BVwG - W214 2222613-2
From GDPRhub
| BVwG - W214 2222613-2 | |
|---|---|
 | |
| Court: | BVwG (Austria) |
| Jurisdiction: | Austria |
| Relevant Law: | Article 15(3) GDPR |
| Decided: | 20.11.2023 |
| Published: | 28.08.2024 |
| Parties: | |
| National Case Number/Name: | W214 2222613-2 |
| European Case Law Identifier: | ECLI:AT:BVWG:2023:W214.2222613.2.00 |
| Appeal from: | DSB (Austria) DSB-D124.059/0005-DSB/2019 |
| Appeal to: | |
| Original Language(s): | German |
| Original Source: | Rechtsinformationssystem des Bundes (RIS) (in German) |
| Initial Contributor: | wp |
The court ordered a credit reference agency (the controller) to disclose the credit reports related to the data subject under Article 15(3) GDPR.
English Summary
Facts
A credit reference agency (the controller), acting under Austrian law (Article 152 of the Law on business activity - Gewerbeordnung), created an identity and creditworthiness database. Using the collected data, the controller assigned individuals with a creditworthiness score. Apart from identifying data, the controller processed a final score and the “interim” scores, used to create the final one. The database was framed and logically prepared within the Microsoft SQL Server software. The database consisted of various tables, defined and related to each other. The design of the database aimed at maximizing the performance of the database, inter alia by avoiding redundant storage of data.
One of the people who's data had been collected in the database (the data subject) exercised their rights under Article 12 GDPR and Article 15 GDPR with the controller. They requested details on the processing activities pursued and the copy of the data in a “standard technical format”.
The controller answered the access request and provided the data subject with the details of processing activities, in particular, the source of the data, data recipients, the creditworthiness score.
The data subject, unsatisfied with the answer, lodged a complaint with the Austrian DPA (DSB) regarding the violation of Article 14 GDPR and violation of Article 15 GDPR, indicating the controller didn’t provide them with the copy of the data. The DPA dismissed the case.
The DPA’s decision was appealed by the data subject with the Federal Administrative Court (Bundesverwaltungsgericht – BVwG).
In the meantime, the controller supplemented the information sent to data subject, explaining retention period, criteria of data deletion, and claiming that in previous six months there were no inquiries regarding the creditworthiness of data subject. During the proceedings before the court, the controller provided the data subject with additional information.
The court issued a partial ruling on other parts of the appeal and referred to the CJEU for the preliminary ruling concerning the interpretation of Article 15(3) GDPR.
Holding
The court based the judgement in the case at hand on the preliminary ruling of the CJEU - C-487/21 - F.F. v DSB.
The data subject didn’t receive a copy of their data, especially, no database extract, no copies of creditworthiness reports nor partial scores were disclosed. Since the data subject submitted the access request and demanded the copy of their data, the controller was obliged to provide the data subject with a copy of their data.
The court explained the copy of the data didn’t mean sequence of binary values, as argued by the controller, by the representation of the data in the human-readable format. Nevertheless, the court didn't shared the interpretation of Article 15(3) GDPR suggested by the data subject. For the data subject, the faithful reproduction of the data coming from the database to another format (a table), didn’t amount to a copy of the data under Article 15(3) GDPR. The court wasn’t convinced that disclosure of a screenshot of the database was necessary to satisfy the data subject request in the case at hand.
However, the court found the partial credit scores didn’t need to be disclosed. This was because, as pointed by the controller, it would be possible to draw conclusions about the scoring formula used by the controller. Hence, for the specific partial credit scores were regarded as a part of algorithm protected by the trade secrets.
Consequently, the controller was ordered to provide the data subject with the credit reports related to the them within four weeks. The reports were not to exclude the contact data of recipients’ employees.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Decision date
20.11.2023
Standard
B-VG Art133 Para.4
DSG §4
DSGVO Art12
DSGVO Art15
DSGVO Art4
UWG §26b Para.1
B-VG Art. 133 today B-VG Art. 133 valid from 01.01.2019 to 24.05.2018 last amended by BGBl. I No. 138/2017 B-VG Art. 133 valid from 01.01.2019 last amended by BGBl. I No. 22/2018 B-VG Art. 133 valid from 25.05.2018 to 31.12.2018 last amended by BGBl. I No. 22/2018 B-VG Art. 133 valid from 01.08.2014 to May 24, 2018, last amended by BGBl. I No. 164/2013 B-VG Art. 133 valid from January 1, 2014 to July 31, 2014, last amended by BGBl. I No. 51/2012 B-VG Art. 133 valid from January 1, 2004 to December 31, 2013, last amended by BGBl. I No. 100/2003 B-VG Art. 133 valid from January 1, 1975 to December 31, 2003, last amended by BGBl. No. 444/1974 B-VG Art. 133 valid from December 25, 1946 to December 31, 1974, last amended by BGBl. No. 211/1946 B-VG Art. 133 valid from 19.12.1945 to 24.12.1946 last amended by StGBl. No. 4/1945 B-VG Art. 133 valid from January 3, 1930 to June 30, 1934
DSG Art. 2 § 4 today DSG Art. 2 § 4 valid from January 1, 2020 last amended by BGBl. I No. 14/2019 DSG Art. 2 § 4 valid from May 25, 2018 to December 31, 2019 last amended by BGBl. I No. 24/2018 DSG Art. 2 § 4 valid from May 25, 2018 to May 24, 2018 last amended by BGBl. I No. 120/2017 DSG Art. 2 § 4 valid from January 1, 2010 to May 24, 2018 last amended by BGBl. I No. 133/2009 DSG Art. 2 § 4 valid from 01.01.2000 to 31.12.2009
UWG § 26b today UWG § 26b valid from 29.01.2019 last amended by BGBl. I No. 109/2018
Ruling
W214 2222613-2/62E
PARTIAL KNOWLEDGE
IN THE NAME OF THE REPUBLIC!
The Federal Administrative Court, through Judge Dr. Eva SOUHRADA-KIRCHMAYER as chairwoman and the expert lay judges Mag. Huberta MAITZ-STRASSNIG and Mag. Claudia KRAL-BAST as assessors on the complaint of XXXX, represented by noyb - European Center for Digital Rights, against the decision of the Data Protection Authority of September 11, 2019, DSB-D124.059/0005-DSB/2019, in relation to the provision of a copy of the processed personal data in the context of a request for information in accordance with Art. 15 GDPR, rightly ruled:The Federal Administrative Court, represented by Judge Dr. Eva SOUHRADA-KIRCHMAYER as chairperson and the expert lay judges Mag. Huberta MAITZ-STRASSNIG and Mag. Claudia KRAL-BAST as assessors on the complaint of the roman 40 , represented by noyb - European Center for Digital Rights, against the decision of the data protection authority dated September 11, 2019, DSB-D124.059/0005-DSB/2019, in relation to the provision of a copy of the personal data processed in the context of a request for information pursuant to Article 15, GDPR, rightly ruled:
A)
1. The complaint is partially upheld and it is determined that the co-participating party has violated the complainant's right to information about his personal data pursuant to Art. 15 GDPR by not providing him with complete information in the form of a copy of the personal data that are the subject of the processing. 1. The complaint is partially upheld and it is determined that the co-participating party has violated the complainant's right to information about his personal data in accordance with Article 15 of the GDPR by not providing him with complete information in the form of a copy of the personal data that is the subject of the processing.
2. The co-participating party is ordered to provide the complainant with the credit reports relating to the complainant within four weeks, with the exception of any contact details of third natural persons who work for the recipients, under penalty of execution.
3. The rest of the complaint is dismissed as unfounded.
B)
The appeal is admissible in accordance with Art. 133, Paragraph 4 of the Federal Constitutional Law.The appeal is admissible in accordance with Article 133, Paragraph 4 of the Federal Constitutional Law.
Text
Reasons for the decision:
I. Procedure: Roman one. Procedure:
1. In his complaint dated January 16, 2019, addressed to the Data Protection Authority (DSB, the authority concerned before the Federal Administrative Court), the complainant alleged a violation of the right to information pursuant to Art. 14 GDPR and a violation of the right to information pursuant to Art. 15 GDPR by XXXX (former respondent before the authority concerned, now a co-participating party before the Federal Administrative Court) and, in summary, argued that his request for information dated December 28, 2018 had been inadequately answered in a letter from the co-participating party dated December 31, 2018 and that a copy of the personal data had not been transmitted. 1. In his complaint of January 16, 2019, addressed to the Data Protection Authority (DSB, the authority concerned before the Federal Administrative Court), the complainant alleged a violation of the right to information pursuant to Article 14, GDPR and a violation of the right to information pursuant to Article 15, GDPR by the Roman 40 (former respondent before the authority concerned, now a co-participating party before the Federal Administrative Court) and, in summary, argued that his request for information of December 28, 2018 had been inadequately answered in the letter from the co-participating party dated December 31, 2018 and that a copy of the personal data had not been provided.
2. At the request of the authority concerned, the co-participating party submitted a statement on March 18, 2019 in which it was stated (as far as relevant to the proceedings) that the information provided clearly presented all the data kept by the complainant and that a copy did not add any value. Beyond the list, the party involved did not process any data in the form of correspondence. Moreover, the release of all data would violate business secrets, which is a recognized reason for refusing to provide information.
3. With the contested decision of September 11, 2019, the authority concerned rejected the complaint due to a violation of the right to information and due to a violation of information obligations under Art. 14 GDPR (points 1 and 2) and due to a violation of the right to confidentiality due to a violation of the data minimization obligation and due to a violation of the data backup obligations under Art. 25 GDPR (point 3).3. In the contested decision of September 11, 2019, the authority concerned rejected the complaint due to a violation of the right to information and due to a violation of information obligations under Article 14, GDPR (ruling points 1 and 2) and due to a violation of the right to confidentiality due to a violation of the data minimization obligation and due to a violation of the data backup obligations under Article 25, GDPR (ruling point 3).
In summary, the authority concerned justified its decision (as far as relevant to the proceedings) by stating that the information provided gave the complainant complete knowledge of all data stored about him by the co-participating party, since no further correspondence and files or bank statements were held by the co-participating party. If the complainant wanted a copy of the data, he was obviously aiming for printouts or screenshots of data processed by the co-participating party. In doing so, however, he overlooked the fact that an independent right to a copy of the data exists alongside the right to information on the content of the data processed, but the transmission of the copy of the data covers both claims if the data can be inferred from the copy in accordance with the transparency requirement for the data subject. A copy of the data therefore does not mean an exact transcript or a facsimile, but rather the controller has the right to choose how to comply with the request of a data subject, limited by Art. 15 Para. 3 Sentence 3 GDPR, according to which a controller must in any case provide information requested electronically electronically. In its justification, the authority concerned (as far as relevant to the proceedings) summarized that the information provided gave the complainant complete knowledge of all the data stored about him by the co-participating party, since no further correspondence and files or bank statements were held by the co-participating party. If the complainant wants a copy of the data, he is obviously aiming for prints or screenshots of data processed by the other party involved. In doing so, however, he overlooks the fact that an independent right to a copy of the data exists alongside the right to information about the content of the data processed, but the transmission of the copy of the data covers both claims if the data can be deduced from the copy for the data subject in accordance with the transparency requirement. A copy of the data therefore does not mean an exact copy or a facsimile, but rather the controller has the right to choose how to comply with the request of a data subject, limited by Article 15, Paragraph 3, Section 3 of the GDPR, according to which a controller must in any case provide information requested electronically electronically.
4. The complainant lodged an appeal against this decision with the Federal Administrative Court on October 4, 2019, within the deadline. In summary, he argued (as far as relevant to the proceedings) that the authority in question would misinterpret the GDPR if it claimed that the controller had a right to choose how to comply with the request of a data subject and that a copy of the data was not an exact transcript or a facsimile. It is true that the literature assumes that if the data can be inferred from the copy in accordance with the transparency requirement for the data subject, both the right to a copy of the data and the right to information on the content are covered. However, the reverse conclusion cannot be drawn from this that the right to a copy of the data is also covered by information on the content. To the extent that the co-participating party objects that the release of a copy would violate trade secrets, since a copy of data from the relational database would inevitably also reflect the logical and mathematical links between the individual data sets, the answer to this is that if such a blanket statement were sufficient to refuse a copy of the data, this right would de facto be obsolete, since in practice data is usually stored in a relational database. Rather, the co-participating party would have to provide a comprehensible reason for the data subject, the data protection authority and the reviewing courts as to why this information in particular constitutes a trade secret. However, the co-participating party did not provide such a comprehensible reason. In addition, the logical and mathematical links between the data constitute information that could be of importance for assessing the legality of the processing. Thus, in addition to providing information on the content, the co-participating party should also have provided a copy of the data. However, this was not done.
5. In a letter dated October 14, 2019, the authority concerned submitted the complaint and the administrative act to the Federal Administrative Court for a decision and issued a statement in which it stated (as far as relevant to the proceedings) that the complainant assumed, without any justification in the literature, that he was entitled to a copy in the form of a facsimile. Neither the text of the regulation, the recitals nor the literature support this view. Rather, the authority concerned assumed that, in principle, information about one's own data under data protection law was a procedural right accompanying the verification of whether data was being processed in accordance with the law. In this sense, the ECJ also ruled that the right to information serves to prepare the correction, deletion or blocking of data. Accordingly, the "interest" of the complainant, regardless of what can be asserted in the right to information, is normatively limited. This also shows that a facsimile is not the subject of the right to information. With regard to the argument that a responsible party cannot waive the right to information on the grounds that he has business secrets, it should be noted that the complainant is again concerned with the release of a facsimile. However, this reason, which was used by the co-participating party in the original proceedings to refuse this, was not used by the authority concerned to justify the decision. For this reason alone, it is not clear to what extent this is a procedurally relevant argument at all.
6. In a letter dated April 14, 2021, the Federal Administrative Court granted the complainant, the co-participating party and the authority concerned the right to be heard and the opportunity to comment.
7. The parties subsequently each submitted a statement in which they essentially repeated their previous arguments. The co-participating party added that additional information had been provided in a letter dated May 5, 2021 and the request had thus been fully met.
8. By partial decision of August 9, 2021, reference number W211 XXXX, the Federal Administrative Court ruled on the points of complaint concerning the provision of information on the origin of the data, the storage period and the purposes of processing as well as concerning the alleged violation of information obligations pursuant to Art. 14 GDPR, concerning the alleged violation of the right to confidentiality pursuant to Section 1 DSG and the alleged violation of the data minimization obligation pursuant to Art. 5 GDPR and the data backup obligations pursuant to Art. 25 GDPR, as follows:8. With a partial ruling dated August 9, 2021, No. W211 Roman 40, the Federal Administrative Court ruled as follows on the points of complaint concerning the provision of information on the origin of the data, the storage period and the purposes of processing, as well as on the alleged violation of information obligations pursuant to Article 14, GDPR, concerning the alleged violation of the right to confidentiality pursuant to paragraph one, DSG and the alleged violation of the data minimization obligation pursuant to Article 5, GDPR and the data backup obligations pursuant to Article 25, GDPR:
"A)
I.Roman one.
1. The complaint against point 1 is partially upheld and it is determined that the co-participating party violated the complainant's right to information by providing inadequate information within the meaning of Art. 15 Para. 1 lit. d GDPR regarding the planned duration for which the personal data will be stored or the criteria for determining this duration.1. The complaint against point 1 is partially upheld and it is determined that the co-participating party has violated the complainant's right to information by providing insufficient information within the meaning of Article 15, paragraph one, letter d, GDPR regarding the planned duration for which the personal data will be stored or the criteria for determining this duration.
2. The co-participating party is instructed to provide information regarding the storage period in accordance with Art. 15 GDPR within a period of two weeks, otherwise execution will be carried out.2. The co-participating party is instructed to provide information regarding the storage period in accordance with Article 15 GDPR within a period of two weeks, otherwise execution will be carried out.
3. The complaint against point 1 is rejected with regard to the points of complaint regarding the provision of information about the origin of the data and the purposes of processing.
II. The complaint against ruling point 2 is upheld and it is determined that the party involved has violated its duty to provide information under Art. 14 paragraph 1 letter e of the GDPR.3. The complaint against ruling point 1 is rejected with regard to the points of complaint concerning the provision of information about the origin of the data and the purposes of processing.
II. The complaint against ruling point 2 is upheld and it is determined that the party involved has violated its duty to provide information under Article 14 paragraph 1 letter e of the GDPR.
III.Roman III.
1. The complaint against ruling point 3 is upheld with regard to the alleged violations of the data minimization obligation under Art. 5 of the GDPR and the data backup obligations under Art. 25 of the GDPR and the contested decision is corrected without replacement in this regard.1. The appeal against point 3 is upheld with regard to the alleged violations of the data minimization obligation under Article 5, GDPR and the data backup obligations under Article 25, GDPR, and the contested decision is repealed without replacement in this regard.
2. The appeal against point 3 is dismissed with regard to the rejection of the data protection complaint due to an alleged violation of the right to confidentiality.
B)
The appeal is admissible pursuant to Article 133, Paragraph 4, B-VG. "The appeal is admissible pursuant to Article 133, Paragraph 4, B-VG."
9. By decision of August 9, 2021, Ref. W211 XXXX, the Federal Administrative Court referred the following questions on the appeal relating to the provision of a copy of the personal data pursuant to Article 15, Paragraph 3, GDPR to the Court of Justice of the European Union for a preliminary ruling under Article 267 TFEU:9. By decision of August 9, 2021, Zl. W211 roman 40, the Federal Administrative Court referred the following questions to the Court of Justice of the European Union for a preliminary ruling on the complaint regarding the provision of a copy of the personal data pursuant to Article 15, paragraph 3, GDPR pursuant to Article 267, TFEU:
1. Is the term "copy" in Article 15, paragraph 3 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, OJ L 119/1 of May 4, 2016, p. 1; hereinafter: "GDPR") to be interpreted as meaning a photocopy or facsimile or electronic copy of an (electronic) date, or does the According to the definition of German, French and English dictionaries, does the term also include a "copy", a "double" ("duplicata") or a "transcript"? 1. Is the term "copy" in Article 15, paragraph 3, of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, OJ L 119/1 of 4 May 2016, Session 1; hereinafter: "GDPR") to be interpreted as meaning a photocopy or facsimile or an electronic copy of an (electronic) date, or does the term also include a "copy", a "double" ("duplicata") or a "transcript"?
2. Is Article 15(3) sentence 1 of the GDPR, according to which “the controller shall provide a copy of the personal data undergoing processing”, to be interpreted as meaning that it contains a general legal right of a data subject to be provided with a copy – even – of entire documents in which the data subject’s personal data are processed, or to be provided with a copy of a database extract if the personal data are processed in such a database, or does it – only – give the data subject a legal right to a faithful reproduction of the personal data to be disclosed in accordance with Article 15(1) of the GDPR?2. Is Article 15, Paragraph 3, Sentence 1 of the GDPR, according to which "the controller shall provide a copy of the personal data undergoing processing", to be interpreted as meaning that it contains a general legal right of a data subject to be provided with a copy - even - of entire documents in which the personal data of the data subject are processed, or to be provided with a copy of a database extract if the personal data are processed in such a database, or does it - only - constitute a legal right for the data subject to be provided with a faithful reproduction of the personal data to be disclosed in accordance with Article 15, Paragraph 1 of the GDPR?
3. In the event that question 2 is answered to the effect that the data subject only has a legal right to a faithful reproduction of the personal data to be disclosed in accordance with Article 15 (1) GDPR, Article 15 (3) sentence 1 GDPR is to be interpreted as meaning that, depending on the type of data processed (for example in relation to the diagnoses, test results, findings or documents in connection with an examination referred to in recital 63 or in relation to an examination within the meaning of the judgment of the Court of Justice of the European Union of 20December 2017, C-434/16, ECLI:EU:C:2017:994) and the transparency requirement in Art. 12 Para. 1 GDPR may nevertheless be necessary in individual cases to make text passages or entire documents available to the data subject?3. In the event that question 2 is answered to the effect that the data subject only has a legal right to a faithful reproduction of the personal data to be disclosed in accordance with Article 15, paragraph 1, GDPR, is Article 15, paragraph 3, sentence 1 GDPR to be interpreted as meaning that, due to the type of data processed (for example in relation to the diagnoses, test results, findings or documents in connection with an examination referred to in recital 63, as defined by the judgment of the Court of Justice of the European Union of 20 December 2017, C-434/16, ECLI:EU:C:2017:994) and the transparency requirement in Article 12, paragraph 1, GDPR, it may nevertheless be necessary in individual cases to make text passages or entire documents available to the data subject?
4. Is the term “information” which, according to Article 15, Paragraph 3, Sentence 3 of the GDPR, must be made available to the data subject “in a common electronic format” when he or she submits the request electronically, “unless he or she indicates otherwise”, to be interpreted as meaning only the “personal data that are subject to processing” referred to in Article 15, Paragraph 3, Sentence 1?4. Is the term “information” which, according to Article 15, Paragraph 3, Sentence 3 of the GDPR, must be made available to the data subject “in a common electronic format” when he or she submits the request electronically, “unless he or she indicates otherwise”, to be interpreted as meaning only the “personal data that are subject to processing” referred to in Article 15, Paragraph 3, Sentence 1?
a) If question 4 is answered in the negative: Is the term “information” which, according to Article 15 paragraph 3 sentence 3 GDPR, must be made available to the data subject “in a common electronic format” when they submit their application electronically, “unless they indicate otherwise”, to be interpreted as also including the information in accordance with Article 15 paragraph 1 letters a) to h) of the GDPR?a) If question 4 is answered in the negative: Is the term “information” which, according to Article 15 paragraph 3 sentence 3 GDPR, must be made available to the data subject “in a common electronic format” when they submit their application electronically, “unless they indicate otherwise”, to be interpreted as also including the information in accordance with Article 15 paragraph one letters a) to h) of the GDPR?
b) If question 4.a. is answered in the negative: Is the term “information” which, according to Article 15, Paragraph 3, Sentence 3 of the GDPR, must be made available to the data subject “in a common electronic format” when he or she submits the application electronically, “unless he or she indicates otherwise”, to be interpreted as meaning, for example, the “personal data that are the subject of the processing” and the information specified in Article 15, Paragraph 1, Letters a) – h) of the GDPR, and the associated metadata?b) If question 4.a. is also answered in the negative: Is the term “information” which, according to Article 15, Paragraph 3, Sentence 3 of the GDPR, must be made available to the data subject “in a common electronic format” when he or she submits the application electronically, “unless he or she indicates otherwise”, to be interpreted as meaning, for example, the “personal data that are the subject of the processing” and the information specified in Article 15, Paragraph 1, Letters a) – h) of the GDPR, and the associated metadata?
10. The authority concerned and the other party involved each filed an ordinary appeal against the partial decision of August 9, 2021 with the Administrative Court.
11. Based on the order of the Business Allocation Committee of March 23, 2022, the case in question was assigned to the now responsible court division W214, where it was received on April 1, 2022.
12. In its judgment of May 4, 2023, No. C-487/21, the ECJ rightly ruled on the questions reproduced above:
1. Article 15, paragraph 3, sentence 1 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) is to be interpreted as meaning that the right to receive a copy of the personal data being processed from the controller means that the data subject is provided with a faithful and intelligible reproduction of all of this data. This right presupposes the right to receive a copy of extracts from documents or even entire documents or extracts from databases which, among other things, containing those data, where the provision of such a copy is essential to enable the data subject to effectively exercise the rights conferred on him or her by this Regulation, while taking into account the rights and freedoms of others.1. The first sentence of Article 15(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) is to be interpreted as meaning that the right to obtain from the controller a copy of the personal data undergoing processing means that the data subject is provided with a faithful and intelligible reproduction of all those data. This right presupposes the right to obtain a copy of extracts from documents or even of entire documents or extracts from databases containing, inter alia, containing those data, if the provision of such a copy is essential to enable the data subject to effectively exercise the rights conferred on him or her by this Regulation, taking into account the rights and freedoms of others.
2. Article 15(3), third sentence, of Regulation 2016/679 is to be interpreted as meaning that the term "information" used within the meaning of that provision refers exclusively to personal data of which the controller must provide a copy in accordance with the first sentence of that paragraph.2. Article 15(3), third sentence, of Regulation 2016/679 is to be interpreted as meaning that the term "information" used within the meaning of that provision refers exclusively to personal data of which the controller must provide a copy in accordance with the first sentence of that paragraph.
13. The co-participating party submitted a statement on June 16, 2023, stating that the complainant was not entitled to the copies of documents or database extracts he had requested. The co-participating party does not store the credit reports submitted in the past concerning the complainant in the form of a document and can therefore also provide a copy of such a (non-existent) document. With regard to a database extract, it should be noted that it is impossible to identify the data of an individual data subject in the "true to original" and thus proprietary data format. The co-participating party is only able to create structured data based on the data stored in the proprietary data format using the software provided for this purpose (Microsoft SQL Server). The co-participating party has already done exactly this and provided this data in the information. Any further "true to original" reproduction of the data in its proprietary data format is simply impossible. The data would also probably not be readable by the complainant in its original (proprietary) data format. For the sake of completeness, it should be noted that the right to receive a copy of the data could in no way include disclosure of the relational database model, because this is a trade secret that is exempt from Art. 15 GDPR.13. The co-participating party submitted a statement on June 16, 2023 and stated that the complainant was not entitled to the copies of documents or database extracts he requested. The co-participating party does not store the credit reports submitted in the past concerning the complainant in the form of a document and can therefore also provide a copy of such a (non-existent) document. With regard to a database extract, it should be noted that it is impossible to identify the data of an individual data subject in the "true to original" and thus proprietary data format. The party involved is only able to create structured data based on the data stored in the proprietary data format using the software provided for this purpose (Microsoft SQL Server). The party involved has already done exactly this and provided this data in the information. Any further "true-to-original" reproduction of the data in its proprietary data format is simply impossible. In fact, the data would probably not be readable by the complainant in its true-to-original (proprietary) data format. For the sake of completeness, it should be noted that the right to receive a copy of the data cannot under any circumstances include disclosure of the relational database model, because this is a trade secret that is exempt ex lege from Article 15 of the GDPR.
Furthermore, the complainant was also given additional information in a letter dated June 16, 2023.
14. On June 19, 2023, an oral hearing took place before the Federal Administrative Court, in which the managing director of the co-participating party was heard as a witness.
The co-participating party was instructed by the Federal Administrative Court to report within 14 days which of the complainant's data (in the archive and outside the archive), including empty text fields, are being processed (broken down into stored and "otherwise processed" data).
15. In a statement dated July 10, 2023, the co-participating party stated that it had manually created a document in which all of the complainant's stored, ad hoc calculated or currently not processed data ("free text fields") were listed. The delivery of data goes beyond Article 15 (3) GDPR, and according to the case law of the ECJ, the right to a copy of the data only exists if and to the extent that a copy is essential to enable the person concerned to exercise his rights. The data delivery that has now taken place has no added value for the complainant compared to the data copies already sent to him, which already contain all the information essential for the complainant and the exercise of his rights. The formula for determining credit scores is a trade secret of the party involved, which is also recognized by the authority concerned. Insofar as the party involved stores interim results of the calculation of a score value of the complainant, these are also trade secrets that are ex lege exempt from the right under Article 15 GDPR. The right to a copy of the data in accordance with Article 15 (3) GDPR is more than fulfilled, which is why the discontinuance of the proceedings is requested in accordance with Section 24 (6) DSG. 15. In a statement dated July 10, 2023, the co-participating party stated that it had manually created a document in which all of the complainant's stored, ad hoc calculated or currently unprocessed data ("free text fields") were listed. The delivery of data goes beyond Article 15, paragraph 3, GDPR, and according to the case law of the ECJ, the right to a copy of data only exists if and to the extent that a copy is essential to enable the person concerned to exercise his rights. The data delivery that has now taken place has no added value for the complainant compared to the data copies already sent to him, which already contain all of the information essential for the complainant and the exercise of his rights. The formula for determining credit scores is a trade secret of the co-participating party, which the authority concerned also recognizes. Insofar as the party involved stores interim results of the calculation of a score value of the complainant, these are also trade secrets that are ex lege exempt from the right under Article 15, GDPR. The right to a copy of the data in accordance with Article 15, Paragraph 3, GDPR is more than fulfilled, which is why the discontinuation of the proceedings is requested in accordance with Paragraph 24, Paragraph 6, DSG.
The statement was accompanied by a manual list of the complainant's stored, ad hoc calculated or unprocessed data ("free text fields"). The statement also provided general information on determining the credit scores in the bands XXXX and XXXX, including the parameters used. The statement was accompanied by a manual list of the complainant's stored, ad hoc calculated or unprocessed data ("free text fields"). The statement also provided general information on determining the credit scores in the bands Roman 40 and Roman 40, including the parameters used.
16. The complainant replied to the co-participating party's statement in a written submission dated August 8, 2023, to the effect that the co-participating party was making an inadmissible reinterpretation of the ECJ's case law, and that the wording of "indispensability for the exercise of rights" only clarified why a "copy of extracts from documents or even of entire documents or even of extracts from databases containing, among other things, this data" was necessary in order to effectively implement the fundamental right to information. The ECJ did not state a single word about an additional condition for the exercise of the right to information guaranteed by the fundamental right in Article 8 (2), sentence 2 of the Charter. A complete copy of the data was still being withheld by the co-participating party, which was also shown by the fact that the manual list of the complainant's data that had now been submitted once again revealed information that the co-participating party had not previously disclosed. The party involved had once again not reproduced the data faithfully, but only made an aggregated list of the data processed, although the ECJ had rejected precisely this interpretation of Art. 15 (3) GDPR. In addition to the reduced tabular presentation, the list submitted still lacks several pieces of data or information required for contextualization, such as which scores were assigned to the individual characteristics included in the respective overall score. Copies of the specific credit reports that the party involved had provided to the respective customers were also missing. These were also not trade secrets, as such could only exist in relation to the specific calculation logic itself (the scoring algorithm). In the credit reports, any visible personal data of employees of the data recipients could be blacked out. An application is therefore made to establish the breach of the obligation to provide information and to instruct the co-participating party to provide the complainant within two weeks with a complete copy of the data concerning him processed by the co-participating party, which includes in particular database extracts and screenshots of the processed data, the credit scores assigned to the individual processed data points that were included in the complainant's credit assessments and their weighting for these credit assessments and all credit reports stored in the co-participating party's archive that were made available to the co-participating party's customers. 16. The complainant replied to the co-participating party's statement in a written submission dated August 8, 2023, to the effect that the co-participating party was making an inadmissible reinterpretation of the ECJ's case law, and that the wording of "indispensability for the exercise of rights" only clarified why a "copy of extracts from documents or even of entire documents or even of extracts from databases containing, among other things, this data" was necessary in order to effectively implement the fundamental right to information. The ECJ did not state a single word about an additional condition for the exercise of the right to information guaranteed by the fundamental right in Article 8 (2), sentence 2 of the Charter. A complete copy of the data was still being withheld by the co-participating party, which was also shown by the fact that the manual list of the complainant's data that had now been submitted once again revealed information that the co-participating party had not previously disclosed. The party involved had once again not reproduced the data faithfully, but only made an aggregated list of the data processed, even though the ECJ had rejected precisely this interpretation of Article 15, Paragraph 3, GDPR. In addition to the reduced tabular presentation, the list provided still lacks several pieces of data or information required for contextualization, such as which scores were assigned to the individual characteristics included in the respective overall score. Copies of the specific credit reports that the party involved had provided to the respective customers were also missing. These were also not trade secrets, as such could only exist in relation to the specific calculation logic itself (the scoring algorithm). In the credit reports, any visible personal data of employees of the data recipients could be blacked out. An application is therefore made to establish the breach of the obligation to provide information and to instruct the co-participating party to provide the complainant within two weeks with a complete copy of the data concerning him processed by the co-participating party, which includes in particular database extracts and screenshots of the processed data, the credit scores assigned to the individual processed data points that were included in the complainant's credit assessments and their weighting for these credit assessments and all credit reports stored in the co-participating party's archive that were made available to the co-participating party's customers.
17. By letter dated August 14, 2023, the Federal Administrative Court sent the complainant's statement to the co-participating party and asked it additional questions.
18. In a statement dated September 6, 2023, the co-participating party stated that it was not possible for it to identify or provide information about the complainant's data records in a format that is true to the original, since the co-participating party's entire database is stored using Microsoft SQL Server in specific files whose format has been defined by Microsoft and is known only to Microsoft. This (true to the original) proprietary data format can only be read using Microsoft SQL Server, which, however, does not reproduce the data in the format that is true to the original.The true-to-original format, like any data format, consists of a sequence of binary values (0 and 1). In concrete terms, the entire XXXX database is stored in several such files with an average size of 67 gigabytes. Each such file therefore contains millions of data records of different data subjects. Due to a lack of knowledge of the proprietary data format in which the data subjects' data is stored, the party involved is therefore unable to identify the specific data records of the complainant in these files. The case in question is comparable to a group photo of several people that is stored in a file using a proprietary, i.e. publicly unknown, data format. Even if a company has software that can display such a file, it would still be impossible for the company to identify those binary sequences (i.e. data in the true-to-original format) in the file that are responsible for the representation of the middle person, for example. The party involved processes all information on data subjects in a relational database system. A database extract consists of the representation of the data in the form of tables that are related to one another, which is why a database extract inevitably also reveals the database design. Similar to the source code of complex software, a database design is a technical creation, but due to the almost infinite possibilities of the specific design in its specific form, it is protected by copyright. The database design of the database is known only to the party involved, is kept strictly secret by it and gives it a decisive competitive advantage over market competitors. In particular, it was designed in such a way that, on the one hand, it avoids redundant storage of data as far as possible, and on the other hand, it maximizes the performance of the database system. The database design therefore also has considerable commercial value for the party involved, and the disclosure of database extracts would violate this trade secret, which is why there can be no obligation to disclose according to Section 4 Paragraph 6 of the Data Protection Act. The score formula also represents a trade secret; if the co-participating party were to disclose the partial scores, it would inevitably be possible to draw conclusions about the score formula from them. 18. In a statement dated September 6, 2023, the co-participating party stated that it was not possible for it to identify or provide information about the complainant's data records in a true-to-original format because the co-participating party's entire database was stored using Microsoft SQL Server in specific files whose format was defined by Microsoft and was known only to Microsoft. This (true-to-original) proprietary data format could only be read using Microsoft SQL Server, which, however, did not reproduce the data in the true-to-original format. The true-to-original format, like any data format, consists of a sequence of binary values (0 and 1). In concrete terms, the entire Roman 40 database is stored in several such files with an average size of 67 gigabytes. Each such file therefore contains millions of data records of different data subjects. Due to a lack of knowledge of the proprietary data format in which the data subjects' data is stored, the party involved is therefore unable to identify the specific data records of the complainant in these files. The case in question is comparable to a group photo of several people that is stored in a file using a proprietary, i.e. publicly unknown, data format. Even if a company has software that can display such a file, it would still be impossible for the company to identify those binary sequences (i.e. data in the original format) in the file that are responsible for the representation of, for example, the middle person. The party involved processes all information on data subjects in a relational database system. A database extract consists of the representation of the data in the form of tables that are related to one another, which is why a database extract inevitably also reveals the database design. Similar to the source code of complex software, a database design is a technical creation, but due to the almost infinite possibilities of the specific design in its specific form, it enjoys copyright protection. The database design of the database is known only to the party involved, is kept strictly secret by it and gives it a decisive competitive advantage over competitors. In particular, it was designed in such a way that, on the one hand, it avoids redundant storage of data as far as possible, and on the other hand, it maximizes the performance of the database system. The database design therefore also has considerable commercial value for the party involved, and the disclosure of database extracts would violate this trade secret, which is why there can be no obligation to disclose according to paragraph 4, paragraph 6, DSG. The score formula also represents a trade secret; if the party involved were to disclose the partial scores, it would inevitably be possible to draw conclusions about the score formula.
19. In a statement dated October 9, 2023, the complainant argued that the co-participating party was distorting the concept of "true-to-original format." Every electronic file is ultimately processed as a binary sequence, which is why software is always needed to convert this binary sequence into a format that humans can understand. In terms of data protection law, for example, a photo is provided "true-to-original" as a data copy within the meaning of Article 15 (3) GDPR if it has a file format that can be read in an image viewing program, but not if it is sent to the data subject as a binary sequence. In addition, the comparison of the processing situation in question with a group photo attempted by the co-participating party is massively flawed and deliberately misleading. The purpose of a relational database is precisely to present data in a structured, linked and searchable manner - individual tables are brought into relation with one another. In the case of the credit rating database operated by the party involved, the aim is to use a specific processing logic to find the relevant data records for a specific person and to use the content of selected data fields to calculate a numerical credit rating according to a specific mathematical formula. Unlike photos, relational databases would at least allow an extract of certain information stored in this database using simple means. Whether the Microsoft SQL server of the party involved uses a Microsoft proprietary format internally is completely irrelevant: After all, there are Microsoft applications and export options to export data processed in this way true to the original. The export could be a CSV file that could be opened with the common Microsoft Excel program or any text editor, for example, which corresponds to the "easily accessible form" within the meaning of Article 12 (1) GDPR. In order to only output those data records that relate to the complainant during the export, a so-called "WHERE condition" can be used on SQL servers, which can be used to specifically specify and restrict which data records are exported. The party involved would have to be aware of the corresponding WHERE conditions, as otherwise it would not be able to provide its customers with the appropriate data as part of a credit check. Contrary to what the party involved claims, such a database extract would not reveal the database design. In particular, the data types (e.g. text or number) of the attributes used (= table fields), any constraints (= restrictions on the table fields), indexes (= search optimizations), referential integrity (= mandatory links to data fields), etc. would not have to be disclosed. The participating party would only have to explain the names of attributes and tables in a comprehensible manner, although these themselves cannot usually enjoy protection as a trade secret because they are usually trivial terms (e.g. first name, last name, etc.). A database extract, i.e. an export using a WHERE condition relating only to the complainant, is therefore not the same as a database work as such and does not enjoy copyright protection. Even if a trade secret exists, only those parts that actually contain trade secrets or whose provision would lead to an impairment of such secrets may be excluded from the database extract to be provided. As a result, there are neither technical nor legal reasons that prevent information from being provided in the original format in the form of database extracts. In addition to database extracts, screenshots are still missing to prove their completeness, as well as the specific credit reports on the complainant that the participating party has provided to its customers and which must be stored in accordance with Section 152 of the Trade Code. The co-participating party claims that it would necessarily be possible to draw conclusions about the scoring formula from the disclosure of partial scores.This claim is not substantiated. Even if partial conclusions about the score formula could be drawn from the partial scores, this would not automatically entail disclosure of the score formula itself. Meaningful information about the logic, scope and effects of the score formula used by XXXX in accordance with Article 15(1)(h) GDPR is no longer the subject of the present proceedings. The question of the specific calculation of a person's credit score is not relevant to the question of releasing the "second level" of the database of the co-participating party.19. In a statement dated October 9, 2023, the complainant argued that the co-participating party was distorting the concept of "true-to-original format." Every electronic file is ultimately processed as a binary sequence, which is why software is always needed to convert this binary sequence into a format that humans can understand. In terms of data protection law, a photo is provided as a “true to original” data copy within the meaning of Article 15 (3) GDPR if it has a file format that can be read in an image viewing program, but not if it is sent to the person concerned as a binary sequence. In addition, the comparison of the processing situation in question with a group photo attempted by the party involved is massively flawed and deliberately misleading. The purpose of a relational database is precisely to present data in a structured, linked and searchable manner - individual tables are brought into relation with one another. In the case of the creditworthiness database operated by the party involved, the aim is to find the relevant data records for a specific person using a specific processing logic and to use the content of selected data fields to calculate a numerical creditworthiness score according to a specific mathematical formula. Unlike photos, relational databases would at least allow an extract of certain information stored in this database using simple means. Whether the Microsoft SQL server of the co-participating party uses a Microsoft proprietary format internally is completely irrelevant: After all, Microsoft applications and export options exist to export data processed in this way in a true-to-original manner. A CSV file can be output as an export, which can be opened, for example, with the common Microsoft Excel program or any text editor, which corresponds to the "easily accessible form" within the meaning of Article 12 (1) GDPR. In order to output only those data records that relate to the complainant during the export, a so-called "WHERE condition" can be used with SQL servers, which can be used to specifically specify and restrict which data records are exported. The co-participating party must be aware of the corresponding WHERE conditions, otherwise it would not be able to provide its customers with the appropriate data as part of a credit check. Contrary to what the co-participating party claims, such a database extract would not reveal the database design. In particular, the data types (e.g. text or number) of the attributes used (=table fields), any constraints (=restrictions on the table fields), indexes (=search optimizations), referential integrity (=mandatory links to data fields), etc. would not have to be disclosed. The party involved would only have to explain the names of attributes and tables in an understandable manner, although these themselves cannot usually enjoy protection as trade secrets because they are usually trivial names (e.g. first name, last name, etc.). A database extract, i.e. an export using a WHERE condition only relating to the complainant, is therefore not the same as a database work as such and does not enjoy copyright protection. Even if a trade secret exists, only those parts of the database extract to be provided may be excluded which actually contain trade secrets or whose provision would lead to an impairment of such secrets. As a result, there are neither technical nor legal reasons that prevent the disclosure in the original format in the form of database extracts. In addition to database extracts, screenshots are still missing to prove their completeness, as well as the specific credit reports on the complainant that the party involved provided to its customers and that must be stored in accordance with Section 152 of the German Trade Regulation Act. The party involved claims that it is inevitably possible to draw conclusions about the score formula from the disclosure of partial scores. This claim is not substantiated. Even if partial conclusions about the score formula are possible based on the partial scores, this does not automatically entail disclosure of the score formula itself. Meaningful information about the logic, scope and effects of the score formula used by roman 40 in accordance with Article 15(1)(h) GDPR is no longer the subject of the present proceedings. The question of the specific calculation of a person's credit score is not relevant to the question of the release of the "second level" of the database of the co-involved party.
II. The Federal Administrative Court considered: Roman II. The Federal Administrative Court considered:
1. Findings:
The procedure described under point I. is the basis for the findings.The procedure described under point Roman one. is the basis for the findings.
1. The co-involved party operates an identity and credit database and operates as a credit agency in accordance with Section 152 of the German Trade Code, which provides information on the solvency of third parties at the request of its customers. For this purpose, it processes or stores information on those affected, such as the complainant, in a relational database system. In this relational database system, data is logically prepared by the Microsoft SQL Server software in such a way that it can be queried via a large number of tables that have defined relationships with one another. The relational database design of the co-participating party consists of XXXX tables and is known only to the co-participating party. In particular, it has been designed to avoid redundant storage of data as far as possible, while at the same time maximizing the performance of the database system. In this database, the co-participating party stores, among other things, the complainant’s master data (name, date of birth, address, gender), recipients of the complainant’s personal data, “overall scores” relating to the complainant’s creditworthiness (XXXX or a range between XXXX) and intermediate results (partial scores) for the credit scores calculated for the complainant, from which the final credit score is calculated.1. The co-participating party operates an identity and creditworthiness database and acts as a credit agency in accordance with Section 152 of the Trade Regulation Act (GewO), which provides information on the solvency of third parties at the request of its customers. For this purpose, it processes and stores information on those affected, including the complainant, in a relational database system. In this relational database system, data is logically prepared by the Microsoft SQL Server software so that it can be queried via a large number of tables that have defined relationships with each other. The relational database design of the co-participating party consists of Roman 40 tables and is known only to the co-participating party. It has been designed in particular to avoid redundant storage of data as far as possible on the one hand, and to maximize the performance of the database system on the other. In this database, the co-participating party stores, among other things, master data of the complainant (name, date of birth, address, gender), recipients of the complainant's personal data, "overall scores" relating to the complainant's creditworthiness (Roman 40 or a range between Roman 40) and intermediate results (partial scores) for the credit scores calculated for the complainant, from which the final credit score is calculated.
2.1. In a letter dated December 28, 2018, the complainant contacted the other party and, with reference to Articles 12, 15, and 26 of the GDPR, requested information regarding the personal data processed about him and a copy of the processed data in a "common technical format". 2.1. In a letter dated December 28, 2018, the complainant contacted the other party and, with reference to Articles 12, 15, and 26 of the GDPR, requested information regarding the personal data processed about him and a copy of the processed data in a "common technical format".
2.2. The co-involved party then provided the complainant with information on the personal data processed (name, date of birth, addresses, business functions) and their origin, recipients of the complainant's identity and credit data (including the credit rating transmitted), as well as general information on the purposes of processing, storage period and criteria for deletion, correspondence with the complainant, automated decision-making and profiling, and the rights of data subjects in a letter dated December 31, 2018.
2.3. In his complaint to the data protection authority dated January 16, 2019, the complainant claimed a violation of the right to information pursuant to Art. 14 GDPR and a violation of the right to information pursuant to Art. 15 GDPR and, in summary, argued that his request for information dated December 28, 2018 had been inadequately answered in the co-involved party's letter dated December 31, 2018 and that a copy of the personal data had not been transmitted.2.3. In his complaint to the data protection authority dated January 16, 2019, the complainant alleged a violation of the right to information pursuant to Article 14, GDPR, as well as a violation of the right to information pursuant to Article 15, GDPR, and argued in summary that his request for information dated December 28, 2018 had been inadequately answered in the letter from the co-participating party dated December 31, 2018, and that a copy of the personal data had not been transmitted.
2.4. In a statement dated March 18, 2019, the party involved provided information on additional data sources.
3. In the contested decision of September 11, 2019, the authority concerned rejected the complaint due to a violation of the right to information and due to a violation of information obligations under Art. 14 GDPR (ruling points 1 and 2) and due to a violation of the right to confidentiality due to a violation of the data minimization obligation and due to a violation of the data backup obligations under Art. 25 GDPR (ruling point 3).3. With the contested decision of September 11, 2019, the authority concerned rejected the complaint due to a violation of the right to information and due to a violation of information obligations under Article 14, GDPR (ruling points 1 and 2) and due to a violation of the right to confidentiality due to a violation of the data minimization obligation and due to a violation of the data backup obligations under Article 25, GDPR (ruling point 3).
4. The complainant lodged a timely complaint against this decision with the Federal Administrative Court on October 4, 2019.
5.1. In a letter dated May 5, 2021, the co-involved party provided the complainant with subsequent or updated information about his personal data (name, date of birth, addresses, business functions) as well as general information about their origin, information on the purposes of processing, storage period or criteria for deletion, correspondence with the complainant, automated decision-making and profiling, and the rights of data subjects. It was also stated that no queries about the identity and/or creditworthiness of the complainant had been made by customers of the co-involved party in the last six months.
5.2. By partial decision of August 9, 2021, reference number W211 XXXX, the Federal Administrative Court ruled on the points of complaint concerning the provision of information on the origin of the data, the storage period and the purposes of processing as well as concerning the alleged violation of information obligations pursuant to Art. 14 GDPR, concerning the alleged violation of the right to confidentiality pursuant to Section 1 DSG and the alleged violation of the data minimization obligation pursuant to Art. 5 GDPR and the data backup obligations pursuant to Art. 25 GDPR, as follows: 5.2. With a partial ruling dated August 9, 2021, No. W211 Roman 40, the Federal Administrative Court ruled as follows on the points of complaint concerning the provision of information on the origin of the data, the storage period and the purposes of processing, as well as on the alleged violation of information obligations pursuant to Article 14, GDPR, concerning the alleged violation of the right to confidentiality pursuant to paragraph one, DSG and the alleged violation of the data minimization obligation pursuant to Article 5, GDPR and the data backup obligations pursuant to Article 25, GDPR:
"A)
I.Roman one.
1. The complaint against point 1 is partially upheld and it is determined that the co-participating party violated the complainant's right to information by providing inadequate information within the meaning of Art. 15 Para. 1 lit. d GDPR regarding the planned duration for which the personal data will be stored or the criteria for determining this duration.1. The complaint against point 1 is partially upheld and it is determined that the co-participating party has violated the complainant's right to information by providing insufficient information within the meaning of Article 15, paragraph one, letter d, GDPR regarding the planned duration for which the personal data will be stored or the criteria for determining this duration.
2. The co-participating party is instructed to provide information regarding the storage period in accordance with Art. 15 GDPR within a period of two weeks, otherwise execution will be carried out.2. The co-participating party is instructed to provide information regarding the storage period in accordance with Article 15 GDPR within a period of two weeks, otherwise execution will be carried out.
3. The complaint against point 1 is rejected with regard to the points of complaint regarding the provision of information about the origin of the data and the purposes of processing.
II. The complaint against ruling point 2 is upheld and it is determined that the party involved has violated its duty to provide information under Art. 14 paragraph 1 letter e of the GDPR.3. The complaint against ruling point 1 is rejected with regard to the points of complaint concerning the provision of information about the origin of the data and the purposes of processing.
II. The complaint against ruling point 2 is upheld and it is determined that the party involved has violated its duty to provide information under Article 14 paragraph 1 letter e of the GDPR.
III.Roman III.
1. The complaint against ruling point 3 is upheld with regard to the alleged violations of the data minimization obligation under Art. 5 of the GDPR and the data backup obligations under Art. 25 of the GDPR and the contested decision is corrected without replacement in this regard.1. The appeal against point 3 is upheld with regard to the alleged violations of the data minimization obligation under Article 5, GDPR and the data backup obligations under Article 25, GDPR, and the contested decision is repealed without replacement.
2. The appeal against point 3 is dismissed with regard to the rejection of the data protection complaint due to an alleged violation of the right to confidentiality.
B)
The appeal is admissible in accordance with Art. 133, Paragraph 4, B-VG. "The appeal is admissible in accordance with Article 133, Paragraph 4, B-VG."
5.3. The authority concerned and the party involved each filed an ordinary appeal against this partial decision of August 9, 2021 with the Administrative Court.
5.4. By decision of August 9, 2021, Ref. W211 XXXX , the Federal Administrative Court referred questions to the ECJ for a preliminary ruling on the complaint regarding the provision of a copy of the personal data pursuant to Art. 15 Para. 3 GDPR under Art. 267 TFEU. 5.4. By decision of August 9, 2021, Ref. W211 Roman 40 , the Federal Administrative Court referred questions to the ECJ for a preliminary ruling on the complaint regarding the provision of a copy of the personal data pursuant to Article 15 Para. 3 GDPR under Article 267 TFEU.
5.5. By judgment of May 4, 2023, Ref. C‑487/21, the ECJ decided on the questions submitted by decision of August 9, 2021.
6.1. In a letter dated June 16, 2023, the co-participating party provided the complainant with subsequent or updated information about his personal data (name, date of birth, addresses, business functions), specific recipients of the complainant's personal data (date of query, name or company of the recipient, company registration number, address, transmitted value, transmitted "Ident Protection" category) as well as general information about their origin, information on the processing purposes, storage period or criteria for deletion, correspondence with the complainant, automated decision-making and profiling as well as the rights of data subjects.
6.2. In a statement dated July 10, 2023, the co-participating party submitted a manual list of the complainant's stored, ad hoc calculated or unprocessed data ("free text fields") as well as general information on determining the credit scores in the bands XXXX and XXXX including the parameters used. This was also sent to the complainant.6.2. In a statement dated July 10, 2023, the co-participating party submitted a manual list of the complainant's stored, ad hoc calculated or not processed data ("free text fields") as well as general information on determining the credit scores in the Roman 40 and Roman 40 bands, including the parameters used. This was also provided to the complainant.
2. Assessment of evidence:
The findings arise from the administrative act submitted and the court act in question. The co-participating party has credibly demonstrated that in the course of the complaint proceedings it has now disclosed all data stored on the complainant, calculated ad hoc or not processed at the moment ("free text fields") - with the exception of the credit reports or information that is subject to a trade secret of the co-participating party (see points 3.3.2.3. and 3.3.2.4. below) - and that it does not have any other personal data of the complainant. The Federal Administrative Court sees no evidence that the arguments of the other party in this regard do not correspond to the facts. In contrast, the complainant argues that it is unclear whether data or information is still being withheld. Ultimately, however, these are merely general statements and assumptions, which, according to the case law of the Administrative Court, amounts to inadmissible exploratory evidence, which the administrative court is not obliged to accept (cf. VwGH July 19, 2021, Ra 2021/14/0231, VwGH March 18, 2021, Ra 2020/20/0451, each with further references). The findings arise from the administrative act submitted and the court act in question. The co-participating party has credibly demonstrated that in the course of the complaint proceedings it has now disclosed all data on the complainant that has been stored, calculated ad hoc or not yet processed ("free text fields") - with the exception of the credit reports or information that is subject to a trade secret of the co-participating party (see points 3.3.2.3. and 3.3.2.4. below) - and that it does not have any other personal data on the complainant. The Federal Administrative Court sees no evidence that the co-participating party's allegations in this regard do not correspond to the facts. In contrast, the complainant argues that it is unclear whether data or information is still being withheld. Ultimately, however, these are merely general statements and assumptions, which, according to the case law of the Administrative Court, amounts to inadmissible exploratory evidence, which the administrative court is not obliged to accept (cf. VwGH 19.07.2021, Ra 2021/14/0231, VwGH 18.03.2021, Ra 2020/20/0451, each with further references).
The facts relevant to the decision are thus established. The involvement of an expert, as requested by the complainant in the oral hearing on June 19, 2023 and in the statement of August 8, 2023, was therefore no longer necessary. Furthermore, in his last statement of October 9, 2023, the complainant himself stated that the matter was to be considered ready for a decision. In this case, only legal questions remained to be clarified.
3. Legal assessment:
3.1. According to Section 6 BVwGG, the Federal Administrative Court decides by single judges, unless federal or state laws provide for a decision by senates. According to Section 27 of the Data Protection Act (DSG) as amended, the Federal Administrative Court decides in proceedings on complaints against decisions due to violation of the obligation to inform in accordance with Section 24 (7) and the obligation of the data protection authority to decide by senates. The Senate consists of a chairman and one expert lay judge from the circle of employers and one from the circle of employees. 3.1. According to Paragraph 6 of the Federal Administrative Court Act (BVwGG), the Federal Administrative Court decides by a single judge, unless federal or state laws provide for decisions by senates. According to Paragraph 27 of the Data Protection Act (DSG) as amended, the Federal Administrative Court decides by senate in proceedings on complaints against decisions due to violation of the duty to inform pursuant to Paragraph 24, Paragraph 7 and the data protection authority's duty to decide. The Senate consists of a chairman and one expert lay judge from the circle of employers and one from the circle of employees.
The procedure of the administrative courts with the exception of the Federal Finance Court is regulated by the VwGVG, Federal Law Gazette I 2013/33 as amended by Federal Law Gazette I 2013/122 (§ 1 leg.cit.). According to Section 58, Paragraph 2 of the Administrative Court Act (VwGVG), conflicting provisions that were already published at the time this federal law came into force remain in force. The procedure of the administrative courts, with the exception of the Federal Finance Court, is regulated by the Administrative Court Act (VwGVG), Federal Law Gazette Roman one 2013/33 in the version of Federal Law Gazette Roman one 2013/122 (Paragraph one, leg.cit.). According to Paragraph 58, Paragraph 2 of the Administrative Court Act (VwGVG), conflicting provisions that were already published at the time this federal law came into force remain in force.
According to Section 17 of the Administrative Court Act, unless otherwise provided for in this federal law, the provisions of the Administrative Court Act, with the exception of Sections 1 to 5 and Part IV, the provisions of the Federal Fiscal Code – BAO, Federal Law Gazette No. 194/1961, the Agricultural Procedure Act – AgrVG, Federal Law Gazette No. 173/1950, and the Civil Service Procedure Act 1984 – DVG, Federal Law Gazette No. 29/1984, and, in addition, those procedural provisions in federal or state laws that the authority applied or should have applied in the proceedings preceding the proceedings before the administrative court, shall apply mutatis mutandis to the proceedings on complaints pursuant to Article 130, Paragraph 1 of the Administrative Court Act.According to Section 17 of the Administrative Court Act, unless otherwise provided for in this federal law, the provisions of the Administrative Court Act, with the exception of Sections 1 to 5 and Part IV, the provisions of the Federal Fiscal Code – BAO, Federal Law Gazette No. 194/1961, the Agricultural Procedure Act – AgrVG, Federal Law Gazette No. 173/1950, and the Civil Service Procedure Act 1984 – DVG, Federal Law Gazette No. 29/1984, and, in addition, those procedural provisions in federal or state laws that the authority applied or should have applied in the proceedings preceding the proceedings before the administrative court, shall apply mutatis mutandis to the proceedings on complaints pursuant to Article 130, Paragraph 1 of the Administrative Court Act. one to 5 and Roman IV, the provisions of the Federal Fiscal Code - BAO, Federal Law Gazette No. 194 of 1961, the Agricultural Procedure Act - AgrVG, Federal Law Gazette No. 173 of 1950, and the Civil Service Procedure Act 1984 - DVG, Federal Law Gazette No. 29 of 1984, and in addition those procedural provisions in federal or state laws that the authority applied or should have applied in the proceedings preceding the proceedings before the administrative court are to be applied mutatis mutandis.
According to Section 28 Paragraph 1 VwGVG, the administrative court must settle the legal matter by decision, unless the appeal is to be rejected or the proceedings are to be discontinued. According to Paragraph 28, Paragraph one, VwGVG, the administrative court must settle the legal matter by decision, unless the appeal is to be rejected or the proceedings are to be discontinued.
According to Section 28 Paragraph 2 VwGVG, the administrative court must decide on the merits of complaints pursuant to Article 130 Paragraph 1 Item 1 B-VG if (1.) the relevant facts are established or (2.) the determination of the relevant facts by the administrative court itself is in the interest of speed or is associated with significant cost savings. According to Paragraph 28, Paragraph 2, VwGVG, the administrative court must decide on the merits of complaints pursuant to Article 130, Paragraph one, Item one, B-VG if (1.) the relevant facts are established or (2.) the determination of the relevant facts by the administrative court itself is in the interest of speed or is associated with significant cost savings.
3.2. Legal situation:
Article 4, paragraphs 1 and 2 of the GDPR read:Article 4, paragraphs one and 2 of the GDPR read:
"Article 4
Definitions
For the purposes of this regulation, the following terms shall apply:
1. "Personal data" means any information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
2. "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Article 12(1) GDPR reads:Article 12, paragraph one, GDPR reads:
"Article 12 GDPR
Transparent information, communication and modalities for exercising the rights of the data subject
"(1) The controller shall take appropriate measures to provide the data subject with all information pursuant to Articles 13 and 14 and all communications pursuant to Articles 15 to 22 and Article 34 relating to the processing in a concise, transparent, intelligible and easily accessible form, using clear and plain language; this applies in particular to information specifically aimed at children. The information is transmitted in writing or in another form, including electronically where appropriate. If requested by the data subject, the information may be provided orally, provided that the identity of the data subject has been proven in another form."
Article 15 GDPR reads: Article 15, GDPR reads:
"Article 15
Right of information of the data subject
(1) The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed; where this is the case, he or she shall have the right to information about those personal data and to the following information:
a) the purposes of the processing;
b) the categories of personal data being processed;
c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning him or her or to object to such processing;
(f) the existence of the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their origin;
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.
(2) Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer in accordance with Article 46.
(3) The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on the administrative costs. Where the data subject makes the request electronically, the information shall be provided in a commonly used electronic format, unless the data subject specifies otherwise.
(4) The right to obtain a copy pursuant to paragraph 3 shall not adversely affect the rights and freedoms of others.”
Recital 63 of the GDPR states:
(63) A data subject should have a right of access to the personal data concerning him or her that have been collected and should be able to exercise this right easily and at reasonable intervals in order to be aware of the processing and to be able to verify its lawfulness. This includes the right of data subjects to access their own health-related data, such as data in their medical records containing information such as diagnoses, test results, findings of the treating physicians and details of treatments or procedures. Every data subject should therefore have the right to know and be informed, in particular, of the purposes for which the personal data are processed and, where possible, the period for which they will be stored, the recipients of the personal data, the logic underlying the automated processing of personal data and the possible consequences of such processing, at least where the processing is based on profiling. Where possible, the controller should be able to provide remote access to a secure system which would allow the data subject direct access to his or her personal data. This right should not adversely affect the rights and freedoms of others, such as trade secrets or intellectual property rights, and in particular copyright in software. However, this should not lead to the data subject being denied any information. Where the controller processes a large amount of information concerning the data subject, it should be able to require the data subject to specify which information or processing operations the request for information relates to before providing the information.
Section 4, paragraph 6 of the DSG reads: Paragraph 4, paragraph 6 of the DSG reads:
"(6) The right of the data subject to information pursuant to Article 15 of the GDPR does not generally exist with respect to a controller, without prejudice to other statutory restrictions, if providing this information would endanger a business or trade secret of the controller or a third party." "(6) The right of the data subject to information pursuant to Article 15 of the GDPR does not generally exist with respect to a controller, without prejudice to other statutory restrictions, if providing this information would endanger a business or trade secret of the controller or a third party."
Section 26b, paragraph 1 of the UWG reads: Paragraph 26 b, paragraph one of the UWG reads:
"(1) A trade secret is information that
1. is secret because it is neither generally known in its entirety nor in the precise arrangement and composition of its components to the persons in the circles that normally deal with this type of information, nor without further accessible,
2. is of commercial value because it is secret, and
3. is subject to appropriate confidentiality measures in the circumstances by the person who exercises lawful control over that information."
3.3. Applied to the present case, this means the following:
3.3.1. On the subject of the proceedings:
First of all, it should be noted that on August 9, 2021, the Federal Administrative Court issued a partial ruling, among other things, on individual points of complaint regarding the provision of information and, by order of the same day, referred questions to the ECJ for a preliminary ruling regarding the provision of a copy of the personal data processed, which the ECJ answered in its judgment of May 4, 2023.
In its judgment of 4 May 2023, No. C-487/21, the ECJ states, among other things, the following:
"21 Even if the GDPR does not contain a definition of the term "copy" as used in this way, the ordinary meaning of this term must be taken into account, which, as the Advocate General stated in point 30 of his Opinion, means faithful reproduction or transcription, so that a purely general description of the data subject to processing or a reference to categories of personal data would not correspond to this definition. Furthermore, it is clear from the wording of the first sentence of Article 15(3) of that regulation that the obligation to notify relates to the personal data that are the subject of the processing in question.21 Even if the GDPR does not contain a definition of the term ‘copy’ as used, account must be taken of the ordinary meaning of that term which, as the Advocate General stated in point 30 of his Opinion, refers to faithful reproduction or transcription, so that a purely general description of the data that are the subject of the processing or a reference to categories of personal data would not correspond to that definition. Furthermore, it is clear from the wording of the first sentence of Article 15(3) of that regulation that the obligation to notify relates to the personal data that are the subject of the processing in question.
[…]
28 It therefore follows from the literal interpretation of Article 15(3), sentence 1, of the GDPR that this provision gives the data subject the right to obtain a faithful reproduction of his or her personal data, in the broad sense, which are the subject of operations that must be classified as processing by the controller.28 It therefore follows from the literal interpretation of Article 15(3), sentence 1, of the GDPR that this provision gives the data subject the right to obtain a faithful reproduction of his or her personal data, in the broad sense, which are the subject of operations that must be classified as processing by the controller.
[…]
31 Article 15(3) of the GDPR sets out the practical modalities for fulfilling the obligation incumbent on the controller by specifying, inter alia, in the first sentence, the form in which the controller must make the “personal data undergoing processing” available, namely in the form of a “copy”. Furthermore, the third sentence of this paragraph states that the information must be provided in a commonly used electronic format where the data subject makes the request electronically, unless he or she indicates otherwise.31 Article 15(3) of the GDPR sets out the practical arrangements for fulfilling the obligation incumbent on the controller by specifying, inter alia, in the first sentence, the form in which that controller must make the “personal data undergoing processing” available, namely in the form of a “copy”. Furthermore, the third sentence of this paragraph states that the information must be provided in a commonly used electronic format where the data subject makes the request electronically, unless he or she indicates otherwise.
32 Therefore, Article 15 of the GDPR cannot be interpreted as granting a right other than that provided for in the first sentence of paragraph 3. Furthermore, as the European Commission has stressed in its written observations, the term ‘copy’ does not refer to a document as such, but to the personal data it contains, which must be complete. The copy must therefore contain all the personal data that are the subject of the processing.32 Therefore, Article 15 of the GDPR cannot be interpreted as granting a right other than that provided for in paragraph 1. Furthermore, as the European Commission has stressed in its written observations, the term ‘copy’ does not refer to a document as such, but to the personal data it contains, which must be complete. The copy must therefore contain all the personal data that are the subject of the processing.
33 As regards the objectives pursued by Article 15 of the GDPR, it should be noted that, as is clear from its eleventh recital, the purpose of the GDPR is to strengthen and define precisely the rights of data subjects. Unlike Article 12(a), second indent, of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31), which merely requires ‘communication in an intelligible form of the data undergoing processing’, Article 15 of that regulation provides for a right to obtain a copy. Recital 63 of the GDPR again states: ‘[A] data subject should have a right of access to the personal data concerning him or her which have been collected and should be able to exercise that right easily and at reasonable intervals, in order to be aware of the processing and to verify its lawfulness.’33 As regards the objectives pursued by Article 15 of the GDPR, it should be noted that, as is clear from its 11th recital, the GDPR aims to strengthen and define precisely the rights of data subjects. Unlike Article 12(a), second indent, of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995, L 281, session 31), which merely requires ‘communication in an intelligible form of the data undergoing processing’, Article 15 of this Regulation provides for a right to obtain a copy. Recital 63 of the GDPR again makes it clear: “[A] data subject should have a right of access to the personal data concerning him or her that have been collected and be able to exercise that right easily and at reasonable intervals in order to be aware of the processing and to be able to verify its lawfulness.”
34 Thus, by exercising the right of access provided for in Article 15 of the GDPR, the data subject must not only be able to check whether the data concerning him or her are accurate, but also whether they are being processed lawfully (see, to that effect, judgment of 12 January 2023, Österreichische Post (Information on the recipients of personal data), C-154/21, EU:C:2023:3, paragraph 37 and the case-law cited therein).34 Thus, by exercising the right of access provided for in Article 15 of the GDPR, the data subject must not only be able to check whether the data concerning him or her are accurate, but also whether they are being processed lawfully see, to that effect, judgment of 12 January 2023, Österreichische Post (Information on recipients of personal data), C-154/21, EU:C:2023:3, paragraph 37 and the case-law cited therein).
[…]
38 As the Advocate General stated in points 54 and 55 of his Opinion, it follows from that provision that the controller must take appropriate measures to provide the data subject with all the information referred to, inter alia, in Article 15 of the GDPR in a concise, transparent, intelligible and easily accessible form, using clear and plain language, and that the information must be provided in writing or in another form, including, where appropriate, electronically, unless the data subject requests that it be provided orally. This provision, which is an expression of the principle of transparency, is intended to ensure that the data subject is in a position to fully understand the information addressed to him or her.38 As the Advocate General stated in points 54 and 55 of his Opinion, it follows from this provision that the controller must take appropriate measures to provide the data subject with all the information referred to, inter alia, in Article 15 of the GDPR in a concise, transparent, intelligible and easily accessible form, using clear and plain language, and that the information must be provided in writing or by another means, including, where appropriate, electronically, unless the data subject requests that it be provided orally. This provision, which is an expression of the principle of transparency, is intended to ensure that the data subject is in a position to fully understand the information addressed to him or her.
39 It follows that the copy of the personal data being processed that the controller must provide in accordance with Article 15(3) sentence 1 of the GDPR must have all the features that enable the data subject to effectively exercise his or her rights under this Regulation and must therefore reproduce those data completely and faithfully.39 It follows that the copy of the personal data being processed that the controller must provide in accordance with Article 15(3) sentence 1 of the GDPR must have all the features that enable the data subject to effectively exercise his or her rights under this Regulation and must therefore reproduce those data completely and faithfully.
[…]
41 In order to ensure that the information thus provided is easily understandable, as required by Article 12(1) of the GDPR, read in conjunction with recital 58, the GDPR, the reproduction of extracts from documents, or even entire documents, or even extracts from databases containing, inter alia, personal data that are the subject of the processing, may prove indispensable, as the Advocate General has stated in points 57 and 58 of his Opinion, where contextualisation of the data processed is necessary to ensure that they are intelligible.41 In order to ensure that the information thus provided is easily understandable, as required by Article 12(1) of the GDPR, read in conjunction with recital 58, the GDPR, the reproduction of extracts from documents, or even entire documents, or even extracts from databases containing, inter alia, personal data that are the subject of the processing, may prove indispensable, as the Advocate General has stated in points 57 and 58 of his Opinion, personal data which are the subject of the processing, may prove essential where contextualisation of the data being processed is necessary to ensure that they are intelligible.
42 In particular, where personal data are generated from other data or where they are based on blank fields, that is to say, on the absence of information which provides information on the data subject, the context in which those data are processed is essential in order to enable the data subject to receive transparent information and an intelligible presentation of those data.
[…]
44 Therefore, as the Advocate General observed in point 61 of his Opinion, where there is a conflict between the exercise of the right to full and comprehensive information on personal data, on the one hand, and the rights or freedoms of other persons, on the other, the rights in question must be balanced against each other. Where possible, the methods of transmitting personal data should be chosen which do not infringe the rights or freedoms of other persons, and these considerations “must not result in the data subject being denied any information”, as stated in Recital 63 of the GDPR.
45 In view of the foregoing, the answer to the first to third questions is that Article 15(3), first sentence, of the GDPR45 In view of the foregoing, the answer to the first to third questions is that Article 15(3), first sentence, of the GDPR
must be interpreted as meaning that
the right to obtain from the controller a copy of the personal data undergoing processing means that the data subject is provided with a faithful and intelligible reproduction of all of those data. This right presupposes the right to obtain a copy of extracts from documents or even of entire documents or extracts from databases which, among other things, containing those data, where the provision of such a copy is essential to enable the data subject to the effective exercise of the rights conferred on him or her by this Regulation, while taking into account the rights and freedoms of others.
53 In view of all of the above, the answer to the fourth question referred is that Article 15(3), third sentence, GDPR
is to be interpreted as meaning that
the term "information" used within the meaning of this provision refers exclusively to personal data of which the controller must provide a copy in accordance with the first sentence of this paragraph."53 In view of all of the above, the answer to the fourth question referred is that Article 15(3), third sentence, GDPR
is to be interpreted as meaning that
the term "information" used within the meaning of this provision refers exclusively to personal data of which the controller must provide a copy in accordance with the first sentence of this paragraph."
Although the ECJ stated that there is no independent "right to a copy" but that this is a matter of modalities for providing information, it is clear from the complainant's request that, with his request for a copy, he also complained about the incompleteness of the information with regard to the data processed concerning him. Since the partial ruling of the Federal Administrative Court already issued only agreed on a few expressly mentioned (additional) elements of the right to information (origin of the data, processing purposes, storage period), part of the proceedings in the present case is still open, especially since the Federal Administrative Court had not yet carried out any further investigations into the completeness of the information (e.g. with regard to the categories of data processed) beyond the partial ruling at the time of the partial ruling or could not have done so. For the sake of completeness, it should be noted that the authority concerned did not carry out any investigations into this either.
Apart from the fact that the (additional) information to be disclosed on the origin of the data, the processing purposes and the planned duration specified in Art. 15 Para. 1 GDPR has already been legally agreed upon and can therefore no longer be agreed upon for the entire complaint, the part of the proceedings now in question concerns the processed data concerning the complainant, which must be disclosed in the form of a copy - at most in contextualized form. This subject matter of the procedure can therefore be separated from the subject matter of the partial decision that has already been issued on a case-by-case basis. Apart from the fact that the (additional) information to be disclosed on the origin of the data, the purposes of processing and the planned duration, as set out in Article 15, paragraph 1, GDPR, has already been legally agreed upon and can therefore no longer be agreed upon for the entire complaint, the part of the procedure now under consideration concerns the processed data concerning the complainant, which must be disclosed in the form of a copy - at most in contextualized form. This subject matter of the procedure can therefore be separated from the subject matter of the partial decision that has already been issued on a case-by-case basis.
In particular, Article 15, paragraph 1 in conjunction with paragraph 3 GDPR grants the data subjects the right to receive a copy of extracts from documents or even entire documents or extracts from databases that contain, among other things, contain these data, if the provision of such a copy is essential to enable the data subject to effectively exercise the rights conferred on him or her by this Regulation, taking into account the rights and freedoms of others (see above ECJ 4.5.2023, C-487/21). An examination of the extent to which contextualization is necessary to enforce the rights was therefore only carried out in the continued proceedings before the Federal Administrative Court (after the de facto suspension) during the oral hearing. In particular, Article 15, paragraph one, in conjunction with paragraph 3, GDPR grants data subjects the right to obtain a copy of extracts from documents or even entire documents or extracts from databases which, among other things, containing these data, if the provision of such a copy is essential to enable the data subject to effectively exercise the rights conferred on him or her by this Regulation, taking into account the rights and freedoms of others (see above ECJ 4.5.2023, C-487/21). An examination of the extent to which contextualization is necessary to enforce the rights was therefore only carried out in the (after the de facto suspension) continued proceedings before the Federal Administrative Court during the oral hearing.
In the present case, the proceedings should therefore not be discontinued, but the matter itself should be decided on the issue of the data that may not have been disclosed and which must be disclosed in the form of a faithful reproduction. Otherwise, the complainant's rights would be curtailed.
However, the alleged violations of Articles 5, 14 and 25 GDPR and the alleged violation of the right to information due to insufficient information on the data of origin, processing purposes and the expected storage period are no longer the subject of the proceedings. This has already been decided on in a partial decision by the Federal Administrative Court dated August 9, 2021, reference number W211 XXXX. Against this background, the complainant's argument (most recently in the statement of October 9, 2023, points 3.1 and 3.2) that the information on the purposes and origin of the data within the meaning of Art. 15 (1) (a) and (g) GDPR was (was) incomplete does not need to be addressed further in the present case. However, the alleged violations of Articles 5, 14 and 25 GDPR and the alleged violation of the right to information due to insufficient information on the data of origin, processing purposes and the expected storage period are no longer the subject of the proceedings. This has already been decided in a partial decision of the Federal Administrative Court of August 9, 2021, reference W211 Roman 40. Against this background, the complainant's argument (most recently in the statement of October 9, 2023, points 3.1 and 3.2) that the information on the purposes and origin of the data within the meaning of Article 15, paragraph one, letters a and g of the GDPR was (was) incomplete does not need to be further addressed in the present case.
As the complainant himself confirms in his letter of October 9, 2023, paragraph 18), meaningful information about the logic, scope and effects of the scoring formula used by the co-involved party pursuant to Article 15, paragraph 1, letter h, GDPR is also not the subject of the proceedings. As the complainant himself confirms in his letter of October 9, 2023, paragraph 18), meaningful information about the logic, scope and effects of the scoring formula used by the co-involved party pursuant to Article 15, paragraph one, letter h, GDPR is also not the subject of the proceedings.
3.3.2. In the matter:
3.3.2.1. The complainant claims that, contrary to the provisions of Article 15, Paragraph 3 of the GDPR, he did not receive a copy of his personal data because the party involved did not provide a database extract or screenshots of the database and the credit reports provided to the recipient and the partial scores for the credit-relevant characteristics were not provided in copies. 3.3.2.1. The complainant claims that, contrary to the provisions of Article 15, Paragraph 3 of the GDPR, he did not receive a copy of his personal data because the party involved did not provide a database extract or screenshots of the database and the credit reports provided to the recipient and the partial scores for the credit-relevant characteristics were not provided in copies.
In summary, the party involved claims that all of the data held by the complainant has been disclosed, that a copy does not add any value and that business secrets would prevent the receipt of a copy.
The following should be noted:
3.3.2.2 Regarding the credit reports:
According to Section 152 of the Trade Regulations, traders are obliged to keep their business correspondence and business books for seven years. Against this background, the complainant also demands the provision of the specific credit reports that the co-participating party has made available to its customers. The complainant has plausibly argued that the transmission of a copy of the credit reports is necessary in order to be able to check whether the data provided by the co-participating party matches the data that the co-participating party has provided to its customers. The managing director of the co-participating party confirmed in the oral hearing before the Federal Administrative Court that the transmitted credit score and the transmitted and returned address data are still stored in the co-participating party's archive. According to Section 152 of the Trade Regulations, traders are obliged to keep their business correspondence and business books for seven years. Against this background, the complainant also demands the provision of the specific credit reports that the co-involved party made available to its customers. The complainant has plausibly argued that the transmission of a copy of the credit reports is necessary in order to be able to check whether the data provided by the co-involved party matches the data that the co-involved party has provided to its customers. The managing director of the co-involved party confirmed in the oral hearing before the Federal Administrative Court that the transmitted credit score and the transmitted and returned address data are still stored in the co-involved party's archive.
The co-involved party has not claimed a trade secret in this regard and has not otherwise become apparent. It is also noted that the recipients of the data have already been disclosed to the complainant and that the submission of copies of credit reports provides information about the data transmitted to the recipients. The Administrative Court has also recently ruled that this data must be disclosed (Ro 2020/04/0015-6 of August 3, 2023).
The party involved is therefore obliged to provide a copy of the credit reports relating to the complainant, whereby any personal data of third parties (such as names of natural persons as employees of the company that received the complainant's credit reports) must be made unrecognizable.
3.3.2.3. To receive a copy in the form of a database extract:
3.3.2.3.1. On the concept of "faithful reproduction":
When the co-participating party states in its statement of September 6, 2023 that a copy is the "faithful format" that consists of a sequence of binary values (0 and 1) and cannot be made available to the complainant due to a lack of knowledge of the proprietary data format, it fails to recognize that in the judgment cited above, the ECJ interprets the term "copy" in the ordinary sense of this term, according to which it refers to the faithful reproduction or transcription of the personal data. As the complainant rightly points out, the term "copy" therefore does not refer to the binary sequence underlying every electronic file, but to a representation of the personal data in a format that is understandable/readable to humans. This is already clear from Art. 12 GDPR, according to which all communications pursuant to Articles 15 to 22 and Article 34 relating to processing must be communicated in a precise, transparent, intelligible and easily accessible form, using clear and plain language. The transmission of one or more binary sequences of the personal data processed would in no way meet this requirement. When the co-participating party states in its statement of September 6, 2023 that a copy is the "true format" consisting of a sequence of binary values (0 and 1) and that it cannot be made available to the complainant due to a lack of knowledge of the proprietary data format, it fails to recognize that in the judgment cited above, the ECJ interprets the term "copy" in the ordinary sense of this term, according to which it refers to the faithful reproduction or transcription of the personal data. As the complainant rightly points out, the term "copy" does not refer to the binary sequence underlying every electronic file, but to a representation of the personal data in a human-readable format. This is clear from Article 12 of the GDPR, which states that all communications pursuant to Articles 15 to 22 and Article 34 relating to processing must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The transmission of one or more binary sequences of the personal data processed would in no way meet this requirement.
3.3.2.3.2. Applied to the present case, this results in the following:
As stated, the co-participating party provided the complainant with extensive information, in particular on June 16, 2023, and submitted a document with a statement dated July 10, 2023 listing all of the complainant's stored, ad hoc calculated or currently unprocessed data ("free text fields"). The co-participating party has thus fulfilled its obligation under Art. 15 (3) GDPR to provide a copy of the personal data. In this context, the co-participating party also provided explanations of the free text fields in the sense of contextualization (e.g. that certain fields are not in use and are only part of the table function for technical compatibility reasons, that a field represents purely technical timestamps and has no content-related function, or what information the verification score is). The complainant cannot be upheld when he argues that this manually created list is not a faithful reproduction of the data, since the case law of the ECJ shows that what matters is the faithfulness of the processed data, not the format. In the present case, according to the credible submission of the co-participating party, the complainant's data was exported from the co-participating party's database faithfully, i.e. the data disclosed corresponds to the data processed in the database. The faithful reproduction is not lost by the complainant's data being transferred from the database to another format - such as the transmitted table. As established, the co-participating party provided the complainant with extensive information, in particular on June 16, 2023, and submitted a document with a statement dated July 10, 2023, listing all of the complainant's stored, ad hoc calculated or currently unprocessed data ("free text fields"). The co-participating party has thus fulfilled its obligation under Article 15, paragraph 3, GDPR to provide a copy of the personal data. In this context, the co-participating party also provided explanations of the free text fields in the sense of contextualization (e.g. that certain fields are not in use and are only part of the table function for technical compatibility reasons, that a field represents purely technical timestamps and has no content-related function, or what information the verification score is). The complainant cannot be upheld when he argues that this manually created list is not a faithful reproduction of the data, since the case law of the ECJ shows that what matters is the faithfulness of the processed data, not the format. In the present case, according to the credible submission of the co-participating party, the complainant's data was exported from the co-participating party's database faithfully, i.e. the data disclosed corresponds to the data processed in the database. The faithful reproduction is not lost by the complainant's data being transferred from the database to another format - such as the transmitted table.
An additional right of the complainant, such as to receive a copy "in another form", does not exist in view of the fact that it is at the discretion of the controller in which format he fulfils his obligation to provide information in accordance with Art. 15 GDPR. In addition, according to Art. 15 Para. 4 GDPR, the right to receive a copy in accordance with paragraph 3 must not affect the rights and freedoms of other persons and, according to Section 4 Para. 6 DSG, the right of the data subject to information in accordance with Art. 15 GDPR vis-à-vis a controller does not generally exist, without prejudice to other legal restrictions, if providing this information would endanger a business or trade secret of the controller or third parties. The party involved must be followed in the view that the disclosure of the database structure - i.e. which tables are in the database and how they relate to each other - would be subject to a business and trade secret. Therefore, for example, a screenshot of the database would not represent any added value for the complainant, since the part containing the command structure, i.e. the database queries used to query the data, undoubtedly represents a trade secret of the party involved. This would reveal parts of the database structure and this part would therefore have to be made unrecognizable by the party involved anyway. The complainant has no further right, such as to receive a copy "in another form", given that it is at the discretion of the controller in which format he fulfills his obligation to provide information in accordance with Article 15 of the GDPR. In addition, according to Article 15, Paragraph 4, GDPR, the right to receive a copy according to Paragraph 3 must not affect the rights and freedoms of other persons and according to Paragraph 4, Paragraph 6, DSG, the right of the data subject to information according to Article 15, GDPR vis-à-vis a responsible party, without prejudice to other legal restrictions, does not generally exist if providing this information would endanger a business or trade secret of the responsible party or a third party. The co-involved party is to be followed in that the disclosure of the database structure - for example, which tables are present in the database and how they relate to each other - would be subject to a business and trade secret. Therefore, for example, a screenshot of the database would not represent any added value for the complainant, since the part containing the command structure, i.e. the database queries that were used to query the data, undoubtedly represents a trade secret of the co-involved party. This would reveal parts of the database structure and this part would therefore have to be made unrecognizable by the co-involved party anyway.
For the sake of completeness, it should be noted that the present case only concerns the question of whether the information was provided in the form of a true copy of the original and not the right to data portability (Article 20 GDPR). This was not asserted and the requirements for this would not have been met. For the sake of completeness, it should be noted that the present case only concerns the question of whether the information was provided in the form of a true copy of the original and not the right to data portability (Article 20 GDPR). This was not asserted and the requirements for this would not have been met.
The complaint was therefore to be dismissed in this regard.
3.3.2.4. On the partial scores:
As the co-participating party stated in its statement of September 5, 2023, intermediate results (partial scores) for the credit scores calculated for the complainant are stored. The complainant must therefore first agree that this is personal data within the meaning of Article 4, paragraph 1, GDPR, since it is assigned to the complainant and relates to him. The partial scores are therefore - like the overall score - fundamentally covered by the right to information in accordance with Article 15, GDPR.As the party involved stated in its statement of September 5, 2023, interim results (partial scores) for the credit scores calculated for the complainant are stored. The complainant must therefore first agree that this is personal data within the meaning of Article 4, paragraph 1, GDPR, since it is assigned to the complainant and relates to him. The partial scores are therefore - like the overall score - fundamentally covered by the right to information in accordance with Article 15, GDPR.
However, the party involved argues that it would be possible to draw conclusions about the score formula - and thus a trade secret - from the disclosure of partial scores.
The party involved agrees that the content of the score formula protected as a trade secret also includes the weighting of individual calculation elements (partial scores) when determining the overall score. Although it should be noted that the entire "score formula" or the entire "scoring algorithm" is not necessarily disclosed in full, the calculation formula is based in particular on the analysis of the partial scores determined. For example, the number and design of any partial scores transmitted allows a conclusion to be drawn about the underlying algorithm. The traceability of the way in which the calculation was made does not mean that it can be recalculated and verified, but in particular that it is possible to conclusively determine which factors influenced the reported rating (cf. judgment of the Federal Court of Justice of December 28, 2014, VI ZR 156/13). However, the complainant received this information, among other things, through the document attached to the statement of July 10, 2023. The specific subscores, on the other hand, are to be regarded as part of the algorithm protected by trade secrets and therefore do not need to be disclosed. The party involved must agree that the weighting of individual calculation elements (subscores) in determining the overall score is also part of the content of the score formula protected as a trade secret. Although it should be noted that the entire "score formula" or the entire "scoring algorithm" is not necessarily disclosed in full, the calculation formula is based in particular on the analysis of the partial scores determined. For example, the number and design of any partial scores transmitted allows a conclusion to be drawn about the underlying algorithm. The traceability of the creation does not mean that the calculation can be recalculated and verified, but in particular the conclusive possibility of knowing which factors influenced the reported rating (cf. judgment of the Federal Court of Justice of December 28, 2014, Roman VI ZR 156/13). However, the complainant received this information, among other things, through the document attached to the statement of July 10, 2023. The specific partial scores, on the other hand, are therefore to be regarded as part of the algorithm protected by trade secrets and therefore do not need to be disclosed.
Insofar as the complaint was directed at disclosure of these partial scores, it was therefore also to be rejected.
For the sake of completeness, we would like to point out that information pursuant to Article 15, paragraph 1, letter h, GDPR is not the subject of the proceedings (see the comments on the subject of the proceedings, point 3.3.1.). For the sake of completeness, we would like to point out that information pursuant to Article 15, paragraph one, letter h, GDPR is not the subject of the proceedings (see the comments on the subject of the proceedings, point 3.3.1.).
The decision was therefore to be made in accordance with the ruling.
3.4. On B) Admissibility of the appeal:
According to Section 25a, paragraph 1, VwGG, the administrative court must state in its ruling or decision whether the appeal is admissible in accordance with Article 133, paragraph 4, B-VG. The ruling must be briefly justified. According to paragraph 25a, paragraph one, VwGG, the administrative court must state in its ruling or decision whether the appeal is admissible in accordance with Article 133, paragraph 4, B-VG. The ruling must be briefly justified.
The appeal is admissible in the present case because there is no case law of the Administrative Court on the question of what is meant by a "true reproduction of the original". Furthermore, there is no case law of the highest court on the question of whether the disclosure of "partial scores" is a trade secret within the meaning of Section 4 paragraph 6 DSG. It was therefore necessary to state that the appeal is admissible in accordance with Article 133 paragraph 4 B-VG.The appeal is admissible in the present case because there is no case law of the Administrative Court on the question of what is meant by a "true reproduction of the original". Furthermore, there is no case law from the highest courts on the question of whether the disclosure of "partial scores" is a trade secret within the meaning of Article 4, Paragraph 6, DSG. It was therefore necessary to declare that the appeal is admissible in accordance with Article 133, Paragraph 4, B-VG.
