DSB (Austria) - 2022-0.616.013

From GDPRhub
Revision as of 14:03, 18 June 2024 by Ec
DSB - 2022-0.616.013
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 6(1)(a) GDPR
Article 8(1) GDPR
Article 15 GDPR
Article 17(1)(a) GDPR
§ 4(4) DSG
Type: Complaint
Outcome: Rejected
Started:
Decided: 01.09.2022
Published: 03.06.2024
Fine: n/a
Parties: n/a
National Case Number/Name: 2022-0.616.013
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): German
Original Source: RIS (in DE)
Initial Contributor: ec

The DPA held that neither the right of access nor the right to erasure can be used to derive a right to the non-erasure of data.

English Summary

Facts

On 1 July 2018, the data subject sent an access request to the controller.

The controller replied with the requested information attached as PDF files, and stated that they had deleted the data subject’s account because they had found out, while processing the request, that the data subject was not yet of legal age.

On 1 August 2018, the data subject lodged a complaint with the Austrian DPA (“Datenschutzbehörde”). They argued that the controller had violated their right of access, as their data had been deleted even though they had only requested access.

The controller argued that the data subject had been asked to provide proof of identity after the controller received the access request. When the controller examined the application, they noticed that the data subject had registered for their customer loyalty programme as a minor (at the age of 14). According to the controller’s terms and conditions, this was not actually permitted. Therefore, the controller cancelled the data subject’s membership and deregistered the data subject from their customer loyalty programme. The controller denied that this had been done in response to the request for information. Neither the termination of their membership nor the provision of information violated the data subject's right to information pursuant to Article 15 GDPR.

The data subject argued that under Article 8(1) GDPR in conjunction with Austrian data protection law (§ 4(4) DSG), they had effectively consented to the processing of their data upon reaching the age of fourteen.

Holding

The DPA held that the deletion of data after receipt of an access request but before the response to the access request would not comply with the principle of fair processing under Article 5(1)(a) and thus would constitute a violation of the data subject’s right of access under Article 15 GDPR.

After investigation, the DPA found that the controller rightly deleted the data subject’s data after providing information, as the data subject's registration for a customer loyalty programme had not been effective due to the data subject being a minor. Therefore, there was no legitimate purpose for the data processing under Article 5(1)(a) and (b) GDPR. Moreover, the DPA held that recital 38 obliges the controller to exercise particular caution and restraint when processing the data of minors.

The DPA dismissed the data subject’s argument that they effectively consented to the processing of their data under Article 8(1) GDPR in conjunction with Austrian data protection law (§ 4(4) DSG).

Although under Article 8(1) GDPR, Member States can lower the age for the processing of the personal data of a child by law, the DPA held that this only applies to the legal act of consenting to data processing under Article 6(1)(a) GDPR. The national data protection law also only lowered the age to fourteen for the use of “information society services”. Article 8(3) GDPR also clarifies that the question of the validity of the consent of a minor has no influence on the question of the validity of a contract concluded by the data subject as a minor.

Thus, the DPA held that irrespective of the question of whether the controller’s customer loyalty programme is an information society service, the basis for lawfully processing personal data (Article 5(1)(a) and (b) GDPR) ceased to exist, and the controller was obliged to delete the data subject’s data in accordance with Article 17(1)(a) GDPR, even without an erasure request from the data subject. The DPA confirmed that there must always be a lawful purpose for the processing.

The DPA further found that the information provided by the controller was complete. Therefore, the controller complied with the data subject’s access request under Article 15 GDPR.

Furthermore, the DPA stated that according to the wording of Article 15(1) GDPR, the right of access is essentially limited to the data that is actually being processed at the time the request for access is received. The DPA held that no right to the processing of personal data, and thus no right to technical reconstruction of the deleted data, could be derived from Article 15 GDPR, Article 17 GDPR or any other provisions of the GDPR. Therefore, the data subject had no right to the non-erasure of the data that was deleted by the controller.

Thus, the DPA held that the fact that the controller provided information and then at the same time deleted the data did not constitute a violation of the data subject’s right of access under Article 15 GDPR. The DPA therefore dismissed the complaint.

Comment

§ 4(4) DSG states that: "In the case of an offer of information society services made directly to a child, consent pursuant to Art. 6 para. 1 lit. a GDPR to the processing of the child's personal data is lawful if the child has reached the age of fourteen."

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Text

GZ: 2022-0.616.013 of September 1, 2022 (case number: DSB-D123.284)

[Editor's note: Names and companies, legal forms and product names, addresses (including URLs, IP and email addresses), file numbers (and the like), statistical information, etc., as well as their initials and abbreviations may be abbreviated and/or changed for pseudonymization reasons. Obvious spelling, grammatical and punctuation errors have been corrected.]

DECISION

RULING

The data protection authority decides on the data protection complaint filed by Bernhard A*** (complainant) from **** K***berg on August 1, 2018 against N*** (Österreich) GmbH (respondent, registered in the commercial register under FN *4*3*8k by the Vienna Commercial Court) from **** Vienna, represented by Dr. Erich W***, lawyer in **** Vienna, for violation of the right to information as follows:

- The complaint is dismissed.

Legal basis: Art. 4 Z 11 and 25, Art. 5 Para. 1 lit. a and b, Art. 8 Para. 1 and 3, Art. 15 Para. 1, Art. 17 Para. 1 lit. a, Art. 51 Para. 1, Art. 57 Para. 1 lit. f and Art. 77 Para. 1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), OJ No. L 119 of 4 May 2016, p. 1; Sections 18, paragraph 1, and 24, paragraphs 1 and 5 of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended.

REASONING

A. Arguments of the parties and course of proceedings

1. In his complaint dated 1 August 2018 and received by the data protection authority by email on the same day, the complainant stated that he had sent a request for information pursuant to Art. 15 GDPR to the respondent by email on 1 July 2018. In response, however, he only received a message that his account had been deleted because it had become apparent during the processing of his request that he was not yet of legal age. His data had been deleted even though he had only requested information. He had not provided false information about his date of birth. The fact that he had submitted a request for information had been used against him, which was certainly not appropriate. The complainant has requested that a violation of his right to information be established.

2. Since the respondent's full response was not attached to the complaint, the data protection authority issued an order to remedy the deficiency (procedural order of 13 August 2018, GZ: DSB-D123.284/0001-DSB/2018). After this order was not fully complied with, the complaint was initially rejected by decision of 25 October 2018, GZ: DSB-D123.284/0006-DSB/2018, in accordance with Section 13 Paragraph 3 of the General Administrative Procedure Act (AVG).

3. This decision was annulled as unlawful by the Federal Administrative Court on May 24, 2022, GZ: W256 2228170-1/5E, because the order to remedy the defect was not served on the complainant's legal representatives (parents) and was therefore ineffective. The order to remedy the defect was therefore repeated - the complainant is now of legal age - (procedural order of June 3, 2022, GZ: 2022-0.407.513). In a letter dated June 9, 2022, the complainant submitted the missing documents.

4. The investigation was then initiated. The respondent, legally represented, submitted the following in its statement of July 4, 2022, following a corresponding request from the data protection authority (procedural order of June 10, 2022, ref. no. 2022-0.422.857): The respondent asked the complainant to provide proof of identity after receiving his request for information. On August 1, 2018, the requested data protection information was then provided in full. When examining the application, however, it was noticed for the first time that the complainant had registered for the customer loyalty program "N***Card Program" as a minor (at the age of 14). This was actually not permitted according to the respondent's terms and conditions. As a result, his membership was terminated and he was deregistered from the "N***Card Program". The claim that this happened in response to the request for information does not correspond to the facts. Neither the termination of his membership in the "N***Card Program" nor the provision of information violated the complainant's right to information under Art. 15 GDPR.

5. The complainant, who was granted the right to be heard as a party to these results of the investigation (procedural order of July 11, 2022, ref. no. 2022-0.485.835), has not made any further statement.

B. Subject matter of the complaint

6. Based on the parties' submissions, it emerges that the subject matter of the proceedings is the question of whether the respondent provided the complainant with lawful information under data protection law in response to his request of July 1, 2018, and whether a possible deletion of his data in connection with this request for information constituted a violation of the right to information.

C. Findings of fact

7.   The complainant was born on March 22, 2003 and therefore turned 15 on March 22, 2018.

8. Assessment of evidence: The complainant's date of birth is officially known and on record at the data protection authority from several complaint procedures initiated by him.

9.   On February 22, 2018, the complainant registered as a member of the respondent's customer loyalty program called the "N***Card Program." The respondent began processing the complainant's personal data for this reason and for the purpose of managing his membership.

10.  Evaluation of evidence: These findings are based on the credible (and undisputed) statements of the respondent (statement of July 4, 2022, enclosed as an introductory item in GZ: 2022-0.485.835).

11.  On July 1, 2018, the complainant sent a letter to the respondent by email with the following content:

"From: Bernhard A*** <bernhard.a***@h***com.at>

To: service@n***.at

Cc:

Sent: 07/01/18 21:**:**

Subject: Request for information in accordance with the GDPR

Dear Sir or Madam!

I hereby submit a request for information about my personal data in accordance with Art. 15 of the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, GDPR). Please inform me of the following points:

Art. 15 GDPR Right of access of the data subject

(1) The data subject shall have the right to obtain confirmation from the controller as to whether or not personal data concerning him or her are being processed; where this is the case, he or she shall have the right to information about these personal data and the following information:

a) the purposes of the processing;

b) the categories of personal data being processed;

c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

d) where possible, the envisaged period for which the personal data will be stored, or, if this is not possible, the criteria used to determine that period;

e) the existence of a right to request from the controller rectification or erasure of the personal data concerning him or her or to restrict processing of the personal data concerning him or her or to object to such processing;

f) the existence of a right to lodge a complaint with a supervisory authority;

g) where the personal data are not collected from the data subject, all available information as to their source;

h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.

(2) Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 of the GDPR relating to the transfer.

(3) The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on the administrative costs. Where the data subject makes the request electronically, the information shall be provided in a commonly used electronic format, unless the data subject indicates otherwise.

(4) The right to receive a copy pursuant to paragraph 1b must not affect the rights and freedoms of others.

I have submitted the request electronically and wish to be informed electronically.

You are obliged to inform me of the measures you have taken within one month of receipt of the request. This period may be extended by a further two months if this is necessary taking into account the complexity and number of requests. You must inform me of any extension within one month of receipt of the request, together with the reasons for the delay. If you consider that you do not need to respond to the request, you must inform me of the reasons for this and of the possibility of lodging a complaint with a supervisory authority no later than one month after receipt of the request.

Kind regards

Bernhard A***"

12.  The respondent responded on July 2nd, also by email, with a letter with the following content:

"From: service@n***.at <service@n***.at>

Sent: Monday, July 2nd, 2018 08:**

To: bernhard.a***@h***com.at

Subject: Request for information in accordance with GDPR

Dear Mr. A***,

Thank you for your message.

After checking your data, I inform you that I am not allowed to give you any information.

Your date of birth indicates that you are not yet of legal age and therefore we are not obliged to provide information.

If you are of legal age, please send us a copy of your ID for identification purposes.

Thank you for your effort.

Kind regards

Franziska B***

N*** Customer Service"

13.  The complainant responded on July 2, 2018 by email as follows:

"From: bernhard.a***@h***com.at

To: service@n***.at

Cc:

Sent: 02.07.18 23:**:**

Subject: RE: Request for information in accordance with GDPR

Dear Sir or Madam!

I am referring to your message of July 2, 2018.

The Austrian Data Protection Act (DSG) as amended by the Data Protection Adaptation Act 2018 and the Data Protection Deregulation Act 2018 sets the age limit for the legality of a child's consent to an offer of information society services at the age of 14.

I am therefore of the opinion that you are permitted to provide me with the information and request that you comply with your obligation to provide information in accordance with Section 44 of the Data Protection Act and Article 15 of the General Data Protection Regulation. I am enclosing a copy of my passport to prove my identity. Otherwise, I will be forced to lodge a complaint with the relevant authority in accordance with Article 77 of the General Data Protection Regulation.

Kind regards

Bernhard A***"

14.  The respondent responded on July 3, 2018 by email as follows:

"From: SERVICE@N***.AT <SERVICE@N***.AT>

Sent: Tuesday, July 3, 2018 08:**

To: bernhard.a***@h***com.at

Subject: [Ticket# *6*4*23**1] RE: Request for information in accordance with GDPR

Dear Mr. A***,

Please excuse the fact that your first request was not processed with the necessary attention.

So that I can process your request, please fill out and sign the attached form and send it back to me at the address provided on it.

Once the completed letter has been received, I will continue processing it.

I thank you for your support and am happy to help if you have any further questions.

Kind regards

Robert C***

N*** Customer Service"

15.  After submitting the documents requested by the respondent, the complainant received a letter from the respondent by email on August 1, 2018 with the following content (email text and attachments):

"From: SERVICE@N***.AT

Sent: Wednesday, August 1, 2018 10:**

To: bernhard.a***@h***com.at

Subject: [Ticket# *6*4*23**1] RE: Request for information in accordance with GDPR

Attachments: Information in accordance with EU GDPR - Bernhard A***.pdf; Data protection query_data_Bernhard A***.pdf; Retail Customer master data.pdf

Hello Mr. A***,

my colleagues and I have collected the data and I have prepared the information.

The information and the associated documents are attached as PDF files.

Since we now know that you are not yet 18 years old, I have deregistered you from the N***Card program and canceled your membership.

According to our terms and conditions, you must be of legal age.

Please understand that you may still receive catalogs in the next 6 weeks due to production reasons.

If you have any further questions, I will be happy to help.

Kind regards

Robert C***

N*** Customer Service"

[Editor's note: The comprehensive information letter from the respondent reproduced here as a facsimile (in the form of several PDF files) would have been difficult to pseudonymize. Since the complainant did not object to its content, it was removed.]

16. Assessment of evidence: These findings are based on the documents submitted by the complainant (annexes to the complaint of August 1, 2018, introductory item in GZ: DSB-D123.284/0001-DSB/2018, and annexes to the supplement to the complaint of June 9, 2022, introductory item in GZ: 2022-0.422.857).

17. After the information was provided, the complainant's data processed for the purposes of the "N***Card Program" customer loyalty program was deleted.

18. Assessment of evidence: as above, para. 10. The fact that deletion took place corresponds to the complaint's allegations (see para. 1 above).

D. Legal assessment:

D.1. Overall:

19. The complaint has proven to be unfounded, since neither Art. 15 (right to information) nor Art. 17 (right to erasure) can give rise to a right not to erase data or to store data, and the purpose of the processing has ceased to exist due to the termination of the complainant's membership in the customer loyalty program "N***Card Program". The content and scope of the information provided comply with the law and have not been objected to in terms of content. In this respect, the present case differs from that on which the decision of September 30, 2021, GZ: 2021-0.664.183, is based.

D.2. Applicable legal provisions - right to information:

20. According to Art. 15 Para. 1 GDPR, the data subject has the right to request confirmation from the controller as to whether personal data concerning him or her are being processed; if this is the case, he or she has the right to access these personal data and to the following information:

a) the purposes of the processing;

b) the categories of personal data being processed;

c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

e) the existence of a right to request from the controller rectification or erasure of personal data concerning him or her or to restrict processing of such data or to object to such processing;

f) the existence of a right to lodge a complaint with a supervisory authority;

g) where the personal data are not collected from the data subject, all available information as to their origin;

h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.

21. The right to information is essentially limited, according to the wording of Article 15(1) (“Information about these” – i.e. the “personal data processed by the controller”), to those data that are actually being processed at the time the request for information is received. No right to the processing of personal data can be derived from Article 15 GDPR or other provisions of the GDPR.

22.  The data protection authority has stated the following about the previous legal situation (Section 26 DSG 2000) (underlining not in the original):

23.  In connection with the right to receive information about one's own data, there is no right to obtain information about or evidence of certain facts through such information or to force a client to admit such facts. The basis for any provision of information under data protection law is the actual state of stored personal data and available information about their use, not a desired state of affairs of any kind. Even if in a hypothetical case data were demonstrably deleted in violation of Section 26 Paragraph 7 DSG 2000, there is still no right to technical reconstruction of this data or to any other taking of evidence to subsequently determine its content in the complaint procedure for violation of the right to information (DSB, decision of December 17, 2015, GZ: DSB-D122.259/0008-DSB/2015, RIS, RS 2).

24. This interpretation can be applied to the current legal situation.

25. Unlike the previous Section 26 Paragraph 7 DSG 2000, the GDPR does not provide for an expressly ordered or even criminally punishable “deletion ban” during an ongoing information procedure. However, deleting data after receipt of a request for information but before the request for information has been answered does not comply with the principle of processing in good faith and therefore constitutes a violation of the data subject’s right to information (Article 15 in conjunction with Article 5 Paragraph 1 Letter a of GDPR) (DSB, decision of June 27, 2019, reference number: DSB-D124.071/0005-DSB/2019, RIS).

D.3. Loss of the legal basis for processing

26.  In the complaint proceedings, it was established that the respondent deleted the complainant's data after providing information - i.e. not in bad faith - because it was of the opinion that the complainant's registration for a customer loyalty program had not been effective due to the complainant's minority, and that the data processing therefore did not serve a legitimate purpose. This view cannot be contradicted in view of Article 5(1)(a) and (b) and the controller's duty to exercise particular caution and restraint when processing the data of minors, as expressed in Recital 38.

27.  If, however, the complainant argues that, pursuant to Article 8(1) GDPR in conjunction with Section 4(4) DSG, he was granted the right to effectively consent to the processing of his data when he turned fourteen, he must be told that this only applies to the legal act of consenting to data processing pursuant to Article 4(11) and Article 7 GDPR, and that this effectiveness is also limited to the use of "information society services". According to Article 1(1)(b) of Directive (EU) 2015/1535, to which Article 4(25) GDPR refers, this is "any service provided electronically, at a distance, usually for a fee, and at the individual request of a recipient".

28.  Article 8(3) GDPR also makes it clear that the question of the validity of the consent of a minor has no influence on the question of the validity of a contract concluded by the complainant as a minor.

29. The respondent further argued that in its terms and conditions it reserves the legal transaction of joining the customer loyalty program "N***Card Program" to adults and that it had therefore terminated the corresponding contractual relationship (see paragraph 15 above). This means that, regardless of whether the customer loyalty program "N***Card Program" is an information society service, the basis for data processing in the sense of the legitimate purpose (Article 5(1)(a) and (b) GDPR) no longer applies and the respondent was obliged to delete the complainant's data in accordance with Article 17(1)(a) GDPR even without a corresponding request. A legitimate purpose for the processing must always exist, even if the consent, considered in isolation and detached from its context, is effective.

30.  The examination of the question of whether the respondent was entitled to terminate this contractual relationship (and possibly also to deprive the complainant of associated material benefits such as special customer discounts or collected bonus points) does not fall within the competence of the data protection authority.

D.4. Conclusions:

31.  The respondent legally provided the complainant with information about the data processed concerning him. The information provided at the same time that this data would now be deleted does not constitute a violation of the complainant's right to information under Art. 15 GDPR.

32.  The complaint was therefore to be dismissed as unfounded in accordance with Section 24 Paragraph 5, third sentence, DSG.