BVwG - W211 2231475-1: Difference between revisions
(Created page with "{{COURTdecisionBOX |Jurisdiction=Austria |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=BVwG |Court_With_Country=BVwG (Austria) |Case_Number_Name=W211 22314...") |
No edit summary |
||
Line 8: | Line 8: | ||
|Case_Number_Name=W211 2231475-1 | |Case_Number_Name=W211 2231475-1 | ||
|ECLI= | |ECLI=ECLI:AT:BVWG:2021:W211.2231475.1.00 | ||
|Original_Source_Name_1=Rechtsinformationssystem des Bundes (RIS) | |Original_Source_Name_1=Rechtsinformationssystem des Bundes (RIS) |
Revision as of 19:11, 25 January 2022
BVwG - W211 2231475-1 | |
---|---|
Court: | BVwG (Austria) |
Jurisdiction: | Austria |
Relevant Law: | Article 4(2) GDPR Article 6(1)(c) GDPR Article 28 GDPR § 13(8) AVG § 25(1) VStG |
Decided: | 20.10.2021 |
Published: | |
Parties: | anonymous DSB (Austria) |
National Case Number/Name: | W211 2231475-1 |
European Case Law Identifier: | ECLI:AT:BVWG:2021:W211.2231475.1.00 |
Appeal from: | |
Appeal to: | Unknown |
Original Language(s): | German |
Original Source: | Rechtsinformationssystem des Bundes (RIS) (in German) |
Initial Contributor: | Heiko Hanusch |
The Federal Administrative Court held that the transmission of personal data from the controller to the processor does not need to be justified under Art. 6 GDPR because the processor is to be seen as a mere - dependent – extension of the controller.
English Summary
Facts
The data subject called the helpline of the Österreichsiche Post AG (Austrian Postal PLC). He gave his phone number to the employee with the request for a callback, thereby stating that he does not want the phone number to be given to a third party. Afterwards the data subject was called twice by a market research institute – the processor. The controller and the processor had concluded a processing-contract under Art. 28 GDPR.
The data subject filed a complaint with the DSB (Austria) arguing that the transmission of his data (name and phone number) to the processor was illegitimate since he literally expressed that he does not want his data to be given to a third party. During these proceedings the data subject amended their submission by also tackling the use of cookies by the controller.
The DSB dismissed the complaint.
Holding
The Federal Administrative Court (Bundesverwatungsgericht – BVwG) upheld the decision of the DSB.
The court determined that the processor is to be seen as a dependent extension of the controller (“verlängerter Arm”) (cmp. Art. 29 GDPR). If the processing of data is in accordance with Art. 6 GDPR, the controller is free to deploy a processor. As a result, the transmission of data from the controller to the processor itself does not need to be justified under Art. 6 GDPR.
In the case at hand, the court came to the conclusion that the processing of data by the controller - and therefore also the transmission to the processor - is justified under Art. 6(1)(c) GDPR. The controller in this case - the Österreichsiche Post AG - is obliged under national law (§§ 6(8), 32(3) PMG) to provide for a complaint management system to improve their services.
Besides, the court decided the amendment of the data subject’s complaint was inadmissible pursuant to § 13(8) AVG and a data subject has no subjective right to the initiation of administrative fine proceedings under the GDPR and according to § 25(1) VStG.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Postal address: Erdbergstrasse 192 – 196 1030 Vienna Phone: +43 1 601 49-0 Fax: +43 1 711 23-889 15 41 Email: einlaufstelle@bvwg.gv.at www.bvwg.gv.at DECISIONS D A T U M 2 0 . 1 0 . 2 0 2 1 BUSINESS NUMBER W 2 1 1 2 2 3 1 4 7 5 - 1/9 E I M N A M E N D E R E P U B L I K ! The Federal Administrative Court recognizes through the judge Mag. Barbara SIMMA LL.M. as Chair and the expert lay judge Margareta MAYER-HAINZ and the expert lay judge Dr. Ulrich E. ZELLENBERG as assessor on the Complaint by XXXX against the decision of the data protection authority of XXXX, Zl. XXXX in closed session rightly: a) The complaint is dismissed as unsubstantiated. b) The revision is permissible according to Art. 133 Para. 4 B-VG. - 2 - Reasons for decision: I. Procedure: 1. With a data protection complaint dated XXXX .2018 (received at the data protection authority on XXXX .2018), the complainant claimed a violation of the right to secrecy according to § 1 and §§ 8 as well as 62 para. 1 Z 1 Data Protection Act (DSG) by the Austrian Post AG (the involved party). The complainant stated in summary that the party involved was in form of a "company", but is de facto a state-owned company. At the postal customs office be on XXXX received a letter in 2018 containing goods ordered by the complainant. Due to irregularities in connection with the shipment, the Complainant contacted the involved party's "hotline" on XXXX .2018. He has left his cell phone number there with a request to call him back, which he also shared expressly asked the party not to pass this number on to third parties under any circumstances. He was expressly assured of this. He was then from the party involved been called back and was able to fix the shipment. On XXXX .2018 he was called by XXXX. Upon specific request from Complainant, where XXXX got his phone number and his name from, was him been informed by the caller that she was entitled to this by the party involved received for survey purposes. On the same day he was contacted by another number been made, whereby the caller had obviously suppressed the number display. After hearing "Do you want to take part in a survey", he immediately hung up. At no time did he give his consent to the disclosure of his name and his Telephone number given, but expressly requested, his contact details not to pass on. Nor is there any public interest. Since he is from the If I had no knowledge of the data being passed on, an objection is also not possible been. The complainant was therefore violated in his right under § 1 para. 1 DSG been. In any case, § 61 Para. 1 Z 2 DSG is also applicable. 2. With a statement dated XXXX .2018, the party involved led to this Data protection complaint that XXXX is a processor in within the meaning of Art. 28 GDPR. Obtaining consent for the present - 3 - Data transmission is therefore not necessary. The customer satisfaction survey is not by employees of the party involved, but by an external company Have been carried out. This ensures that the party involved does not personal results of the survey. The data transmission is under Compliance with all data protection regulations, in particular Art. 28 ff DSGVO, However, the complaint was taken to cause the complainant to Block future customer satisfaction surveys. 3. By letter dated XXXX .2018, the data protection authority requested the involved party again for comment. In particular, the party involved was pointed out pointed out that the mere fact that the company in question is allegedly to be a processor, nothing about the legality of the processing statement. 4. The involved party submitted in a statement dated XXXX .2019 that they Postal service providers within the meaning of the Postal Market Act (PMG) and also Universal service operator according to § 12 PMG. According to the one assigned to her Among other things, she has obligations to set up a complaints management system, to publish information about the quality of their services at least annually (§ 32 PMG), to show the regulatory authority, among other things, the number of complaints (§ 6 Para. 7 PMG) and the universal service in terms of the needs of users develop and through appropriate measures and suggestions to secure the supply to contribute to the further development of the universal service with postal services (§ 6 Para. 8 PMG). In order to adequately meet this obligation, the party involved has the Postal customer service set up, which was also used by the complainant may be. So that the quality is further developed in accordance with the legal obligation and also could be published, the survey of the users is the most suitable and most recognized method. The survey itself will be considered by the XXXX Processor carried out within the framework of the agreement under Art. 28 GDPR act. Purposes and means are specified by the party involved, whereby the XXXX nor can it be qualified as a third party within the meaning of Art. 4 Z 10 GDPR. In the sense of the Data minimization only get the phone number and the name of the interviewer to enable proper addressing. the to interviewers would only be contacted once per case, and the - 4 - survey can be declined at any time. If at all, only one could hardly do it noticeable impairment. If customers contact the postal customer service, they would according to Art. 13 GDPR in the form of a taped announcement on the information on the topic data protection on the website of the party involved. This Information can be clearly inferred that appropriate surveys have been carried out can become. Under point 3.2. of the website are market research institutes as possible external service providers listed. When people post customer service would contact, so be sure that they have the information in accordance with Art. 13 GDPR would receive. Between contacting Post Customer Service and being contacted by the XXXX exists for a certain period of time, within which there are already contradictions can be done. Participation in the survey is therefore voluntary and possible be rejected at any time. Only when contacted by XXXX did he Complainant lodged an objection, which is why no questioning have taken place. The establishment of customer service is based on a legal obligation. One Questionnaire must be carried out to explain the complaints or to check the service will. The survey is the most suitable and recognized or only method. In order to the lawfulness of the data processing results from Art. 6 Para. 1 lit. c GDPR. In addition, the party involved is also acting in the public interest, since the postal Basic care including the associated quality check /obligation to publish/obligation to improve had been transferred. Thus Art. 6 is also Paragraph 1 lit. e GDPR relevant. In addition, Art. 6 Para. 1 lit. f GDPR are used. The party involved does not act as an authority in the sense the reason for exclusion. Interest in quality control /obligation to publish/obligation to improve result from the legal requirements PMG and is therefore legitimate. In this respect, there is a benefit for those involved party as the responsible party, as they continuously ensure their service quality in accordance with the legal requirements can be improved as well as a benefit for the general public than this receive better basic care viewed if this is for the perception of direct mail or advertising itself or will also be tracked for processing for market research purposes. - 5 - Likewise, this results from the basic right of entrepreneurial freedom (Article 16 of the GRC). legitimate interest of the party involved, from their customers their assessment of the To learn about complaint management in order to better to be fair. Even without the existence of a legal obligation the processing of personal data in question is therefore lawful. Only with the The contact data used can be used to carry out a survey, with which the processing was also necessary. The interest of the party involved and that The interest of the general public in data processing outweighs the interest of the complainant. In addition, the contact details are not particularly worthy of protection Data. The input was the agreement on order processing according to Art. 28 GDPR in copy connected. 5. By letter dated XXXX .2019, the complainant made the following statement on the Statements of the party involved: Initially, he wanted to add a "crass" Inform the party involved of data misuse. The involved party uses on Cookies and "spyware" that are not permitted on their website, especially since a direct objection is not possible. This becomes more objective as a further objection Complaint added. For the opinion of the party involved, it can be stated that neither § 32 para. 6 PMG nor § 6 para. 7 and para. 8 PMG a justification for the transfer of data to third parties contain. The argument of increasing efficiency would also include data transfer to third parties not justify. In the course of his request, he received no information within the meaning of Art. 13 GDPR has been granted. It is irrelevant whether participation in the survey is voluntary The subject of the complaint was the transfer of data to third parties. At no time did he consent is given, whereby in particular a call to the "hotline" is not as such can be rated. The market research company is not subject to the supervision of with the party involved The contract concluded is not applicable in the present case, as it explicitly allows data to be passed on have objected. It would also have to be clarified whether the contract per se is moral and be illegal. 6. With the contested decision of XXXX, the data protection authority rejected the Privacy complaint regarding the illegal setting of cookies (Point 1.). In addition, she dismissed the complaint as unfounded (paragraph - 6 - 2.). The complainant's application for a fine was granted rejected (point 3.) The data protection authority explained insofar as essential that the letter of the Complainant from XXXX .2019 on the basis of the proceedings Complaint submission of XXXX 2018 regarding the illegal setting of cookies represents a significant change in the application within the meaning of Section 13 (8) AVG, which is why the arguments to that effect had to be rejected. However, it was taken as an opportunity been asked to initiate a separate complaints procedure. In the present case, the "passing on" of the personal data of the complainant by the party involved to the market research institute. the Subsequent customer satisfaction requests from this company have the complaint case of the complainant and is therefore exclusively in the interest and in the Order of the involved party takes place. The pursuit of one's own purposes Market research company was never intended, which means that a independent responsibility of the market research company is to be denied. the the present "passing on" is therefore one that can be attributed to the party involved data processing. The complainant's data was not transmitted or disclosed to "third parties", but within the meaning of Art. 28 GDPR by the market research institute on behalf of involved party has been processed as agreed. A right to that responsible persons do not use any processors, does not exist. the On the one hand, the involved party is obliged to do so due to the provisions of the PMG to set up a complaints management system and, on the other hand, to ensure the quality of the Universal service, ie postal delivery, services offered by suitable Measures to improve, and thus to take certain measures. Even if of the involved party in these regulations no concrete measure and also none certain data processing is ordered, should not be subject to the legislature that he gives the party involved the possibility of data processing want to withdraw, because otherwise the provision would be meaningless. The handling of a complaint from a customer and the The quality assurance measures to be carried out are without name and contact address unthinkable if the data required for this should not be processed. At - 7 - Name and contact option there is no doubt that the data processing in given minimal scope is also required. Finally, it was stated that a subjective right to initiate a Administrative penal proceedings against specific persons responsible under Art. 77 Para. 1 DSGVO or § 24 para. 1 and 5 DSG cannot be derived, and the principle of expediency according to § 25 para. 1 VStG applies. Administrative penal proceedings can therefore only be carried out by a person concerned be suggested, there is no entitlement to initiation. 7. In the complaint, which was raised within the time limit, the complainant went so far summarized here essentially that the data protection complaint the disclosure of data to third parties. It is completely irrelevant whether this transfer based on private law contracts or other agreements. The fundamental right to data protection is a constitutionally protected legal interest, which is not can be overridden by private law contracts. It is also irrelevant whether the data protection authority wants to see a third party as an "extended arm" or not. At the request of the involved party's hotline, the complainant only Otherwise processing is not possible, his (former) telephone number was announced, this with the express note not to pass the same on to third parties. The two Companies that ultimately receive these phone numbers and the complainant contacted are market research companies whose business purpose is the survey of customer requests for advertising purposes. It is not clear in what way Advertising company could be useful for quality assurance. §§ 6 and 32 PMG would also offer no indication that the involved party is thereby authorized to use customer data to pass on to third parties. Art. 28 para. 2 GDPR stipulates that processors must not Processors without prior separate or general written consent permission of the person responsible. Sohin be the Passing on of the data to an advertising company in any case without a basis under data protection law he follows. There is therefore a violation of data protection by the party involved, since this without consent within the meaning of Art 7 GDPR and contrary to an explicit request by the complainant's data to a third-party company. In the contested decision, the complaint regarding the inadmissible setting of Cookies have been rejected. With the same date, however, the Data Protection Authority issue an order to remedy defects with a deadline without delivery, which - 8 - could have been followed, since the matter had been discussed immediately. It there is therefore already a violation of the AVG insofar as no hearing of the parties is granted had been. The use of cookies falls under the term data processing, as well as under the term data transfer. It is therefore incorrect if the Data Protection Authority believes the use of cookies by the affiliated party would not be included in the content of the complaint. Moreover, the question of an administrative fine is not addressed in the contested decision followed up, reflecting the unwillingness of the Data Protection Authority to deal with certain make things clear again. II. The Federal Administrative Court considered: 1. Findings: 1.1. The complainant contacted due to delivery issues related with a postal item on XXXX .2018 the "hotline" of the party involved. left there he left his cell phone number with a request to call him back, stating that he was the party involved expressly requested not to pass this number on to third parties under any circumstances. On XXXX .2018 the complainant was called by XXXX. On concrete The complainant asked where the XXXX got his telephone number and his name have, he was informed by the caller that she was from the involved party received for survey purposes. On the same day, the complainant was contacted another number for survey purposes, with the caller using the had suppressed caller ID. The complainant ended that call immediately, after his interlocutor had asked if he wanted to take part in a survey. 1.2. The following contract was concluded between the party involved and XXXX on XXXX .2018 completed (reproduced in excerpts): "AGREEMENT ON ORDER PROCESSING according to Art. 28 GDPR concluded between XXXX (hereinafter "Responsible") and XXXX XXXX (hereinafter "processor") 1. Subject of the agreement - 9 - a) The area of responsibility of the processor includes conducting surveys of all kinds and as required, but in particular the implementation of the regular ongoing survey of "satisfaction with Swiss Post customer service". In the context of this contract, “personal data” includes such to understand personal data that the person responsible dem processors within the framework of the contract described in more detail above or the processing of which is assigned to the processor in that contract. b) Categories of personal data and categories of data subjects are processed Persons according to Annex 1. 2. Processor Obligations a) The processor undertakes to process personal data and Processing results exclusively within the framework of the written (e-mail sufficient) to process orders from the person responsible. All Data processing activities take place exclusively in a member state of European Union instead. b) The processor is not authorized to process personal data of the disclosure to third parties without the written consent of the person responsible. So far the processor is obliged to do so by law to inform the person responsible immediately in advance. c) The transfer of personal data to third parties, to which no legal obligation of the processor exists, sets a written (e-mail sufficient) order of the person responsible. d) Processing of personal data for the company's own purposes Processor may only be used with the prior written consent of the responsible. e) The processor undertakes to maintain data secrecy and declares in a legally binding manner that he is responsible for all data processing has obligated persons to maintain confidentiality before starting the activity or these are subject to an appropriate statutory obligation of confidentiality. He has all persons entrusted with data processing are obliged to Data provided to them solely because of their professional activity be entrusted or accessible, without prejudice to other statutory provisions To keep confidentiality obligations secret, unless legally permissible There is a reason for the transmission/disclosure of the data. In particular, the remains Confidentiality obligation of the persons responsible for data processing even after they have finished their job or left the company Processor upright. f) The Processor declares in a legally binding manner that it has all the necessary Measures to ensure the security of processing in accordance with Art. 32 GDPR has taken. The processor assures that the data described in Appendix 2 and selected, risk-appropriate, technical and organizational - 10 - have taken and will continue to take action to personal data against accidental or unlawful destruction and against to protect against loss as well as their proper processing and the Ensure non-accessibility for unauthorized third parties. The Processor undertakes to implement the technical and organizational measures in the above Keeping it up to date with the latest technology and looking for technical progress or to update or adapt to a changed threat situation. g) The processor ensures that the person responsible respects the rights of the data subject according to Chapter III of the GDPR (information, access, correction and deletion, data portability, objection and automated Decision-making in individual cases) and taking into account the Austrian Federal law for the protection of natural persons during processing (DSG idgF) within the statutory deadlines at any time, leaves the responsible for all the necessary information and supports them in the process Fulfillment of related obligations to the best of our ability. Will a corresponding Application, with which the rights of the data subject are asserted, to the Processor directed and it is evident from the content of the application that the Applicant mistook the application processor for the person in charge of his processing activity carried out for the person responsible, the Processor to forward the request to the person responsible immediately and this to the applicant, stating the date of receipt of the to communicate the application. h) The processor supports the person responsible in complying with the regulations Articles 32 to 36 DSGVO mentioned obligations (data security measures, reports of personal data breaches to the supervisory authority, Notification of a Personal Data Breach data subject, data protection impact assessment, prior consultation). best efforts. In particular, the processor undertakes to those responsible immediately, but no later than within 36 hours of this Notice to notify of data breaches. i) The processor is informed that he has a processing directory has to be set up in accordance with Art. 30 Para. 2 GDPR. j) The processor undertakes to provide the person responsible with that information to provide the means to monitor compliance with this Agreement mentioned obligations are necessary. In particular, the Processor, the person responsible immediately upon request appropriate written evidence of the implementation and effectiveness of the in Annex 2 to transmit the technical and organizational measures described. Over At the request of the person responsible, the declaration of the Protection of data secrecy regarding the person who is presented with the execution of the order is entrusted. k) With regard to the processing, the person responsible is given the personal data granted the right, even by qualified and for Employees sworn to secrecy or by a professional secrecy - 11 - obligated person (court-certified expert etc.) Processor to check the correctness of the data processing Announcement to check. This during normal office hours and in coordination with the data protection officer of the processor or another person responsible for person responsible for data protection. The data protection officer/responsible for data protection at Processor is: Mr. Mrs XXXXXXX l ) After completion of the order, the processor is obliged to responsible for all processing results and documents that contain contractual personal data; of that The storage of the data left to the processor remains unaffected personal data and processing results to the extent and as long as this is for to guarantee its services. After the warranty period has expired, the processor has all to delete contractual personal data or to post them Request of the person responsible before carrying out the deletion keep. This applies in particular if the processor is to another Storage of personal data not due to mandatory legal requirements provisions is required. At the request of the controller, the processor confirms the data erasure in writing. If the processor processes the personal data in a special technical format processed, he is obliged to post the personal data Completion of the order either in this format or at the request of the Responsible in the format in which he received the personal data from person responsible or in another common format to release. m) The processor must inform the controller immediately if he is of the opinion that an instruction of the person responsible violates EU or Member State data protection regulations. 3. Sub-processors a) The processor is without the prior written consent of the Controller not entitled to use a sub-processor. b) In the event of written consent, the processor closes the necessary agreements within the meaning of Art. 28 Para. 4 GDPR with the sub- processor. It must be ensured that the sub-processor enters into the same obligations as the processor based on this agreement. The processor has the responsible person Override of the obligations under the present agreement upon request to be documented at any time. - 12 - c) If the sub-processor does not meet his data protection obligations, he is liable the processor towards the person responsible for compliance Obligations of the sub-processor. d) The person responsible gives his consent to the use of the information in Annex 3 named sub-processor. 4. Duration of Agreement □ The term of the agreement is based on the contract mentioned in point 1a). x The agreement is concluded for an indefinite period and can be changed by either party be terminated in writing with a notice period of three months to the end of the month. the The possibility of termination without notice for important reasons remains unaffected. In this respect, a data protection service provider agreement between the contracting parties in relation to the main service described in more detail in the contract referred to in point 1a), already exists, it is determined by the present agreement on a Order data processing replaced. 5. Miscellaneous Provisions a) All disputes arising from and in connection with this contract Austrian law, to the exclusion of the UN sales law and conflict of laws provisions. For all disputes, this will be factual and for XXXX Vienna locally competent court agreed. b) Only what has been agreed in writing is binding; there are no oral ones ancillary agreements. Changes and additions to the agreement require their validity of the written form; this also applies to a waiver of the formal requirement writtenness. c) All rights and obligations arising from this agreement are transferred to any Legal successors of both contracting parties. d) The parties agree to the conclusion of this agreement and its content to be treated confidentially. This does not apply to the extent that a party in accordance with the provisions of the present agreement or due to legal obligation to disclosure of this Agreement or any content thereof. This applies, insofar as the present agreement does not contain any conflicting provisions contains and there are no legal obligations to provide information. e) Processor undertakes (i) that its legal representatives, Employees and employed and/or commissioned subcontractors to all applicable legal provisions in connection with anti- comply with anti-corruption regulations and (ii) take appropriate measures to prevent the Ensure compliance with anti-corruption regulations. A breach of anti- Corruption regulations entitle the person responsible - without prejudice to others Right of withdrawal and termination - for extraordinary termination without notice agreement and to assert any claims for damages. - 13 - f) Should any provision of this agreement be invalid or ineffective or become, the contracting parties will agree a valid or effective Set a provision that will invalidate or ineffective provisions economically closest. The invalidity or ineffectiveness of individual provisions has no effect on the validity or effectiveness of the entire contract. g) This contract is drawn up in two originals, of which each contracting party has one receives. h) Appendices 1, 2 and 3 are considered to be an integral part of the contract. [...]" The processed data categories are included in the annex to the present contract “Personal master data” (e.g. first and last name) and “contact data” (e.g. telephone number) mentioned. The affected persons are employees and called customers. The order processing contract also contains technical and organizational measures, including confidentiality and integrity. 1.3. The complainant sent a letter dated XXXX .2019 to the The data protection authority also provides that the party involved also unlawful set cookies on their website and filed a privacy complaint to that effect. 2. Evidence assessment: The findings result from the file in connection with the arguments of the parties, in particular from the contract submitted between the party involved and XXXX dated XXXX .2018, and are not disputed. 3. Legal assessment: to A) 1. Section 1 of the Federal Act on the Protection of Natural Persons in Processing personal data (Data Protection Act - DSG) reads (in excerpts): (constitutional provision) fundamental right to data protection § 1. (1) Everyone has, in particular with regard to respect for his private and family life, right to confidentiality of personal data concerning him Data insofar as there is a legitimate interest in it. The existence of such - 14 - Interestisexcludedifdataduetotheirgeneralavailabilityorbecause due to their lack of traceability to the person concerned, no claim to secrecy are accessible. (2) Insofar as the use of personal data is not in the vital interest of the person concerned or with his consent, limitations of the right to Confidentiality only to protect overriding legitimate interests of another permissible, in the event of interference by a state authority only on the basis of laws that from the in Art. 8 para. 2 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (EMRK), Federal Law Gazette No. 210/1958, are necessary. such Laws prohibit the use of data that, by their nature, deserve special protection, only provide for the protection of important public interests and must at the same time appropriate guarantees for the protection of the confidentiality interests of the persons concerned determine. Even in the case of permissible restrictions, the encroachment on the fundamental right may in each case only be undertaken in the mildest, most effective way. [...] The relevant provisions of Regulation (EU) 2016/679 of the European Parliament and Council of April 27, 2016 on the protection of natural persons in the Processing of personal data, the free movement of data and the cancellation of the Directive 95/46/EG (General Data Protection Regulation), read (in excerpts): Article 4 Definitions For the purposes of this Regulation, the term means: 1. “Personal Data” any information relating to an identified or identifiable natural person (hereinafter "data subject"); as identifiable is a natural person who directly or indirectly, in particular by association with an identifier such as a name, an identification number location data, an online identifier or one or more specific characteristics expressing the physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person are identified can be; 2. “Processing” any operation carried out with or without the aid of automated processes or any such series of operations involving personal data such as that Collecting, capturing, organizing, arranging, storing, adapting or Modification, reading, querying, use, disclosure by transmission, distribution or any other form of provision, comparison or linking, restriction, deletion or destruction; - 15 - 3rd – 6th […] 7. "Responsible person" the natural or legal person, authority, institution or other Body alone or jointly with others on the purposes and means of processing of personal data decides; are the purposes and means of this processing stipulated by Union law or the law of the Member States, the Responsible person or can use the specific criteria according to his designation provided for by Union law or the law of the Member States; 8."Processor" means a natural or legal person, public authority, agency or another entity that processes personal data on behalf of the controller; 9. […] 10. “Third party” means a natural or legal person, public authority, agency or other body, other than the data subject, the controller, the processor and the Persons who are under the direct responsibility of the person responsible or the processors are authorized to process the personal data; 11th – 26th […] Article 6 Lawfulness of processing (1) The processing is only lawful if at least one of the following conditions are met: [...] c) the processing is necessary for compliance with a legal obligation imposed by the Controller is subject to; [...] (2) Member States may have more specific provisions adapting the application the provisions of this regulation in relation to processing to comply with paragraph 1 Maintain or introduce subparagraphs c and e by providing specific requirements for the Processing as well as other measures more precisely to determine a lawful and according ensure fair processing, including for others special processing situations according to Chapter IX. (3) The legal basis for the processing pursuant to paragraph 1 letters c and e set by a) Union law or b) the law of the Member States to which the controller is subject. - 16 - The purpose of the processing must be specified in this legal basis or in relation to the Processing pursuant to paragraph 1 letter e may be necessary for the performance of a task that is in the public interest or in the exercise of official authority which responsible has been transferred. This legal basis may have specific provisions to adapt the application of the provisions of this regulation, among others Provisions on what general conditions for the regulation of Lawfulness of the processing by the controller apply, what types of data are processed, which persons are affected, to which institutions and for which Purposes the personal data may be disclosed, what purpose they are subject to how long they may be stored and what processing operations and procedures may be applied, including measures to ensure a lawful and fair processing, such as for others special processing situations according to Chapter IX. Union law or the law of Member States must pursue an objective in the public interest and in a proportionate to the legitimate purpose pursued. [...] Article 28 Processors (1) If processing is carried out on behalf of a person responsible, then this person only cooperates Processors who offer sufficient guarantees that appropriate technical and organizational measures are carried out in such a way that the processing is in accordance with the requirements of this regulation and the protection of the rights of the persons concerned person guaranteed. (2) The processor will not take on any other processor without prior approval separate or general written approval of the person responsible. in the In the event of general written approval, the processor will inform the always inform those responsible about any intended change in relation to the addition or the replacement of other processors, giving the controller the option entitled to object to such changes. (3) Processing by a processor is based on a contract or any other legal instrument under Union law or the law of the Member States that control the processor in relation to the controller binds and in the subject and duration of the processing, type and purpose of the processing, the type of personal data, the categories of data subjects and the obligations and rights of the person responsible are defined. This contract or this other Legal instrument provides in particular that the processor a) the personal data only on documented instructions from the controller — also with regard to the transfer of personal data to a third country or a - 17 - international organization — processed, unless required by Union or EU law Member States to which the processor is subject is obliged to do so; in one In such a case, the processor shall notify the controller of these legal Requirements prior to processing with, provided that the relevant right such notice not prohibited because of important public interest; b) ensures that those authorized to process the personal data Persons have committed to confidentiality or an appropriate statutory are subject to a duty of confidentiality; c) take all measures required under Article 32; d) the conditions for using the services referred to in paragraphs 2 and 4 of another processor; e) in view of the nature of the processing, the person responsible, if possible with suitable ones technical and organizational measures to fulfill its obligation to Responding to requests to exercise the rights referred to in Chapter III comply with the data subject; f) taking into account the type of processing and those available to him Information to those responsible for compliance with the provisions of Articles 32 to 36 supports the above obligations; g) after completion of the provision of the processing services, all personal data either deletes or returns at the discretion of the person responsible, unless after the Union law or the law of the Member States an obligation to store the personal data exists; h) provide the controller with all the necessary information to demonstrate compliance with the provides the obligations set out in this Article and reviews — including inspections - carried out by the controller or another of the controller commissioned auditors are carried out, enables and contributes to this. With regard to subparagraph 1 letter h, the processor informs the Responsible immediately if he believes that an instruction against this Regulation or against other data protection regulations of the Union or the violates Member States. (4) If the processor engages the services of another processor Right to request certain processing activities on behalf of the controller to be carried out, this further processor will be assigned by way of a contract or - 18 - another legal instrument under Union law or the law of the person concerned Member State imposes the same data protection obligations as those in the Treaty or others Legal instrument between the controller and the processor in accordance with Paragraph 3 are set, whereby in particular sufficient guarantees are offered for this must ensure that the appropriate technical and organizational measures are implemented in this way that the processing is carried out in accordance with the requirements of this regulation. If the other processor does not meet his data protection obligations, he is liable first processor towards the person responsible for compliance with the obligations that other processor. (5) - (6) [...] The relevant provisions of the Postal Market Act (PMG) are (excerpts): universal service term and scope § 6. (1) - (7) [...] (8) The universal service operator is obliged to provide the universal service in accordance with the needs further developed by users and through appropriate measures and Proposals for securing the supply of postal services and for the further development of the contribute to universal service. In this context, in particular longer Opening hours, better accessibility and all possibilities of securing the location, especially by third-party post offices. (9) […] Obligations of Postal Service Providers § 32. (1) - (2) [...] (3) Postal service providers have to set up a complaints management system so that users and users can raise disputes or complaints. (4) - (5) [...] (6) Postal service providers shall have comparable, appropriate and up-to-date information at least annually Information on the quality of their services, in particular the transit times of those carried postal items using the methodology specified by ÖNORM EN 13850 publish and the regulatory authority at their request prior to publication in paper form and electronically processable form. - 19 - 2. Application of the legal bases to the present complaint: The object of the complaint is the question of whether the party involved thereby violated the right to secrecy by providing the contact details of the Complainant (name and cell phone number) to the XXXX, from which this Data was subsequently used for the purposes of a customer satisfaction survey. 2.1. Regarding point 1 of the contested decision: Rejection of the Data protection complaint about illegal setting of cookies: In the contested decision, the data protection authority stated that the entry of the Complainant from XXXX .2019 on the basis of the proceedings Complaint of XXXX .2018 regarding the illegal setting of cookies represent a significant change in the application within the meaning of Section 13 (8) AVG and therefore this arguments to that effect should be rejected. However, the input was taken as an opportunity been asked to initiate a separate data protection complaints procedure. According to § 13 para. 8 AVG, an application change is only permissible if this changes the matter its essence is not changed, the legislature the vagueness of this consciously accepted the turn. However, the AB emphasize the ease of change of the law, so that in case of doubt there is no change in the application that would change the nature of the application to go out. However, an application change should then affect the essence of the matter and therefore continue to do so in any case be inadmissible if it is not actually a matter of changing the original application, but a new, "different project" if that The project thus acquires a different quality in the light of the material laws to be applied (see Hengstschläger/Leeb, AVG § 13 Rz 45 (as of January 1st, 2014, rdb.at)). In the present case, the original data protection complaint dated XXXX .2018, the relates exclusively to the violation of the right to secrecy through the transmission of the contact details of the complainant to the XXXX and the use of the same by obtained this for the purpose of a customer satisfaction survey by entering the XXXX 2019, which the unlawful setting of cookies by the involved party to The subject matter was a significant change in the application within the meaning of Section 13 (8) AVG. The additional, cookies-related, submissions of the complainant in his statement of XXXX .2019 affects the essence of the subject of the proceedings insofar as it is related to the complaint of XXXX 2018 was presented as going far beyond this - 20 - and a new, different, supplementary submission and thus a new - different - subject of the complaint. Against this background, the data protection complaint was rejected the setting of cookies by the data protection authority. In the light of the fact that in relation to the additional - new -, submissions regarding cookies of the complainant by the data protection authority opened a further procedure moreover, there is no lack of legal protection in relation to this complaint. 2.2. Regarding point 2 of the contested decision: Rejection of the Privacy Complaint Regarding the Alleged Violation in the Right to Confidentiality according to § 1 DSG: The complainant submitted in the privacy complaint that the intervening party unlawfully gave his name and phone number to a "third party" who is XXXX , passed on and thus violate confidentiality obligations. A name and phone number are indisputably personal data of the complainant according to Art. 4 Z 1 DSGVO, which also according to Art. 4 Z 2 GDPR were processed (i.e. transmitted, provided). The question therefore arises whether the data processing carried out by XXXX for Customer Satisfaction Survey constitutes processing by third parties. In Art. 4 Z 10 GDPR, the processor is expressly excluded from the concept of third parties exempt. Art. 4 Z 8 GDPR in turn defines the term processor. And a responsible person is characterized by the fact that she alone or together with others about the purposes and means of processing personal data decides (Art. 4 Z 7 GDPR). In the present case, the party involved determines the purposes and means of the Processing, as can be seen from the submitted by her, with the XXXX on XXXX .2018 concluded contract results. Art. 28 GDPR then regulates the specific processing by a processor. Regarding the question of privileging the examination of the lawfulness of the processing by the processor compared to other data processing is in the - 21 - Literature The following stated [cf. on the following paragraphs Bogendorfer in Knyrim, DatKomm Art 28 GDPR margin nos. 23 - 28 (status 1.10.2018, rdb.at)]: “A comparable distinction in relation to the data flows between the different Actors in data processing as in DSG 2000 and correspondingly clear privileges does not include the GDPR. It summarizes all processing steps in a flat rate and without further Differences in the definition of "processing" in Art 4 Z 2 together and understands including “any operation performed with or without the aid of automated processes, or any such series of operations related to personal data such as collecting, collecting, organizing, arranging, storing, adapting or Modification, reading, querying, use, disclosure by transmission, distribution or any other form of provision, comparison or association, restriction, deletion or destruction”. lack of differentiation within the very broad disclosure options mentioned in Art 4 Z 2 (transmission, dissemination or other form of provision) and in the absence of inclusion of the Order processing in the canon of the legal basis according to Art. 6 and 9 the question of whether the "privileging" of the data flow between the person responsible and the Processor has ceased to exist and there is now a legal basis for this got to. However, the majority of opinions in the literature see this differently Interpretation approaches differently and considers its own justification for the Data transfer to the processor still not required for: It is argued that Art 28 can be understood as an independent power norm. On the other hand, it is critically noted that types 6 and 9 have a final character and no indication of the possibility of expanding what is standardized there canons of legality exist. Based on a systematic and teleological view, [...] in the literature rightly noted that Art 28 is geared precisely to the fact that when processing process, there is a close bond between the controller and the processor is produced, for which as compensation there is a "release" from the requirement of existence of a legal basis should take place. The Disclosure personal data by transmission iSd Art 4 Z 2 therefore only mean the transfer to third parties within the meaning of Art 4 Z 10 and not to every recipient. The risk of losing control of Articles 28 and 29 do not specify who is responsible. The same thing pursued with the GDPR - 22 - If a legal basis cannot be achieved. From systematic considerations it is argued that the requirement for a Legal basis of data flow between a controller and a Processor puts the processor on an equal footing with a controller would effect, whereas Art 28 para. 10 with the decision attribution Purpose and use of means of data processing (see margin nos. 6 and 8). The approach that data processing by a processor on the basis of a Balancing interests according to Art. 6 Para. 1 lit f is permissible, can be used as an argument for a "privileged" data flow between controller and processor convince, since there is already a separate legality check of the data transmission the processor takes place. From a practical point of view, it is used for non-sensitive data regularly be correct that the balancing of interests the legality of the Data flow to the processor results. For special personal information Art 9, however, there is no possibility of weighing up interests, which is why in these cases order processing is then not possible without special justification in accordance with Article 9 is. A linguistic approach that Art 28 as a general weighing up of interests also in the case of special The GDPR does not indicate whether personal data can be evaluated. Another approach in the literature guides the "privileging" of order processing convincing from the definitions of data processing (Art 4 Z 2), the person responsible (Art 4 Z 7), the processor (Art 4 Z 8), the recipient (Art 4 Z 9) and the third party (Art 4 Z10). Both data transmission to the processor are disclosed to a recipient, but no transmission within the meaning of Art 4 Z 2 takes place, as this indicates the existence of a "third party" in accordance with Art 4 Z 10 and the processor is not such. According to Art. 4 Z 9, the "recipient" is defined as "a natural or legal person, authority, Institution or other body to which personal data is disclosed, independent whether it is a third party or not [...]," defined. [...] A third party iSd Art 4 Z 10 is a natural or legal person, authority, institution or other body, apart from the data subject, the person responsible, the processor and the persons who are under the direct responsibility of the person responsible or the processors are authorized to process the personal data. - 23 - "Receiver" can be understood as an umbrella term that includes all actors The data subject itself includes, while the definition of "third party" includes a partial exclusion from the includes the group of recipients in that, in addition to those affected, it also includes the (original) Those responsible, the processors and those under their immediate Authorized persons (e.g. employees or sub-processors) are not responsible assigned to the group of third parties. Because the processor by definition personal data only processed on behalf and is not a third party within the meaning of Art 4 Z 10, he is fictitious an "internal" recipient who has no personal competence in using the transmitted data and who is bound by instructions. Data processing can therefore be evaluated as a uniform processing operation, for which only one uniform legality check is required. This unified view is permissible because the broad definition of the term processing in Art 4 Z 2 is not only isolated individual processes, but also a series of processes. The justification of Order processing follows accessory to the reason for permission of the underlying Processing by the person responsible. The processor is due to the close According to Art. 29, only the “alter ego” of the responsible person is bound by instructions "extended arm". This argument is also found in the Article 29 Working Party's Opinion on the terms "controller" and "processor". Support. The controller and the processor become regarded as the "inner circle of data processing" and not as a third party. The legality the data processing activity of the processor is determined by the order placed by the responsible. The processor is ultimately functional with a Comparable to employees of the person responsible, who differ from this through his organizational autonomy differs: it is up to the person responsible decide whether to carry out data processing within his organization or entirely or partially delegated to external organizations.” Similarly also Bertermann in Ehmann/Selmayr, DS-GVO2, K5 to 7 to Art 28: "Therefore, only the understanding remains, order processing as a permissible means of Processing to understand which is the controller under the premise of Compliance with the requirements of Art. 28 may be used. If the processing itself after a of the conditions specified in Art. 6 Para. 1 is lawful, the person responsible can or use several processors according to his instructions. In this respect, it is significant that the factually identical definition of "processing" in Art. 2d DS-RL and Art. 4 No. 2 DS- - 24 - GMO as processing not only isolated individual processes, but also a series of processes knows. Therefore, if processing is not considered at the micro level, but at the At macro level, an order processing can be considered part of the processing let understand. However, the prerequisite is always that a transmission only to processors bound by instructions. Once a transmission to a third party takes place, the framework of the permissible means of processing is breached and it is required a separate legal basis for the transfer." For the present case, this means against the background that a contract between the involved party and the XXXX, in which the order is clearly defined is (customer satisfaction surveys) that there is in any case a contractual relationship. The XXXX became an "extended arm" and thus as a processor for the party involved active. The order processing that has taken place is therefore part of the processing by the To see the responsible persons themselves and the legality of the same according to Art. 6 DSGVO check. As the data protection authority correctly explains in the contested decision, the involved party based on Art. 6 Para. 1 lit. c GDPR, according to which the processing for Compliance with a legal obligation is required. This results from §§ 32 para. 3 and 6 para. 8 PMG, which on the one hand provide for the establishment of a complaints management system and on the other hand to take appropriate measures to improve quality of the services offered as part of the universal service, namely postal delivery oblige. Likewise, the assessment of the data protection authority is to be followed, that the disclosure of the complainant's name and telephone number to the Processor was required within the meaning of the provision, namely to fulfill her order, determining customer satisfaction. The procedural processing of the personal data of the Complainant was therefore lawful, which is why the dismissal of the complaint by the Data Protection Authority in this regard was right. 2.3. Regarding point 3 of the contested decision: rejection of the application for Imposition of a fine: In his data protection complaint dated XXXX .2018, the complainant stated that § 62 Para. 1 Z 2 DSG, thus the regulation on the imposition of administrative penalties, applicable is what the data protection authority in the contested decision as an application imposed a fine on the party involved. - 25 - In line with this, the complainant also referred to the from his point of view, the admissibility of imposing an administrative fine against the related party reference. There is therefore no doubt that the request of complainant to the imposition of an administrative fine against the co-involved party is directed. However, as the data protection authority correctly explained in the contested decision, a subjective right to initiate administrative penal proceedings against a Responsible_nneither from Article 77 paragraph 1 GDPR nor from Article 24 paragraph 1 and 5 GDPR. The principle of ex officio according to Section 25 (1) of the VStG applies. So basically no one has a legal claim that someone for whatever reason in prosecution is taken. The authority has both in the initiation and in the Carrying out the administrative penal proceedings ex officio (cf. Fister in Lewisch/Fister/Weilguni, VStG § 25 Rz 3f (as of May 1st, 2017, rdb.at)). Administrative penal proceedings can therefore only be initiated by a person concerned there is no entitlement to initiation. The rejection by the data protection authority therefore also took place on this point Law. 3. Since only legal questions had to be clarified in the procedure, according to § 24 para. 4 VwGVG to waive the holding of an oral hearing (VwGH, 09/19/2017, Ra 2017/01/0276). Regarding B) Admissibility of the revision: According to § 25a Abs. 1 VwGG, the administrative court in the ruling of its knowledge or Pronounce a resolution as to whether the revision is permissible in accordance with Art. 133 Para. 4 B-VG. the Statement must be briefly justified. The revision is permissible according to Art. 133 Para. 4 B-VG because it is at the highest court Case law, in particular on the qualification of the processor Processor as an "extended arm" of the person responsible is missing. It was therefore to be decided accordingly.