />
justify the data transfer.<br />
<br />
<br />
In Schrems II, the ECJ stated that standard data protection clauses are in principle<br />
not objectionable as an instrument for international data traffic,<br />
but the ECJ also pointed out that<br />
standard data protection clauses are by their nature a contract and therefore<br />
cannot bind authorities of a third country:<br />
<br />
<br />
"Accordingly, there are situations in which the recipient of such a<br />
transmission, in view of the legal situation and the practice in the third country<br />
concerned, can guarantee the necessary data protection solely on the basis of<br />
standard data protection clauses, but also situations in<br />
which the provisions contained in these clauses may not<br />
constitute sufficient means to ensure, in practice, the effective protection of the<br />
personal data transmitted to the relevant third country.<br />
This is the case, for example, if the law of that third country<br />
allows its authorities to interfere with the rights of the data subjects<br />
with regard to this data.”<br />
<br />
(Schrems II, para. 126).<br />
<br />
<br />
The ECJ came to the conclusion that the EU-US<br />
adequacy decision, in view of the relevant US law and the<br />
implementation of official monitoring programs, does not guarantee an adequate<br />
level of protection for natural persons (Schrems II, para. 180 ff).<br />
<br />
<br />
If even the EU-US adequacy decision was declared invalid due to the legal situation in the<br />
USA, it certainly cannot be assumed<br />
that contractual ties between private legal entities can guarantee an appropriate<br />
level of protection according to Art. 44 GDPR for the data transfer to the<br />
USA in question. By their very nature, these cannot restrict foreign<br />
authorities in their power to act.<br />
<br />
<br />
This also corresponds to the assessment of the ECJ:<br />
<br />
<br />
“Because these standard data protection clauses, by their very nature, cannot offer guarantees<br />
beyond the contractual obligation to ensure compliance with the<br />
level of protection required under Union law, it may<br />
be necessary, depending on the situation in a certain third country,<br />
that the controller takes additional measures to ensure compliance<br />
with this level of protection.”<br />
<br />
<br />
(Schrems II, para. 133).<br />
<br />
<br />
The defendant did not make any submission on such measures, which, according to the "Recommendations 01/2020 on measures to supplement<br />
transmission tools to ensure the level of protection under Union law for<br />
personal data" of the EDPB, are probably contractual, technical or<br />
organizational measures.<br />
<br />
Such measures would have to be suitable for closing the<br />
gaps in legal protection identified by the ECJ in the Schrems II judgment, i.e. the access and<br />
surveillance capabilities of US intelligence services. This is<br />
not the case here.<br />
<br />
e. The defendant cannot successfully rely on consent within the meaning of Art. 49 para.<br />
1 lit. a) GDPR.<br />
<br />
<br />
An "express consent" within the meaning of Article 49 (1) (a) GDPR, given on the basis of<br />
sufficient information, among other things about the recipient of the information, has<br />
not even been set forth.<br />
<br />
<br />
According to Art. 4 No. 11 GDPR, consent is an unequivocally given<br />
expression of will in the form of a declaration or another clear<br />
affirmative action. For the consent required under Art. 49 (1) (a) GDPR,<br />
the wording additionally requires that the<br />
declaration is made "expressly". Given this different<br />
choice of words, higher requirements are to be placed on consent to transfers to third countries<br />
than on other consents. In particular, Art. 49<br />
<br />
Paragraph 1 lit.<br />
<br />
<br />
Among other things, the consenting party must have been informed as to which third countries<br />
and to which recipients his data is transmitted (BeckOK<br />
<br />
Data protectionR/Lange/Filip DS-GVO Art. 49 para. 7; Klein/Pieper in:<br />
<br />
Schwartmann/Jaspers/Thüsing/Kugelmann, DS-GVO/BDSG, Article 49 exceptions<br />
<br />
for certain cases para. 6).<br />
<br />
Here, however, the website visitors were by no means informed about data transmission to<br />
Google LLC. The former data protection information<br />
only informed about a transmission of data to Xandr and Heap,<br />
which obviously does not cover the recipient Google LLC.<br />
<br />
<br />
That the defendant, at the time of the data transfer to Google LLC on<br />
03.01.2023, used changed data protection notices that<br />
meet the above requirements is neither stated nor otherwise apparent.<br />
<br />
<br />
However, according to Art. 5 para. 1, 7 para. 1 DSGVO, it is up to the defendant<br />
to present and prove the prerequisites for the validity of the consent (cf.<br />
BeckOK data protection R/Stemmer DS-GVO Art. 7 para. 89-91.1; Diekmann, in:<br />
Koreng/Lachenmann, Form Manual Data Protection Law, 3rd edition 2021, 4th<br />
Consent of the persons concerned, note 1.-12.). This has not taken place for the relevant<br />
time on 01/03/2023.<br />
<br />
<br />
V. Applications 1.e. and 1.f.<br />
<br />
<br />
The plaintiff has no claim against the defendant to cease use of the clauses<br />
designated in applications 1.e. and 1.f. under §§ 1, 3 para. 1 No. 1, 4<br />
UKlaG in conjunction with §§ 307 Paragraph 1, Paragraph 2 No.1 in conjunction with Art. 44 et seq. GDPR.<br />
<br />
<br />
The clauses contained in the data protection information are not subject to the AGB<br />
control, so that § 1 UKlaG is not applicable (see above under point II). It must also be<br />
taken into account that the defendant only provides information about its<br />
services and products on its website. The offer of the website itself,<br />
on the other hand, does not represent a service that the defendant offers to consumers. Since<br />
calling up the page is not connected with the conclusion of a contract, the assumption<br />
that the data protection notices contain contractual terms and that the defendant<br />
in this respect has a will to be legally bound is far-fetched from the point of view of the consumer.<br />
Rather, the data protection notices are information that the<br />
person responsible provides without giving the consumer the impression<br />
that it wishes to be bound by the data protection information.<br />
<br />
<br />
VI. Application for 2<br />
<br />
<br />
The application for 2 is unfounded; with regard to the applications for 1.a. to c. and 1.e. and f.,<br />
if only because those applications are unfounded.<br />
<br />
<br />
But the flat-rate fee also cannot be demanded with regard to the second warning,<br />
because the warning at the time did not concern the now asserted specific allegation of a<br />
data transmission to Google LLC.<br />
<br />
<br />
vii<br />
</pre></div>Norman.aasmahttps://gdprhub.eu/index.php?title=User:Norman.aasma&diff=32140User:Norman.aasma2023-04-18T09:43:56Z<p>Norman.aasma: </p>
<hr />
<div>'''Norman Aasma''', Country reporter for Estonia & Germany<br />
<br />
LL.M. student at University of Oslo<br />
<br />
Junior Data Protection Associate<br />
<br />
'''CV''': [https://linkedin.com/in/norman-aasma-0256b21a5 linkedin.com/in/norman-aasma-0256b21a5]<br />
<br />
<br />
<br />
<br />
'''My contributions''':<br />
<br />
[[AKI (Estonia) - 2.1.-4/22/2585]]<br />
<br />
[[AKI (Estonia) - 2.1.-5/22/22012]] <br />
<br />
[[BlnBDI (Berlin) - C-807/21 - Deutsche Wohnen]]<br />
<br />
[[The FG München - Auskunftsanspruch nach Art. 15 DSGVO]]<br />
<br />
[[AKI (Estonia) - 2.1-3/22/2542]]<br />
<br />
[[AKI (Estonia) - 2.1.-1/23/2891-5]]</div>Norman.aasmahttps://gdprhub.eu/index.php?title=User:Norman.aasma&diff=32139User:Norman.aasma2023-04-18T09:37:03Z<p>Norman.aasma: </p>
<hr />
<div>'''Norman Aasma''', Country reporter for Estonia & Germany<br />
<br />
LL.M. student at University of Oslo<br />
<br />
'''CV''': [https://linkedin.com/in/norman-aasma-0256b21a5 linkedin.com/in/norman-aasma-0256b21a5]<br />
<br />
<br />
<br />
<br />
'''My contributions''':<br />
<br />
[[AKI (Estonia) - 2.1.-4/22/2585]]<br />
<br />
[[AKI (Estonia) - 2.1.-5/22/22012]] <br />
<br />
[[BlnBDI (Berlin) - C-807/21 - Deutsche Wohnen]]<br />
<br />
[[The FG München - Auskunftsanspruch nach Art. 15 DSGVO]]<br />
<br />
[[AKI (Estonia) - 2.1-3/22/2542]]<br />
<br />
[[AKI (Estonia) - 2.1.-1/23/2891-5]]</div>Norman.aasmahttps://gdprhub.eu/index.php?title=AKI_(Estonia)_-_2.1.-1/23/2891-5&diff=32137AKI (Estonia) - 2.1.-1/23/2891-52023-04-18T09:34:29Z<p>Norman.aasma: Created page with "{{DPAdecisionBOX |Jurisdiction=Estonia |DPA-BG-Color= |DPAlogo=LogoEE.png |DPA_Abbrevation=AKI |DPA_With_Country=AKI (Estonia) |Case_Number_Name=2.1.-1/23/2891-5 |ECLI= |Or..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Estonia<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoEE.png<br />
|DPA_Abbrevation=AKI<br />
|DPA_With_Country=AKI (Estonia)<br />
<br />
|Case_Number_Name=2.1.-1/23/2891-5<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Andmekaitse Inspektsioon<br />
|Original_Source_Link_1=https://www.aki.ee/sites/default/files/ettekirjutus-hoiatus_isikuandmete_kaitse_asjas_2.1-1-23-2891_eraisik.pdf<br />
|Original_Source_Language_1=Estonian<br />
|Original_Source_Language__Code_1=ET<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Other<br />
|Outcome=<br />
|Date_Started=26.01.2023<br />
|Date_Decided=10.03.2023<br />
|Date_Published=12.04.2023<br />
|Year=2023<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 6(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR#1a<br />
|GDPR_Article_2=Article 6(1)(f) GDPR<br />
|GDPR_Article_Link_2=Article 6 GDPR#1f<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=§ 10 IKS<br />
|National_Law_Link_1=https://www.riigiteataja.ee/en/eli/523012019001/consolide<br />
|National_Law_Name_2=§ 4 IKS<br />
|National_Law_Link_2=https://www.riigiteataja.ee/en/eli/523012019001/consolide<br />
|National_Law_Name_3=<br />
|National_Law_Link_3=<br />
|National_Law_Name_4=<br />
|National_Law_Link_4=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Norman Aasma<br />
|<br />
}}<br />
<br />
The Estonian Data Protection Authority held that the disclosure of debtors' personal data in a public Facebook group without a legal basis is unlawful.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The Estonian DPA received a complaint regarding the disclosure of private debt data in the Facebook group "XXX" (here controller). After receiving the complaint, the DPA launched an investigation into the matter. The investigation concerns a Facebook group in which the group members make posts that include the personal data of other people. The aim of some of the posts has been to warn other people against transacting with the individuals whose personal information is disclosed in the posts. At the same time, certain posts are made with the purpose of influencing the debtor and putting pressure on the debtor to pay the debt. Because the controller made the Facebook group public, the personal data published there has been available to everyone without any restrictions. <br />
In February 2023, the DPA made a proposal to the controller to stop the publication of postings containing personal data on a Facebook group "XXX" that the controller manages. The controller had a talk with the DPA, but the proposal has not been complied with by the controller.<br />
<br />
=== Holding ===<br />
The DPA held that, under [[Article 4 GDPR#7|Article 4(7) GDPR]], the controller is the one who determines the purposes for which the personal data are processed (group name, rules) and the means (choice of social media platform, public group), so it is the controller who is responsible for ensuring that the disclosure of data in that group is lawful. The DPA highlighted that under [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]], processing of personal data is lawful only where the data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes. In the current case, the DPA held that the controller had not provided evidence that the data subjects had consented to the disclosure of their personal data, nor that any such consent met the requirements set out in Article 4(11) of the GDPR.<br />
The DPA also recalled that, where personal data are processed on the basis of a legitimate interest under Article 6(1)(f), the data processor must ensure that the purposes for which the personal data are processed override the rights and freedoms of the data subject. However, in the current scenario, processing personal data for the sole purpose of a public alert cannot be justified on the basis of legitimate interest. Furthermore, the controller has not provided the DPA with a legitimate interest analysis for the processing of personal data. <br />
At the same time, the DPA noted that, in addition to the legal basis of [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]], it is possible to publish the personal data of debtors on the basis of Article 10 of the Personal Data Protection Act, according to which, in the event of a breach of an obligation, the disclosure to a third party of personal data relating to the breach of the obligation and the processing of the transmitted data by that third party is lawful for the purposes of assessing the creditworthiness of the data subject or for any other similar purpose, but only if three conditions are met:<br />
1) the data controller has verified that there is a legal basis for the transfer;<br />
2) the data controller has verified the accuracy of the data;<br />
3) the data transfer has been recorded (keeping a record of to whom and what the data was transferred).<br />
The DPA held that the controller had not checked the legal basis for the transfer of personal data. As the debt data was published in the public domain, the controller was not able to control who could actually see the data, and therefore whether the recipient of the data had the necessary legal basis. Thus, it was not possible to rely on Article 10 of the Personal Data Protection Act for the processing. Nor could the publication of such debt data be justified on grounds of public interest, as the public interest criterion was not met and that would have required compliance with the code of journalistic ethics, which was not complied with in the case. <br />
The DPA held that the controller is therefore required to cease the disclosure of other people's posts containing personal data in the Facebook group 'XXX'.<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Estonian original. Please refer to the Estonian original for more details.<br />
<br />
<pre><br />
PRIVACY PROTECTION AGAINST STATE TRANSPARENCY<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
PRESCRIPTION WARNING<br />
personal data protection case no. 2.1.-1/23/2891-5<br />
<br />
<br />
<br />
<br />
Alissa Hmelnitskaja, lawyer of the Data Protection Inspectorate, issued the order<br />
<br />
Time of prescription<br />
and place 10.03.2023 in Tallinn<br />
<br />
Addressee of the prescription - XXX<br />
e-mail address of the personal data processor: XXX<br />
<br />
<br />
RESOLUTION:<br />
§ 56 subsection 1, subsection 2 point 8, § 58 subsection 1, § 10 of the Personal Data Protection Act (IKS) and<br />
Article 58 paragraph 1 point d and paragraph 2 of the General Regulation on Personal Data Protection (GPR).<br />
<br />
on the basis of clauses f and g, as well as taking into account Article 6 of the IKÜM, Data Protection does<br />
Inspection to fulfill the mandatory prescription:<br />
1. Terminate the Facebook group "XXX" managed by XXX, without IKÜM Article 6<br />
Disclosure of other people's personal data without consent in accordance with subsection 1 point a.<br />
<br />
I set 24.03.2023 as the deadline for fulfilling the injunction. Report the fulfillment of the prescription<br />
by this deadline at the latest to the e-mail address of the Data Protection Inspectorate at info@aki.ee.<br />
<br />
<br />
DISPUTE REFERENCE:<br />
This order can be challenged within 30 days by submitting either:<br />
- a complaint to the Data Protection Inspectorate under the Administrative Procedure Act or<br />
- a complaint to the administrative court according to the Code of Administrative Court Procedure (in this case it is no longer possible<br />
to review the argument in the same matter).<br />
<br />
Challenging an injunction does not suspend the obligation to fulfill it or the measures necessary for its fulfillment<br />
<br />
implementation.<br />
<br />
EXTORTION WARNING:<br />
If the injunction has not been fulfilled by the set deadline, the Data Protection Inspectorate will determine<br />
to the addressee of the injunction on the basis of § 60 of the Personal Data Protection Act:<br />
A fine of 1,500 euros.<br />
<br />
<br />
A fine may be imposed repeatedly - until the injunction is fulfilled. If the recipient does not pay<br />
extortion money, it is forwarded to the bailiff to start enforcement proceedings. In this case, they are added<br />
bailiff's fee and other enforcement costs for the enforcement money.<br />
<br />
VIOLATION PENALTY WARNING:<br />
Protection of personal data against failure to comply with the injunction pursuant to Article 58 (2) of the General Regulation<br />
misdemeanor proceedings may be initiated based on § 69 of the Personal Data Protection Act. For this act<br />
<br />
a natural person may be fined up to 20,000,000 euros and a legal person
may be punished with a fine of up to 20,000,000 euros or up to 4 percent of his previous
of the total worldwide annual turnover of the financial year, whichever is the amount
bigger. The out-of-court procedure for a misdemeanor is the Data Protection Inspectorate.

Tatari tn 39 / 10134 Tallinn / 627 4135 / info@aki.ee / www.aki.ee
Registration code 70004235
<br />
FACTUAL CIRCUMSTANCES:<br />
In the proceedings of the Data Protection Inspectorate (AKI) there is a person's complaint regarding the debt data of private individuals<br />
with disclosure in the Facebook group "XXX". Therefore, AKI initiated the supervision procedure.<br />
<br />
<br />
As part of the supervision procedure, on 26.01.2023 AKI made XXX (hereinafter also the data processor or<br />
controller) proposal in personal data protection case no. 2.1.-1/23/2891-2, the content of which was<br />
the following: "stop disclosing posts containing personal data in your managed<br />
in the Facebook group "XXX". The deadline for responding to the proposal was 10.02.2023. In the proposal<br />
drew the attention of the AKI, among others, to the possibility of making an injunction and imposing a fine and<br />
to the right to file a case before issuing an administrative act in accordance with § 40 (1) of the Administrative Procedure Act<br />
<br />
about your opinion and objections.<br />
<br />
The data processor has received AKI's proposal and on 09.02.2023 expressed a desire to chat<br />
with the official. The conversation took place on 15.02.2023 by telephone, during which the official gave<br />
further clarifications on the proposal. As of 10.03.2023, the data processor is not AKI<br />
completed the proposal.<br />
<br />
<br />
<br />
GROUNDS FOR DATA PROTECTION INSPECTION:<br />
Pursuant to article 4 point 1 of ICYM, personal data is any information identified or<br />
about an identifiable natural person (data subject). An identifiable natural person is a person who can<br />
to identify directly or indirectly, in particular on the basis of an identification feature such as a name,<br />
personal code, location information; but also one or more physical, physiological of this natural person<br />
<br />
based on the feature. Therefore, personal data also includes a person's name, image and other information that<br />
enables identification.<br />
<br />
In this case, it is a public Facebook group in which other people's actions are made<br />
posts containing personal data. In the case of certain posts, it is a matter of warnings, perhaps<br />
the purpose of the post is to warn other people to avoid entering into transactions with persons,<br />
whose personal data is disclosed. At the same time, posts are also made in this group which<br />
<br />
the purpose is to influence the debtor and pressure the debtor to pay off the debt. Examples:<br />
1) The post was made on 19.02.2023 at 13:02. On the computer network: XXX<br />
2) The post was made on 19.02.2023 at 13:00. On the computer network: XXX<br />
3) The post was made on 19.02.2023 at 13:06. On the computer network: XXX<br />
4) The post was made on 19.02.2023 at 13:01. On the computer network: XXX<br />
5) The post was made on 19.02.2023 at 13:06. On the computer network: XXX<br />
6) Cont<br />
<br />
<br />
According to article 4 point 2 of the IKÜM, the processing of personal data is personal data or theirs<br />
an automated or non-automated operation or set of operations performed with sets, incl<br />
distributing them or otherwise making them available to the public.<br />
<br />
Article 4 point 7 of IKÜM states that the responsible processor is a natural or legal person,<br />
a public sector institution, agency or other body that, alone or together with others, determines<br />
<br />
purposes and means of personal data processing. Facebook has determined that the group<br />
the administrator (or data processor) has access to the Facebook group with full control.<br />
This means that the data processor can change the name of the group or its privacy settings, can delete posts and comments written about it. It follows that the contested<br />
As a Facebook group administrator, the data processor has the opportunity to change the name of the given group and<br />
delete posts made in the group and comments made about it.<br />
<br />
<br />
In addition, the data processor, as an administrator, has assigned the name of this group to "XXX" and is<br />
made this group public, which has clearly directed the discussion in the group<br />
(created a group for the purpose of allowing users to post on specific topics) and<br />
due to the fact that the data processor made the group public, personal data will be disclosed there<br />
unlimited for everyone.<br />
<br />
<br />
Taking into account the above, AKI considers that the data processor is in accordance with Article 4, Clause 7 of the IKÜM<br />
controller, as it determines the purposes of personal data processing (group name,<br />
rules) and tools (choice of social media platform, public group). Data processor as a group<br />
the administrator is responsible for ensuring that the disclosure of data is legal.<br />
<br />
<br />
The principles of personal data processing are set out in Article 5 of the IKÜM, which must be followed by the person in charge<br />
processor to follow, including the principle of legality. The processing of personal data is legal,<br />
if it corresponds to one of the legal grounds set out in Article 6 of the IKÜM (consent, performance of the contract,<br />
legal obligation, protection of vital interests, to fulfill a task in the public interest or<br />
<br />
for the exercise of public authority, legitimate interest).<br />
<br />
1. IKYM article 6 paragraph 1 point a<br />
<br />
IKÜM Article 6(1)(a) states that the processing of personal data is legal only if<br />
<br />
if the data subject has given consent to process his personal data in one or more ways<br />
for a specific purpose.<br />
<br />
In article 4, clause 11 of the UNCLOS, consent is defined as "voluntary, specific, informed and<br />
an unequivocal statement of intent to which the data subject either in the form of a statement or express consent<br />
<br />
by expressing his consent to the processing of his personal data":<br />
<br />
a) The word "voluntary" means truly free choice and control for the data subject.<br />
In general, IKÜM stipulates that if the data subject does not have a real<br />
option if he feels compelled to consent or if he has to not consent<br />
<br />
failure to bear negative consequences, the consent is invalid. If consent is part<br />
of non-negotiable terms, shall not be deemed to have been voluntarily given. So no<br />
the consent shall be considered as consent given voluntarily if the data subject cannot be deprived of it<br />
refuse or withdraw consent without adverse consequences.<br />
b) "Specific" means that the consent of the data subject must be given "on one or<br />
<br />
for several specific purposes". According to IKÜM article 5 paragraph 1 point b precedes<br />
accurate, clear and lawful processing always planned for obtaining valid consent<br />
determining the goal. Necessity of specific consent together with Article 5 paragraph 1<br />
by delimiting the purpose according to point b, prevent the purposes of data processing<br />
gradual expansion or obfuscation after the data subject has provided<br />
<br />
your consent to data collection.<br />
c) IKÜM strengthens the requirement that consent must be informed. On the basis of Article 5 of the Convention<br />
One of the basic principles is transparency, which is closely related to legality and justice<br />
with the principle. Providing information to data subjects before obtaining their consent is<br />
important to enable data subjects to make an informed decision, to understand what<br />
<br />
they agree, and for example exercise their right to withdraw consent.<br />
<br />
1 Facebook Help Center: https://www.facebook.com/help/901690736606156;<br />
https://www.facebook.com/help/289207354498410?helpref=faq_content<br />
2 Similarly, in decision C-210/16, the European Court has concluded that the administrator of the Facebook page is responsible
processor within the meaning of Article 2 point d of Directive 95/46.

d) It is clearly stated in IKÜM that a statement from the data subject is required for consent or
a clear action expressing consent, which means that it must always be given<br />
by taking active steps or providing confirmation. It should be obvious that<br />
the data subject has consented to the specific processing. Silence of the data subject or<br />
<br />
inaction and merely continuing to use the service cannot be considered an active choice<br />
to do.<br />
<br />
In addition, the controller must keep in mind that the obligation to prove consent lies precisely<br />
on him.<br />
<br />
<br />
As a result of the above, the controller cannot rely on IKÜ Article 6(1)(a) because<br />
has not provided AKI with proof that personal data is disclosed to the data subject<br />
with consent and that the consent is valid in accordance with the provisions of article 4, clause 11 of the IKÜM<br />
requirements.<br />
<br />
<br />
2. IKYM article 6 paragraph 1 p f<br />
<br />
IKÜM article 6 paragraph 1 point f, i.e. personal data processing on the basis of legitimate interest<br />
the data processor must be convinced that the purpose of personal data processing is more compelling than<br />
<br />
the rights and freedoms of the data subject and articles 21 (right to object) and 17 of the IKÜM<br />
(right to deletion of data) the processing of personal data must be terminated if<br />
the data processor is unable to prove that the processing is for a compelling legitimate reason that weighs<br />
the interests, rights and freedoms of the data subject.<br />
<br />
<br />
Processing of personal data on the basis of legitimate interest must be preceded by the data processor<br />
the analysis carried out in terms of the legitimate interest and importance of the data processor and third parties,<br />
analysis and subsequent weighing of the rights and interests of the data subject and their weighting<br />
between the interests of the data processor and the data subject. 3<br />
<br />
<br />
AKI is of the opinion that the processing of personal data for the mere purpose of public warning is not<br />
legitimate on the basis of legitimate interest. In addition, the data controller is not entitled to the AKI<br />
interest analysis.<br />
<br />
3. IKS § 10<br />
<br />
<br />
In addition to the legal bases mentioned in Article 6 of the IKÜM, it is possible for debtors<br />
to disclose data, rely on IKS § 10, which stipulates that with a breach of a debt relationship<br />
disclosure of related personal data to a third party and processing of transmitted data<br />
a third party is allowed to assess the creditworthiness of the data subject or otherwise<br />
<br />
for the same purpose and only if all three conditions are met:<br />
1) the data processor has verified that there is a legal basis for data transmission;<br />
2) the data processor has checked the correctness of the data;<br />
3) the data transmission is registered (keeping information about who and what was transmitted).<br />
<br />
<br />
In this case, according to AKI, the presumption that the data controller would have checked has not been met<br />
legal basis for the transfer of personal data. However, the controller has disclosed<br />
debt data in unlimited public view, which means that the data controller cannot<br />
to check who can see the data and therefore also check whether the recipient of the data has<br />
legal basis.<br />
<br />
<br />
In addition, according to IKS § 10 (2) point 3, the processing of a person's debt data (including on Facebook)<br />
<br />
<br />
3 AKI Guide to Legitimate Interest, page 6. Available on the computer network:<br />
https://www.aki.ee/sites/default/files/dokumendid/oigudustu_huvi_juhend_aki_26.05.2020.pdf

allowed if it would excessively harm the rights and freedoms of the data subject. So it comes
the data processor must assess whether the right of the data is based on the circumstances of each specific case<br />
to the processing outweighs the interference caused to the privacy of the person or not.<br />
<br />
AKI is of the opinion that in this case the disclosure of personal data of different people is<br />
large-scale, as it is carried out via the Internet (including Facebook). Internet data<br />
<br />
disclosure increases people's vulnerability, as the given environment is sometimes uncontrollable<br />
and it is not possible to identify who has received information related to personal data and what is doing with it<br />
forward with the information.<br />
<br />
Therefore, on the basis of § 10 of the IKS, the requirements for disclosure of personal data are not met.<br />
<br />
4. IKS § 4<br />
<br />
<br />
In certain cases, there may be a journalistic justification for disclosing some people's data<br />
for the purpose. According to IKS § 4, personal data may be processed without the data subject's consent<br />
for journalistic purposes, in particular to disclose in the media, if there is a public interest and that<br />
is in line with the principles of journalistic ethics. Disclosure of personal data may not be excessive<br />
harm the rights of the data subject.<br />
<br />
<br />
In order to disclose personal data on the basis of § 4 of the IKS, three conditions must be met:<br />
1. there is a public interest in the disclosure of personal data;<br />
2. the disclosure is in accordance with the rules of journalistic ethics;<br />
3. the disclosure of personal data must not excessively harm the rights of the data subject.<br />
<br />
According to AKI, the criterion of public interest is not met in this case. Public interest<br />
<br />
the existence can be confirmed if the topic raised and personal data disclosed contribute<br />
to debate in a democratic society. The latter could be the case, for example, if<br />
a published opinion piece, for example, about why loans are taken lightly in Facebook groups in Estonia<br />
are taken and, on the contrary, loans are given, but the disclosure of personal data of individual debtors such<br />
does not have the driving force of the discussion.<br />
<br />
Also, the data processor has not proven to AKI that the code of journalistic ethics has been met<br />
<br />
requirements, because the data subject is not heard before publishing the debt data (p. of the Code).<br />
4.2) and he is not given the opportunity to submit an objection (p. 5 of the Code).<br />
<br />
AKI is of the opinion that data processing is accompanied by an obvious inviolability of the privacy of data subjects<br />
interference, which, in addition to the lack of a legal basis, is also excessive considering the composition of the data.<br />
For example, it is not legal to disclose photos of the debtor or other people, held with the person(s).<br />
complete extracts of conversations, etc.<br />
<br />
<br />
Since the criteria for the application of IKS § 4 have not been met, personal data cannot be obtained on the basis of IKS § 4<br />
to disclose.<br />
<br />
AKI notes that in the case of payment defaults, it must be borne in mind that in the event of arrears, there will be<br />
in order to achieve payment of the debt, the creditor can primarily use § 101 of the Law of Obligations Act<br />
listed legal remedies, one of which is to demand the performance of an obligation. of persons<br />
<br />
the publication of payment default data is not only a pressure measure to achieve payment of the debt<br />
permissible.<br />
<br />
Taking the above into account, AKI is of the opinion that in this case other people<br />
There is no disclosure of personal data referred to in Article 6, paragraph 1 of the IKÜM<br />
legal grounds and the data processor has not proven to AKI that the data<br />
<br />
the legal basis for disclosure comes from IKS § 10.

Personal data has been processed without any legal basis, therefore the controller must stop the processing of other people's
disclosure of posts containing personal data in the Facebook group "XXX".<br />
<br />
According to IKS § 58 paragraph 1 and IKÜ Article 58 paragraph 2 points f and g, the inspection has the right<br />
to issue an order to limit the processing of personal data. Considering that in a particular case<br />
the personal data of natural persons is disclosed illegally and that the responsible processor is not<br />
<br />
fulfilled the AKI's proposal of 26.01.2023, the AKI considers that making a mandatory injunction given<br />
in the matter, it is necessary to end the offense as soon as possible.<br />
<br />
<br />
<br />
(signed digitally)<br />
Alissa Khmelnitskaya<br />
<br />
lawyer<br />
on the authority of the Director General<br />
</pre></div>Norman.aasmahttps://gdprhub.eu/index.php?title=User:Norman.aasma&diff=31724User:Norman.aasma2023-03-18T21:39:39Z<p>Norman.aasma: </p>
<hr />
<div>'''Norman Aasma''', Country reporter for Estonia & Germany<br />
<br />
LL.M. student at University of Oslo<br />
<br />
'''CV''': [https://linkedin.com/in/norman-aasma-0256b21a5 linkedin.com/in/norman-aasma-0256b21a5]<br />
<br />
<br />
<br />
<br />
'''My contributions''':<br />
<br />
[[AKI (Estonia) - 2.1.-4/22/2585]]<br />
<br />
[[AKI (Estonia) - 2.1.-5/22/22012]] <br />
<br />
[[BlnBDI (Berlin) - C-807/21 - Deutsche Wohnen]]<br />
<br />
[[The FG München - Auskunftsanspruch nach Art. 15 DSGVO]]<br />
<br />
[[AKI (Estonia) - 2.1-3/22/2542]]</div>Norman.aasmahttps://gdprhub.eu/index.php?title=AKI_(Estonia)_-_2.1-3/22/2542&diff=31723AKI (Estonia) - 2.1-3/22/25422023-03-18T21:38:59Z<p>Norman.aasma: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Estonia<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoEE.png<br />
|DPA_Abbrevation=AKI<br />
|DPA_With_Country=AKI (Estonia)<br />
<br />
|Case_Number_Name=2.1-3/22/2542<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Estonian Data Protection Inspectorate<br />
|Original_Source_Link_1=https://www.aki.ee/sites/default/files/vaideotsused/2022/tehver_ja_partnerid_vaideotsus_eesti_ehitu.pdf<br />
|Original_Source_Language_1=Estonian<br />
|Original_Source_Language__Code_1=ET<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Other<br />
|Outcome=<br />
|Date_Started=25.10.2022<br />
|Date_Decided=08.12.2023<br />
|Date_Published=06.02.2023<br />
|Year=2023<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=<br />
|GDPR_Article_Link_1=<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=§ 45 (1)(3) AvTS<br />
|National_Law_Link_1=https://www.riigiteataja.ee/en/eli/ee/502012023005/consolide/current<br />
|National_Law_Name_2=§ 51 (1)(3)<br />
|National_Law_Link_2=https://www.riigiteataja.ee/en/eli/ee/502012023005/consolide/current<br />
|National_Law_Name_3=§ 51 (1)(7)<br />
|National_Law_Link_3=https://www.riigiteataja.ee/en/eli/ee/502012023005/consolide/current<br />
|National_Law_Name_4=§ 75ˇ1(4) VVS<br />
|National_Law_Link_4=https://www.riigiteataja.ee/en/eli/ee/502012023006/consolide/current<br />
|National_Law_Name_5=§ 85(2) HMS<br />
|National_Law_Link_5=https://www.riigiteataja.ee/en/eli/ee/527032019002/consolide/current<br />
|National_Law_Name_6=<br />
|National_Law_Link_6=<br />
|National_Law_Name_7=<br />
|National_Law_Link_7=<br />
<br />
|Party_Name_1=Eesti Ehitusinseneride Liit MTÜ<br />
|Party_Link_1=<br />
|Party_Name_2=OÜ Advokaadibüroo Tehver & Partnerid<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Norman Aasma<br />
|<br />
}}<br />
<br />
Estonian DPA held that disclosure of the part of the application of the applicant for engineering qualification that includes information related to the major works, projects and studies does not infringe on the inviolability of private life.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Jaanus Tehver, an attorney-at-law at the law firm Advokaadibüroo Tehver & Partnerid (the data subject), lodged a complaint with the Estonian Data Protection Inspectorate against a decision of the Estonian Association of Civil Engineers (the controller), in which the latter refused to comply with the attorney's request for information. <br />
The dispute concerned information about applicants for engineering qualification. <br />
The Data Protection Inspectorate issued a statement of objection obliging the Estonian Association of Civil Engineers to disclose the information to the extent that no restrictions applied. After the DPA had issued this initial decision, the Association of Civil Engineers disclosed the information to which no restrictions applied. <br />
<br />
The data subject was not satisfied with the disclosure, finding that the requested information still had not been disclosed, and also noted that the document to which the request related cannot contain information to which access restrictions could be applied under the Public Information Act. In the data subject's view, non-disclosure could be legitimate only if disclosure would lead to a significant impairment of the data subject's privacy. The data subject also argued that the Estonian Association of Civil Engineers' refusal to comply with the request for information infringes the data subject's right to receive public information. <br />
The data subject took the view that personal data on where and for how long an applicant for engineering qualification attended school, which further training the applicant received, and data about the applicant's personal characteristics, state of health, and assessments of his or her level of knowledge and abilities cannot be regarded as data whose disclosure would substantially undermine or adversely affect the inviolability of the data subject's private life. <br />
<br />
The Estonian Association of Civil Engineers, however, justified the non-disclosure by arguing that the requested information formed part of the applicants' private life and that its disclosure would infringe the inviolability of private life. The controller referred to the case law of the European Court of Human Rights, which highlighted that activities of a professional and commercial nature also fall under the notion of private life. The controller also noted that there was neither a legal basis nor a purpose for disclosing the requested information to an unlimited number of persons. The controller further referred to Estonian legislation that was supposed to justify the non-disclosure of the requested information.<br />
<br />
=== Holding ===<br />
The DPA held that although information provided to a professional organisation in order to obtain a vocation does not usually fall under special categories of personal data, this does not exclude the possibility of imposing an access restriction on such information. The DPA referred to the Constitution of the Republic of Estonia, which includes the right to inviolability of private life and extends to the protection of personal data, including personal data related to a person's education and skills. <br />
<br />
The DPA highlighted that it is important to weigh the right to privacy and the right of public access to information against each other. <br />
The DPA held that the Estonian Association of Civil Engineers had appropriately disclosed the requested documents to the data subject, to the extent that they do not contain restricted data. In its decision, the DPA obliged the controller to reassess the part of the request for information relating to works, studies and projects carried out by the applicant for engineering qualification, and to provide the requested information to the extent that it does not include information related to third parties. <br />
<br />
If the controller still refuses to disclose that part of the information, it must justify how the disclosure of such information would seriously undermine or damage the inviolability of the individual's private life, if the official building register already contains the relevant information.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Estonian original. Please refer to the Estonian original for more details.<br />
<br />
<pre><br />
PRIVACY PROTECTION AGAINST STATE TRANSPARENCY<br />
<br />
<br />
DECISION ON APPEAL<br />
and<br />
PRESCRIPTION WARNING<br />
in public information case no. 2.1-3/22/2542<br />
<br />
<br />
<br />
<br />
Appeal decision and injunction maker: Elve Adamson, lawyer of the Data Protection Inspectorate<br />
<br />
Appeal decision and injunction time and place of execution: 08.12.2022 in Tallinn<br />
<br />
Time of submission of objection 25.10.2022 (registered in the inspection on 26.10.2022)<br />
<br />
The owner of the information is the Estonian Construction Engineers Union, NGO<br />
address: A.H. Tammsaare tee 47, 11316 Tallinn<br />
<br />
e-mail address: info@ehitusinsener.ee<br />
<br />
Member of the management board of the person in charge of the whistleblower<br />
<br />
<br />
OÜ Advokaadibüroo Tehver & Partners<br />
Complainant (information requester) Attorney-at-law Jaanus Tehver<br />
<br />
e-mail address: jaanus@tehver.ee<br />
<br />
<br />
RESOLUTION:<br />
§ 45 (1) point 1 of the Public Information Act (AvTS), § 51 (1) points 3 and 7, administrative procedure<br />
(HMS) § 85 point 2 and § 75¹ subsection 4 of the Government of the Republic Act.<br />
on the basis of<br />
<br />
1) I make an appeal decision to partially satisfy the appeal;<br />
2) I make a mandatory prescription for the holder of the information to comply with:<br />
Re-examine the applicant for the invitation requested by the objector in the request for information<br />
the part of the application/request, where the most important works/projects/expertise are reflected and<br />
<br />
issue the aforementioned part of the document to the extent that it does not include third parties<br />
data. In the opinion of the inspectorate, the disclosure of such information does not harm those who requested the invitation<br />
the inviolability of a person's private life, as it is not related to private life, but to professional activities. In addition, there is<br />
corresponding data also in the building register. However, if the Union of Civil Engineers finds that their<br />
the disclosure of data significantly infringes on the integrity of a person's private life, then justify why<br />
the important catch is.<br />
<br />
3) to reject the objection in the full scope of the remaining documents requested in the request for information<br />
in terms of issuance, as the Union of Civil Engineers has duly complied with the injunction and<br />
issued documents in the part that does not contain restricted information<br />
4) I set December 22, 2022 as the deadline for fulfilling the injunction<br />
<br />
Pursuant to AvTS § 52, the holder of the information must within five working days of receiving the injunction<br />
to take measures to comply with the order and report it to Data Protection<br />
For inspection.<br />
<br />
Tatari tn 39 / 10134 Tallinn / 627 4135 / info@aki.ee / www.aki.ee<br />
Registration code 70004235<br />
<br />
<br />
DISPUTE REFERENCE:<br />
The complainant can only appeal to the administrative court against the information holder within 30 days<br />
in the unsatisfied part of the appeal decision (point 3 above). The complainant will receive within 30 days<br />
apply to the administrative court against the Data Protection Inspectorate, as the Data Protection Inspectorate<br />
violated the complainant's rights in another way during the proceedings.<br />
<br />
<br />
The whistleblower can challenge the injunction (point 2 above) within 30 days by submitting<br />
either:<br />
- a complaint under the Administrative Procedure Act to the Director General of the Data Protection Inspectorate or<br />
-appeal to the administrative court in accordance with the Code of Administrative Court Procedures (in the case of the case in question<br />
to review the dispute in the matter).<br />
<br />
Challenging an injunction does not suspend the obligation to fulfill it or the measures necessary for its fulfillment<br />
implementation.<br />
<br />
<br />
WARNING:<br />
If the information holder fails to comply with the Data Protection Inspectorate's order, the Data Protection may<br />
The inspection should contact the information holder's superior institution, person or entire party<br />
<br />
to organize supervision or initiate disciplinary proceedings against the official. (AvTS §<br />
10 subsections 1 and 4, § 53 subsection 1).<br />
<br />
EXTORTION ALERT:<br />
If the injunction has not been fulfilled by the set deadline, the Data Protection Inspectorate will determine<br />
to the addressee of the injunction on the basis of § 51 (3) of the Public Information Act:<br />
Extortion money 2000 euros.<br />
<br />
<br />
A fine may be imposed repeatedly - until the injunction is fulfilled. If the recipient does not pay<br />
extortion money, it is forwarded to the bailiff to start enforcement proceedings. In this case, they are added<br />
bailiff's fee and other enforcement costs for the enforcement money.<br />
<br />
<br />
FACTUAL DISTRIBUTIONS:<br />
<br />
1. On 20.07.2022, Jaanus Tehver submitted a complaint to the Data Protection Inspectorate against the Civil Engineers<br />
Objection by the Union to the refusal to comply with his 01.06.2022 request for information.<br />
<br />
2. On 12.09.2022, the Data Protection Inspectorate issued an injunction-warning of the appeal decision, in which<br />
obliged the information holder to re-examine the claimant's request for information and issue the information<br />
to the extent restrictions do not apply. The inspection ordered compliance with the injunction<br />
by the deadline of 26.09.2022.<br />
<br />
3. 26.09.2022. as a fulfillment of the prescription, the Union of Construction Engineers issued the desired<br />
documents to the extent that no restriction was established on the basis of § 35 (1) p. 12 of the Act<br />
<br />
4. On 25.10.2022, Jaanus Tehver submitted an objection to the improper execution of the injunction,<br />
finding that the documents requested by him cannot contain information that would have<br />
justified to establish an access restriction on the basis of § 35 subsection 1 paragraph 12 of the AvTS.<br />
<br />
<br />
CLAIMS AND GROUNDS OF THE COMPLAINT:<br />
<br />
01.06.2022 I submitted an information request to the Estonian Association of Civil Engineers (EEL) (Appendix 1).<br />
<br />
<br />
<br />
EEL responded to the request for information on 27.06.2022. by letter (appendix 2). The answer showed that EEL refused<br />
on the issuance of the meaningful part of the requested information with a reference on the basis of § 35 subsection 1 paragraph 12 of the AvTS<br />
to the established access restriction.<br />
<br />
I filed a complaint with the Data Protection Inspectorate (AKI) against the refusal to comply with the request for information.<br />
<br />
<br />
AKI made 12.09.2022. appeal decision and injunction-warning to the EEL (public information matter no. 2.1-<br />
3/22/1766). The content of AKI's decision (Appendix 3) was as follows: 1) I satisfy the objection 2) I make the information holder<br />
to comply with the mandatory injunction: a) re-examine the claimant's 01.06.2022 information request<br />
b) issue the requested information to the objector to the extent that it does not contain restricted information. Information<br />
in case of non-issue, the refusal must be justified (AvTS § 23 paragraph 3). 3) I set a prescription<br />
by the deadline of 26.09.2022<br />
<br />
<br />
26.09.2022 EEL sent a letter to the objector with attached material (Appendix 4).<br />
<br />
I find that EEL's 26.09.2022 the action qualifies as a refusal to comply with a request for information or<br />
at least for improper fulfillment of the request for information.<br />
<br />
I hereby submit an objection to the action of the EEL in accordance with § 46 (1) of the AvTS.<br />
<br />
<br />
Anyone who observes EEL on 26.09.2022. copies of the documents attached to the letter, you can make sure<br />
in that EEL has not issued (covered up or removed) practically all the information<br />
of the relevant documents. Responding to a request for information in this way - I dare you<br />
to call mockery -- in my opinion, clearly shows disrespect on the part of EEL<br />
the attitude towards the complainant as well as the fact that he is being asked for the information in question.<br />
<br />
<br />
I consider that the refusal to comply with the request for information is unlawful. To the requested information<br />
imposing an access restriction is also illegal. I will justify my position<br />
next. The EEL has justified the failure to issue the requested information on the basis of § 35 (1) p. 12 of the AvTS<br />
with an established access restriction. Data can be accessed according to the referenced standard<br />
limit if allowing access to the information would significantly harm the privacy of the data subject<br />
immunity.<br />
<br />
<br />
I claim that the data to which EEL in its 26.09.2022.a. according to the letter of access restriction<br />
established - i.e. data on where and how long the applicant attended school, which ones<br />
through advanced training, which job applicant's character traits, health status, evaluations<br />
to the level of his knowledge and abilities - cannot, in principle, be accessible<br />
enabling would significantly harm the data subject's privacy (as the only exception, I can here<br />
admit that the health status data belongs to the relevant category and if<br />
only such data would have been removed from the documents, then I will not the actions of the information holder<br />
<br />
would dispute). The whistleblower has not bothered to provide any justification as to how it could<br />
in this case, the release of data removed from the documents will significantly harm<br />
privacy of the data subject. At the same time, it is noteworthy that the documents have<br />
access restriction established only on 09.08.2022. i.e. after EEL for the first time<br />
refused to comply with my request for information (EEL established an access restriction AKI dispute procedure<br />
during - therefore included EEL on 27.06.2022. a letter with false information about imposing an access restriction<br />
about). Therefore, the establishment of the access restriction shows the EEL's desire not so much to protect<br />
<br />
the inviolability of the data subject's private life (in which case access restrictions would have to be established<br />
when receiving the data) but simply not to issue the information in question to me. Such behavior<br />
qualifies as classic arbitrariness in public duty.<br />
<br />
EEL's activity in concealing data under the label of protecting the privacy of the data subject is special<br />
cynical given the fact that a specific data subject - a Private Person - has deemed it possible<br />
<br />
publish the data of their educational progress to the public aimed at offering their services<br />
on the website<br />
<br />
I would like to emphasize that personality characterizes one's own education, knowledge and experiences<br />
provided the data to the professional organization for the purpose of obtaining an invitation and the person in his public<br />
in the activity relies on the invitation attributed to him based on the same data, then it is not possible<br />
reasonably claim that the disclosure of the data that was the basis for receiving the invitation as a response<br />
<br />
to the request for information would significantly damage the integrity of the person's private life.<br />
Separately, I consider it necessary to emphasize that the mere invasion of privacy (which can be<br />
in the case of data publication, concede) does not justify imposing a data access restriction<br />
or refusal to issue data. Failure to issue data could be legitimate<br />
only in the event that the release would lead to a significant loss of privacy of the data subject<br />
damage. I believe that issuing the requested data in this case will lead to such a consequence<br />
basically cannot be brought.<br />
<br />
<br />
Refusal to comply with information requests violates my right to receive public information from EEL. Please<br />
AKI should satisfy this complaint and issue a mandatory order to EEL to issue me an EEL-<br />
i 26.09.2022 documents attached to the letter in full (without removing the information contained therein<br />
or undisguised).<br />
<br />
<br />
Also, I ask AKI to apply 12.09.2022 to EEL. prescribed in the injunction-warning<br />
measures due to failure to comply with the injunction.<br />
<br />
INFORMATION HOLDER REASONS:<br />
<br />
Referring to your inquiry of 11.11.2022, we will answer your questions and submit them<br />
in order:<br />
<br />
<br />
1. Requests<br />
We explain by category of personal data why the relevant data pertains to the Private Person<br />
is restricted information based on AvTS § 35 (1) p. 12:<br />
According to the information holder's explanations, 2018 and 2019 are the year of wishes of the Private Person<br />
his jobs vary. In addition, job applicants can be in several at the same time<br />
in employment relations. What choice does the job applicant make when entering job data<br />
<br />
to receive an invitation to the request, can be considered as private information, as it shows the latter<br />
the conviction of which workplace information is the most important to add in the job applicant's opinion<br />
more relevant when submitting the relevant request.<br />
<br />
1.2. The most important works, projects, expertises<br />
<br />
– to the extent that more important works, projects, expertises directly show the work experience of the applicant for the invitation,<br />
<br />
then the level of a person's knowledge and abilities can also be deduced from this list, the disclosure of which<br />
in its personalized form, the invitation violates the privacy of the applicant. Please note that privacy includes<br />
The EIK also considered activities of a professional and commercial nature (EIKo 13710/88, Niemietz vs.<br />
Germany, 16.12.1992),<br />
<br />
In addition, according to the General Regulation on the Protection of Personal Data EU 2016/679, personal data is any kind<br />
information about an identified or identifiable natural person ("data subject"). In this case, it works<br />
<br />
relevant information about the person's experiences, thus also knowledge. This is personal data,<br />
allowing access to which may significantly damage the privacy of the data subject,<br />
e.g. allow conclusions to be drawn based on the professional applicant's (data subject's) knowledge of specific fields or<br />
regarding their absence.<br />
<br />
As stated in the previous answer to the Data Protection Inspectorate, the invitation applicant<br />
<br />
to assess competence, an assessment committee has been formed by the professional committee (KutS §<br />
19 paragraph 1), who assesses the competence of the applicant based on the data provided by the applicant. Given<br />
the disclosure of data to an unlimited circle of persons is not lawful, because there is no way to do so<br />
purpose as well as legal basis.<br />
<br />
2. Information disclosed by the person<br />
<br />
<br />
In order for EEL to obtain restrictions on the requested documents from the data that has already become public<br />
to remove and issue them to the information requester, must be checked by the Data Protection Inspectorate<br />
the content of the information on the websites referred to by the applicant and then compare them<br />
with what was provided in the request (to avoid a situation where information is issued that was not previously available<br />
made public). In connection with this, we ask the Data Protection Inspectorate to clarify and<br />
specify on which legal basis EEL processes personal data in such a case? In addition, as<br />
EEL may come into contact with the invitation applicant's data, which EEL previously had about the invitation applicant<br />
<br />
was not, then EEL is of the opinion that the invitation to the applicant comes from the corresponding processing of personal data<br />
to inform (Articles 12 and 14 of the General Regulation on Personal Data Protection). We ask for Data protection<br />
Confirm the information at the inspection. EEL is ready to remove restrictions from the given data if possible<br />
answers to the above questions, which allow the personal data of the invitation applicant in such a way<br />
processing by EEL.<br />
<br />
<br />
3. Minutes of the evaluation commission<br />
<br />
The requested professional level is fully covered in the protocols of the evaluation commission, because as well<br />
mentioned earlier, it also contains a list of areas for which it was decided not to invite the applicant<br />
give. The information on which professional levels were given to the person has been published (p. 10), as it is public information<br />
with data available in the register of professional activities: www.kutseregister.ee. To clarify,<br />
Under the minutes of the 2018 evaluation committee, the explanation part is covered because it contains<br />
<br />
only the basis of the negative decision. Explanation section under the minutes of the 2019 evaluation committee<br />
mostly contains references to the previous negative decision and bold text which<br />
follows the previous description of the negative decision and which in its wording suggests that<br />
previously, a negative decision has been made regarding the invitation applicant. Also, if you cover up the explanation part,<br />
that precedes the text in bold, it further allows for the conclusion that the invitation is on the part of the applicant<br />
a negative decision made in some respect, which may then lead to negative decisions regarding the invitation applicant<br />
assessments.<br />
<br />
<br />
The data protection inspection has clarified, however, that part of the information is not covered<br />
(words, sentences), the disclosure of which would violate the integrity of a person's private life, not the entire explanation<br />
part. Otherwise, it should be clear on what basis the commission made a positive decision.<br />
<br />
We explain that point 10 of the protocol of the evaluation committee contains the proposal of the evaluation committee,<br />
in which part the invitation applicant must be given an invitation - so it is clear from the given point in which<br />
<br />
the evaluation committee has made a positive decision. Explain the part that does not contain direct words<br />
the description of the negative decision, giving the possibility to conclude, that the persons who were previously present<br />
negative assessment given in terms of knowledge. At the same time, the year 2019 does not include the evaluation committee<br />
the positive part of the explanation of the protocol, the evaluation committee's additional explanation of why the corresponding decision<br />
is done. Therefore, if we consider the risks involved in the thickness of the 2019 evaluation committee<br />
by publishing the explanatory part of the letter and at the same time taking into account that the evaluation committee<br />
the proposal in which part to issue an invitation (p. 10) has been published to the information requester, the EEL finds that the invitation<br />
<br />
based on the interests of the applicant, the corresponding text must be covered, i.e. it is restricted information.<br />
<br />
We refer here to the general guidelines of the Public Information Act of the Data Protection Inspectorate, where<br />
explained that if possible, access is provided only to the requested part<br />
of the document/information that is not affected by the restriction (§ 38, paragraph 2 of AvTS) (see instructions § 38, p. 18). Maybe<br />
then the EEL is left with the right to decide whether it is necessary to disclose any specific information to the information requester<br />
<br />
possible or not.<br />
<br />
Pursuant to § 12 (1) p. 8 of KuTS, the party giving the invitation guarantees the publication received during the invitation<br />
not belonging to information protection. Due to this provision and considering the information requester and invitation applicant<br />
interests, the EEL has taken the position that the interests of the applicant for the invitation to privacy prevail in this case<br />
up the interest of the information requester. The latter is interested in relevant information, like a sworn lawyer<br />
Jaanus Tehver also brought it up in his first argument, in order to make sure that the invitation was issued<br />
<br />
in justification and in the actual correspondence of the qualifications of the person (data subject) with the profession,<br />
to which the person with the invitation claims to comply.<br />
<br />
Pursuant to Section 18(2)(6) of KutS, the vocational committee decides whether to grant a vocational qualification to a person applying for a vocational qualification or<br />
failure to provide. The invitation to assess the applicant's competence is issued by the professional committee<br />
formed evaluation committee (KutS § 19 subsection 1). Therefore, the competence of the applicant is still assessed<br />
evaluation committee, not every information requester who wants information about the person with the invitation<br />
<br />
to get acquainted with the documents.<br />
<br />
The public can consult the professional certificate data of a person with a profession in the professional register, which<br />
proves the compliance of the person's competence with the requirements established in the professional standard. Professional certificate<br />
the professional who issued the professional certificate is responsible for its correctness (KutS § 21 (1)). It will also come<br />
to take into account that according to § 21 subsection 2 of KutS, a person with a profession has the right to use a professional certificate<br />
<br />
the professional title or its abbreviation indicated on the professional certificate during its validity and present yourself<br />
as competent according to the professional level given to him. Therefore, as long as the professional certificate is valid,<br />
the person with the invitation has the right to rely on it as well.<br />
<br />
EEL notes that it is possible to revoke a professional certificate in accordance with the procedure specified in KutS.<br />
In case of successful invalidation of the professional certificate, the person with the professional certificate has no right from earlier<br />
use the professional name or its abbreviation indicated on the valid professional certificate and present yourself<br />
<br />
as competent according to the given professional level.<br />
<br />
In addition, if the information requester doubts the legality of the actions of the party giving the invitation, it is possible to initiate<br />
supervision procedure over the activities of the person giving the invitation in accordance with the procedure provided by law<br />
<br />
4. Reviews of the professional suitability of the applicant for the engineering profession<br />
<br />
<br />
Requests for an invitation, content of evaluation committee protocols and reviews<br />
parts deal with information about the level of knowledge and abilities of the applicant for the profession, the disclosure of which<br />
an unlimited circle of persons is not allowed based on AvTS § 35 (1) p. 12, as it violates<br />
strongly inviolability of a person's private life, promising to give certain information about the person when it becomes public<br />
evaluations, including negative ones, which may directly affect the position of the applicant for the invitation<br />
when providing the service. There is also no legal basis for publishing such data<br />
purpose. The competence of a person with a profession according to the given professional level is certified by the certificate issued<br />
<br />
professional certificate, which can be viewed by all interested parties in the professional register. If<br />
if the information requester has doubts about the competence of the applicant for the invitation, then there is a separate provision for this in the KuTS<br />
the possibility of revoking the professional certificate. Based on the above, EEL is of the opinion that<br />
partial refusal to fulfill the request for information and restriction of access to the requested information<br />
the imposition has not been unlawful.<br />
<br />
<br />
<br />
GROUNDS FOR DATA PROTECTION INSPECTION:<br />
<br />
Information obtained and created during the process of requesting and issuing an invitation<br />
Acquired education and further education<br />
<br />
The complainant has taken the position that the data to which EEL in its 26.09.2022.a. letter<br />
according to the access restriction was established - i.e. information about where and for how long the invitation applicant<br />
went to school, what additional training did he complete, what are the character traits of the applicant for the profession,<br />
health condition, assessments of the level of his knowledge and abilities - cannot be, in principle<br />
those, to which the provision of access significantly affects the privacy of the data subject<br />
would damage).<br />
<br />
EEL's activity in concealing data under the label of protecting the privacy of the data subject is special<br />
cynical given the fact that a specific data subject - a Private Person - has deemed it possible<br />
<br />
publish the data of their educational progress to the public aimed at offering their services<br />
on the website<br />
<br />
If the person has submitted data characterizing his educational background and knowledge and experience<br />
to a professional organization for the purpose of receiving an invitation, and the person relies on it in his public activities<br />
to the invitation attributed to him on the basis of the same data, then it is not possible to reasonably claim that<br />
disclosure of the data that was the basis for receiving the invitation in response to a request for information would be harmful<br />
<br />
substantially inviolability of a person's private life.<br />
<br />
The Data Protection Inspectorate does not agree with the above. To receive an invitation to a professional organization<br />
as a rule, the data provided is not a special type of personal data, which does not mean that it cannot be received<br />
to impose an access restriction. In the previous objection decision, the inspection indicated that it agreed<br />
cannot, however, argue with the claimant's claim that they cannot in principle contain personal data to which<br />
<br />
allowing access would significantly harm the privacy of the data subject.<br />
Personal data is not only the name of the person (which is known to the information requester and which cannot be hidden<br />
reason), however, for example, where and for how long is his private information that needs to be protected<br />
did he go to school, what advanced training did he take, what are his character traits, healthy<br />
condition, assessments of the level of his knowledge and abilities, etc. So you can also get a public task<br />
the information collected during the execution must have access restrictions and must not be available to everyone.<br />
Regarding the above, the inspection has not changed its position.<br />
<br />
<br />
PS § 26 provides for the protection of a person's private life. The protection of personal data must also be included in this, including such<br />
data protection regarding a person's education and skills. Paragraph 2 of § 44 of the PS states that persons have<br />
the right to receive information from state authorities about their activities, which also includes public tasks<br />
documents created and received during execution. This right may also be limited by the rights of other people<br />
for protection, including the protection of privacy and personal data. This position has also been adopted<br />
Tallinn District Court in case 3-17-458. In addition, the court has noted that even if the information no<br />
<br />
to be recognized as information for internal use is not disclosure of personal information<br />
allowed unconditionally.<br />
<br />
Since two fundamental rights collide here - the right to privacy and the right to receive public information, then<br />
here, the institution has to weigh between two fundamental rights, whether the right of the individual is greater in a specific case<br />
privacy or the objector's right to receive public information. In borderline cases, however<br />
to prefer an interpretation that more strongly protects privacy, rather than prioritizing it<br />
<br />
interests of third parties.<br />
<br />
In this case, there is no dispute that every processing of personal data affects the individual to some extent<br />
privacy, but the question is whether it is a significant intrusion that allows<br />
to impose an access restriction on the data contained in the document. Object of dispute<br />
the application does not only contain the level of education, but also contains information about when in which<br />
in the educational institution and which curriculum and at what time the person studied, which professional skills he acquired<br />
<br />
and in the scope of which subject points<br />
the place of participation in studies and further training over the course of approx. 20 years, including which ones<br />
additional trainings have been completed abroad and, to the extent, disclosure of such information<br />
to third parties already significantly infringes on the integrity of a person's private life. To add here more<br />
the 17 years of work and internships reflected in the application, then it already enables the person as well<br />
to profile. In the opinion of the inspectorate, disclosing information to this extent is a significant violation<br />
<br />
inviolability of a person's private life. Therefore, the last one reflected in the kasovia statement is not subject to disclosure<br />
17 years of work and internships.<br />
<br />
It should also be taken into account that a person applying for an invitation must submit the invitation documents<br />
to request an invitation to the provider, which does not mean that the institution can disclose this information<br />
to an unlimited circle of persons. Here, without a doubt, the individual's right to privacy is more important than<br />
<br />
right of third parties to receive information.<br />
<br />
However, what concerns the claimant's remark that EEL's actions in concealing the data of the data subject<br />
under the guise of privacy protection is particularly cynical given the fact that a specific<br />
the data subject - Private person - has considered it possible to publish the data of his educational background<br />
on the website aimed at offering its services to the public and relies on its public<br />
<br />
in the activity to the invitation assigned to him on the basis of the same data. At this point I consider it necessary<br />
explain that the person himself always has the right to access his data anywhere and to anyone<br />
to disclose. However, institutions that have to act on the basis of the law do not have this right. Nor is it<br />
the institution has the obligation to check whether the person has previously mentioned himself somewhere when receiving the documents<br />
disclosed the data. The institution can only be based on the documents submitted to it and there<br />
of the contained data. At this point, the information of the complainant remains incomprehensible to the inspection<br />
<br />
the need to obtain, if the complainant has already received the requested information. Request for information<br />
the purpose of the submission is primarily to request information that is not known to the person submitting the objection.<br />
<br />
The complainant has also stated in the complaint that it is noteworthy that the documents have<br />
the access restriction was established only on 09.08.2022, i.e. after EEL first my<br />
refused to comply with the request for information (EEL imposed an access restriction during the AKI dispute procedure-<br />
<br />
consequently, EEL's letter of 27.06.2022 contained the introduction of an access restriction.<br />
<br />
The fact that the physical limitation has not been noted in the document in time does not mean that<br />
that such a document can no longer be marked with a restriction. I agree with the objector that<br />
if the EEL already found at the time of refusal to comply with the primary information request that the document contains<br />
restricted information and the document did not have a restriction, it should have been done immediately.<br />
<br />
However, the foregoing does not invalidate the restriction. I also agree with the objector that if<br />
the request for information is refused on the grounds that it infringes on the integrity of the person's private life, then<br />
also explain to the information requester in a comprehensible way what this important interference consists of (AvTS § 23 paragraph 3).<br />
Here, it is not enough to merely refer to the basis of the restriction.<br />
<br />
Most important works/projects/expertises<br />
<br />
In response to the inspection's inquiry, EEL has justified the request for that part which<br />
concerns the establishment of a restriction on the work done as follows. How much more important work, projects,<br />
examinations directly show the work experience of the job applicant, then you can also use the given list<br />
<br />
to conclude the level of the person's knowledge and abilities, the disclosure of which in a personalized form violates the invitation<br />
privacy of the applicant. We would like to point out that private life also includes the concept of the Court of Justice<br />
activities of a professional and commercial nature (EIKo 13710/88, Niemietz v. Germany,<br />
16.12.1992).<br />
<br />
The Data Protection Inspectorate does not agree with the above. First of all, I think it is necessary to note that<br />
the cited judgment is not relevant in this case, as it concerned the lawyer's office<br />
<br />
searching. As the makers of building design, owner supervision and construction expertise<br />
according to § 25 of the Construction Code, must register themselves in the register of economic activities, where there is<br />
data of public and competent persons, then this is limited information. Building register basic regulation<br />
In accordance with § 5 (1) p. 9, additional transactions of the building are entered in the building register with the construction of the building or construction<br />
data of related persons. According to § 10 of the same regulation, the construction project is also entered in the building register<br />
first and last name of the compiler (p. 5), first and last name of the person supervising the owner (p. 6),<br />
<br />
data of the construction project expert and the building audit (p. 10 and 11). So it is<br />
in the construction register, in addition to the data of the building, also the data of the aforementioned persons involved in construction activities,<br />
which is not restricted information, therefore the disclosure of such data cannot in any way infringe either<br />
privacy of a person, as it is work-related information that can be carried out by a person who is<br />
registered in the economic activity register.<br />
<br />
1 See also RKHKo 3-20-1265, p 24.<br />
<br />
Publicity of reviews<br />
<br />
The Data Protection Inspectorate agrees with EEL that the reviewer's assessment, which also includes<br />
gives reasons why the reviewer considers that the applicant meets/does not meet the requested professional level<br />
assessment of the applicant's skills and knowledge. Thus, the reviews contain such positive ones<br />
<br />
and negative reviews. Although the reviewers are certainly very competent<br />
with individuals, however, all such assessments are somewhat subjective. Neither does the commission<br />
decision based only on the opinion of one reviewer. If such opinions are issued to third parties<br />
to persons, then everyone can draw their own conclusion from them, which may be adequate and may bring<br />
negative consequences for the applicant, affecting his professional position. You can't here either<br />
the complainant should not evaluate what decision should have been made instead of the reviewer or the committee<br />
commission to do. The Data Protection Inspectorate finds that just as there are no teaching staff at the university<br />
<br />
feedback to the student is public, so the review given to the professional applicant cannot be public either<br />
in terms of knowledge and skills.<br />
<br />
The statement of the objector, as if the disclosure of the documents requested by him could not be done in any way<br />
to significantly infringe on a person's privacy is not appropriate. This is the invitation to give<br />
the documents submitted and prepared during the process also contain restricted data, as already follows from the KuTS<br />
§ 12 (1) p. 8, according to which the person giving the invitation guarantees the publication obtained in the course of giving the invitation<br />
<br />
protection of non-proprietary information. Here, the Inspectorate fully agrees with EEL that by invitation<br />
the competence of the person according to the given professional level is proven by the issued professional certificate, with which<br />
it is possible for all interested parties to familiarize themselves with the professional register. In case the information requester has doubts, call<br />
in terms of the applicant's competence, the KuTS provides a separate option for a professional certificate<br />
for annulment.<br />
<br />
The Data Protection Inspectorate also already explained to the complainant in the previous appeal decision that the invitation<br />
<br />
the qualification checks the compliance of education, skills and knowledge with the requirements for granting the qualification<br />
the giver, not every seeker. Pursuant to § 23 of the Professions Act, supervision is carried out by the person giving the profession and<br />
on the activities of professional councils by the Ministry of Education and Research or on the basis of an administrative contract<br />
authorized foundation. If an administrative contract has been concluded for the performance of the tasks of a professional institution, it performs<br />
administrative supervision over the professional institution Ministry of Education and Research.<br />
<br />
<br />
Based on the above, the Data Protection Inspectorate finds that the EEL has been issued by the complainant<br />
requested documents to the extent that they do not contain restricted data, except in the statement<br />
more important works, projects, expertises, which, according to the inspection, cannot be<br />
with a limitation.<br />
<br />
Therefore, the EEL must re-examine the part of the invitation requester's request<br />
performed works, expertise and projects and issue the desired information to the extent that does not include<br />
<br />
data of third parties or, in case of continued refusal, justify how such information<br />
disclosure would significantly damage the integrity of the person's private life, if there are corresponding ones in the building register<br />
data public. In other respects, the complaint remains unsatisfied.<br />
<br />
/signed digitally/<br />
Elve Adamson<br />
lawyer<br />
<br />
on the authority of the Director General<br />
<br />
<br />
<br />
<br />
</pre></div>Norman.aasmahttps://gdprhub.eu/index.php?title=AKI_(Estonia)_-_2.1-3/22/2542&diff=31722AKI (Estonia) - 2.1-3/22/25422023-03-18T21:36:59Z<p>Norman.aasma: Created page with "{{DPAdecisionBOX |Jurisdiction=Estonia |DPA-BG-Color= |DPAlogo=LogoEE.png |DPA_Abbrevation=AKI |DPA_With_Country=AKI (Estonia) |Case_Number_Name=2.1-3/22/2542 |ECLI= |Origi..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Estonia<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoEE.png<br />
|DPA_Abbrevation=AKI<br />
|DPA_With_Country=AKI (Estonia)<br />
<br />
|Case_Number_Name=2.1-3/22/2542<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Estonian Data Protection Inspectorate<br />
|Original_Source_Link_1=https://www.aki.ee/sites/default/files/vaideotsused/2022/tehver_ja_partnerid_vaideotsus_eesti_ehitu.pdf<br />
|Original_Source_Language_1=Estonian<br />
|Original_Source_Language__Code_1=ET<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Other<br />
|Outcome=<br />
|Date_Started=25.10.2022<br />
|Date_Decided=08.12.2023<br />
|Date_Published=06.02.2023<br />
|Year=2023<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=<br />
|GDPR_Article_Link_1=<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=§ 45 (1)(3) AvTS<br />
|National_Law_Link_1=https://www.riigiteataja.ee/en/eli/ee/502012023005/consolide/current<br />
|National_Law_Name_2=§ 51 (1)(3)<br />
|National_Law_Link_2=https://www.riigiteataja.ee/en/eli/ee/502012023005/consolide/current<br />
|National_Law_Name_3=§ 51 (1)(7)<br />
|National_Law_Link_3=https://www.riigiteataja.ee/en/eli/ee/502012023005/consolide/current<br />
|National_Law_Name_4=§ 75ˇ1(4) VVS<br />
|National_Law_Link_4=https://www.riigiteataja.ee/en/eli/ee/502012023006/consolide/current<br />
|National_Law_Name_5=§ 85(2) HMS<br />
|National_Law_Link_5=https://www.riigiteataja.ee/en/eli/ee/527032019002/consolide/current<br />
|National_Law_Name_6=<br />
|National_Law_Link_6=<br />
|National_Law_Name_7=<br />
|National_Law_Link_7=<br />
<br />
|Party_Name_1=Eesti Ehitusinseneride Liit MTÜ<br />
|Party_Link_1=<br />
|Party_Name_2=OÜ Advokaadibüroo Tehver & Partnerid<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Norman Aasma<br />
|<br />
}}<br />
<br />
The Estonian DPA held that disclosing the part of an engineering qualification applicant's application that covers major works, projects and studies does not infringe the inviolability of private life.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Jaanus Tehver, an attorney-at-law at the law firm Advokaadibüroo Tehver & Partnerid, the data subject, lodged a complaint with the Estonian Data Protection Inspectorate against the decision of the Estonian Association of Civil Engineers, the controller, in which the latter refused to comply with the attorney's request for information. <br />
The dispute concerned information about applicants for an engineering qualification. <br />
The Data Protection Inspectorate issued a statement of objection obliging the Estonian Association of Civil Engineers to disclose the information to the extent that no restrictions apply. After the DPA had issued its initial decision, the Association of Civil Engineers disclosed the information to which no restrictions applied. <br />
<br />
The data subject was not satisfied with the disclosure, finding that the requested information still had not been disclosed, and noted that the document requested cannot contain information to which access restrictions could be applied under the Public Information Act. In the data subject's view, non-disclosure could be legitimate only if disclosure would significantly impair the data subject's privacy. The data subject also argued that the Estonian Association of Civil Engineers' refusal to comply with the request for information infringes the data subject's right to receive public information. <br />
The data subject was of the opinion that personal data on where and for how long the applicant for the engineering qualification attended school, which further training the applicant received, and data about the applicant's personal characteristics, state of health, and assessments of his or her level of knowledge and abilities cannot be regarded as data whose disclosure would substantially undermine or adversely affect the inviolability of the data subject's private life. <br />
The Estonian Association of Civil Engineers, however, justified the non-disclosure by stating that the requested information formed part of the applicants' private life and that its disclosure would infringe the inviolability of private life. The controller referred to the case law of the European Court of Human Rights, which highlighted that activities of a professional and commercial nature also fall under the notion of private life. The controller also noted that there was neither a legal basis nor a purpose for disclosing the requested information to an unlimited number of persons. The controller made further references to Estonian legislation that was supposed to justify the non-disclosure of the requested information.<br />
<br />
=== Holding ===<br />
The DPA held that although information provided to a professional organisation in order to obtain a vocation does not usually fall under special categories of personal data, this does not exclude the possibility of imposing an access restriction on such information. The DPA referred to the Constitution of the Republic of Estonia, which includes the right to inviolability of private life and extends to the protection of personal data, including personal data related to a person's education and skills. <br />
<br />
The DPA highlighted that it is important to weigh the right to privacy and the right to public access to information against each other. <br />
The DPA held that the Estonian Association of Civil Engineers had appropriately disclosed the requested documents to the data subject, to the extent that they do not contain restricted data. In its decision, the DPA obliged the controller to reassess the part of the request that concerned works, studies and projects carried out by the applicant for the engineering qualification, and to provide the requested information to the extent that it does not include information related to third parties. <br />
<br />
If the controller still refuses to disclose that part of the information, it must justify how the disclosure would seriously undermine or damage the inviolability of the individual's private life, if the official building register already contains the relevant information.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Estonian original. Please refer to the Estonian original for more details.<br />
<br />
<pre><br />
PRIVACY PROTECTION AGAINST STATE TRANSPARENCY<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
DECISION ON APPEAL<br />
and<br />
PRESCRIPTION WARNING<br />
in public information case no. 2.1-3/22/2542<br />
<br />
<br />
<br />
<br />
Elve Adamson, lawyer of the Data Protection Inspectorate for the appeal decision and injunction<br />
maker<br />
<br />
Appeal decision and injunction<br />
time and place of execution 08.12.2022 in Tallinn<br />
<br />
Time of submission of objection 25.10.2022 (registered in the inspection on 26.10.2022)<br />
<br />
The owner of the information is the Estonian Construction Engineers Union, NGO<br />
address: A.H. Tammsaare tee 47, 11316 Tallinn<br />
<br />
e-mail address: info@ehitusinsener.ee<br />
<br />
Member of the management board of the person in charge of the whistleblower<br />
<br />
<br />
OÜ Advokaadibüroo Tehver & Partnerid<br />
Complainant (information requester) Attorney-at-law Jaanus Tehver<br />
<br />
e-mail address: jaanus@tehver.ee<br />
<br />
<br />
RESOLUTION:<br />
§ 45 (1) point 1 of the Public Information Act (AvTS), § 51 (1) points 3 and 7, administrative procedure<br />
(HMS) § 85 point 2 and § 75¹ subsection 4 of the Government of the Republic Act.<br />
on the basis of<br />
<br />
1) I make an appeal decision to partially satisfy the appeal;<br />
2) I make a mandatory prescription for the holder of the information to comply with:<br />
Re-examine the applicant for the invitation requested by the objector in the request for information<br />
the part of the application/request, where the most important works/projects/expertise are reflected and<br />
<br />
issue the aforementioned part of the document to the extent that it does not include third parties<br />
data. In the opinion of the inspectorate, the disclosure of such information does not harm those who requested the invitation<br />
the inviolability of a person's private life, as it is not related to private life, but to professional activities. In addition, there is<br />
corresponding data also in the building register. However, if the Union of Civil Engineers finds that their<br />
the disclosure of data significantly infringes on the integrity of a person's private life, then justify why<br />
the important catch is.<br />
<br />
3) to reject the objection in the full scope of the remaining documents requested in the request for information<br />
in terms of issuance, as the Union of Civil Engineers has duly complied with the injunction and<br />
issued documents in the part that does not contain restricted information<br />
4) I set December 22, 2022 as the deadline for fulfilling the injunction<br />
<br />
Pursuant to AvTS § 52, the holder of the information must, within five working days of receiving the injunction,<br />
take measures to comply with the order and report it to the Data Protection Inspectorate.<br />
<br />
Tatari tn 39 / 10134 Tallinn / 627 4135 / info@aki.ee / www.aki.ee<br />
Registration code 70004235<br />
<br />
<br />
DISPUTE REFERENCE:<br />
The complainant can only appeal to the administrative court against the information holder within 30 days<br />
in the unsatisfied part of the appeal decision (point 3 above). The complainant will receive within 30 days<br />
apply to the administrative court against the Data Protection Inspectorate, as the Data Protection Inspectorate<br />
violated the complainant's rights in another way during the proceedings.<br />
<br />
<br />
The whistleblower can challenge the injunction (point 2 above) within 30 days by submitting<br />
either:<br />
- a complaint under the Administrative Procedure Act to the Director General of the Data Protection Inspectorate or<br />
-appeal to the administrative court in accordance with the Code of Administrative Court Procedures (in the case of the case in question<br />
to review the dispute in the matter).<br />
<br />
Challenging an injunction does not suspend the obligation to fulfill it or the measures necessary for its fulfillment<br />
implementation.<br />
<br />
<br />
WARNING:<br />
If the information holder fails to comply with the Data Protection Inspectorate's order, the Data Protection may<br />
The inspection should contact the information holder's superior institution, person or entire party<br />
<br />
to organize supervision or initiate disciplinary proceedings against the official. (AvTS §<br />
10 subsections 1 and 4, § 53 subsection 1).<br />
<br />
EXTORTION ALERT:<br />
If the injunction has not been fulfilled by the set deadline, the Data Protection Inspectorate will determine<br />
to the addressee of the injunction on the basis of § 51 (3) of the Public Information Act:<br />
Extortion money 2000 euros.<br />
<br />
<br />
A fine may be imposed repeatedly - until the injunction is fulfilled. If the recipient does not pay<br />
extortion money, it is forwarded to the bailiff to start enforcement proceedings. In this case, they are added<br />
bailiff's fee and other enforcement costs for the enforcement money.<br />
<br />
<br />
FACTUAL DISTRIBUTIONS:<br />
<br />
1. On 20.07.2022, Jaanus Tehver submitted a complaint to the Data Protection Inspectorate against the Civil Engineers<br />
Objection by the Union to the refusal to comply with his 01.06.2022 request for information.<br />
<br />
2. On 12.09.2022, the Data Protection Inspectorate issued an injunction-warning of the appeal decision, in which<br />
obliged the information holder to re-examine the claimant's request for information and issue the information<br />
to the extent restrictions do not apply. The inspection ordered compliance with the injunction<br />
by the deadline of 26.09.2022.<br />
<br />
3. 26.09.2022. as a fulfillment of the prescription, the Union of Construction Engineers issued the desired<br />
documents to the extent that no restriction was established on the basis of § 35 (1) p. 12 of the Act<br />
4. On 25.10.2022, Jaanus Tehver submitted an objection to the improper execution of the injunction,<br />
<br />
finding that the documents requested by him cannot contain information that would have<br />
justified to establish an access restriction on the basis of § 35 subsection 1 paragraph 12 of the AvTS.<br />
<br />
<br />
CLAIMS AND GROUNDS OF THE COMPLAINT:<br />
<br />
01.06.2022 I submitted an information request to the Estonian Association of Civil Engineers (EEL) (Appendix 1).<br />
<br />
<br />
<br />
EEL responded to the request for information on 27.06.2022. by letter (appendix 2). The answer showed that EEL refused<br />
on the issuance of the meaningful part of the requested information with a reference on the basis of § 35 subsection 1 paragraph 12 of the AvTS<br />
to the established access restriction.<br />
<br />
I filed a complaint with the Data Protection Inspectorate (AKI) against the refusal to comply with the request for information.<br />
<br />
<br />
AKI made 12.09.2022. appeal decision and injunction-warning to the EEL (public information matter no. 2.1-3/22/1766).<br />
The content of AKI's decision (Appendix 3) was as follows: 1) I satisfy the objection 2) I make the information holder<br />
to comply with the mandatory injunction: a) re-examine the claimant's 01.06.2022 information request<br />
b) issue the requested information to the objector to the extent that it does not contain restricted information. Information<br />
in case of non-issue, the refusal must be justified (AvTS § 23 paragraph 3). 3) I set a prescription<br />
by the deadline of 26.09.2022<br />
<br />
<br />
26.09.2022 EEL sent a letter to the objector with attached material (Appendix 4).<br />
<br />
I find that EEL's 26.09.2022 the action qualifies as a refusal to comply with a request for information or<br />
at least for improper fulfillment of the request for information.<br />
<br />
I hereby submit an objection to the action of the EEL in accordance with § 46 (1) of the AvTS.<br />
<br />
<br />
Anyone who observes EEL on 26.09.2022. copies of the documents attached to the letter, you can make sure<br />
in that EEL has not issued (covered up or removed) practically all the information<br />
of the relevant documents. Responding to a request for information in this way - I dare you<br />
to call mockery -- in my opinion, clearly shows disrespect on the part of EEL<br />
the attitude towards the complainant as well as the fact that he is being asked for the information in question.<br />
<br />
<br />
I consider that the refusal to comply with the request for information is unlawful. To the requested information<br />
imposing an access restriction is also illegal. I will justify my position<br />
next. The EEL has justified the failure to issue the requested information on the basis of § 35 (1) p. 12 of the AvTS<br />
with an established access restriction. Data can be accessed according to the referenced standard<br />
limit if allowing access to the information would significantly harm the privacy of the data subject<br />
immunity.<br />
<br />
<br />
I claim that the data to which EEL in its 26.09.2022.a. according to the letter of access restriction<br />
established - i.e. data on where and how long the applicant attended school, which ones<br />
through advanced training, which job applicant's character traits, health status, evaluations<br />
to the level of his knowledge and abilities - cannot, in principle, be accessible<br />
enabling would significantly harm the data subject's privacy (as the only exception, I can here<br />
admit that the health status data belongs to the relevant category and if<br />
only such data would have been removed from the documents, then I will not the actions of the information holder<br />
<br />
would dispute). The whistleblower has not bothered to provide any justification as to how it could<br />
in this case, the release of data removed from the documents will significantly harm<br />
privacy of the data subject. At the same time, it is noteworthy that the documents have<br />
access restriction established only on 09.08.2022. i.e. after EEL for the first time<br />
refused to comply with my request for information (EEL established an access restriction AKI dispute procedure<br />
during - therefore included EEL on 27.06.2022. a letter with false information about imposing an access restriction<br />
about). Therefore, the establishment of the access restriction shows the EEL's desire not so much to protect<br />
<br />
the inviolability of the data subject's private life (in which case access restrictions would have to be established<br />
when receiving the data) but simply not to issue the information in question to me. Such behavior<br />
qualifies as classic arbitrariness in public duty.<br />
<br />
EEL's activity in concealing data under the label of protecting the privacy of the data subject is special<br />
cynical given the fact that a specific data subject - a Private Person - has deemed it possible<br />
<br />
publish the data of their educational progress to the public aimed at offering their services<br />
<br />
on the website<br />
<br />
I would like to emphasize that personality characterizes one's own education, knowledge and experiences<br />
provided the data to the professional organization for the purpose of obtaining an invitation and the person in his public<br />
in the activity relies on the invitation attributed to him based on the same data, then it is not possible<br />
reasonably claim that the disclosure of the data that was the basis for receiving the invitation as a response<br />
<br />
to the request for information would significantly damage the integrity of the person's private life.<br />
Separately, I consider it necessary to emphasize that the mere invasion of privacy (which can be<br />
in the case of data publication, concede) does not justify imposing a data access restriction<br />
or refusal to issue data. Failure to issue data could be legitimate<br />
only in the event that the release would lead to a significant loss of privacy of the data subject<br />
damage. I believe that issuing the requested data in this case will lead to such a consequence<br />
basically cannot be brought.<br />
<br />
<br />
Refusal to comply with information requests violates my right to receive public information from EEL. Please<br />
AKI should satisfy this complaint and issue a mandatory order to EEL to issue me an EEL-<br />
i 26.09.2022 documents attached to the letter in full (without removing the information contained therein<br />
or undisguised).<br />
<br />
<br />
Also, I ask AKI to apply 12.09.2022 to EEL. prescribed in the injunction-warning<br />
measures due to failure to comply with the injunction.<br />
<br />
INFORMATION HOLDER REASONS:<br />
<br />
Referring to your inquiry of 11.11.2022, we will answer your questions and submit them<br />
in order:<br />
<br />
<br />
1. Requests<br />
We explain by category of personal data why the relevant data pertains to the Private Person<br />
is restricted information based on AvTS § 35 (1) p. 12:<br />
According to the information holder's explanations, 2018 and 2019 are the year of wishes of the Private Person<br />
his jobs vary. In addition, job applicants can be in several at the same time<br />
in employment relations. What choice does the job applicant make when entering job data<br />
<br />
to receive an invitation to the request, can be considered as private information, as it shows the latter<br />
the conviction of which workplace information is the most important to add in the job applicant's opinion<br />
more relevant when submitting the relevant request.<br />
<br />
1.2. The most important works, projects, expertises<br />
<br />
– to the extent that more important works, projects, expertises directly show the work experience of the applicant for the invitation,<br />
<br />
then the level of a person's knowledge and abilities can also be deduced from this list, the disclosure of which<br />
in its personalized form, the invitation violates the privacy of the applicant. Please note that privacy includes<br />
The EIK also considered activities of a professional and commercial nature (EIKo 13710/88, Niemietz vs.<br />
Germany, 16.12.1992),<br />
<br />
In addition, according to the General Regulation on the Protection of Personal Data EU 2016/679, personal data is any kind<br />
information about an identified or identifiable natural person ("data subject"). In this case, it works<br />
<br />
relevant information about the person's experiences, thus also knowledge. This is personal data,<br />
allowing access to which may significantly damage the privacy of the data subject,<br />
e.g. allow conclusions to be drawn based on the professional applicant's (data subject's) knowledge of specific fields or<br />
regarding their absence.<br />
<br />
As stated in the previous answer to the Data Protection Inspectorate, the invitation applicant<br />
<br />
to assess competence, an assessment committee has been formed by the professional committee (KutS §<br />
<br />
19 paragraph 1), who assesses the competence of the applicant based on the data provided by the applicant. Given<br />
the disclosure of data to an unlimited circle of persons is not lawful, because there is no way to do so<br />
purpose as well as legal basis.<br />
<br />
2. Information disclosed by the person<br />
<br />
<br />
In order for EEL to obtain restrictions on the requested documents from the data that has already become public<br />
to remove and issue them to the information requester, must be checked by the Data Protection Inspectorate<br />
the content of the information on the websites referred to by the applicant and then compare them<br />
with what was provided in the request (to avoid a situation where information is issued that was not previously available<br />
made public). In connection with this, we ask the Data Protection Inspectorate to clarify and<br />
specify on which legal basis EEL processes personal data in such a case? In addition, as<br />
EEL may come into contact with the invitation applicant's data, which EEL previously had about the invitation applicant<br />
<br />
was not, then EEL is of the opinion that the invitation to the applicant comes from the corresponding processing of personal data<br />
to inform (Articles 12 and 14 of the General Regulation on Personal Data Protection). We ask for Data protection<br />
Confirm the information at the inspection. EEL is ready to remove restrictions from the given data if possible<br />
answers to the above questions, which allow the personal data of the invitation applicant in such a way<br />
processing by EEL.<br />
<br />
<br />
3. Minutes of the evaluation commission<br />
<br />
The requested professional level is fully covered in the protocols of the evaluation commission, because as well<br />
mentioned earlier, it also contains a list of areas for which it was decided not to invite the applicant<br />
give. The information on which professional levels were given to the person has been published (p. 10), as it is public information<br />
with data available in the register of professional activities: www.kutseregister.ee. To clarify,<br />
Under the minutes of the 2018 evaluation committee, the explanation part is covered because it contains<br />
<br />
only the basis of the negative decision. Explanation section under the minutes of the 2019 evaluation committee<br />
mostly contains references to the previous negative decision and bold text which<br />
follows the previous description of the negative decision and which in its wording suggests that<br />
previously, a negative decision has been made regarding the invitation applicant. Also, if you cover up the explanation part,<br />
that precedes the text in bold, it further allows for the conclusion that the invitation is on the part of the applicant<br />
a negative decision made in some respect, which may then lead to negative decisions regarding the invitation applicant<br />
assessments.<br />
<br />
<br />
The data protection inspection has clarified, however, that part of the information is not covered<br />
(words, sentences), the disclosure of which would violate the integrity of a person's private life, not the entire explanation<br />
part. Otherwise, it should be clear on what basis the commission made a positive decision.<br />
<br />
We explain that point 10 of the protocol of the evaluation committee contains the proposal of the evaluation committee,<br />
in which part the invitation applicant must be given an invitation - so it is clear from the given point in which<br />
<br />
the evaluation committee has made a positive decision. Explain the part that does not contain direct words<br />
the description of the negative decision, giving the possibility to conclude, that the persons who were previously present<br />
negative assessment given in terms of knowledge. At the same time, the year 2019 does not include the evaluation committee<br />
the positive part of the explanation of the protocol, the evaluation committee's additional explanation of why the corresponding decision<br />
is done. Therefore, if we consider the risks involved in the thickness of the 2019 evaluation committee<br />
by publishing the explanatory part of the letter and at the same time taking into account that the evaluation committee<br />
the proposal in which part to issue an invitation (p. 10) has been published to the information requester, the EEL finds that the invitation<br />
<br />
based on the interests of the applicant, the corresponding text must be covered, i.e. it is restricted information.<br />
<br />
We refer here to the general guidelines of the Public Information Act of the Data Protection Inspectorate, where<br />
explained that if possible, access is provided only to the requested part<br />
of the document/information that is not affected by the restriction (§ 38, paragraph 2 of AvTS) (see instructions § 38, p. 18). Maybe<br />
then the EEL is left with the right to decide whether it is necessary to disclose any specific information to the information requester<br />
<br />
possible or not.<br />
<br />
Pursuant to § 12 (1) p. 8 of KuTS, the party giving the invitation guarantees the publication received during the invitation<br />
not belonging to information protection. Due to this provision and considering the information requester and invitation applicant<br />
interests, the EEL has taken the position that the interests of the applicant for the invitation to privacy prevail in this case<br />
up the interest of the information requester. The latter is interested in relevant information, like a sworn lawyer<br />
Jaanus Tehver also brought it up in his first argument, in order to make sure that the invitation was issued<br />
<br />
in justification and in the actual correspondence of the qualifications of the person (data subject) with the profession,<br />
to which the person with the invitation claims to comply.<br />
<br />
Pursuant to Section 18(2)(6) of KutS, the vocational committee decides whether to grant a vocational qualification to a person applying for a vocational qualification or<br />
failure to provide. The invitation to assess the applicant's competence is issued by the professional committee<br />
formed evaluation committee (KutS § 19 subsection 1). Therefore, the competence of the applicant is still assessed<br />
evaluation committee, not every information requester who wants information about the person with the invitation<br />
<br />
to get acquainted with the documents.<br />
<br />
The public can consult the professional certificate data of a person with a profession in the professional register, which<br />
proves the compliance of the person's competence with the requirements established in the professional standard. Professional certificate<br />
the professional who issued the professional certificate is responsible for its correctness (KutS § 21 (1)). It will also come<br />
to take into account that according to § 21 subsection 2 of KutS, a person with a profession has the right to use a professional certificate<br />
<br />
the professional title or its abbreviation indicated on the professional certificate during its validity and present yourself<br />
as competent according to the professional level given to him. Therefore, as long as the professional certificate is valid,<br />
the person with the invitation has the right to rely on it as well.<br />
<br />
EEL notes that it is possible to revoke a professional certificate in accordance with the procedure specified in KutS.<br />
In case of successful invalidation of the professional certificate, the person with the professional certificate has no right from earlier<br />
use the professional name or its abbreviation indicated on the valid professional certificate and present yourself<br />
<br />
as competent according to the given professional level.<br />
<br />
In addition, if the information requester doubts the legality of the actions of the party giving the invitation, it is possible to initiate<br />
supervision procedure over the activities of the person giving the invitation in accordance with the procedure provided by law<br />
<br />
4. Reviews of the professional suitability of the applicant for the engineering profession<br />
<br />
<br />
Requests for an invitation, content of evaluation committee protocols and reviews<br />
parts deal with information about the level of knowledge and abilities of the applicant for the profession, the disclosure of which<br />
an unlimited circle of persons is not allowed based on AvTS § 35 (1) p. 12, as it violates<br />
strongly inviolability of a person's private life, promising to give certain information about the person when it becomes public<br />
evaluations, including negative ones, which may directly affect the position of the applicant for the invitation<br />
when providing the service. There is also no legal basis for publishing such data<br />
purpose. The competence of a person with a profession according to the given professional level is certified by the certificate issued<br />
<br />
professional certificate, which can be viewed by all interested parties in the professional register. If<br />
if the information requester has doubts about the competence of the applicant for the invitation, then there is a separate provision for this in the KuTS<br />
the possibility of revoking the professional certificate. Based on the above, EEL is of the opinion that<br />
partial refusal to fulfill the request for information and restriction of access to the requested information<br />
the imposition has not been unlawful.<br />
<br />
<br />
<br />
GROUNDS FOR DATA PROTECTION INSPECTION:<br />
<br />
Information obtained and created during the process of requesting and issuing an invitation<br />
Acquired education and further education<br />
<br />
The complainant has taken the position that the data to which EEL in its 26.09.2022.a. letter<br />
according to the access restriction was established - i.e. information about where and for how long the invitation applicant<br />
went to school, what additional training did he complete, what are the character traits of the applicant for the profession,<br />
<br />
health condition, assessments of the level of his knowledge and abilities - cannot be, in principle<br />
those, to which the provision of access significantly affects the privacy of the data subject<br />
would damage).<br />
<br />
EEL's activity in concealing data under the label of protecting the privacy of the data subject is special<br />
cynical given the fact that a specific data subject - a Private Person - has deemed it possible<br />
<br />
publish the data of their educational progress to the public aimed at offering their services<br />
on the website<br />
<br />
If the person has submitted data characterizing his educational background and knowledge and experience<br />
to a professional organization for the purpose of receiving an invitation, and the person relies on it in his public activities<br />
to the invitation attributed to him on the basis of the same data, then it is not possible to reasonably claim that<br />
disclosure of the data that was the basis for receiving the invitation in response to a request for information would be harmful<br />
<br />
substantially inviolability of a person's private life.<br />
<br />
The Data Protection Inspectorate does not agree with the above. To receive an invitation to a professional organization<br />
as a rule, the data provided is not a special type of personal data, which does not mean that it cannot be received<br />
to impose an access restriction. In the previous objection decision, the inspection indicated that it agreed<br />
cannot, however, argue with the claimant's claim that they cannot in principle contain personal data to which<br />
<br />
allowing access would significantly harm the privacy of the data subject.<br />
Personal data is not only the name of the person (which is known to the information requester and which cannot be hidden<br />
reason), however, for example, where and for how long is his private information that needs to be protected<br />
did he go to school, what advanced training did he take, what are his character traits, health<br />
condition, assessments of the level of his knowledge and abilities, etc. So you can also get a public task<br />
the information collected during the execution must have access restrictions and must not be available to everyone.<br />
Regarding the above, the inspection has not changed its position.<br />
<br />
<br />
PS § 26 provides for the protection of a person's private life. The protection of personal data must also be included in this, including such<br />
data protection regarding a person's education and skills. Paragraph 2 of § 44 of the PS states that persons have<br />
the right to receive information from state authorities about their activities, which also includes public tasks<br />
documents created and received during execution. This right may also be limited by the rights of other people<br />
for protection, including the protection of privacy and personal data. This position has also been adopted<br />
Tallinn District Court in case 3-17-458. In addition, the court has noted that even if the information no<br />
<br />
to be recognized as information for internal use is not disclosure of personal information<br />
allowed unconditionally.<br />
<br />
Since two fundamental rights collide here - the right to privacy and the right to receive public information, then<br />
here, the institution has to weigh between two fundamental rights, whether the right of the individual is greater in a specific case<br />
privacy or the objector's right to receive public information. In borderline cases, however<br />
to prefer an interpretation that more strongly protects privacy, rather than prioritizing it<br />
<br />
interests of third parties.<br />
<br />
In this case, there is no dispute that every processing of personal data affects the individual to some extent<br />
privacy, but the question is whether it is a significant intrusion that allows<br />
to impose an access restriction on the data contained in the document. Object of dispute<br />
the application does not only contain the level of education, but also contains information about when in which<br />
in the educational institution and which curriculum and at what time the person studied, which professional skills he acquired<br />
<br />
and in the scope of which subject points<br />
the place of participation in studies and further training over the course of approx. 20 years, including which ones<br />
additional trainings have been completed abroad and, to the extent, disclosure of such information<br />
to third parties already significantly infringes on the integrity of a person's private life. To add here more<br />
the 17 years of work and internships reflected in the application, then it already enables the person as well<br />
to profile. In the opinion of the inspectorate, disclosing information to this extent is a significant violation<br />
<br />
inviolability of a person's private life. Therefore, the last one reflected in the kasovia statement is not subject to disclosure<br />
<br />
17 years of work and internships.<br />
<br />
It should also be taken into account that a person applying for an invitation must submit the invitation documents<br />
to request an invitation to the provider, which does not mean that the institution can disclose this information<br />
to an unlimited circle of persons. Here, without a doubt, the individual's right to privacy is more important than<br />
<br />
right of third parties to receive information.<br />
<br />
However, what concerns the claimant's remark that EEL's actions in concealing the data of the data subject<br />
under the guise of privacy protection is particularly cynical given the fact that a specific<br />
the data subject - Private person - has considered it possible to publish the data of his educational background<br />
on the website aimed at offering its services to the public and relies on its public<br />
<br />
in the activity to the invitation assigned to him on the basis of the same data. At this point I consider it necessary<br />
explain that the person himself always has the right to access his data anywhere and to anyone<br />
to disclose. However, institutions that have to act on the basis of the law do not have this right. Nor is it<br />
the institution has the obligation to check whether the person has previously mentioned himself somewhere when receiving the documents<br />
disclosed the data. The institution can only be based on the documents submitted to it and there<br />
of the contained data. At this point, the information of the complainant remains incomprehensible to the inspection<br />
<br />
the need to obtain, if the complainant has already received the requested information. Request for information<br />
the purpose of the submission is primarily to request information that is not known to the person submitting the objection.<br />
<br />
The complainant has also stated in the complaint that it is noteworthy that the documents have<br />
the access restriction was established only on 09.08.2022, i.e. after EEL first my<br />
refused to comply with the request for information (EEL imposed an access restriction during the AKI dispute procedure-<br />
<br />
consequently, EEL's letter of 27.06.2022 contained the introduction of an access restriction.<br />
<br />
The fact that the physical limitation has not been noted in the document in time does not mean that<br />
that such a document can no longer be marked with a restriction. I agree with the objector that<br />
if the EEL already found at the time of refusal to comply with the primary information request that the document contains<br />
restricted information and the document did not have a restriction, it should have been done immediately.<br />
<br />
However, the foregoing does not invalidate the restriction. I also agree with the objector that if<br />
the request for information is refused on the grounds that it infringes on the integrity of the person's private life, then<br />
also explain to the information requester in a comprehensible way what this important interference consists of (AvTS § 23 paragraph 3).<br />
Here, it is not enough to merely refer to the basis of the restriction.<br />
<br />
Most important works/projects/expertises<br />
<br />
In response to the inspection's inquiry, EEL has justified the request for that part which<br />
concerns the establishment of a restriction on the work done as follows. How much more important work, projects,<br />
examinations directly show the work experience of the job applicant, then you can also use the given list<br />
<br />
to conclude the level of the person's knowledge and abilities, the disclosure of which in a personalized form violates the invitation<br />
privacy of the applicant. We would like to point out that private life also includes the concept of the Court of Justice<br />
activities of a professional and commercial nature (EIKo 13710/88, Niemietz v. Germany,<br />
16.12.1992).<br />
<br />
The Data Protection Inspectorate does not agree with the above. First of all, I think it is necessary to note that<br />
the cited judgment is not relevant in this case, as it concerned the lawyer's office<br />
<br />
searching. As the makers of building design, owner supervision and construction expertise<br />
according to § 25 of the Construction Code, must register themselves in the register of economic activities, where there is<br />
data of public and competent persons, then this is limited information. Building register basic regulation<br />
In accordance with § 5 (1) p. 9, additional transactions of the building are entered in the building register with the construction of the building or construction<br />
data of related persons. According to § 10 of the same regulation, the construction project is also entered in the building register<br />
first and last name of the compiler (p. 5), first and last name of the person supervising the owner (p. 6),<br />
<br />
data of the construction project expert and the building audit (p. 10 and 11). So it is<br />
<br />
1 See also RKHKo 3-20-1265, p 24.<br />
<br />
in the construction register, in addition to the data of the building, also the data of the aforementioned persons involved in construction activities,<br />
which is not restricted information, therefore the disclosure of such data cannot in any way infringe either<br />
privacy of a person, as it is work-related information that can be carried out by a person who is<br />
registered in the economic activity register.<br />
<br />
Publicity of reviews<br />
<br />
The Data Protection Inspectorate agrees with EEL that the reviewer's assessment, which also includes<br />
gives reasons why the reviewer considers that the applicant meets/does not meet the requested professional level<br />
assessment of the applicant's skills and knowledge. Thus, the reviews contain such positive ones<br />
<br />
and negative reviews. Although the reviewers are certainly very competent<br />
with individuals, however, all such assessments are somewhat subjective. Neither does the commission<br />
decision based only on the opinion of one reviewer. If such opinions are issued to third parties<br />
to persons, then everyone can draw their own conclusion from them, which may be adequate and may bring<br />
negative consequences for the applicant, affecting his professional position. You can't here either<br />
the complainant should not evaluate what decision should have been made instead of the reviewer or the committee<br />
commission to do. The Data Protection Inspectorate finds that just as there are no teaching staff at the university<br />
<br />
feedback to the student is public, so the review given to the professional applicant cannot be public either<br />
in terms of knowledge and skills.<br />
<br />
The statement of the objector, as if the disclosure of the documents requested by him could not be done in any way<br />
to significantly infringe on a person's privacy is not appropriate. This is the invitation to give<br />
the documents submitted and prepared during the process also contain restricted data, as already follows from the KuTS<br />
§ 12 (1) p. 8, according to which the person giving the invitation guarantees the publication obtained in the course of giving the invitation<br />
<br />
protection of non-proprietary information. Here, the Inspectorate fully agrees with EEL that by invitation<br />
the competence of the person according to the given professional level is proven by the issued professional certificate, with which<br />
it is possible for all interested parties to familiarize themselves with the professional register. In case the information requester has doubts, call<br />
in terms of the applicant's competence, the KuTS provides a separate option for a professional certificate<br />
for annulment.<br />
<br />
The Data Protection Inspectorate also already explained to the complainant in the previous appeal decision that the invitation<br />
<br />
the qualification checks the compliance of education, skills and knowledge with the requirements for granting the qualification<br />
the giver, not every seeker. Pursuant to § 23 of the Professions Act, supervision is carried out by the person giving the profession and<br />
on the activities of professional councils by the Ministry of Education and Research or on the basis of an administrative contract<br />
authorized foundation. If an administrative contract has been concluded for the performance of the tasks of a professional institution, it performs<br />
administrative supervision over the professional institution Ministry of Education and Research.<br />
<br />
<br />
Based on the above, the Data Protection Inspectorate finds that the EEL has been issued by the complainant<br />
requested documents to the extent that they do not contain restricted data, except in the statement<br />
more important works, projects, expertises, which, according to the inspection, cannot be<br />
with a limitation.<br />
<br />
Therefore, the EEL must re-examine the part of the invitation requester's request<br />
performed works, expertise and projects and issue the desired information to the extent that does not include<br />
<br />
data of third parties or, in case of continued refusal, justify how such information<br />
disclosure would significantly damage the integrity of the person's private life, if there are corresponding ones in the building register<br />
data public. In other respects, the complaint remains unsatisfied.<br />
<br />
/signed digitally/<br />
Elve Adamson<br />
lawyer<br />
<br />
on the authority of the Director General<br />
<br />
<br />
<br />
<br />
</pre></div>Norman.aasmahttps://gdprhub.eu/index.php?title=User:Norman.aasma&diff=31449User:Norman.aasma2023-03-01T12:17:37Z<p>Norman.aasma: </p>
<hr />
<div>'''Norman Aasma''', Country reporter for Estonia & Germany<br />
<br />
LL.M. student at University of Oslo<br />
<br />
'''CV''': [https://linkedin.com/in/norman-aasma-0256b21a5 linkedin.com/in/norman-aasma-0256b21a5]<br />
<br />
<br />
<br />
<br />
'''My contributions''':<br />
<br />
[[AKI (Estonia) - 2.1.-4/22/2585]]<br />
<br />
[[AKI (Estonia) - 2.1.-5/22/22012]] <br />
<br />
[[BlnBDI (Berlin) - C-807/21 - Deutsche Wohnen]]<br />
<br />
[[The FG München - Auskunftsanspruch nach Art. 15 DSGVO]]</div>Norman.aasmahttps://gdprhub.eu/index.php?title=FG_M%C3%BCnchen_-_Auskunftsanspruch_nach_Art._15_DSGVO&diff=31284FG München - Auskunftsanspruch nach Art. 15 DSGVO2023-02-21T22:07:27Z<p>Norman.aasma: Created page with "{{COURTdecisionBOX |Jurisdiction=Germany |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=The FG München |Court_Original_Name=Finanzgericht München |Court_En..."</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Germany<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=The FG München<br />
|Court_Original_Name=Finanzgericht München<br />
|Court_English_Name=Munich Finance Court<br />
|Court_With_Country=The FG München (Germany)<br />
<br />
|Case_Number_Name=Auskunftsanspruch nach Art. 15 DSGVO<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Bayern.Recht<br />
|Original_Source_Link_1=https://www.gesetze-bayern.de/Content/Document/Y-300-Z-BECKRS-B-2022-N-5603?hl=true<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Date_Decided=03.02.2023<br />
|Date_Published=03.02.2023<br />
|Year=2023<br />
<br />
|GDPR_Article_1=Article 15(3) GDPR<br />
|GDPR_Article_Link_1=Article 15 GDPR#3<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=§ 91 AO <br />
|National_Law_Link_1=https://www.gesetze-im-internet.de/englisch_ao/<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
|National_Law_Name_3=<br />
|National_Law_Link_3=<br />
<br />
|Party_Name_1=Bank<br />
|Party_Link_1=<br />
|Party_Name_2=Tax Office<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Norman Aasma<br />
|<br />
}}<br />
<br />
A data subject cannot have access to information under [[Article 15 GDPR|Article 15 GDPR]] on tax assessments if the data goes beyond the input data.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The case concerned a dispute between a bank (the data subject) and a tax office (the processor). In 2019 the plaintiff, here the bank, received a letter from the tax office, here the data processor, informing it of the results of certain tax investigations relating to investment funds for which the plaintiff was custodian. <br />
<br />
The plaintiff sent the tax office a letter on the basis of Section 91 of the Fiscal Code to exercise its right to be heard and to request inspection of those files. The tax office rejected the request, also following the bank's objection. <br />
In response, the plaintiff filed a lawsuit with the Munich Finance Court against the rejection of the information on the basis of [[Article 15 GDPR#3|Article 15(3) GDPR]]. The bank aimed to obtain a copy of its data processed by the tax office and to have the earlier decision of the tax office annulled. <br />
<br />
The tax office rejected the plaintiff's claims and argued that the right to inspect the files or to receive a copy of the content of the files concerned does not fall within the scope of [[Article 15 GDPR|Article 15 GDPR]]. Furthermore, the tax office was of the opinion that the claim to the information had already expired, as the plaintiff already had the needed information.<br />
<br />
=== Holding ===<br />
The FG München dismissed the claim. It held that, even though the data subject has a right of access under [[Article 15 GDPR|Article 15 GDPR]], that right does not extend to the present circumstances. The court held that the GDPR does not vest the data subject with a right to the full texts within a file, especially if the files contain unrecorded source data. <br />
<br />
The court ruled that the right to information under the GDPR extends in the present case only to the input data processed for the specific tax assessments. The court was of the opinion that the tax office had done all that is necessary and required by law by providing the plaintiff with the documents on capital gains, and that there are no reasons to doubt the truthfulness of the tax office. <br />
<br />
The plaintiff can exercise rights stemming from the procedural provisions of the Fiscal Code. The plaintiff can have access to the documents which were submitted to the court by the tax office. <br />
<br />
Consequently, the court held that the GDPR does not grant the bank, here the data subject, a right to inspect the files to which it requested access. The reason for denying access lies in the restrictions which apply to tax records.<br />
<br />
== Comment ==<br />
It was interesting to get to know that a legal person can have GDPR rights in Germany.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
Title:<br />
Right to information according to Art. 15 GDPR<br />
chains of standards:<br />
StPO § 147 paragraph 5, § 496 paragraph 3<br />
AO § 91, § 364<br />
GDPR Art. 2 Para. 2 d, Art. 4 No. 7, Art. 12 Para. 1, Art. 13 Para. 4, Art. 14 Para. 5 a, Art. 15, Art. 23 para. 1 e and i<br />
FGO § 32a Paragraph 1 No. 1, Paragraph 2, § 32c Paragraph 1 No. 1§ 33, § 90 a, § 115 Paragraph 2 No. 1 and 2, § 135 Paragraph 1<br />
VwGO § 40 paragraph 1<br />
OWiG § 49<br />
BDSG § 19<br />
GG Art. 19 Para. 4<br />
BDSG § 1 Section 8<br />
Guiding principles:<br />
1. A general right to inspect the files from the tax authorities exists according to std. Correspondence of the BFH not (cf. BFH, decision of November 3rd, 2020 - III R 59/19). (Rn. 155) (editorial motto)<br />
2. ECJ clarifies that the right to information under Art. 15 GDPR does not secure a right of access to administrative documents (ECJ, C-141/12, loc. cit. on the previous provision), so that this must apply even more to the entire collection of documents. (Rn. 131) (editorial guiding principle)<br />
tags:<br />
Right to information according to Art. 15 GDPR, General Data Protection Regulation<br />
Further information:<br />
Revision approved<br />
Findings:<br />
StEd 2022, 233<br />
EFG 2022, 727<br />
StB 2022, 179<br />
BeckRS 2022, 5603<br />
LSK 2022, 5603<br />
ZD 2022, 400<br />
<br />
<br />
tenor<br />
<br />
1. The lawsuit is dismissed.<br />
<br />
2. The plaintiff bears the costs of the proceedings.<br />
<br />
3. The revision is allowed.<br />
<br />
Reasons for decision<br />
<br />
1<br />
It is disputed whether the plaintiff has a claim under Article 15 of the General Data Protection Regulation (GDPR), the scope of this claim and whether it was fulfilled by granting inspection of individual documents or providing copies.<br />
<br />
2<br />
1. The plaintiff is a bank (...).<br />
<br />
3<br />
2. On ... ... 2019, the plaintiff received a letter dated ... ... 2019 from the tax office X, tax investigation office (hereinafter: tax investigation). In it, the plaintiff was informed of a large number of investigation results, the content of which relates to certain investment funds for which the plaintiff acted as custodian bank in 2010. The letter announced that the tax consequences should be drawn from the plaintiff. With the letter, brief tax reports were sent on the change in the plaintiff's capital gains tax registrations in tax matters of various investment funds (for the exact list of documents sent with the letter, reference is made to Annex K2 submitted by the plaintiff - file of the case, sheet 32).<br />
<br />
4<br />
3. Referring to the above letter, the plaintiff applied to the defendant - the tax office - in a letter dated ... ... 2019 for a right to be heard and for inspection of the files. The plaintiff derived the latter claim from Section 91 of the Fiscal Code (AO), or a right to inspect files at due discretion, and alternatively from Section 32c AO and Art. 15 (3) GDPR.<br />
<br />
5<br />
4. In a letter dated ... ...2019, the tax office pointed out that the application for inspection of the tax investigation files under Section 147 (5) of the Code of Criminal Procedure (StPO) should be submitted to the X public prosecutor's office. The tax office refused to inspect the capital gains tax file because the entire content of this file was already known to the plaintiff. The investment income tax office had already received the investigation reports from the investment funds. It is intended to use the results of these investigation reports as a basis for taxation and to change the capital gains tax returns concerned accordingly. The plaintiff has the opportunity to comment on the facts relevant to the decision until ... ... 2019. A separate letter will be sent out shortly about the application under Art. 15 (3) GDPR.<br />
<br />
6<br />
The plaintiff lodged an objection to this rejection notice (Annex K7, complaint file sheet 117), on which a decision has not yet been made.<br />
<br />
7<br />
5. In a letter dated ... ...2019, the tax office rejected the alternative request for information under the GDPR (action file, sheet 45). It justified the rejection by saying that the capital gains tax file only contained documents that were already known to the applicant. All other documents listed are the content of investigation files in criminal tax proceedings conducted by public prosecutor X. In this regard, it is doubtful whether Art. 15 GDPR applies to the investigation files at all, since according to Art. 2 Para. 2 d GDPR, Section 2a Para. 4 AO, the GDPR does not apply to the processing of personal data by the competent authorities for the purpose of prevent, investigate, detect or prosecute criminal offences. Even if this were the case, §§ 32c Paragraph 1 No. 1, 32b Paragraph 1 Clause 1 No. 1 a, Clause 2, § 32a Paragraph 2 AO - endangering the proper fulfillment of tasks - would prevent the provision of information. By inspecting the files, it cannot be ruled out that information would be revealed that could enable the plaintiff or the investment fund to conceal tax-related facts, to cover up tax-related tracks, or to allow conclusions to be drawn about planned control or audit measures, and thus make it much more difficult to uncover tax-related facts. Furthermore, this exception to the obligation to provide information is of particular importance in an ex-post view, since according to the current state of knowledge, preliminary proceedings by the public prosecutor's office X have been initiated against the plaintiff in the meantime. In addition, the tax office referred to the right to inspect files under Section 147 StPO. However, such an application would have to be submitted to the public prosecutor's office.<br />
<br />
8<br />
6. In a letter dated ... ...2019, the plaintiff brought an action against the rejection of the information on the basis of Art. 15 (3) GDPR by the decision of ... ...2019.<br />
<br />
9<br />
In doing so, it is pursuing its aim of obtaining a copy of the data relating to the plaintiff which is the subject of processing by the tax office (file of the complaint, page 90 ff).<br />
<br />
10<br />
a. The obligation action is admissible, the Munich Finance Court has factual and local jurisdiction. A preliminary procedure does not take place, the legal period has been observed.<br />
<br />
11<br />
The lawsuit is also well founded. The claim from Art. 15 GDPR is aimed directly at a data copy. According to § 2a Para. 5 No. 2 AO, the plaintiff is covered by the scope of protection of the GDPR as “Société Anonyme”, S.A., as an identified legal entity. The tax office, as the processor of the plaintiff's personal data, is the opponent of the claim. The area exemption complained about by the tax office does not apply, since the transfer of the findings of the criminal proceedings to the taxation procedure resulted in a change of purpose, so that the area exemption no longer applies. Also, no other exclusions of the right to information are evident.<br />
<br />
12<br />
b. The plaintiff has no comprehensive knowledge of the processed data. The defendant's allegation in this regard is sweeping and unsubstantiated. The documents mentioned in the references and footnotes were not attached to any letter from the defendant. The claim is also not limited to the capital gains tax file. According to the substantive concept of files, all documents related to the applicant are included, and consequently also the documents to which the references and footnotes in question relate.<br />
<br />
13<br />
c. The information also does not jeopardize the proper fulfillment of the tasks that are the responsibility of the tax office. The tax office did not state to what extent the plaintiff should be able to conceal tax-relevant facts or to take misleading measures by providing the information. The tax office essentially reproduces the text of the law without going into individual cases. Apart from that, the plaintiff has an overriding interest in the disclosure of the information. The defendant did not put forward any specific indications of a specific collision situation. The explanations in the rejection were exhausted in clichéd reproductions of the legal text without considering individual cases. In the concrete balancing of interests, the interests of the plaintiff clearly prevail. The significant financial consequences of a tax arrears were particularly significant. The amount required a precise examination of the facts for the purpose of full clarification. The plaintiff's rights to a fair trial and a fair hearing continue to speak for her. On the one hand, the defendant could not process the knowledge of the tax investigator X for the purpose of issuing notices of additional claims, but on the other hand, it could not provide full insight into the personal data of the plaintiff that were the subject of the processing. The imbalance is not compensated for by the right to inspect files. Both rights have existed side by side since the introduction of the GDPR.<br />
<br />
14<br />
d. The right to information is also not excluded by reference to § 147 StPO. As already explained, criminal tax proceedings are different from taxation proceedings.<br />
<br />
15<br />
Contrary to the opinion of the tax office, the decision to provide information in the form of a data copy is no longer at the discretion of the tax authorities. Thus, the tax office has no discretion regarding the provision of a copy. The scope of the copy is also not at the discretion of the person responsible.<br />
<br />
16<br />
For the legal argumentation in detail, reference is made to the statement of claim (particularly file of the lawsuit sheet 90 ff., 179 ff., 251 ff., 278 ff., and pleading of January 28, 2022).<br />
<br />
17<br />
7. The plaintiff requests<br />
<br />
annul the decision of ... ... 2019 and oblige the tax office to provide the plaintiff with a copy of the data relating to her that are the subject of the processing by the defendant.<br />
<br />
18<br />
The tax office requests<br />
<br />
19<br />
8. a. The request for information under the GDPR has already been partially granted. The plaintiff has no right to further information. The plaintiff can only refer to the GDPR because Section 2a (5) No. 2 AO extends its scope to legal entities, which should be taken into account when interpreting the GDPR. In the event of a dispute, a clear distinction must be made between the information on processing operations in tax proceedings on the one hand and the processing operations in criminal tax proceedings on the other. This separation is imperative in a data protection assessment, since only parts of the requested information, namely that from the taxation procedure, fall within the scope of the GDPR.<br />
<br />
20<br />
b. With regard to the processing of data in the context of the taxation procedure, the tax office has already provided the information. The tax office had already sent the plaintiff the investigative reports listed from the tax investigation office and informed them that the capital gains tax file contained the capital gains tax registration for 2010 and the associated correspondence. The plaintiff filled out the capital gains tax returns herself and was either the addressee or the sender of the associated correspondence. Accordingly, the plaintiff is aware of the entire content of the capital gains tax file.<br />
<br />
21<br />
c. With regard to the other contents of the files, in which the plaintiff requests access to the files, she cannot invoke Art. 15 GDPR, since these contents are criminal files - and also those of third parties - to which the GDPR does not apply. Rather, the BDSG applies in this respect. In this respect, however, legal recourse to the tax courts is not open.<br />
<br />
22<br />
d. Alternatively, the tax office states that for all documents that are related to the ongoing criminal tax proceedings, the exceptional circumstances of Article 23 (1) e GDPR in conjunction with Sections 32c (1) No. 1, 32b (1) sentence 1 No 1 a, sentence 2, § 32 paragraph 2 AO intervene (endangerment of task fulfillment). It is obvious that the plaintiff or other persons against whom criminal proceedings have been initiated in some cases could rely on the state of knowledge of the tax authorities if the contents of the files were made known to them, especially since the investigations have not yet been completed. If the tax investigation offices had to disclose the findings of their investigations during the ongoing proceedings, all criminal offenses under Section 370 AO could no longer be effectively prosecuted in the future. The evaluation of § 147 StPO would be undermined.<br />
<br />
23<br />
e. In the event that more information was provided, this would also be detrimental to the welfare of the federal government or a state (Article 23 (1) e GDPR in conjunction with Sections 32c (1) no. 1, 32b (1) sentence 1 no. 1 b AO). According to media reports, the ongoing criminal and investigation proceedings in connection with this are about damage to the state treasury in the billions. This would possibly thwart the investigation and criminal prosecution of “one of the biggest tax scandals in German history” (so-called “cum-ex” cases). In view of the extent of the damage, the federal interest in effective clarification and enforcement of the tax refunds clearly takes precedence over the plaintiff's individual interest in disclosure of information.<br />
<br />
24<br />
f. Finally, with regard to all file contents from criminal proceedings against other persons, the exception of Art. 23 Para. 1 e and i DSGVO in conjunction with §§ 32c Para. 1 No. 1, 32b Para. 1 Sentence 1 No. 2 AO, Art. 15 Paragraph 4 GDPR. The requested documents therefore contained information which, if disclosed, would undoubtedly endanger the rights and freedoms of third parties. The interest of the person concerned in the provision of information must take second place to these rights of a large number of third parties (accused persons, witnesses, official employees, etc.). All investigation results fell under the tax secrecy, which is specially protected in § 30 AO. There is already no power of disclosure that would allow the defendant to inform the plaintiff about the data of third parties.<br />
<br />
25<br />
g. Each of the exceptional circumstances presented is of such weight that the plaintiff's individual interest in the provision of information must take a back seat to each one. The plaintiff's interest in checking the data stored in the files is entirely understandable. However, you may assume that all processing operations within the defendant were carried out in a lawful manner in accordance with data protection on the basis of Sections 29b, 29c (1) AO. At the same time, the plaintiff is entitled to sufficient other legal protection options, which it can also take or has already taken and which also offer this possibility of verification. The plaintiff can apply for access to the files in administrative offense proceedings under Section 49 OWiG and in criminal proceedings under Section 147 StPO. The constitutional control of the tax assessments is carried out through the already ongoing fiscal court objection proceedings or, if necessary, in the context of a subsequent lawsuit.<br />
<br />
26<br />
h. The tax office is of the opinion that Art. 15 GDPR does not provide for a right to inspect the files or to have a copy of the content of the files sent. The claim of the plaintiff has already expired, insofar as she already has the information. Furthermore, the right to information does not relate to all internal processes of a person responsible, such as notes, legal assessments or analyses. Such documents do not represent personal data. The publication of all internal documents would be equivalent to a right to inspect files, which Art. 15 GDPR does not offer.<br />
<br />
27<br />
i. The tax office expressly contradicts the plaintiff's view that the right to information under Art. 15 GDPR is a bound right that excludes any discretion with regard to the type of information provided. Both in the GDPR itself (Art. 12 Para. 1 GDPR) and specifically in Section 32d Para. 1 AO, it is expressly stipulated that Art. 12-15 GDPR are regulations that are subject to due discretion.<br />
<br />
28<br />
The view that a right to a copy of the content of the file can be derived from Art. 15 GDPR is also expressly contradicted.<br />
<br />
29<br />
k. The tax office initially refused to send the files relating to the dispute, fearing that the main issue would be preempted. In this respect, it referred to the decision of the Federal Fiscal Court (BFH) of June 3, 2015 (VII S 11/15, BFH/NV 2015, 1100).<br />
<br />
30<br />
For the argumentation in detail, reference is made to the written submissions (particularly the complaint file, pages 141 et seq., 219 et seq., 294 et seq., 384 et seq.).<br />
<br />
31<br />
9. a. In a letter dated ... ...2020, the plaintiff stated that she had now been able to inspect the investigation files of the X public prosecutor's office. The evaluation of the file of around 32,000 sheets is ongoing. By inspecting the investigation files, the claim asserted here for the submission of copies of personal data is neither fulfilled nor otherwise settled, because the plaintiff cannot find out which personal data the defendant is processing in the context of taxation by inspecting the files in criminal proceedings. Rather, the plaintiff must assume that the personal data processed by the defendant for the purpose of capital gains tax are still not available to her in full, since the defendant persistently denies her access.<br />
<br />
32<br />
b. At the request of the court, the tax office has the files relating to the dispute (cf. BFH, decision of 19.12.2016 - XI B 57/16 -, BFH/NV 2017, 599) - this is the data protection request for information, the correspondence exchanged and the issued decision - filed.<br />
<br />
33<br />
For the reasoning below, reference is made to the written submissions of the parties involved.<br />
<br />
34<br />
The admissible action is unfounded.<br />
<br />
35<br />
1. The action is admissible.<br />
<br />
36<br />
a. Legal recourse to the financial courts is possible according to § 32i Para. 2 AO, since the complaint of the person concerned against the tax office as the tax authority (§ 6 Para. 2 No. 5 AO) with regard to the processing of personal data is based on rights under the DSGVO (here : Art. 15 (1) GDPR).<br />
<br />
37<br />
The legal process is determined by the subject of the dispute. In the event of a dispute, this only includes the right to information from the GDPR against the tax authority as the authority responsible for taxation.<br />
<br />
38<br />
(1) According to the so-called two-part concept of the subject matter of the dispute, the subject matter of the dispute is generally characterized as the procedural claim by the desired legal consequence described in the application and the cause of action, i.e. the facts from which the legal consequence is to result (trial case law, cf. BVerwG , decision of 20.09.2012 - 7 B 5/12 -, para. 6, NVwZ 2012, 1563). In the case of a request for a commitment, the legal basis for a claim is also used to determine, define and specify it (ibid; BFH decision of April 7th, 2020 - 2015 II B 82/19 -, BStBl II 2020, 624; BVerwG, decision of November 18th, 2019 - 10 B 20/19, BFH/NV 2020, 336, margin no. 7; the same result: BFH, decision of June 16, 2020 - II B 65/19 -, BStBl II 2020, 622). Even in the case of a single application, there can therefore be several issues in dispute. The prerequisite for this is that the application is based on several facts and claims (BGH, decision of 27.11.2013 - III ZB 59/13 -, BGHZ 199, 159, para. 16).<br />
<br />
39<br />
(2) If information from the relationship between the data processor and the data subject is requested and presented at the intersection of taxation and criminal tax proceedings, and if this information gives rise to a right to a copy of the administrative files or parts thereof, four different issues must be distinguished:<br />
<br />
40<br />
aa) On the one hand, information on data protection law without cause - derived from data processing - and not dependent on a specific administrative legal relationship within the scope of the GDPR.<br />
<br />
41<br />
bb) On the other hand, the equally unfounded - derived from the data processing -, process-independent information beyond the material scope of the GDPR, insofar as the data subject requests information from law enforcement authorities.<br />
<br />
42<br />
cc) Thirdly, independent and dependent file inspection rights derived from a specific administrative legal relationship, aimed at the files of specific taxation procedures.<br />
<br />
43<br />
dd) Fourth, rights to inspect files derived from the specific legal relationship as a subject to criminal investigations.<br />
<br />
44<br />
Various legal avenues are open to these four matters of dispute. While for aa) pursuant to § 32i AO the specially assigned financial legal recourse is open and for cc) the general financial legal recourse according to § 33 paragraph 1 of the Financial Court Code (FGO), for bb) the legal recourse to the administrative courts is open and for dd) the legal recourse to the criminal courts.<br />
<br />
45<br />
This results from the fact that for the data protection information claims from the data processing relationship in the relationship between authorities and citizens (above aa and bb) - i.e. outside of a specific administrative legal relationship - there is in principle a public law dispute of a non-constitutional nature, for which, subject to a special assignment, the general Administrative legal recourse is given (§ 40 Para. 1 VwGO; BVerwG, decision of 18.11.2019 - 10 B 20/19 -, para. 4, BFH/NV 2020, 336). This also applies to data processing by law enforcement authorities (above bb., cf. BFH, decision of April 7th, 2020 - II B 82/19 -, BStBl II 2020, 624). With the repressive special assignment of § 32i AO, the legislature has assigned questions of data processing in the area of the tax authorities (above aa) to the more relevant tax courts.<br />
<br />
46<br />
On the other hand, rights to inspect files are not rooted in the fact of data processing, but are derived from the specific administrative or taxation procedural legal relationship; the same applies to the accused who is subject to a criminal investigation. In the latter case, the right to inspect the files is regulated by ordinary law in Section 147 StPO, with the assignment of legal recourse to the criminal courts (Section 147 (5) StPO).<br />
<br />
47<br />
The legislature has not standardized a statutory right to inspect files in the taxation procedure. For any disputes, however, the general financial legal recourse would be open (§ 33 FGO). The same applies to the direct constitutional right developed by case law to a decision based on due discretion regarding an application for inspection (cf. BFH, judgment of June 8, 2021 - II R 15/20 -, para. 10, juris; BFH, judgment of July 30, 2003 - VII R 45/02 -, BStBl II 2004, 387).<br />
<br />
48<br />
(3) In the event of a dispute, only a request for information pursuant to Art. 15 GDPR is the subject of the dispute and not, for example, a claim to a legal hearing derived from the administrative legal relationship, to inspection of files or a dependent claim to notification of the tax documents (§ 364 AO). The plaintiff also submitted these claims to the tax office before the trial, which denied these claims. However, a decision has not yet been made on the admissible appeal filed. The plaintiff does not seek a decision on this in the legal proceedings, but derives its claim solely from Art. 15 GDPR. Therefore, in the case of a dispute - unlike the decision of the BFH (BFH, judgment of June 8, 2021 - II R 15/20 -, para. 10, juris) - there is no uniform subject matter in dispute in relation to the right to inspect files from the specific taxation procedure and the right to information according to Art. 15 GDPR.<br />
<br />
49<br />
In the opinion of the Senate, it cannot be deduced from the above-cited BFH decision that there is always a uniform subject matter of dispute as soon as the plaintiff also claims access to files from the GDPR. Since the subject matter of the dispute is decisively determined by the facts presented by the plaintiff in the respective proceedings, no general statement can be derived from the individual case decided by the BFH. In the event of a dispute, it is also decisive for the assumption of two different matters in dispute that the right to information under the GDPR differs fundamentally from the right to a decision on the request for inspection of files in the specific taxation procedure that is free of discretionary errors. While the right to information, as a bound decision, guarantees information from the data processor to the data subject without cause, the independent right to a decision on a request for inspection of files that is free of discretionary errors is subject to the discretion of the tax office. The discretionary decision to be made in the second case is subject to completely different standards, not only with regard to the administrative decision and the objection decision to be made in the appeal proceedings, but also with regard to the judicial review.<br />
<br />
50<br />
The facts on which the action is based also differ in the two claims: While the right to information under data protection law is justified by the fact that the person responsible processes personal data of the person concerned in a file system or intends to do so (Art. 2 DSGVO), a right to inspect the files is required to justify the claim Presentation of a specific administrative legal relationship, on the basis of which the authority keeps files and specific facts which - contrary to the fundamentally not guaranteed by law access to files - in the specific case require a discretionary decision by the authority in favor of an inspection of files. Accordingly, the BVerwG also distinguishes between the right to inspect files in the specific taxation procedure and, for example, the right to information from freedom of information laws and in this respect assumes two matters in dispute, for which legal recourse to the finance courts and the administrative courts are open (BVerwG, decision of 18.11.2019 - 10 B 20/19 -, para. 4, BFH/NV 2020).<br />
<br />
51<br />
(4) The plaintiff's application is also not aimed at data protection information from the area of activity of the tax office as a criminal investigation authority (subject of the dispute above bb). In response to the objection of the tax office, the plaintiff has made it clear that it is only seeking information from the area of the capital gains tax office, assuming that the relevant documents were handed over to the tax investigation office and thus became part of the taxation data (...).<br />
<br />
52<br />
(5) Finally, the plaintiff's claim is not aimed at specific access to the files as a person subject to criminal investigations. She explicitly states that the subject of the dispute should not be an application for inspection of files under § 147 StPO (...).<br />
<br />
53<br />
b. The permissible type of action for the judicial assertion of a claim for information against an authority under Art. 15 Para. 1 of the GDPR is the obligation action. Because the decision on a data protection right to information by an authority is an administrative act. The provision of information is preceded by an official decision, which is to be made on the basis of a statutory examination program and in which the authority has to observe special procedural precautions such as the obligation to provide reasons or to be heard. Therefore, the provision of information by an authority on the basis of Art. 15 Para. 1 DSGVO is always preceded by an examination of possible exclusions and restrictions (cf. BVerwG, judgment of 16.09.2020 - 6 C 10/19 -, para. 12, HFR 2021, 419).<br />
<br />
54<br />
c. The lawsuit is also directed against the correct defendant. The person responsible for the data protection claims from the GDPR is passively legitimate (Art. 15 Para. 1 GDPR). According to Art. 4 No. 7 GDPR, this is the natural or legal person, authority, institution or other body that alone or jointly with others decides on the purposes and means of processing personal data. § 2a AO also links the responsibilities in connection with the protection of personal data to the tax authority or public administration body. The subject of the rights and obligations in the area of data protection is therefore the authority that decides on this processing within the scope of its responsibility. The claim can therefore only relate to the processing of data that is within the decision-making authority of the respective authority and to this data. In the event of a dispute, since information about the data processed in the taxation procedure is requested, that is the defendant tax office.<br />
<br />
55<br />
As already explained above, the lawsuit is not aimed at information about data from a criminal investigation. In this respect, the scope of the GDPR would not be open either. Rather, legal recourse to the administrative courts would be open to this extent. Incidentally, the specific public prosecutor's office would be passively legitimized, also insofar as the files of their auxiliary officials - such as the tax investigation office - are concerned.<br />
<br />
56<br />
2. The lawsuit is unfounded.<br />
<br />
57<br />
The plaintiff has a right to information under Art. 15 (1) GDPR, which, however, does not include the requested inspection of administrative documents. The plaintiff is already aware of the data that was actually processed for the subsequent or repayment notice, i.e. on which the taxation is based. In addition, by sending the extensive reports in a letter dated ... ...2019 to the plaintiff, the tax office also communicated or disclosed taxation documents and provided evidence that went beyond the claim under Art. 15 (1) GDPR.<br />
<br />
58<br />
The plaintiff clearly does not seek access to the mere input data for the notification or the basic data overview - or a copy thereof - both would be covered by her claim under Art. 15 DSGVO.<br />
<br />
59<br />
The tax office is not obliged by the right to information under data protection law to grant access to the tax files beyond the information provided, to provide copies of the files or to search for and communicate data from the tax files.<br />
<br />
60<br />
The GDPR is also applicable in the area of direct taxes (a.).<br />
<br />
61<br />
As a processor within the meaning of the GDPR, the tax office is also the correct defendant or passive legitimizer of the right to information (b.).<br />
<br />
62<br />
In the event of a dispute, the material scope of the GDPR applies to the extent that the processing of personal data is to be assessed (c.), but only to the extent that the personal data is also processed by the tax office in a fully or partially automated manner (d.).<br />
<br />
63<br />
The right to information, which is already limited by this, is correspondingly limited with regard to the restrictions on the right to information in the GDPR itself, as well as by the AO and general principles (e.).<br />
<br />
64<br />
It does not grant any right to inspect files or administrative documents (f.).<br />
<br />
65<br />
a. The GDPR is also applicable to the processing of data in the administration of direct taxes.<br />
<br />
66<br />
(1) As an EU regulation, the GDPR applies in accordance with Article 288 of the Treaty on the Functioning of the European Union (TFEU) directly in every member state of the Union, without the need for further implementation by national law (cf. also FG Sachsen, Judgment of 08.05.2019 - 5 K 337/19 -, EFG 2020, 661, para. 12).<br />
<br />
67<br />
According to Art. 1 GDPR, the regulation protects the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. According to the will of the EU legislator, the fundamentally comprehensive scope of the regulation is derived directly from Article 8 (1) of the Charter of Fundamental Rights of the European Union (Charter) and Article 16 (1) TFEU (compare recitals to the GDPR [recital] 1, 2). It is intended to “contribute to the completion of an area of freedom, security and justice” (Recit. 2). In doing so, the legislator is claiming the competence of Art. 4 (2) j TFEU, which is shared between the Union and the member states.<br />
<br />
68<br />
(2) The legislature restricts this scope of action, which is generally considered to be comprehensive, in Art. Accordingly, the regulation does not apply to the processing of personal data in the context of an activity that does not fall within the scope of Union law (Art. 2 Para. 2 a GDPR) or to data processing by the competent authorities for the purpose of prevention, investigation, detection or prosecution of criminal offenses or the execution of sentences, including protection against and averting of threats to public security (Article 2 Paragraph 2 d GDPR).<br />
<br />
69<br />
The legislator does not explicitly state which activities are to be excluded from the scope of the regulation because they do not fall within the scope of Union law (Art. 2 Para. 2 a GDPR). In the recitals, he gives examples of national security and data processing within the framework of the common foreign and security policy.<br />
<br />
70<br />
The activity at issue in the dispute is data processing in the field of direct tax administration. Since the administrative activity itself falls within the competence of the member states, the only relevant question is whether the administered taxes fall within the competence of the Union. This is basically to be denied for the non-harmonised direct taxes (Drüen in: Tipke/Kruse, AO/FGO, 166th delivery 05.2021, § 2a AO, para. 6, with further reference). On the other hand, the ECJ claims competence to examine whether regulations of the member states in the area of direct taxes violate Union law or fundamental freedoms. The BFH recognizes this competence (cf. e.g. BFH, ECJ submission of November 6th, 2019 - I R 32/18 -, BFHE 269, 205, BStBl II 2021, 68, para. 21; judgment of April 20th, 1988 - I R 219/82 -, BFHE 154, 38, BStBl II 1990, 701, para. 21), so that the question arises whether, for the application of Art. 2 Para. 2 a GDPR, it can be said that direct taxes do not fall within the scope of Union law. This is all the more so since the GDPR is based on the shared competence of Art. 4 Para. 2 j TFEU (cf. above and recital 2).<br />
<br />
71<br />
Accordingly, the answers to the question of the applicability of the GDPR in the area of direct taxes are controversial (cf. on the dispute Drüen in: Tipke/Kruse, AO/FGO, 166th delivery 05.2021, § 2a AO, para. 6).<br />
<br />
72<br />
(3) However, the Senate can leave open the question of the direct application of the GDPR by virtue of a legislative act of the Union, since the federal legislature has ordered its application at least by reference in § 2a AO. Through the reference, the texts to which reference is made (reference norms and other reference texts) become part of the referring regulation (initial norm) (Federal Ministry of Justice and Consumer Protection, Handbuch der Rechtsförmlichkeit, 3rd edition 2008, Part B, 4.1, 2018, quoted from http://hdr.bmj.de/page_b.4.html, accessed on July 16, 2021).<br />
<br />
73<br />
The German legislator assumed the following understanding when standardizing Section 2a AO and Sections 29b, 29c and 32a et seq. Drs. 18/12611, page 74):<br />
<br />
"The regulations of the AO are to be adapted to the law of the European Union, in particular the [GDPR]. Due to the regulatory mandates of the [GDPR], the existing regulations on the processing of personal data are to be adapted to the regulations and definitions of this regulation or new area-specific regulations are to be created in close accordance with the new Federal Data Protection Act. At the same time, on the basis of Art. 23 of the [GDPR], area-specific restrictions on the rights concerned are to be determined so that the financial authorities can continue to fulfill their constitutional mandate to set and collect taxes evenly in accordance with the law and to uncover tax cuts.”<br />
<br />
74<br />
The explanatory memorandum to Section 2a (3) AO goes on to say:<br />
<br />
"Section. 3 clarifies that the directly applicable European law regulations on the protection of personal data of natural persons, in particular the [GDPR], take precedence over the regulations of the AO and the tax laws, insofar as these do not issue any regulatory mandates or grant regulatory powers to the member states and corresponding national regulations have been made .”<br />
<br />
75<br />
This justification clearly expresses the unconditional will of the federal legislator that area-specific data protection in the area of all tax law should be regulated by the AO and the GDPR that precedes it, in the area of individual tax laws possibly modified for their area. In the opinion of the Senate, it cannot be deduced from the justification for the law or from the legal wording of § 2a AO that the regulations of the AO or the GDPR should only apply in the area of harmonized taxes and not also in the area of direct taxes.<br />
<br />
76<br />
The explanatory memorandum to § 2a Para. 5 AO confirms the result found above. With this provision, the legislator is endeavoring to expand the scope of the GDPR to include cases in which it does not apply as such according to Recital 27 of the GDPR. This corresponds to the general principle of the AO that procedural regulations - which regularly also represent regulations on the processing of personal data - apply equally to all those affected by tax law and tax procedural law, regardless of their legal form.<br />
<br />
77<br />
The unconditional will of the legislator for the validity of the European data protection regulations is also expressed in the general clause-like provision of § 1 Para. in the area-specific law - here the AO - something different is regulated.<br />
<br />
78<br />
According to the above, it can be assumed that the German legislator assumes that the GDPR applies directly to the processing of personal data by the tax authorities (§ 2a Para. 1 AO). The reference to the same should therefore have been intended as a declarative reference. In the opinion of the Senate, however, this does not exclude an alternative interpretation as a constitutive reference. The legislator wanted the GDPR to apply - modified by its own regulations, e.g. in the AO - for the entire activity of the tax authorities - without differentiated handling depending on the type of tax. Otherwise he would have worded this differently in § 2a Para. 1 AO.<br />
<br />
79<br />
This view also corresponds to the case law of the BVerwG (ECJ submission of July 4th, 2019 - 7 C 31/17 -, para. 14, juris), which states the following:<br />
<br />
"With the additions to the Fiscal Code, the legislature - as can be seen in particular from § 2a Para. 3 and 5 AO - is pursuing the goal of uniform procedural regulations in accordance with the general principle of the Fiscal Code that go beyond the immediate scope of application of the [GDPR] - which regularly also contain regulations about the processing of personal data - to be provided for all those affected by tax law and tax procedural law, regardless of their legal form (cf. Bundestag printed paper 18/12611, p. 76). There are no indications that this regulatory objective is limited to taxes determined by Union law. Incidentally, as the representatives of the Federal Ministry of Finance, which is responsible for amending the tax code, explained in the oral hearing, it would also not be technically possible to process the data differently according to tax debtors and types of tax. [...] Against this background, a "split" interpretation of the new regulations in the tax code for facts that are subject to Union law on the one hand and facts that are not subject to it on the other is out of the question."<br />
<br />
80<br />
After all this, the adjudicating Senate assumes that the GDPR applies at least to the content of the entire data-processing activity of the tax authorities (as here, but only in summary assessment FG Saarland, decision of April 3rd, 2019 - 2 K 1002/16 -, EFG 2019, 1217; without problem discussion FG Sachsen, judgment of 08.05.2019 - 5 K 337/19 -, EFG 2020, 661; without problem discussion FG Cologne, judgment of 18.09.2019 - 2 K 312/19 -, EFG 2020, 413; loc Reference to the literature FG Lower Saxony, judgment of January 28, 2020 - 12 K 213/19 -, EFG 2020, 665).<br />
<br />
81<br />
(4) The BMF letter dated January 12, 2018, BStBl I 2018, 185 (replaced by BMF letter dated January 13, 2020 IV A 3-S 0130/19/10017:004, 2019/1129406) reflects the legal opinion justified above, so that it can be stated that the financial administration also assumes that the GDPR applies in the area of tax administration.<br />
<br />
82<br />
b. The GDPR and the related provisions of the AO apply to the processing of personal data by the tax office in the taxation procedure.<br />
<br />
83<br />
The data protection regulations of the AO, the tax laws and the GDPR apply to the processing of personal data by tax authorities according to § 2a Para. 1 AO. The tax office is such an authority (§ 6 Para. 2 No. 5 AO). The defendant tax office is "responsible" within the meaning of Article 4 No. 7 GDPR as the natural or legal person, authority, institution or other body that alone or jointly with others decides on the purposes and means of processing personal data, and is therefore the proper defendant (passively legitimated) for the claim under Art. 15 GDPR.<br />
<br />
84<br />
Since the plaintiff does not request any information from the investigation files of the tax investigation (cf. above the explanations on the subject matter of the dispute), there is no need to go into the question of whether passive legitimacy would lie with the tax office as the organizational body of the tax investigation office or - probably preferable - with the public prosecutor as the functional investigative body. The legal concept of § 147 StPO would probably speak for the latter.<br />
<br />
85<br />
c. In the event of a dispute, the material scope of the GDPR is open to the extent that the processing of personal data is to be assessed.<br />
<br />
86<br />
Not only the individual details stored in database fields with reference to the tax number or the name of the plaintiff are personal data. The information contained in unstructured full texts relating to her person is also personal data under the circumstances of the dispute.<br />
<br />
87<br />
(1) (1.1) The GDPR applies to the fully or partially automated processing of personal data as well as to the non-automated processing of personal data that is stored or intended to be stored in a file system (Art. 2 Para. 1 GDPR).<br />
<br />
88<br />
§ 2a para. 5 AO orders the corresponding application of the GDPR to deceased natural persons and corporations, legal or unincorporated associations of persons or assets like the plaintiff.<br />
<br />
89<br />
(1.2) According to Art. 4 No. 1 GDPR, personal data is all information relating to an identified or identifiable natural person. According to Regulation (EC) No. 45/2001 or the predecessor of the GDPR, Directive 95/46/EC, this is all information about an identified or identifiable natural person. The different wording "relating to" instead of "about" does not result in a significantly different meaning. Accordingly, personal data are individual details (as expressly stated in § 3 Para. 1 BDSG old version), i.e. not files or collections of files (see recital 15 to the GDPR).<br />
<br />
90<br />
(1.3) The term "personal data" is interpreted broadly by the ECJ called upon to interpret it (cf. BVerwG, ECJ proposal 7 C 31/17, loc (but not the examination questions themselves) can represent personal data (ECJ, judgment of December 20, 2017 - C-434/16 -, para. 34, juris; cf. also VG Gelsenkirchen, judgment of April 27, 2020 - 20 K 6392/18 -, para. 140, juris; to a very large extent also Cologne Higher Regional Court, judgment of July 26, 2019 - I-20 U 75/18 -, para. 303, CR 2019, 654). In its decision on Directive 95/46/EC, it derives this from the two objectives of the directive: Firstly, the protective principles provided for in it are reflected in the obligations incumbent on those responsible for processing; these obligations relate in particular to data quality, technical security, notification to the supervisory authority and the conditions under which processing can be carried out. On the other hand, they would be expressed in the rights of the persons whose data are the subject of processing, to be informed about this, to have access to the data, to request their correction or, under certain conditions, to be able to object to the processing (ibid., paragraph 48).<br />
<br />
91<br />
(1.4) In a further decision issued on Directive 95/46/EC of 17.07.2014 - C-141/12 and C-372/12 -, CR 2015, 103, the ECJ works out the difference between personal data and the documents which contain, among other things, personal data. In the proceedings on which the request for a preliminary ruling is based, the applicants requested access to a so-called "draft document" which contained data on the parties to the proceedings, but also a legal analysis. The ECJ has decided that the data contained in this draft document, which represents the factual basis for the legal analysis also contained in the draft document, is personal data of the person involved in the procedure. In this respect, it affirms a right to information. On the other hand, it denies a right to information regarding the legal analysis. This could not be the subject of a review by the applicant and a correction. In fact, extending the right of access to this legal analysis would not serve the aim of the directive, which is to ensure the protection of the privacy of that applicant with regard to the processing of data concerning him, but rather the aim of guaranteeing him a right of access to administrative documents, to which Directive 95/46 is not directed (ECJ, ibid., para. 46).<br />
<br />
92<br />
The ECJ also clarifies that the directive leaves it up to the member states to determine the specific form in which the information is to be provided, insofar as it enables the data subject to gain knowledge of the personal data concerning them and to check whether it is correct and processed in accordance with the Directive, so that they may exercise the rights conferred on them by the Directive (ECJ, ibid., para. 57). In order to safeguard the right to information, it is sufficient if the applicant receives a complete overview of the data presented in the draft document - i.e. also such personal data that are contained in the legal analysis - in an understandable form (ECJ, ibid., para. 59). Insofar as this information can be used to achieve the goal sought with the right to information, the data subject is not entitled, either under the right to information or under Article 2(2) of the Charter, to obtain a copy of the document or the original file in which this data is contained. In order to prevent the data subject from having access to information other than personal data concerning him/her, he/she could obtain a copy of the document or the original file in which this other information had been redacted (ECJ, ibid., para. 58).<br />
<br />
93<br />
(2) In accordance with these legal principles, personal data are not just all individual details that are stored in the database systems of the tax office with reference to the person concerned or their tax or tax identification number - mostly under code numbers (whose meaning roughly corresponds to the concept of a category). Personal data is also present to the extent that tax files - regardless of whether they are electronic or on paper - contain documents whose unstructured texts contain individual information about the plaintiff's tax and thus always personal circumstances. Evaluations, value judgments and assessments of the plaintiff or her tax situation by clerks of the tax office, whether contained under code numbers or in texts that are not themselves further structured, also have the character of personal data.<br />
<br />
94<br />
(2.1) There may be doubts as to whether unstructured or poorly structured texts that contain a large number of individual details in free linguistic description can be regarded as "data" as long as they have not been structured in individual details, i.e. in appropriately structured ordered pairs from "Category" and "Value" or field identifier and field content, have been extracted - for example by being structured and transferred separately to a form.<br />
<br />
95<br />
According to the broad interpretation of the term "data" by the ECJ, however, it is irrelevant what degree of formal structuring the individual information contained in a text has. According to the case of the ECJ cited above, it is sufficient for the existence of "data" that facts are described in a text in continuous, unstructured language that are assigned to the person concerned - and are therefore personal.<br />
<br />
96<br />
(2.2) According to the decision of the ECJ cited above, the examiner's correction comments also become personal data of the test participant as soon as they - e.g. by handwriting - are assigned to his examination paper and thus to his person. Nothing else can apply to - possibly also purely subjective - assessments and comments in the form of memos and processing notes by clerks. Only the pure legal analysis of a taxation issue does not represent any personal data. Of course, this can in turn contain individual information relating to the person concerned, and this is typically the case in a professionally written legal subsumption part.<br />
<br />
97<br />
(2.3) It can be assumed that the data is assigned to the plaintiff, since the file containing the documents with the description of the facts is kept under her name or the tax number linked to it, and the documents contained and notes made are thus placed in relation to the plaintiff. Due to their structure, individual details in databases can be assigned to the respective person concerned without any problems.<br />
<br />
98<br />
d. The substantive scope of the GDPR is only open to the extent that the personal data are processed by the tax office in an automated or partially automated manner (Art. 2 Para. 1 Alt. 1 GDPR).<br />
<br />
99<br />
(1) Data processing is at least partially automated if data processing systems are used (Kühling/Buchner, commentary on the GDPR and the Federal Data Protection Act, Beck, 3rd edition, GDPR Art. 2 para. 15 - Kühling -). There is no specific definition of "automated data processing" in the GDPR. This corresponds to the will of the legislator to design a technology-neutral protection system that also covers future technological developments (compare recital 15). As a result, the term partially automated data processing must be interpreted very broadly (Kühling, GDPR Art. 2 para. 15). This unproblematically includes all processing steps that are carried out with the help of the computer systems of the tax administration.<br />
<br />
100<br />
The creation of a letter using data with a PC using a commercially available writing program is not to be regarded as automated data processing, since the rights of the person concerned are no more endangered than when a text is created with a typewriter (cf. FG Munich, Judgment of November 4th, 2021 - 15 K 2687/19 -, juris).<br />
<br />
101<br />
(2) Non-automated processing is only subject to the scope of the GDPR if the personal data are stored or are to be stored in a file system (Art. 2 Para. 1 Alt. 2 GDPR).<br />
<br />
102<br />
“Non-automated” means “manual” processing (Recit. 15). No sub-step of the processing may take place automatically. Insofar as the tax administration files documents in paper form in tax files, such manual processing is given.<br />
<br />
103<br />
(2.1) It has not yet been sufficiently clarified when there is (intended) storage in a file system (Article 2 (1) GDPR). Art. 4 No. 6 GDPR defines the file system as "any structured collection of personal data that is accessible according to certain criteria, regardless of whether this collection is centralized, decentralized or organized according to functional or geographical aspects". According to the prevailing opinion, this term is essentially equivalent to the term file used in the predecessor provision of the GDPR (Directive 95/46) (Kühling, GDPR Art. 6 No. 6 para. 1). According to the common idea, a collection is a planned, structured compilation of individual information that shows an internal connection, either through the similarity of the information (e.g. customer data) or the purpose (e.g. access control) of the collection (Kühling, GDPR Art. 4 No. 6 para. 3). According to the BDSG old version, this meant a similar structure of the compilation, an external form that must have a certain arrangement. According to this, no random or changing structure of the information was allowed. Rather, it required a formal scheme of order (ibid.).<br />
<br />
104<br />
(2.2) Case law of the ECJ on the interpretation of the term "file system" is - as far as can be seen - not yet available. The ECJ (ECJ, judgment of 07/10/2018 - C-25/17 -, Celex no. 62017CJ0025) explains the term "file" used in the previous provision of the GDPR:<br />
<br />
"According to recitals 15 and 27 of Directive 95/46, the content of a file must be structured in such a way that it enables easy access to personal data. Article 2(c) of this Directive does not specify the criteria according to which the file must be structured, but according to the recitals mentioned, the criteria must be "personal". Thus, the requirement that the collection of personal data must be "structured according to certain criteria" means only that the data about a specific individual can be easily retrieved.<br />
<br />
Apart from this requirement, Article 2(c) of Directive 95/46 does not regulate the modalities according to which a file must be structured, nor the form that it must have. In particular, neither this nor any other provision of this Policy indicates that the personal data in question must be contained in specific files or registers or any other search system in order for the existence of a file within the meaning of this Policy to be affirmed. […] The answer to the second [submission] question is that Art. 2 Letter c of Directive 95/46 is to be interpreted in such a way that the term “file” mentioned in this provision means a collection of personal data that is of a door-to-door preaching activity, which includes names and addresses and other information about the persons visited, provided that this data is structured according to certain criteria in such a way that it can be easily retrieved in practice for later use. In order to fall under this term, such a collection does not have to consist of specific card files or directories or other classification systems used for research (ECJ, judgment of 10.07.2018 - C-25/17 -, Celex no. 62017CJ0025, para. 57 f , 62)”.<br />
<br />
105<br />
The request for a preliminary ruling was based on the visiting activities of the witnesses J., who, as part of their door-to-door preaching work, make notes about visits to people who are unknown to them or to the community. The data collected may include: the names and addresses of the persons visited, as well as information about their religious beliefs and family circumstances. This data is collected as a memory aid and to be retrievable in the event of a return visit without the data subject having consented or having been informed of this.<br />
<br />
106<br />
The Fellowship of J. Witnesses has provided its members with instructions for making such notes, which are reproduced in at least one of their newsletters dedicated to preaching. In particular, the fellowship and its congregations organize and coordinate the door-to-door ministry of their members by preparing maps of areas based on which districts are divided among the members involved in the ministry and by keeping registers of publishers and the number of fellowship publications they distribute. In addition, the congregations of the J. Witnesses keep a list of those who have asked not to be visited by the publishers. The personal data contained in this list, the so-called "banned list", is used by the members of the community. In the past, the fellowship provided its members with forms for collecting this data as part of their preaching work; however, their use was discontinued as a result of a recommendation from the data protection officer. The data collected was not structured in the form of a card file.<br />
<br />
107<br />
(2.3) If, according to the case law of the ECJ, it is sufficient for the existence of a file or a file system that data are structured according to certain criteria in such a way that they can be easily found in practice for later use and such a collection does not consist of specific card files or directories or other classification systems used for research, then the term file system has no shape at first glance.<br />
<br />
108<br />
To resolve this apparent lack of contours, it is worth taking a look at Recital 15 of the GDPR, according to which files or collections of files and their cover sheets that are not arranged according to specific criteria should not fall within the scope of this regulation. The GDPR does not specify when files or collections of files "are not arranged according to certain criteria". However, it cannot be sufficient that an individual file within a collection of files can be found according to the one criterion "name" or "tax number", since otherwise each collection of files would appear "sorted according to certain criteria" and their exception from the scope of the GDPR would be entirely empty. This is because a collection of files without at least one classification criterion for arranging the files it contains is practically unimaginable.<br />
<br />
109<br />
Accordingly, what is presumably the prevailing opinion in the literature requires, in order to affirm an "order according to criteria" (recital 15), that the collection can be sorted according to at least two criteria (Kühling, GDPR Art. 2 para. 18), which is not the case for a collection of tax files that are only filed according to file number or tax number.<br />
<br />
110<br />
This applies in particular to the content of each individual tax file in which documents are filed as full text in historical order without further "order according to criteria".<br />
<br />
111<br />
In the reference case of the ECJ (C-25/17, Jehovah's Witnesses), there was a structure in the sense of easy retrieval of data because the individual visit report contained relatively little, manageable data in a structured form. This is not the case with a file that, without any further order, contains a large number of non-uniform and largely unstructured documents in the order in which they were filed; with paper tax files, page counts in the high two digits and even three digits are not uncommon.<br />
<br />
112<br />
In contrast to a collection of structured individual sheets, the effort involved in searching a file for individual information on a specific criterion is not "easy". Rather, a human processor who wanted to find all the individual information in the documents contained in a comprehensive tax file in order to provide information would require a lot of time - in individual cases probably hours. As a result, it cannot be assumed from the outset that files - especially paper files - that contain extensive, unstructured individual documents are "stored in a file system". Accordingly, the German legislator has made it clear in § 496 para. 3 StPO in the context there that files are not file systems within the meaning of the data processing regulations of the StPO.<br />
<br />
113<br />
(3) As far as can be seen, the respondent has not yet had the opportunity to comment in more detail on the data protection treatment of such extensive collections of files with a large number of unstructured bundles of documents, such as the tax files. The same applies to the question of whether the differentiation between fully and partially automated data processing and non-automated data processing in Art. 2 GDPR must result in conclusions for the scope of the right to information under Art. 15 GDPR.<br />
<br />
114<br />
The adjudicating Senate considers it necessary to give a differentiated answer to the scope of the GDPR and the interplay of the rights of the GDPR for large file systems, based on their function.<br />
<br />
115<br />
(3.1) In such systems, a distinction must be made between the individual information held in databases, such as, in the event of a dispute, the "eData" and the "basic data" in the databases of the tax offices. These are undoubtedly subject to the scope of the GDPR because they are specifically stored for machine processing.<br />
<br />
116<br />
(3.2) The same applies to the individual information on which the tax assessments are based as part of the tax assessment, such as the keyed tax bases on which the tax calculation is based. They are the starting point for the automatic tax calculation.<br />
<br />
117<br />
(3.3) The result of the tax calculation, the aggregated partial results and results shown in the notifications also represent generated personal data. They are also stored in the databases for further processing if necessary.<br />
<br />
118<br />
(3.4) In the opinion of the judging Senate, the paper tax file itself, the chronologically sorted filing of the written communication between the administration and the person concerned/taxpayer and various other unstructured texts are generally not included in the scope of protection of the GDPR. While the individual details stored in the databases are structured and assigned criteria, the collection of written material contains texts that are unstructured and non-uniformly structured. It is true that these themselves also contain individual information that has a reference to the person concerned, i.e. "personal data". In addition to this, however, they also contain a large number of individual details without direct reference to the data subject - such as processing notes, processor names, legal analyses and subsumptions. The latter information only becomes a "collective" datum - likewise related to the person concerned - when the document is included in the collection of documents, which in turn is kept under the name of the person concerned. However, the individual information contained "slumbers" unexposed in the full texts of the collection of documents. The Senate does not recognize a "structuring according to certain criteria" for "easy retrieval" (cf. above 2.3) in these as yet "unresolved" individual details. They are therefore only subject to the material scope of the GDPR if they are removed from the file by human action and transferred to a file system. This act of extraction represents manual and therefore "non-automated" processing. Only the "raising" of the individual information, which is an intellectual human act, by assigning the content to a criterion - the intended use of the datum for the subsequent partially automated processing for tax purposes - leads to this datum being stored, or intended to be stored, in a file system within the meaning of Art. 2 Para. 1 GDPR.<br />
<br />
119<br />
(3.5) Insofar as electronic indices or tables of contents are kept for the filing of written communication dealt with under 3.4, these enable "easy retrieval" (cf. 2.3 above), for example the knowledge that correspondence with a certain title or type on a certain day is listed. This index data, which is meaningless in itself, also becomes personal data through the assignment to the tax number and thus to the data subject. They are therefore subject to the scope of the GDPR.<br />
<br />
120<br />
(3.6) Control material from other taxation procedures is usually initially available as more or less unstructured full text correspondence, so that the principles set out under 3.4 apply. The Senate can leave it open whether particularly highlighted messages (e.g. the so-called "green arc") must be considered structured because of their color, since such content is subject to the restrictions of the right to information and is irrelevant in the event of a dispute.<br />
<br />
121<br />
(3.7) The contents of tax bases transmitted by third parties (e.g. transmitted health insurance contributions or paid wage taxes) are naturally computer-readable structured data for which the principles mentioned under 3.1 apply.<br />
<br />
122<br />
(3.8) Internal processing notes can be stored in database fields (e.g. the report on the tax audit) and are then subject to the principles mentioned under 3.1. Editing notes that are connected to or applied to documents should generally be subject to the principles of 3.4 as unstructured content. Due to their double nature as personal data of the author of the note or their nature in preparation for a decision, such internal notes are likely to be subject to regular restrictions on the right to information.<br />
<br />
123<br />
(4) The differentiation made under (3) for extensive data collections, including the associated file collections, between easily retrievable data stored in a structured manner under criteria identifiers on the one hand and full-text documents that are not further structured in themselves on the other hand is reflected in the effort that providing information in accordance with Art. 15 GDPR causes for the person responsible. The person responsible can provide information about easily locatable, structured data with justifiable effort. On the other hand, an obligation to provide information about the individual details contained in the unstructured collection of documents would mean that these documents would have to be looked through by a human - and thus manually - in order, exclusively for information purposes, to first "raise" the individual details contained therein and thus move them into the easy-to-find data area.<br />
<br />
124<br />
The GDPR itself does not assume such a complex obligation to provide information. In Art. 12 (1) GDPR, it standardizes an obligation on the part of the person responsible to take measures that allow him to obtain information quickly. This does not mean, however, that the person responsible has to work through the entire correspondence as a precautionary measure in order to extract the individual information contained therein and only keep it available for potential requests for information.<br />
<br />
125<br />
(5) Individual information that is “dormant” in unstructured full-text documents has a completely different quality than individual information that is recorded under one criterion with the aim of basing a decision on it – data processing. Only this designation, "to be processed", makes it appear practicable to assess the individual data as "correct" or "incorrect" and to link to it, for example, the right of the person concerned to correction. On the other hand, the documents of the correspondence between the tax office and the person concerned often contain factual information. However, these usually initially represent allegations by the person concerned that cannot be verified further or preliminary assumptions by the tax office. An assumption by the tax office contained in an earlier document may also turn out to be wrong in further correspondence, and may even be admitted by the tax office to be wrong. But then it would be pointless to inform the person entitled to information of the earlier datum recognized as incorrect.<br />
<br />
126<br />
It should already be noted at this point, in view of the restrictions on the right to information, that because of the documentation function of the file the person concerned cannot have any claim to deletion of the information given in earlier correspondence and, on top of that, should already be aware of the content of his correspondence with the tax office - or of the tax office's correspondence with him.<br />
<br />
127<br />
The idea of the GDPR that data can be judged in binary terms as "correct" or "incorrect" often does not apply to the - unexamined - individual information contained in full texts.<br />
<br />
128<br />
(6) According to the Senate, another specific feature of the tax files prohibits equating information about the processed data with a right to inspect the files. Descriptions of assumed, asserted, true or false assessed or to be assessed taxation facts typically and diversely contained in full texts are usually descriptions of transactions between the person concerned and other persons. If one now wanted to grant access to the files, the entire correspondence contained in the files would have to be checked manually for the appearance of the names of third parties in order to protect the rights of these persons, these would have to be blacked out by hand because their rights would generally conflict with the information; if necessary, their consent would have to be requested in each individual case. The same applies to notes documenting the official decision-making process based on the division of labour, where their personal nature is based solely on the fact that they document a decision in a specific tax case. The expected effort of searching and anonymizing bears no relation to the knowledge gained by the person concerned. This, especially since he should know his own correspondence with the tax office anyway.<br />
<br />
129<br />
(7) Reports, such as those issued by tax audit and tax investigation agencies, have a special function in the taxation process. They serve as a concentrated summary of complex taxation issues, which in turn consist of a large number of individual issues. They can claim provisional validity or mark the completion of investigations. Especially in the latter case, they serve as the basis and usually also the justification for subsequent administrative acts. Therefore, as a rule, instead of a detailed justification in the administrative act itself, they are left to the person concerned as justification within the framework of the legal hearing or the notification of the tax bases - i.e. within the concrete administrative legal relationship.<br />
<br />
130<br />
According to data protection law, the data contained in such reports is only raised when the person responsible for taxation converts the data to produce the tax assessment - from this point in time the input data is undoubtedly subject to data protection information. However, details on the underlying tax issues elude structured recording. In this respect, these facts can only be taken from the more or less extensive linguistic descriptions of the facts in the report. This means that these facts are no longer “easily accessible” in the sense of the ECJ case law cited above. Rather, it requires a manual "viewing" of the facts in the sense that a human reader grasps the meaning of the described facts, taking into account linguistic inaccuracies. Therefore, with regard to the full texts of the reports themselves and the factual information contained therein, the same principles apply as are otherwise stated for full texts. This is acceptable despite the importance of these facts for the taxation procedure, because the procedural regulations applicable to the specific procedure require the justification of the administrative act and the corresponding report is usually left to the individual. Incidentally, this is also shown by the dispute in which the tax office left the essential reports to the plaintiff before issuing the additional claim notice.<br />
<br />
131<br />
(8) It is not only the recitals to the GDPR (recital 15) that exclude files and collections of files that are not classified according to specific criteria from the scope of the GDPR. The ECJ also makes it clear that the right to information under Art. 15 GDPR does not secure a right of access to administrative documents (ECJ, C-141/12, loc. cit. on the previous provision). If this applies to the individual document, then this must certainly apply to the entire document collection.<br />
<br />
132<br />
(9) The BFH and the BVerfG also saw it as justified - before the GDPR came into force - that the AO did not guarantee a general right to inspect files in the area of tax law (see also below).<br />
<br />
e. Scope of the right to information<br />
<br />
133<br />
Accordingly, the plaintiff only has a right to information from the tax office in accordance with Art. 15 (1) GDPR, which is limited by the scope of application of the GDPR defined above, the scope of which must be outlined in accordance with the legal principles set out above and with a view to the restrictions on the right to information in the GDPR itself, as well as further limited by the AO and general principles.<br />
<br />
134<br />
(1) A bound right to information is to be assumed. The case law of the BFH assumes that in the absence of a standardized entitlement, access to the files should be granted at the discretion of the authority. This cannot be transferred to the right to information under Art. 15 GDPR. According to the wording of the standard, the latter is not subject to the discretion of the authority. Section 32d (1) AO only allows the tax office discretion with regard to the form in which information is provided. In this context, for example, the latter is free to provide information by providing a data printout, granting online access or even granting access to files (for this special form of providing information see BFH, decision of 29.08.2019 - X S 6/19 -, para 23, BFH/NV 2020, 25).<br />
<br />
135<br />
(2) If, according to Art. 15 (3) GDPR, the data subject is to be provided with a copy of the data that is the subject of the processing, then this does not mean - as claimed by the plaintiff - a photocopy of paper documents, for example. The “datum” as such is incorporeal. Copy means nothing other than a displayable duplicate of the data. The term "copy" therefore has no meaning beyond the "embodiment of the information" (likewise the prevailing opinion in the commentary literature: Kamlah in Plath, DSGVO/BDSG, Art. 15 Rz. 16; Paal in Paal/Pauly, DSGVO/BDSG, Article 15 paragraph 33; Schaffland/Holthaus in Schaffland/Wiltfang, GDPR, Article 15 GDPR paragraph 44; loc. A. Härting, CR 2019, 219).<br />
<br />
136<br />
(3) In accordance with the above legal principles, the plaintiff cannot derive from Art. 15 GDPR a claim to the requested inspection of, or the provision of a copy of, the documents that she describes in her briefs. Art. 15 GDPR does not grant a right to the full texts in the file, in particular if they contain unrecorded source data.<br />
<br />
137<br />
Insofar as the plaintiff argues that the tax office processed data from other source reports that were only cited by way of brief quotations, and that the claim for information extends to these source data, this argument cannot be accepted. The right to information extends (only) to the (input) data processed for the specific tax assessment. If this is already aggregated data, such as total amounts, the right to information under Art. 15 GDPR does not grant the source data from other administrative documents or individual amounts that may first have to be collected via a chain of references. From the point of view of data protection, the provision of the reports with an explanation of the origin of the amounts is sufficient for the plaintiff's legitimate interest in information.<br />
<br />
138<br />
In particular, the right to information from Art. 15 GDPR does not oblige the tax office to first consult files or parts of files or documents from other proceedings, specifically the criminal investigation proceedings in the tax investigation, in order to then provide information from them. In this respect, the tax office has declared (...) that it has already sent the plaintiff all the documents that are available at the capital gains tax office. The doubts expressed by the plaintiff in this respect are not substantiated. According to the previous submissions of the parties involved, the court therefore has no reason to doubt the truthfulness of the defendant. In addition, the GDPR does not provide for a "verification procedure" for the completeness of the information in the relationship between the person responsible and the person concerned.<br />
<br />
139<br />
The plaintiff is therefore not without rights. Rather, the procedural provisions of the Fiscal Code give her extensive and stronger procedural rights than the unreasonable right to information from the GDPR. In order to fulfill the plaintiff's claims for information, the tax office gave her a whole folder with the essential documents for the intended subsequent taxation with a letter dated ... ... 2019. Insofar as her interest in information has not yet been fulfilled, she can, in accordance with the AO regulations, receive further information or access to the files to be submitted to the court in this process (which is in the objection process stage) or at the latest in a subsequent tax court process. In addition, according to her information, the plaintiff also asserted her rights to information in the criminal investigation proceedings and apparently gained access to essential documents there. The request for inspection of further documents can be pursued with the legal remedies provided for in the Code of Criminal Procedure and in accordance with the provisions of the Code of Criminal Procedure.<br />
<br />
140<br />
It is also appropriate that the plaintiff, with the most substantial right to inspect the files, is referred to the rights to be derived from the specific taxation procedure relationship or to the rights as an accused or otherwise affected by a criminal investigation. The respective rules of procedure regulate the legal relationship between the taxpayer or the accused and the authority in a factual and balanced manner - more precisely than the standardization of the general and quite general right to information of the person affected by data processing. If the right to information from the GDPR were extended to allow access to the files without cause, there would inevitably be conflicts with the legislator’s process-specific standards in taxation or criminal proceedings.<br />
<br />
141<br />
(4) After that, the limitations of the right to information put forward by the tax office and the counter-argument put forward by the plaintiff are no longer relevant. However, the reasons for exclusion of the GDPR and the AO also largely rule out an inspection of the tax files derived from the right to information.<br />
<br />
142<br />
The arguments of the tax office clearly show that an extension of the right to information to all personal data contained in full texts would pose disproportionate problems for those obliged to provide information: firstly, the classification problem of what the datum to be reported is (4.1 below), and secondly, that for each datum found a decision has to be made on a case-by-case basis as to whether a reason for exclusion applies (4.2) and what the weighing of interests required by the reason for exclusion yields (4.2.3).<br />
<br />
(4.1) Classification problem<br />
<br />
143<br />
While it is clear from the outset in a data record what the datum is (the individual entry, e.g. the amount of the tax assessment basis for capital gains tax) and what the criterion is (the field identifier, e.g. the designation indicating that the “tax assessment basis for capital gains tax” is given) and therefore the correctness of the datum can be easily checked (by comparing the amount entered in the field with the amount proven to be correct in reality), this is not the case with full-text documents in files: Is the entire text written by the author of the document a personal datum? Is it individual passages of text that describe specific taxation issues? Are they individual securities transactions with an indication of a total amount or is it broken down into each individual transaction?<br />
<br />
144<br />
This classification problem is reflected in the question of what the correction of a datum that is considered incorrect should look like in a full text - and the correction of an incorrect datum is precisely one, if not the essential, goal that the right to information should enable:<br />
<br />
- If an entire letter is the personal datum: how should this be corrected?<br />
<br />
- If the "datum" is the individual text passage that represents a taxable event: does the attribute claimed, assumed or used in an argument, that the taxpayer acted intentionally, make the entire text passage wrong, which e.g. represents a complex business transaction?<br />
<br />
- If the "datum" is an individual piece of information, for example the amount or total amount of a transaction: Only in this case could the correctness of the datum be clarified as easily as if the datum had already been "raised", i.e. transferred to a database field. However, the question arises as to whether the point in time at which the comparison "right" or "wrong" is made is not the moment when, through the "raising", the datum has been assigned the meaning that it should actually be processed.<br />
<br />
(4.2) Exclusions<br />
<br />
(4.2.1) GDPR and AO restrictions<br />
<br />
145<br />
According to Art. 15 Para. 1 GDPR, the person concerned (Art. 4 No. 1 GDPR) has a right to information from the person responsible (Art. 4 No. 7 GDPR) about the personal data processed concerning him. This information is provided by the person responsible providing the data subject with a copy of the personal data that is the subject of the processing (Article 15 (3) GDPR). The right to receive a copy according to Art. 15 Para. 1 b) GDPR must not impair the rights and freedoms of other persons (Art. 15 Para. 4 GDPR - the legislator is thinking here of secrets or intellectual property rights and in particular copyright in software, cf. recital 63).<br />
<br />
146<br />
(4.2.1.1) §§ 32a AO et seq. limit the rights of data subjects in the exercise of the competence granted to the member states by Art. 23 GDPR, namely the limitation competence of Art. 23 Para. 1 e) GDPR. As far as relevant here, the AO standardizes the following restrictions:<br />
<br />
147<br />
According to Section 32c Paragraph 1 No. 1 AO in conjunction with Section 32a Paragraph 1 No. 1, Paragraph 2 AO, the person concerned does not have the right to information if the provision of the information would jeopardize the proper fulfillment of the tasks for which the tax authorities are responsible and the interests of the tax authorities in not providing the information outweigh the interests of the data subject. This is the case in particular if the provision of information<br />
<br />
- could enable the person concerned or third parties to conceal tax-related facts (1.a), to cover up tax-related tracks (1.b) or to adapt the type and scope of the fulfillment of tax cooperation obligations to the state of knowledge of the tax authorities (1. c), or<br />
<br />
- Allow conclusions to be drawn about the design of automated risk management systems or planned control or audit measures (2.)<br />
<br />
- and thus the disclosure of tax-relevant facts would be made much more difficult.<br />
<br />
148<br />
The right to information does not exist according to Section 32c Paragraph 1 AO in conjunction with Section 32b Paragraph 1 No. 2 AO if the data, their origin, their recipients or the fact of their processing must be kept secret according to Section 30 AO or another legal regulation or by their nature, in particular because of overriding legitimate interests of a third party within the meaning of Art. 23 Para. 1 i of the GDPR, and the interest of the person concerned in the provision of information must therefore take a back seat. The latter corresponds to the restriction already contained in Art. 15 Para. 4 GDPR.<br />
<br />
149<br />
The right to information does not exist according to Section 32c Paragraph No. 1 AO in conjunction with Section 32b Paragraph 1 No. 1a AO, insofar as the provision of information would endanger the proper fulfillment of the tasks within the responsibility of the tax authorities [...] within the meaning of Article 23 Paragraph 1 d to h of the GDPR.<br />
<br />
150<br />
There is also no right to information according to Section 32c Paragraph 1 No. 1 AO in conjunction with Section 32a Paragraph 1 No. 4 AO insofar as the provision of information would jeopardize the confidential disclosure of protected data to public authorities.<br />
<br />
151<br />
If the personal data is neither automated nor stored in non-automated file systems, information will only be provided if the data subject provides information that enables the data to be found and the effort required to provide the information is not disproportionate to the interest in information asserted by the data subject (§ 32c Abs. 3 AO).<br />
<br />
152<br />
The GDPR itself restricts the obligation to provide information in Article 13 Paragraph 4 GDPR in such a way that information known to the data subject does not fall under the obligation to provide information and thus also not the obligation to provide information (cf. Section 32c Section 1 No. 1 AO in conjunction with Section 32a Section 1 AO, Art. 13 Para. 4, Art. 14 Para. 5 a GDPR).<br />
<br />
153<br />
Furthermore, the right to information does not exist if the personal data<br />
<br />
- are only stored because they may not be deleted due to statutory retention requirements, or<br />
<br />
- exclusively serve the purposes of data backup or data protection control and the provision of information would require a disproportionate effort and processing for other purposes is excluded by suitable technical and organizational measures (§ 32c Para. 1 No. 3 AO).<br />
<br />
154<br />
(4.2.1.2) Some of the aforementioned restrictions already existed word for word before the GDPR, or the regulations of the AO that completed it, came into force (cf. for example in the scope of application of the old version of the BDSG that was in force until May 24th, 2018: § 19 BDSG). Citing them in this context, the case law of the financial courts and the BVerfG on the right to information refused information about data stored at the information center abroad (IZA), because this would prevent the proper fulfillment of the tasks within its responsibility or that of the responsible tax offices in individual cases (BFH, judgment of 07/30/2003 - VII R 45/02 -, BStBl II 2004, 387; BVerfG, decision of 03/10/2008 - 1 BvR 2388/03 -, BStBl II 2009, 23). Financial case law assumes that this restriction will continue to apply under the GDPR (Cologne District Court, judgment of September 18, 2019 - 2 K 312/19 -, EFG 2020, 413; the appeal filed against this at the BFH bears the file number II R 43/19).<br />
<br />
(4.2.2) No general right to inspect files<br />
<br />
155<br />
The case law before the GDPR came into force made a clear distinction between information and inspection of files. According to std. Correspondence of the BFH not (in summary with further references: BFH, decision of November 3rd, 2020 - III R 59/19 -, NJW 2021, 1263, para. 7; judgment of February 23rd, 2010 - VII R 19/09 -, BStBl II 2010, 729). In any case, the rejection of a bound right to inspect files was based on the consideration that the legislature had not considered a general right to inspect files in tax administration proceedings to be practicable because this would conflict with aspects of the protection of third parties and the investigative interests of the tax authorities as well as the administrative burden of the tax authorities, which would have to check before each file inspection , whether a third party's interest in secrecy could be impaired and then the entire control material, authority-internal notes and instructions and the like would have to be removed from the files (BTDrs 7/4292, p. 24 f.). From this, the BFH deduced that the inspection of the files during the ongoing administrative or tax investigation procedure should only be an exception to be granted in application of § 91 AO or § 364 AO for reasons of the right to be heard.<br />
<br />
156<br />
In the decision of May 26, 1995 (- VI B 91/94 -, BFH/NV 1995, 1004), the BFH assumed that the tax office can grant access to files at its discretion, although the AO does not regulate a general right to inspect files, and this should in any case be done regularly if the circumstances of third parties are not affected. As a result, the BFH assumes a right to a dutiful and error-free discretionary decision by the authority, which is guaranteed if the authority has weighed up its interests and those of the authority against each other in the context of a weighing of interests (BFH, in III R 59/19, loc.cit.). In this decision, the BFH expressly left open the question of whether Art. 15 GDPR justifies a right to inspect the tax files in addition to the right to information (BFH, ibid., para. 16).<br />
<br />
157<br />
The BFH did not regard the right of the taxpayer to be granted a fair hearing according to Art. 103 (1) GG or his right to legal protection (Art. 19 (4) GG) as violated by the refused inspection of the files in the administrative proceedings (BFH, decision of 04.06.2003 - VII B 138/01 -, Federal Tax Gazette II 2003, 790, para. 15). Art. 19 (4) GG guarantees the right to effective judicial control (BVerfG, judgment of December 15, 1983 - 1 BvR 209/83 et al. - census judgment -, BVerfGE 65, 1, 70) and Art. 103 (1) GG guarantees that the taxpayer is given the opportunity in court proceedings to comment on the facts on which a decision is based before it is issued. The right to inspect files according to Section 147 of the Code of Criminal Procedure in (tax) criminal proceedings and Section 78 of the FGO in fiscal court proceedings served to secure these claims. In the opinion of the BVerfG, the right to a fair hearing in criminal tax proceedings and the right to fair legal proceedings are satisfied if the files and pieces of evidence are disclosed to the accused in criminal proceedings according to the rule of law after the investigation has been completed (BVerfG, resolutions of January 12, 1983 - 2 BvR 864/81 -, NJW 1983, 1043; dated February 10, 1981 - 7 B 26/81 -, NJW 1981, 2270).<br />
<br />
158<br />
The BFH also did not derive any binding right to information from previous regulations of the GDPR. Rather, in the light of the subsidiarity clause contained in the former BDSG, it judged the AO to be the final area-specific data protection regulation. The fact that the legislature did not standardize the right to inspect files there is to be respected as a "deliberate waiver of regulation" (BFH, dated June 4th, 2003 - VII B 138/01 -, loc.cit.).<br />
<br />
159<br />
The GDPR also does not grant the data subject a right to inspect files, as set out above under d. with a view to the ECJ case law on the previous provision (ECJ - C-141/12 -, loc.cit.). Art. 15 para. 1 GDPR does not guarantee a right of access to administrative documents and thus no right to inspect files.<br />
<br />
(4.2.3) Application of Restrictions to Tax Records<br />
<br />
160<br />
The restrictions cited in detail under (4.2) can be summarized in seven principles: The right to information is suspended if - subject to the weighing of interests - the information would enable the person concerned<br />
<br />
- to adjust to the state of knowledge of the tax authority, so that he would be able to conceal facts or cover up tracks (restriction 1),<br />
<br />
- to draw conclusions about the risk management system (restriction 2) or<br />
<br />
- about planned control or audit measures (restriction 3),<br />
<br />
- if there are overriding confidentiality interests of third parties (restriction 4),<br />
<br />
- if confidence in the confidential disclosure of proprietary data would be compromised (restriction 5),<br />
<br />
- if the information is already known to the person concerned (restriction 6)<br />
<br />
- or if the data are retained essentially because of statutory retention requirements (restriction 7).<br />
<br />
161<br />
Compressed further, it contains the following assessments by the legislature:<br />
<br />
- The tax office may retain secret knowledge of taxation issues for future reviews of the taxpayer's declarations (Restrictions 1, 2, 3).<br />
<br />
- Confidentiality interests of third parties are to be protected (restriction 4).<br />
<br />
- The identity of an informant may be kept secret (Restriction 5).<br />
<br />
- No information needs to be given about what is already known (restriction 6).<br />
<br />
- Retention rules take precedence (Restriction 7).<br />
<br />
162<br />
Since these suspensions are sometimes completely contrary to the principle of transparency under data protection law, the decision can almost always only be found after weighing up the conflicting interests. If this weighing were to be carried out - specifically - on the individual date, the presentation of the argumentative weighing of interests in the justification of the negative decision would allow conclusions to be drawn about the state of knowledge of the tax office. If one wanted to carry out a specific assessment for each personal date in the tax file, the result would be a completely disproportionate amount of justification for answering every unreasonable (!) request for information under data protection law.<br />
<br />
163<br />
In practical terms, therefore, the consideration can only be carried out abstractly in relation to classes of data, as has already been shown under d.(3). In this sense, the data contained in the full texts of the tax files basically form a class from the point of view of the senate. If one wanted to give priority to the principle of transparency under data protection law with regard to this entire class of "information in full texts", this would practically mean obliging the tax office to inspect every tax file without cause.<br />
<br />
164<br />
And this despite the fact that the total of the restrictions suspend the right to information for almost all of the content of the tax file:<br />
<br />
165<br />
The correspondence between the tax office and the taxpayer is known or should be known to him, earlier correspondence, but also data on tax matters that has become obsolete due to the passage of time, are subject to the retention requirements (limitations 6 and 7) due to the documentation function of the tax file.<br />
<br />
166<br />
Insofar as the file contains data for future checks, the balancing of interests required by restrictions 1-3 should generally turn out in favor of the tax office's possibility of checking due to the taxpayer's obligation to tell the truth. The same applies to control material, audit reports and reports from informants, but also to file notes that provide information on the review of future tax returns.<br />
<br />
167<br />
The contents of files for the current ongoing taxation fall - as the dispute shows in an exemplary manner - under the restriction that the person concerned can adjust to the state of knowledge of the tax office. However, despite the taxpayer's obligation to tell the truth, a weighing of interests in this data does not always have to be at the expense of the taxpayer. He has a legitimate interest in checking the facts on which the taxation is based and, if necessary, uncovering doubts in the context of the taxation procedure and the legal hearing to which he is entitled. In this respect, there is little difference between the right to information and the dependent procedural law of § 364 AO. If, however, the taxpayer is entitled to more information under the current taxation procedure with the justification of the administrative act and the disclosure of the taxation documents than a right to information under data protection law, it does not appear necessary when weighing up the interests to grant a right to information in addition to these basic procedural rights, which in a separate procedure ultimately gives the person concerned less information.<br />
<br />
168<br />
(5) The claimant's right to a copy of, for example, the input and calculation data processed for the preparation of the notice and the basic data overview is obviously not relevant to the plaintiff.<br />
<br />
169<br />
3. The finance court did not have to submit the relevant legal issues to the ECJ (Gräber, Finanzgerichtsordnung, 8th ed., FGO § 115, para. 84). Courts of first instance are not obliged under Union law to make a submission (BFH, decision of January 14, 2014 - III B 89/13 -, BFH/NV 2014, 521).<br />
<br />
170<br />
4. The decision on costs is based on Section 135 (1) FGO.<br />
<br />
171<br />
5. The revision is permitted under Section 115 (2) Nos. 1 and 2 FGO, since the question of the scope of the right to information in the area of tax administration after the introduction of the GDPR in 2018 is of fundamental importance. In addition, in view of the conflicting decisions of the tax courts cited above on the scope of application of the GDPR in the area of direct taxes, it seems necessary to allow an appeal to ensure uniform case law.<br />
<br />
172<br />
6. It seems appropriate to decide by court order (§ 90 a FGO).<br />
</pre></div>Norman.aasmahttps://gdprhub.eu/index.php?title=AKI_(Estonia)_-_2.1.-5/22/22012&diff=30689AKI (Estonia) - 2.1.-5/22/220122023-01-25T09:01:14Z<p>Norman.aasma: /* Holding */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Estonia<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoEE.png<br />
|DPA_Abbrevation=AKI<br />
|DPA_With_Country=AKI (Estonia)<br />
<br />
|Case_Number_Name=2.1.-5/22/22012<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=AKI<br />
|Original_Source_Link_1=https://www.aki.ee/sites/default/files/ettekirjutused/2022/ettekirjutus-hoiatus_isikuandmete_kaitse_asjas_mm_inkasso_ou.pdf<br />
|Original_Source_Language_1=Estonian<br />
|Original_Source_Language__Code_1=ET<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=01.11.2022<br />
|Date_Decided=06.12.2022<br />
|Date_Published=29.12.2022<br />
|Year=2022<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 6(1)(d) GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR#1d<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=§ 10 IKS (Personal Data Protection Act)<br />
|National_Law_Link_1=https://www.riigiteataja.ee/en/eli/523012019001/consolide<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
|National_Law_Name_3=<br />
|National_Law_Link_3=<br />
<br />
|Party_Name_1=M&M Inkasso OÜ<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Norman Aasma<br />
|<br />
}}<br />
<br />
The publication of debtors' debt data on the debt collection company's social media accounts and the processing of data that this entails is not lawful.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A debt collection company, M&M Inkasso OÜ (data controller), published private debt data on its website and social media. <br />
<br />
After receiving a formal notice about the doings of the said debt collection company, the Estonian DPA started an investigation with the aim of urging the company to start acting in compliance with the data protection requirements. More specifically, the Estonian DPA asked the company in the formal injunction to stop disclosing the personal data of the debtors on the company's website and on the company's TikTok account. During the proceedings, the controller explained to the DPA that the debt collection company was acting based on the protection of vital interests. It also stated that it had taken into consideration all other necessary legal considerations with a view to avoiding other legal infringements, and that all information published on the company's website and social media was taken from the Internet, as it was all freely available.<br />
<br />
=== Holding ===<br />
Firstly, the DPA explained that based on recital 46 GDPR, the processing of personal data should be lawful also where it is necessary for the purposes of the private life of the data subject or of another natural person, or for the purposes of the processing of personal data.
The DPA also explained that in accordance with the Estonian Personal Data Protection Act, the disclosure to a third party of data which is related to the breach of a contractual obligation, and the processing of the data transmitted by the third party, is lawful for the purpose of assessing the creditworthiness of the data subject or for any other related similar purpose. Furthermore, in such a case there are other additional legal presumptions that must be met. <br />
<br />
Under § 10 (2)(3) and (4) Personal Data Protection Act, it is not lawful to publish such data in case it would excessively prejudice the rights or freedoms of the data subject and/or if less than 30 days have passed since the breach of a contract. <br />
The DPA rejected the arguments of the controller that the processing of personal data. <br />
The DPA found that disclosure of the personal information of the debtors does not imply disclosure of such data to an unlimited number of unidentified persons.
<br />
The DPA held that as the public interest criterion stemming from the Personal Data Protection Act is not met, all other bases for such data processing cannot even be considered. The DPA held that disclosure of debtors' data on social media accounts managed by the debt collection company M&M Inkasso OÜ is unlawful and that the data processing is done without a lawful basis.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Estonian original. Please refer to the Estonian original for more details.<br />
<br />
<pre><br />
PRIVACY PROTECTION AGAINST STATE TRANSPARENCY<br />
<br />
INTERNAL USE<br />
Note made: 06.12.2022e Inspection<br />
The access restriction applies until the procedure is completed<br />
until the decision comes into force<br />
Basis: AvTS § 35 subsection 1 point 2<br />
<br />
<br />
<br />
PRESCRIPTION WARNING<br />
<br />
personal data protection case no. 2.1.-5/22/2012<br />
<br />
<br />
<br />
Alissa Hmelnitskaja, lawyer of the Data Protection Inspectorate, issued the order<br />
<br />
<br />
Time of making the prescription 06.12.2022 in Tallinn<br />
and place<br />
M&M Inkasso OÜ (12820582)<br />
Addressee of the injunction –<br />
address of the personal data processor: Harju county, Keila city, Pae tn 8-54, 76610<br />
email address: madisaus@gmail.com<br />
<br />
Copy Representatives: XXX, XXX<br />
XXX<br />
<br />
Personal data processor Member of the Board<br />
responsible person<br />
<br />
<br />
<br />
RESOLUTION:<br />
§ 56 subsection 1, subsection 2 point 8, § 56 subsection 3 points 3 and<br />
4, § 58 (1), § 10 and Article 58 (1) of the General Regulation on the Protection of Personal Data (GPR)<br />
on the basis of point d and points f and g of paragraph 2, as well as taking into account Article 6 of IKÜM, does<br />
<br />
inspection to fulfill the mandatory prescription:<br />
1. M&M Inkasso OÜ must terminate the company's TikTok, Instagram and Facebook<br />
disclosure of personal data of debtors in accounts, if there is no person for this purpose<br />
voluntary consent.<br />
<br />
<br />
I set the deadline for the execution of the order as 20.12.2022. Report the fulfillment of the prescription<br />
by this deadline at the latest to the e-mail address of the Data Protection Inspectorate at info@aki.ee.<br />
<br />
<br />
<br />
DISPUTE REFERENCE:<br />
This order can be challenged within 30 days by submitting either:<br />
- a complaint to the Data Protection Inspectorate under the Administrative Procedure Act or<br />
- a complaint to the administrative court according to the Code of Administrative Court Procedure (in this case it is no longer possible<br />
to review the argument in the same matter).<br />
<br />
<br />
Challenging an injunction does not suspend the obligation to fulfill it or the measures necessary for its fulfillment<br />
implementation.<br />
<br />
<br />
EXTORTION WARNING:<br />
If the injunction has not been fulfilled by the set deadline, the Data Protection Inspectorate will determine<br />
to the addressee of the injunction on the basis of § 60 of the Personal Data Protection Act:<br />
A fine of 1,000 euros.<br />
<br />
1 https://www.facebook.com/profile.php?id=100054229521619; https://www.tiktok.com/@mminkasso.ee;<br />
https://www.instagram.com/mminkasso/?igshid=YmMyMTA2M2Y%3D<br />
Tatari tn 39 / 10134 Tallinn / 627 4135 / info@aki.ee / www.aki.ee / Registration code 70004235<br />
<br />
A fine may be imposed repeatedly - until the injunction is fulfilled. If the recipient does not pay<br />
extortion money, it is forwarded to the bailiff to start enforcement proceedings. In this case, they are added<br />
bailiff's fee and other enforcement costs for the enforcement money.<br />
<br />
<br />
VIOLATION PENALTY WARNING:<br />
Protection of personal data against failure to comply with the injunction pursuant to Article 58 (2) of the General Regulation<br />
misdemeanor proceedings may be initiated based on § 69 of the Personal Data Protection Act. For this act<br />
a natural person may be fined up to 20,000,000 euros and a legal person<br />
may be punished with a fine of up to 20,000,000 euros or up to 4 percent of his previous one<br />
of the total worldwide annual turnover of the financial year, whichever is the amount<br />
<br />
bigger. The out-of-court procedure for a misdemeanor is the Data Protection Inspectorate.<br />
<br />
FACTUAL CIRCUMSTANCES: The Data Protection Authority (AKI) received a notification that M&M<br />
Inkasso OÜ publishes debt data of private individuals on its website and on social media.<br />
<br />
The inspection started the supervision procedure on the basis of IKS § 56 (3) point 8, within the framework of which there was<br />
made on 01.11.2022 proposal for better fulfillment of personal data protection requirements no. 2.1.-<br />
5/22/2012. According to the proposal, M&M Inkasso OÜ had to terminate the company's website and<br />
<br />
disclosure of debtors' personal information on the company's TikTok account and to send about it<br />
confirmation to the inspection no later than 17.11.2022. We also noted that if M&M Inkasso OÜ no<br />
accept the proposal, then the company should have answered additional questions.<br />
<br />
The inspection has received the following response from the contractual representative of the company on 10.11.2022:<br />
<br />
"You have contacted M&M Inkasso OÜ with a written request for information on 01.11.21 with two questions.<br />
<br />
In response to your questions, I confirm that the personal data published on the website of M&M Inkasso OÜ<br />
the basis for publication is the protection of vital interests. I would like to further explain that the published personal data<br />
help prevent malicious exploitation by bona fide individuals. Published personal data<br />
prevent new contractual violations if the disclosed persons do not behave according to their contractual obligations<br />
fulfilling obligations in good faith. I also explain that all published photographic material has been taken<br />
from public space (social media). M&M Inkasso OÜ has considered when publishing the data<br />
<br />
the possible infringement of the rights of the persons reflected in the photos and found that the published persons<br />
the damage caused by the activity to other natural persons and its extent outweighs the debtors<br />
the principle of privacy. M&M Inkasso OÜ has not published personal identification codes of individuals.<br />
Only names are published and low quality posts from social media by the individuals themselves<br />
photos. If the published photos are removed, the impact of the published information disappears and is great<br />
the risk that the rights of bona fide persons operating in the same legal space will be acquired by malicious ones<br />
to suffer once again by legal entities."<br />
<br />
<br />
As of 06.12.2022, personal data of other persons is still published by M&M Inkasso OÜ<br />
accounts on social media (TikTok, Facebook and Instagram). But the company's website<br />
https://mminkasso.ee/ is no longer available as of this date.<br />
<br />
<br />
GROUNDS FOR DATA PROTECTION INSPECTION:<br />
<br />
<br />
1. Legal basis for publishing personal data<br />
<br />
In the answer of 10.11.2022, the data processor, i.e. M&M Inkasso OÜ, stated that M&M Inkasso<br />
The basis for publishing personal data published on OÜ's website is the protection of vital interests.<br />
considered legal even if it is necessary for the life of the data subject or other natural person<br />
to protect interests. Personal data could be obtained on the basis of the vital interests of another natural person<br />
in principle, only be processed if the processing cannot obviously be carried out on another legal basis<br />
on the basis of As a result, the disclosure of debtors' data cannot take place IN ACCORDANCE with article 6 par<br />
1 point d.<br />
<br />
<br />
In addition to the above, IKS § 10(1) stipulates that personal data related to the breach of a debt relationship<br />
disclosure to a third party and processing of the transmitted data by a third party is<br />
permitted for the evaluation of the creditworthiness of the data subject or for other similar purposes and<br />
only if all three conditions are met:<br />
1. the data processor has verified that there is a legal basis for the transfer of data;<br />
2. the data processor has checked the correctness of the data;<br />
<br />
3. the data transfer is recorded (keeping information about who and what was transferred).<br />
<br />
However, it is not allowed to collect data for the aforementioned purpose and to a third party<br />
transmit if it would excessively harm the rights or freedoms of the data subject and/or the contract<br />
less than 30 days have passed since the violation (ICS § 10 (2) points 3 and 4).<br />
<br />
In addition, we note that the inspection is of the opinion that the right to the debtor's default data<br />
<br />
to publish does not mean to disclose them to an unlimited number of unidentified persons (on the Internet,<br />
in a newspaper, on the bulletin board of an apartment building, on the company's website, etc.). IKS § 10 also stipulates an obligation<br />
before disclosing the data, check the legal basis of the recipient of the data for obtaining the data.<br />
This obligation cannot be fulfilled if disclosure is made to an unlimited circle. That's why it is<br />
at least one of the prerequisites for publishing data on the basis of IKS § 10 has not been fulfilled.<br />
<br />
<br />
In the case of payment defaults, it must be borne in mind that the creditor incurs a debt in the event of arrears<br />
to achieve payment, use primarily those listed in § 101 of the Law of Obligations Act<br />
legal remedies, one of which is to demand the fulfillment of an obligation. of persons<br />
the publication of payment default data is not only a pressure measure to achieve payment of the debt<br />
permissible.<br />
<br />
The data processor has noted that "M&M Inkasso OÜ has considered photographs when publishing data<br />
<br />
the possible infringement of the rights of the reported persons and found that the activities of the persons disclosed<br />
the damage caused to other natural persons and its extent outweighs the private life of the debtors<br />
principle of immunity". From this sentence it can be concluded that M&M Inkasso OÜ relies on<br />
when publishing personal data, Article 6(1)(f) of IKÜM, i.e. legitimate interest. However<br />
in doing so, we explain that even if the disputed data processing could only take place in IKÜM<br />
on the basis of Article 6(1)(f), the data processor has not submitted a legitimate interest to the inspection<br />
analysis.<br />
<br />
<br />
In addition, we point out that in certain cases it may be possible to disclose the data of some people<br />
justification for journalistic purposes. According to § 4 of the IKS, personal data may be transferred to the data subject<br />
to process without consent for journalistic purposes, in particular to disclose in the media, if for this purpose<br />
is in the public interest and is consistent with the principles of journalistic ethics. Personal data<br />
disclosure must not excessively harm the rights of the data subject.<br />
<br />
<br />
In order to disclose personal data on the basis of § 4 of the IKS, three conditions must be met:<br />
1. there is a public interest in the disclosure of personal data;<br />
2. the disclosure is in accordance with the rules of journalistic ethics;<br />
3. the disclosure of personal data must not excessively harm the rights of the data subject.<br />
<br />
According to AKI, the criterion of public interest is not met in this case. Public interest<br />
its existence can be confirmed if the topic raised and personal data disclosed contribute to the debate in a democratic society. However, the fact of indebtedness of each individual natural person does not<br />
fall into the sphere of public interest, the publication of which contributes to the further development of a democratic society<br />
would help.<br />
<br />
Since one criterion for the application of IKS § 4, i.e. the existence of public interest, has not been met, no<br />
analyze the fulfillment of the following criteria of the AKI, because in the absence of even one criterion § 4 of the IKS<br />
<br />
on the basis of which personal data cannot be disclosed.<br />
<br />
Taking into account the above, there are no other disclosures of personal debt data besides IKS § 10<br />
legal grounds.<br />
<br />
Based on the above, the inspection's assessment is that those managed by M&M Inkasso OÜ<br />
The processing of personal debt data on Facebook, Instagram, and TikTok accounts is not<br />
<br />
legitimate because by disclosing to an unlimited circle of unidentified persons on the Internet<br />
it is not possible to fulfill the requirements of IKS § 10 with the data of natural persons (including the data processor must<br />
verify that there is a legal basis for the transfer of data). Personal data has been processed without<br />
without a legal basis, which is why M&M Inkasso OÜ must terminate those containing personal data<br />
disclosure of posts on Facebook, Instagram, TikTok managed by him<br />
on pages, accounts, posts and groups.<br />
<br />
<br />
According to IKS § 58 paragraph 1 and IKÜ Article 58 paragraph 2 p. f and g, the inspection has the right<br />
to issue an order to limit the processing of personal data. Considering that in a particular case<br />
the debt data of natural persons is publicly disclosed illegally and that M&M<br />
Inkasso OÜ did not agree to comply with the proposal of the Data Protection Inspectorate of 01.11.2022, finds<br />
inspection, that making a mandatory injunction in this case is necessary in order to stop it<br />
offense as soon as possible.<br />
<br />
<br />
<br />
(signed digitally)<br />
Alissa Khmelnitskaya<br />
lawyer<br />
on the authority of the Director General<br />
</pre></div>Norman.aasmahttps://gdprhub.eu/index.php?title=User:Norman.aasma&diff=30688User:Norman.aasma2023-01-25T08:49:02Z<p>Norman.aasma: </p>
<hr />
<div>'''Norman Aasma''', Country reporter for Estonia & Germany<br />
<br />
L.L.M student at University of Oslo<br />
<br />
'''CV''': [https://linkedin.com/in/norman-aasma-0256b21a5 linkedin.com/in/norman-aasma-0256b21a5]<br />
<br />
<br />
<br />
<br />
'''My contributions''':<br />
<br />
[[AKI (Estonia) - 2.1.-4/22/2585]]<br />
<br />
[[AKI (Estonia) - 2.1.-5/22/22012]] <br />
<br />
[[BlnBDI (Berlin) - C-807/21 - Deutsche Wohnen]]</div>Norman.aasmahttps://gdprhub.eu/index.php?title=User:Norman.aasma&diff=30687User:Norman.aasma2023-01-25T08:46:35Z<p>Norman.aasma: </p>
<hr />
<div>'''Norman Aasma''', Country reporter for Estonia & Germany<br />
<br />
L.L.M student at University of Oslo<br />
<br />
'''CV''': [https://linkedin.com/in/norman-aasma-0256b21a5 linkedin.com/in/norman-aasma-0256b21a5]<br />
<br />
<br />
<br />
<br />
'''My contributions''':<br />
<br />
[[AKI (Estonia) - 2.1.-4/22/2585]]<br />
<br />
AKI (Estonia) - 2.1.-5/22/22012 <br />
<br />
[[BlnBDI (Berlin) - C-807/21 - Deutsche Wohnen]]</div>Norman.aasmahttps://gdprhub.eu/index.php?title=AKI_(Estonia)_-_2.1.-5/22/22012&diff=30684AKI (Estonia) - 2.1.-5/22/220122023-01-25T08:43:54Z<p>Norman.aasma: Created page with "{{DPAdecisionBOX |Jurisdiction=Estonia |DPA-BG-Color= |DPAlogo=LogoEE.png |DPA_Abbrevation=AKI |DPA_With_Country=AKI (Estonia) |Case_Number_Name=2.1.-5/22/22012 |ECLI= |Ori..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Estonia<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoEE.png<br />
|DPA_Abbrevation=AKI<br />
|DPA_With_Country=AKI (Estonia)<br />
<br />
|Case_Number_Name=2.1.-5/22/22012<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=AKI<br />
|Original_Source_Link_1=https://www.aki.ee/sites/default/files/ettekirjutused/2022/ettekirjutus-hoiatus_isikuandmete_kaitse_asjas_mm_inkasso_ou.pdf<br />
|Original_Source_Language_1=Estonian<br />
|Original_Source_Language__Code_1=ET<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=01.11.2022<br />
|Date_Decided=06.12.2022<br />
|Date_Published=29.12.2022<br />
|Year=2022<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 6(1)(d) GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR#1d<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=§ 10 IKS (Personal Data Protection Act)<br />
|National_Law_Link_1=https://www.riigiteataja.ee/en/eli/523012019001/consolide<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
|National_Law_Name_3=<br />
|National_Law_Link_3=<br />
<br />
|Party_Name_1=M&M Inkasso OÜ<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Norman Aasma<br />
|<br />
}}<br />
<br />
The publication of debtors' debt data on the debt collection agency's social media accounts and the processing of data that this entails is not lawful.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A debt collection company, M&M Inkasso OÜ (data controller), published private debt data on its website and social media. <br />
<br />
After receiving a formal notice about the doings of the said debt collection company, the Estonian DPA started an investigation with the aim of urging the company to start acting in compliance with the data protection requirements. More specifically, the Estonian DPA asked the company in the formal injunction to stop disclosing the personal data of the debtors on the company's website and on the company's TikTok account. During the proceedings, the controller explained to the DPA that the debt collection company was acting based on the protection of vital interests. It also stated that it had taken into consideration all other necessary legal considerations with a view to avoiding other legal infringements, and that all information published on the company's website and social media was taken from the Internet, as it was all freely available.<br />
<br />
=== Holding ===<br />
Firstly, the DPA explained that based on recital 46 GDPR, the processing of personal data should be lawful also where it is necessary for the purposes of the private life of the data subject or of another natural person, or for the purposes of the processing of personal data.
The DPA also explained that in accordance with the Estonian Personal Data Protection Act, the disclosure to a third party of data which is related to the breach of a contractual obligation, and the processing of the data transmitted by the third party, is lawful for the purpose of assessing the creditworthiness of the data subject or for any other related similar purpose. Furthermore, in such a case there are other additional legal presumptions that must be met. <br />
Furthermore, under § 10 (2)(3) and (4) Personal Data Protection Act, it is not lawful to publish such data in case it would excessively prejudice the rights or freedoms of the data subject and/or if less than 30 days have passed since the breach of a contract. <br />
The DPA rejected the arguments of the controller that the processing of personal data. <br />
The DPA found that disclosure of the personal information of the debtors does not imply disclosure of such data to an unlimited number of unidentified persons.
The DPA held that as the public interest criterion stemming from the Personal Data Protection Act is not met, all other bases for such data processing cannot even be considered. The DPA held that disclosure of debtors' data on social media accounts managed by the debt collection company M&M Inkasso OÜ is unlawful and that the data processing is done without a lawful basis.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Estonian original. Please refer to the Estonian original for more details.<br />
<br />
<pre><br />
PRIVACY PROTECTION AGAINST STATE TRANSPARENCY<br />
<br />
INTERNAL USE<br />
Note made: 06.12.2022e Inspection<br />
The access restriction applies until the procedure is completed<br />
until the decision comes into force<br />
Basis: AvTS § 35 subsection 1 point 2<br />
<br />
<br />
<br />
PRESCRIPTION WARNING<br />
<br />
personal data protection case no. 2.1.-5/22/2012<br />
<br />
<br />
<br />
Alissa Hmelnitskaja, lawyer of the Data Protection Inspectorate, issued the order<br />
<br />
<br />
Time of making the prescription 06.12.2022 in Tallinn<br />
and place<br />
M&M Inkasso OÜ (12820582)<br />
Addressee of the injunction –<br />
address of the personal data processor: Harju county, Keila city, Pae tn 8-54, 76610<br />
email address: madisaus@gmail.com<br />
<br />
Copy Representatives: XXX, XXX<br />
XXX<br />
<br />
Personal data processor Member of the Board<br />
responsible person<br />
<br />
<br />
<br />
RESOLUTION:<br />
§ 56 subsection 1, subsection 2 point 8, § 56 subsection 3 points 3 and<br />
4, § 58 (1), § 10 and Article 58 (1) of the General Regulation on the Protection of Personal Data (GPR)<br />
on the basis of point d and points f and g of paragraph 2, as well as taking into account Article 6 of IKÜM, does<br />
<br />
inspection to fulfill the mandatory prescription:<br />
1. M&M Inkasso OÜ must terminate the company's TikTok, Instagram and Facebook<br />
disclosure of personal data of debtors in accounts, if there is no person for this purpose<br />
voluntary consent.<br />
<br />
<br />
I set the deadline for the execution of the order as 20.12.2022. Report the fulfillment of the prescription<br />
by this deadline at the latest to the e-mail address of the Data Protection Inspectorate at info@aki.ee.<br />
<br />
<br />
<br />
DISPUTE REFERENCE:<br />
This order can be challenged within 30 days by submitting either:<br />
- a complaint to the Data Protection Inspectorate under the Administrative Procedure Act or<br />
- a complaint to the administrative court according to the Code of Administrative Court Procedure (in this case it is no longer possible<br />
to review the argument in the same matter).<br />
<br />
<br />
Challenging an injunction does not suspend the obligation to fulfill it or the measures necessary for its fulfillment<br />
implementation.<br />
<br />
<br />
EXTORTION WARNING:<br />
If the injunction has not been fulfilled by the set deadline, the Data Protection Inspectorate will determine<br />
to the addressee of the injunction on the basis of § 60 of the Personal Data Protection Act:<br />
A fine of 1,000 euros.<br />
<br />
1 https://www.facebook.com/profile.php?id=100054229521619; https://www.tiktok.com/@mminkasso.ee;<br />
https://www.instagram.com/mminkasso/?igshid=YmMyMTA2M2Y%3D<br />
Tatari tn 39 / 10134 Tallinn / 627 4135 / info@aki.ee / www.aki.ee<br />
Registration code 70004235<br />
<br />
A fine may be imposed repeatedly - until the injunction is fulfilled. If the recipient does not pay<br />
extortion money, it is forwarded to the bailiff to start enforcement proceedings. In this case, they are added<br />
bailiff's fee and other enforcement costs for the enforcement money.<br />
<br />
<br />
VIOLATION PENALTY WARNING:<br />
Protection of personal data against failure to comply with the injunction pursuant to Article 58 (2) of the General Regulation<br />
misdemeanor proceedings may be initiated based on § 69 of the Personal Data Protection Act. For this act<br />
a natural person may be fined up to 20,000,000 euros and a legal person<br />
may be punished with a fine of up to 20,000,000 euros or up to 4 percent of his previous one<br />
of the total worldwide annual turnover of the financial year, whichever is the amount<br />
<br />
bigger. The out-of-court procedure for a misdemeanor is the Data Protection Inspectorate.<br />
<br />
FACTUAL CIRCUMSTANCES: The Data Protection Authority (AKI) received a notification that M&M<br />
Inkasso OÜ publishes debt data of private individuals on its website and on social media.<br />
<br />
The inspection started the supervision procedure on the basis of IKS § 56 (3) point 8, within the framework of which there was<br />
made on 01.11.2022 proposal for better fulfillment of personal data protection requirements no. 2.1.-<br />
5/22/2012. According to the proposal, M&M Inkasso OÜ had to terminate the company's website and<br />
<br />
disclosure of debtors' personal information on the company's TikTok account and to send about it<br />
confirmation to the inspection no later than 17.11.2022. We also noted that if M&M Inkasso OÜ no<br />
accept the proposal, then the company should have answered additional questions.<br />
<br />
The inspection has received the following response from the contractual representative of the company on 10.11.2022:<br />
<br />
"You have contacted M&M Inkasso OÜ with a written request for information on 01.11.21 with two questions.<br />
<br />
In response to your questions, I confirm that the personal data published on the website of M&M Inkasso OÜ<br />
the basis for publication is the protection of vital interests. I would like to further explain that the published personal data<br />
help prevent malicious exploitation by bona fide individuals. Published personal data<br />
prevent new contractual violations if the disclosed persons do not behave according to their contractual obligations<br />
fulfilling obligations in good faith. I also explain that all published photographic material has been taken<br />
from public space (social media). M&M Inkasso OÜ has considered when publishing the data<br />
<br />
the possible infringement of the rights of the persons reflected in the photos and found that the published persons<br />
the damage caused by the activity to other natural persons and its extent outweighs the debtors<br />
the principle of privacy. M&M Inkasso OÜ has not published personal identification codes of individuals.<br />
Only names are published and low quality posts from social media by the individuals themselves<br />
photos. If the published photos are removed, the impact of the published information disappears and is great<br />
the risk that the rights of bona fide persons operating in the same legal space will be acquired by malicious ones<br />
to suffer once again by legal entities."<br />
<br />
<br />
As of 06.12.2022, personal data of other persons is still published by M&M Inkasso OÜ<br />
accounts on social media (TikTok, Facebook and Instagram). But the company's website<br />
https://mminkasso.ee/ is no longer available as of this date.<br />
<br />
<br />
GROUNDS FOR DATA PROTECTION INSPECTION:<br />
<br />
<br />
1. Legal basis for publishing personal data<br />
<br />
In the answer of 10.11.2022, the data processor, i.e. M&M Inkasso OÜ, stated that M&M Inkasso<br />
The basis for publishing personal data published on OÜ's website is the protection of vital interests.<br />
considered legal even if it is necessary for the life of the data subject or other natural person<br />
to protect interests. Personal data could be obtained on the basis of the vital interests of another natural person<br />
in principle, only be processed if the processing cannot obviously be carried out on another legal basis<br />
on the basis of As a result, the disclosure of debtors' data cannot take place IN ACCORDANCE with article 6 par<br />
1 point d.<br />
<br />
<br />
In addition to the above, IKS § 10(1) stipulates that personal data related to the breach of a debt relationship<br />
disclosure to a third party and processing of the transmitted data by a third party is<br />
permitted for the evaluation of the creditworthiness of the data subject or for other similar purposes and<br />
only if all three conditions are met:<br />
1. the data processor has verified that there is a legal basis for the transfer of data;<br />
2. the data processor has checked the correctness of the data;<br />
<br />
3. the data transfer is recorded (keeping information about who and what was transferred).<br />
<br />
However, it is not allowed to collect data for the aforementioned purpose and to a third party<br />
transmit if it would excessively harm the rights or freedoms of the data subject and/or the contract<br />
less than 30 days have passed since the violation (IKS § 10 (2) points 3 and 4).<br />
<br />
In addition, we note that the inspection is of the opinion that the right to the debtor's default data<br />
<br />
to publish does not mean to disclose them to an unlimited number of unidentified persons (on the Internet,<br />
in a newspaper, on the bulletin board of an apartment building, on the company's website, etc.). IKS § 10 also stipulates an obligation<br />
before disclosing the data, check the legal basis of the recipient of the data for obtaining the data.<br />
This obligation cannot be fulfilled if disclosure is made to an unlimited circle. That's why it is<br />
at least one of the prerequisites for publishing data on the basis of IKS § 10 has not been fulfilled.<br />
<br />
<br />
In the case of payment defaults, it must be borne in mind that the creditor incurs a debt in the event of arrears<br />
to achieve payment, use primarily those listed in § 101 of the Law of Obligations Act<br />
legal remedies, one of which is to demand the fulfillment of an obligation. of persons<br />
the publication of payment default data is not only a pressure measure to achieve payment of the debt<br />
permissible.<br />
<br />
The data processor has noted that "M&M Inkasso OÜ has considered photographs when publishing data<br />
<br />
the possible infringement of the rights of the reported persons and found that the activities of the persons disclosed<br />
the damage caused to other natural persons and its extent outweighs the private life of the debtors<br />
principle of immunity". From this sentence it can be concluded that M&M Inkasso OÜ relies on<br />
when publishing personal data, Article 6(1)(f) of IKÜM, i.e. legitimate interest. However<br />
in doing so, we explain that even if the disputed data processing could only take place in IKÜM<br />
on the basis of Article 6(1)(f), the data processor has not submitted a legitimate interest to the inspection<br />
analysis.<br />
<br />
<br />
In addition, we point out that in certain cases it may be possible to disclose the data of some people<br />
justification for journalistic purposes. According to § 4 of the IKS, personal data may be transferred to the data subject<br />
to process without consent for journalistic purposes, in particular to disclose in the media, if for this purpose<br />
is in the public interest and is consistent with the principles of journalistic ethics. Personal data<br />
disclosure must not excessively harm the rights of the data subject.<br />
<br />
<br />
In order to disclose personal data on the basis of § 4 of the IKS, three conditions must be met:<br />
1. there is a public interest in the disclosure of personal data;<br />
2. the disclosure is in accordance with the rules of journalistic ethics;<br />
3. the disclosure of personal data must not excessively harm the rights of the data subject.<br />
<br />
According to AKI, the criterion of public interest is not met in this case. Public interest<br />
its existence can be confirmed if the topic raised and personal data disclosed contribute to the debate in a democratic society. However, the fact of indebtedness of each individual natural person does not<br />
fall into the sphere of public interest, the publication of which contributes to the further development of a democratic society<br />
would help.<br />
<br />
Since one criterion for the application of IKS § 4, i.e. the existence of public interest, has not been met, no<br />
analyze the fulfillment of the following criteria of the AKI, because in the absence of even one criterion § 4 of the IKS<br />
<br />
on the basis of which personal data cannot be disclosed.<br />
<br />
Taking into account the above, there are no other disclosures of personal debt data besides IKS § 10<br />
legal grounds.<br />
<br />
Based on the above, the inspection's assessment is that those managed by M&M Inkasso OÜ<br />
The processing of personal debt data on Facebook, Instagram, and TikTok accounts is not<br />
<br />
legitimate because by disclosing to an unlimited circle of unidentified persons on the Internet<br />
it is not possible to fulfill the requirements of IKS § 10 with the data of natural persons (including the data processor must<br />
verify that there is a legal basis for the transfer of data). Personal data has been processed without<br />
without a legal basis, which is why M&M Inkasso OÜ must terminate those containing personal data<br />
disclosure of posts on Facebook, Instagram, TikTok managed by him<br />
on pages, accounts, posts and groups.<br />
<br />
<br />
According to IKS § 58 paragraph 1 and IKÜM Article 58 paragraph 2 p. f and g, the inspection has the right<br />
to issue an order to limit the processing of personal data. Considering that in a particular case<br />
the debt data of natural persons is publicly disclosed illegally and that M&M<br />
Inkasso OÜ did not agree to comply with the proposal of the Data Protection Inspectorate of 01.11.2022, finds<br />
inspection, that making a mandatory injunction in this case is necessary in order to stop it<br />
offense as soon as possible.<br />
<br />
<br />
<br />
(signed digitally)<br />
Alissa Hmelnitskaja<br />
lawyer<br />
on the authority of the Director General<br />
</pre></div>Norman.aasmahttps://gdprhub.eu/index.php?title=User:Norman.aasma&diff=30679User:Norman.aasma2023-01-24T22:09:18Z<p>Norman.aasma: </p>
<hr />
<div>'''Norman Aasma''', Country reporter for Estonia & Germany<br />
<br />
L.L.M student at University of Oslo<br />
<br />
'''CV''': [https://linkedin.com/in/norman-aasma-0256b21a5 linkedin.com/in/norman-aasma-0256b21a5]<br />
<br />
<br />
<br />
<br />
'''My contributions''':<br />
<br />
[[AKI (Estonia) - 2.1.-4/22/2585]]<br />
<br />
[[BlnBDI (Berlin) - C-807/21 - Deutsche Wohnen]]</div>Norman.aasmahttps://gdprhub.eu/index.php?title=BlnBDI_(Berlin)_-_C-807/21_-_Deutsche_Wohnen&diff=30678BlnBDI (Berlin) - C-807/21 - Deutsche Wohnen2023-01-24T22:07:41Z<p>Norman.aasma: Created page with "{{DPAdecisionBOX |Jurisdiction=Germany |DPA-BG-Color= |DPAlogo=LogoDE-BE.png |DPA_Abbrevation=BlnBDI |DPA_With_Country=BlnBDI (Berlin) |Case_Number_Name=C-807/21 - Deutsche..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Germany<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoDE-BE.png<br />
|DPA_Abbrevation=BlnBDI<br />
|DPA_With_Country=BlnBDI (Berlin)<br />
<br />
|Case_Number_Name=C-807/21 - Deutsche Wohnen<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Curia<br />
|Original_Source_Link_1=https://curia.europa.eu/juris/showPdf.jsf?text=&docid=253761&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=4987<br />
|Original_Source_Language_1=English<br />
|Original_Source_Language__Code_1=EN<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Other<br />
|Outcome=<br />
|Date_Started=21.12.2021<br />
|Date_Decided=<br />
|Date_Published=16.01.2023<br />
|Year=<br />
|Fine=14385000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 83 GDPR<br />
|GDPR_Article_Link_1=Article 83 GDPR<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=§ 30 OWiG<br />
|National_Law_Link_1=https://www.gesetze-im-internet.de/englisch_owig/index.html<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
|National_Law_Name_3=<br />
|National_Law_Link_3=<br />
<br />
|Party_Name_1=Deutsche Wohnen SE<br />
|Party_Link_1=<br />
|Party_Name_2=Staatsanwaltschaft Berlin<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
<br />
|Appeal_To_Body=The Landgericht Berlin (Regional Court, Berlin)<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Appealed - Confirmed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Norman Aasma<br />
|<br />
}}<br />
<br />
Request for a preliminary ruling on the interpretation of [[Article 83 GDPR|Article 83 GDPR]]: whether fining an undertaking requires that a natural person, in his or her capacity as a representative of the undertaking, committed the offence.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A request for a preliminary ruling was lodged by the Kammergericht on the interpretation of [[Article 83 GDPR|Article 83 GDPR]]: whether fining an undertaking requires that a natural person, in his or her capacity as a representative of the undertaking, committed the offence, or whether this requirement is to be disregarded under the primacy of EU law.<br />
<br />
The case concerns a publicly listed real estate enterprise (the processor), which holds participating interests in around 163 000 housing units and 3 000 commercial units. As part of their professional activities, its group companies handle personal data relating to the tenants of those housing and commercial units. The data handled includes proof of identity, data on health and social insurance, tax data and information on earlier tenancies.<br />
<br />
On its own initiative, the Berlin Commissioner for Data Protection (the DPA) started an on-the-spot investigation of the companies that were part of the group.<br />
<br />
The processor explained to the DPA that the checked archive had been decommissioned and the stored data had been transferred immediately to the new system.<br />
<br />
=== Holding ===<br />
The DPA found that the group companies were storing personal data of tenants in the electronic archive system, but it was not possible to get a clear overview of whether such storage was even necessary, and the existing system did not enable erasure of data that was no longer necessary.<br />
<br />
The DPA required the real estate enterprise to delete all the documents from its electronic archive. Three years later, in 2020, the DPA carried out another on-the-spot investigation, this time at the corporate headquarters of the group. The DPA adopted an administrative penalty order and explained that the enterprise concerned had not taken any of the measures it was required to take to enable the erasure of tenants' personal data that was no longer necessary at that time.<br />
<br />
Furthermore, the DPA held that the company continued to store data of some of the tenants even though that particular data was not needed.<br />
<br />
The DPA found infringements of Articles 25(1), 5(1)(a), (c) and (e) GDPR and imposed a fine of EUR 14 385 000, as well as 15 further pecuniary penalties, each ranging from EUR 3 000 to EUR 17 000, for additional infringements of Article 6(1) of the GDPR.<br />
<br />
The case ended up at the Landgericht Berlin (Regional Court, Berlin), which discontinued the proceedings. This decision was appealed by the Berlin Public Prosecutor's Office, which left the Kammergericht to make the final decision on the matter.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the English original. Please refer to the English original for more details.<br />
<br />
<pre><br />
Deutsche Wohnen, Case C-807/21<br />
Reports of Cases: information not available<br />
</pre></div>Norman.aasmahttps://gdprhub.eu/index.php?title=User:Norman.aasma&diff=30250User:Norman.aasma2023-01-10T11:37:16Z<p>Norman.aasma: </p>
<hr />
<div>'''Norman Aasma''', Country reporter for Estonia & Germany<br />
<br />
L.L.M student at University of Oslo<br />
<br />
'''CV''': [[linkedin.com/in/norman-aasma-0256b21a5]]<br />
<br />
<br />
<br />
'''My contributions''':<br />
<br />
[[AKI (Estonia) - 2.1.-4/22/2585]]</div>Norman.aasmahttps://gdprhub.eu/index.php?title=User:Norman.aasma&diff=30249User:Norman.aasma2023-01-10T11:36:09Z<p>Norman.aasma: </p>
<hr />
<div>'''Norman Aasma''', Country reporter for Estonia & Germany<br />
<br />
L.L.M student at University of Oslo<br />
<br />
'''CV''': [[linkedin.com/in/norman-aasma-0256b21a5]]<br />
<br />
<br />
My contributions:</div>Norman.aasmahttps://gdprhub.eu/index.php?title=AKI_(Estonia)_-_2.1.-4/22/2585&diff=30245AKI (Estonia) - 2.1.-4/22/25852023-01-10T11:07:32Z<p>Norman.aasma: Created page with "{{DPAdecisionBOX |Jurisdiction=Estonia |DPA-BG-Color= |DPAlogo=LogoEE.png |DPA_Abbrevation=AKI |DPA_With_Country=AKI (Estonia) |Case_Number_Name=2.1.-4/22/2585 |ECLI= |Orig..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Estonia<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoEE.png<br />
|DPA_Abbrevation=AKI<br />
|DPA_With_Country=AKI (Estonia)<br />
<br />
|Case_Number_Name=2.1.-4/22/2585<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=AKI (Estonia)<br />
|Original_Source_Link_1=https://www.aki.ee/sites/default/files/ettekirjutused/2022/ettekirjutus-hoiatus_isikuandmete_kaitse_asjas_ou_laidoneri_kv.pdf<br />
|Original_Source_Language_1=Estonian<br />
|Original_Source_Language__Code_1=ET<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=28.10.2022<br />
|Date_Decided=06.12.2022<br />
|Date_Published=06.12.2022<br />
|Year=2022<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 5 GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR<br />
|GDPR_Article_2=Article 6(1) GDPR<br />
|GDPR_Article_Link_2=Article 6 GDPR#1<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=OÜ Laidoneri KV<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Norman Aasma<br />
|<br />
}}<br />
<br />
The Estonian DPA held that using CCTV cameras in an employment context can be based only on legitimate interest, backed by a legitimate interest assessment.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The Estonian DPA started an investigation on its own initiative to find out on what legal basis and for what purpose the private limited company OÜ Laidoneri KV uses CCTV cameras.<br />
OÜ Laidoneri KV explained that the cameras were visibly installed at three corners of the Park Hotel Viljandi and in the kitchen located in its basement.<br />
The party concerned did not, however, submit a legitimate interest analysis to the DPA, and the DPA found that in the present circumstances the processing of personal data based on [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]] cannot be considered lawful.<br />
The investigation also revealed that the signs informing about the use of CCTV cameras were not suitable: they lacked the necessary information about the aim of the video surveillance, mentioned no legal basis and provided no information about the controller.<br />
<br />
=== Holding ===<br />
The DPA proposed that due to the lack of a legal basis, the use of video-surveillance should be discontinued and the existing recordings deleted.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Estonian original. Please refer to the Estonian original for more details.<br />
<br />
<pre><br />
PRIVACY PROTECTION AGAINST STATE TRANSPARENCY<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
PRESCRIPTION WARNING<br />
personal data protection case no. 2.1.-4/22/2585<br />
<br />
<br />
<br />
<br />
Geili Keppi, a lawyer from the Data Protection Inspectorate, made the order<br />
<br />
Time of prescription<br />
and place 06.12.2022 in Tallinn<br />
OÜ Laidoner KV registry code 12955595<br />
Addressee of the prescription - Viljandi county, Viljandi city, J. Laidoneri plats 8, 71020<br />
e-mail address of the personal data processor: park@parkhotelviljandi.ee<br />
<br />
Personal data processor Member of the Board<br />
responsible official<br />
<br />
<br />
<br />
RESOLUTION:<br />
§ 56 subsection 1, subsection 2 clause 8, § 58 subsection 1 of the Personal Data Protection Act and personal data<br />
on the basis of Article 58(2)(d) of the General Regulation on Protection (IKÜM), considering the IKÜM<br />
with articles 5, 6 and 12-14, I make a mandatory prescription for compliance:<br />
<br />
Stop the use of cameras on the territory of OÜ Laidoner KV until it is fulfilled<br />
the following points:<br />
<br />
1. a legitimate interest analysis has been prepared regarding the use of cameras accordingly<br />
The instructions prepared by the inspection and which meet the requirements of IKÜM<br />
Approved by the Data Protection Inspectorate;<br />
2. data protection conditions have been drawn up, which meet the requirements of IKÜM<br />
Approved by the Data Protection Inspectorate.<br />
<br />
I set the deadline for the execution of the order as 20.12.2022.<br />
<br />
<br />
Report compliance with the order to the Data Protection Inspectorate by this deadline at the latest.<br />
DISPUTE REFERENCE:<br />
This order can be challenged within 30 days by submitting either:<br />
- appeal to the Data Protection Inspectorate under the Administrative Procedure Act or<br />
- a complaint to the Tallinn Administrative Court in accordance with the Code of Administrative Court Procedure (in this case it is not possible<br />
<br />
to review an argument on the same matter).<br />
<br />
Challenging an injunction does not suspend the obligation to fulfill it or the measures necessary for its fulfillment<br />
implementation.<br />
<br />
EXTORTION ALERT:<br />
If the injunction has not been fulfilled by the set deadline, the Data Protection Inspectorate will determine<br />
extortion money to the addressee of the injunction on the basis of § 40 (2) of the Personal Data Protection Act<br />
in points 1-2 for failure to fulfill each obligation in the amount of 2000 euros.<br />
<br />
Tatari tn 39 / 10134 Tallinn / 627 4135 / info@aki.ee / www.aki.ee<br />
Registration code 70004235<br />
<br />
The penalty may be imposed repeatedly - until the injunction is fulfilled. If the recipient does not pay<br />
extortion money, it is forwarded to the bailiff to start enforcement proceedings. In this case, they are added<br />
bailiff's fee and other enforcement costs for the enforcement money.<br />
<br />
<br />
FACTUAL DISTRIBUTIONS:<br />
<br />
On 28.10.2022, AKI initiated a self-initiated supervision procedure, the purpose of which was to<br />
explain on what legal basis and purpose the legal entity uses OÜ Laidoner<br />
<br />
KV, cameras with registry code 12955595.<br />
<br />
OÜ Laidoneri KV explained in the letter sent on 02.11.2022 that the cameras of Park Hotell Viljandi are<br />
visibly installed in the three outer corners of the house (the farmyard, the front door and the other side of the house),<br />
to the public spaces on the first floor (inner atrium and restaurant) and to the one on the basement floor<br />
to the kitchen.<br />
<br />
Insofar as AKI was not provided with a legitimate interest analysis carried out prior to the use of the cameras,<br />
then on 18.11.2022 AKI made a proposal to Laidoneri KV OÜ in the matter of personal data protection, incl.<br />
<br />
explaining that, understandably, they relied on the General Regulation on Personal Data Protection in their response<br />
(hereinafter IKÜM) Article 6 paragraph 1 point a, according to which the processing of personal data<br />
(the use of video cameras) the legal basis is the consent of the persons. Data Protection Inspectorate<br />
consequently proposed to OÜ Laidoner KV to stop using video surveillance and<br />
delete the existing recordings, as KV Laidoneri OÜ does not have a verified legal<br />
a basis for using video surveillance and send a confirmation of this to the inspection at the latest<br />
24.11.2022.<br />
<br />
<br />
In the proposal, AKI explained, among other things, why consent given in employment relationships is not considered<br />
for voluntarily given consent and why cameras cannot be used on this legal basis<br />
rely on use.<br />
<br />
OÜ Laidoneri KV responded to the proposal made by AKI on 21.11.2022 and continued to confirm that<br />
however, the use of cameras is based on the consent of employees;<br />
<br />
As it became clear during the supervision procedure that the signs informing about the cameras do not correspond<br />
requirements, then in the proposal made on 18.11.2022, the inspection asked to create also those that meet the requirements<br />
<br />
notification signs, in case KV Laidoneri OÜ still wants to use video surveillance. For inspection<br />
images of notification signs were transmitted, but these signs did not indicate the purpose of video surveillance,<br />
to the legal basis and controller. There was also no indication of where and how<br />
the customer/employee can find the data protection conditions.<br />
<br />
OÜ Laidoneri KV explained in its response to the inspection's proposal submitted on 21.11.2022 that their<br />
it is estimated that the existing notification signs are sufficient, as they are installed on the walls of the house and<br />
<br />
it is understood that they refer to the cameras in this house. However, KV Laidoneri forwarded<br />
OÜ 29.11.2022 pictures of notification labels prepared by the Data Protection Inspectorate<br />
developed with video surveillance tag generator.<br />
<br />
<br />
PERSONAL DATA PROCESSOR EXPLANATION:<br />
In the response to AKI's proposal submitted on 21.11.2022, KV Laidoneri OÜ explained, among other things,<br />
the following: "As I have explained many times, the people who work in our building have given<br />
verbal consent (you may be surprised, but completely voluntarily) that they understand which ones<br />
purposes, we have surveillance cameras in our house. The aim is to ensure that those staying in the territory<br />
the safety of people and the house. Notification signs have been installed and photos have been sent to you.<br />
Notification signs are installed on the walls of the house (indicating video surveillance) and you can get out of there<br />
<br />
read that they apply to this house, as they are installed on the walls, doors, fence and<br />
<br />
interior rooms. There has never been any indication in previous answers that notification labels should have<br />
the additional information mentioned in your last letter, and I have also not come across it in the cityscape of Viljandi<br />
video surveillance labels with additional information: purpose of processing, legal basis, person responsible<br />
the name and contact details of the processor and information where the data protection conditions can be found."<br />
<br />
<br />
GROUNDS FOR DATA PROTECTION INSPECTION:<br />
<br />
1. According to Article 5 of the General Regulation on the Protection of Personal Data (GPR), data processing must be<br />
legal. The processing of personal data is legal only if there is an IKÜM<br />
of the legal bases given in Article 6.<br />
<br />
2. According to article 6 paragraph 1 of the IKÜM, the processing of personal data is legal only if<br />
there is a legal basis provided for in the said article. As a rule, in an employment relationship<br />
the processing of personal data be lawful if it is related to contractual obligations or<br />
to the employer by fulfilling the obligations arising from the law or if it is an employer or<br />
with the legitimate interest of a third party. We note here that contractual obligations<br />
compliance can only be relied upon for such processing operations as are real<br />
<br />
necessary for the employer to fulfill the employment contract, which must be the use of cameras<br />
can not. There is also no obligation arising from the law that would oblige KV in this case<br />
Laidoneri OÜ to use camera surveillance. So in this case there are cameras<br />
use is possible only in case of legitimate interest (IKÜM art. 6 paragraph 1 p f). Legitimate<br />
However, when relying on interest, a legitimate interest assessment must have been carried out<br />
in terms of use. Information about this was sent by AKI on 18.11.2022<br />
in proposal No. 2.1.-4/22/2585. In addition, AKI also explained why not in the mentioned proposal<br />
<br />
can rely on the consent of employees when using cameras.<br />
3. Because the monitoring of persons by means of a camera infringes the integrity of private life to a significant extent and<br />
the use of cameras is only possible if there is a legitimate interest, it is important that an<br />
assessment of the legitimate interest has been carried out, which shows that the interest of the data processor outweighs<br />
the interests or fundamental rights and freedoms of the data subject. In a situation where it does not,<br />
the use of cameras is also not allowed. According to Article 5 paragraph 2 of the IKÜM,<br />
the data processor must prove the legality of data processing. We have explained how to assess legitimate interest<br />
in the guide.<br />
<br />
4. The assessment of legitimate interest is not just for filling out forms. Its aim is to<br />
explain clearly to everyone why it is necessary to use just so many cameras and in such<br />
locations: what purpose the cameras serve and why no other<br />
measure is sufficient. The objectives must be stated precisely, e.g. an abstract reference such as<br />
"to monitor processes" or "to ensure security" is not suitable. When the camera is used<br />
for the protection of property, then it is necessary to describe exactly what the threat to the property is and why the threat is<br />
realistic (references to past events). Cameras cannot be used<br />
because of a hypothetical threat. You must write down all the purposes for which the cameras are actually<br />
used.<br />
<br />
5. Then it is necessary to justify specifically why the cameras are installed in these<br />
places and which cameras are used. To reduce the infringement caused by camera surveillance,<br />
the cameras must be directed only at a specific problem area.<br />
The unnecessary part of the camera's field of view must be blurred or covered.<br />
<br />
6. Once the above is done, it is necessary to explain what effect the cameras have on the employees.<br />
The extent of the encroachment on the rights of employees is also affected by how long the recordings are kept and who<br />
has access to them. Among other things, the stress caused by being under constant<br />
surveillance must be taken into account.<br />
<br />
7. AKI explained in the proposal, among other things, that consent cannot be relied upon as the legal basis<br />
in an employment relationship, insofar as it is a subordination relationship and in such a case it is<br />
unlikely that the person gave consent voluntarily. The European<br />
Data Protection Board reached the same conclusion in its guidelines on the processing of personal data<br />
through video devices ("Guidelines 3/2019 on processing of personal data through video devices"),<br />
and the Data Protection Inspectorate relies on the guidelines of the European<br />
Data Protection Board. In addition, we also explained that if a situation should arise<br />
(on the example of OÜ KV Laidoner) where one employee does not give his consent to the processing of his data<br />
or withdraws it later (this right derives from Article 7, paragraph 3 of IKÜM), then<br />
theoretically he should also not be in the field of view of the camera, which is why the employer has<br />
the obligation to close the camera at any moment when the employee is in front of the camera (which is<br />
impossible in reality). In addition, relying on consent for cameras is<br />
problematic also because persons who are not employees also remain in the field of view of the cameras,<br />
and it is not realistically plausible that KV Laidoneri OÜ as a data processor<br />
obtains consent from these individuals each time. In this case, cameras are therefore used<br />
without a legal basis - illegally.<br />
<br />
8. When using cameras, appropriate notice labels must also be installed,<br />
with a more detailed reference to the data processor's data protection conditions.<br />
KV Laidoneri OÜ explained in the initial response to AKI that in their opinion the information labels were<br />
suitable, because they were installed on the wall of the house, and therefore it could be understood<br />
that they are about this house. In addition, according to KV Laidoneri OÜ, AKI had not, before<br />
making the proposal, referred to the information that must be on the information labels. At this point<br />
we note that AKI already referred to the video surveillance tag generator developed by AKI<br />
in the first inquiry. The information label must have information about who the responsible<br />
processor is, what the purpose of personal data processing is and its legal basis, and also<br />
the contact details of the data controller. On 29.11.2022, KV Laidoneri OÜ transmitted<br />
to the inspectorate pictures of the newly installed signs, which show that the signs have<br />
the necessary information. However, it is confusing that the labels refer to legitimate interest<br />
as the legal basis. At the same time, KV Laidoneri OÜ has repeatedly stated in the proceedings<br />
that the use of video surveillance was based on the consent of individuals.<br />
<br />
9. Taking into account the above, the processing of personal data<br />
(filming) by OÜ KV Laidoner is currently illegal because it does not comply with the requirements of<br />
Articles 5, 6, 12 and 13 of the IKÜM.<br />
<br />
10. According to IKS § 58 paragraph 1 and IKÜM Article 58 paragraph 2 points d and f,<br />
the inspectorate has the right to order the data processor to bring personal data processing<br />
operations into compliance with the provisions of the IKÜM in a certain way and within a certain time, and the right to<br />
establish a temporary or permanent restriction on the processing of personal data, including a ban on processing.<br />
<br />
11. At the end of the proposal, AKI pointed out that the Data Protection Inspectorate has<br />
the right, according to IKS § 56 (2) point 8, § 58 (1) and on the basis of Article 58 (2) of the<br />
General Regulation on the Protection of Personal Data, to issue an injunction to the processor of personal data if<br />
the personal data processor has violated the personal data protection processing requirements.<br />
<br />
12. Taking into account the circumstances that personal data is currently being processed illegally and OÜ<br />
KV Laidoneri has not shown a willingness to bring data processing into compliance with the<br />
requirements stated in the IKÜM, the inspectorate considers that issuing a mandatory injunction<br />
in the matter is necessary in order to end the offense as soon as possible and to ensure<br />
the protection of the privacy of individuals. Therefore, the inspectorate issues a mandatory injunction to<br />
stop the use of surveillance cameras on the territory of OÜ KV Laidoner until the company<br />
fulfills the obligations imposed by IKÜM for performing such data processing.<br />
<br />
<br />
(signed digitally)<br />
Geili Kepp<br />
lawyer<br />
on the authority of the Director General<br />
<br />
<br />
<br />
</pre></div>Norman.aasmahttps://gdprhub.eu/index.php?title=User:Norman.aasma&diff=30233User:Norman.aasma2023-01-10T09:39:29Z<p>Norman.aasma: </p>
<hr />
<div>'''Norman Aasma''', Country reporter for Estonia & Germany<br />
<br />
L.L.M student at University of Oslo<br />
<br />
'''CV''': [[linkedin.com/in/norman-aasma-0256b21a5]]</div>Norman.aasmahttps://gdprhub.eu/index.php?title=User:Norman.aasma&diff=30232User:Norman.aasma2023-01-10T09:38:40Z<p>Norman.aasma: </p>
<hr />
<div>Norman Aasma, Country reporter for Estonia & Germany<br />
<br />
L.L.M student at University of Oslo<br />
<br />
CV: [[linkedin.com/in/norman-aasma-0256b21a5]]</div>Norman.aasmahttps://gdprhub.eu/index.php?title=User:Norman.aasma&diff=30231User:Norman.aasma2023-01-10T09:38:08Z<p>Norman.aasma: </p>
<hr />
<div>Norman Aasma, Country reporter for Estonia & Germany<br />
<br />
L.L.M student at University of Oslo<br />
<br />
CV: linkedin.com/in/norman-aasma-0256b21a5</div>Norman.aasmahttps://gdprhub.eu/index.php?title=User:Norman.aasma&diff=30230User:Norman.aasma2023-01-10T09:34:54Z<p>Norman.aasma: Created page with "Norman Aasma, Country reporter for Estonia & Germany"</p>
<hr />
<div>Norman Aasma, Country reporter for Estonia & Germany</div>Norman.aasma