BVwG - W101 2208238-1: Difference between revisions

From GDPRhub
Latest revision as of 16:25, 2 February 2022

BVwG - W101 2208238-1
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 4(10) GDPR
Article 6(1)(a) GDPR
Decided: 07.12.2021
Published: 21.01.2022
Parties: anonymous
DSB (Austria)
National Case Number/Name: W101 2208238-1
European Case Law Identifier: ECLI:AT:BVWG:2021:W101.2208238.1.00
Appeal from:
Appeal to:
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (RIS) (in German)
Initial Contributor: Heiko Hanusch

The Federal Administrative Court held that consent given to a first controller under Article 6(1)(a) GDPR to transfer data to a second controller does not extend to a transfer from the second controller to third parties, unless otherwise indicated by the circumstances of the case.

English Summary

Facts

The two data subjects of this case are minors who attend a private kindergarten. With the consent of the data subjects' legal guardians, the private kindergarten gave the municipality of its seat (the controller) a list consisting of the name, date of birth and date of admission of all children attending the kindergarten. Because the municipality did not want to bear the costs for children residing in another municipality, it sent a letter to all parents requesting them to take the letter to the municipality of their residence and ask for its financial support. This letter consisted of the already mentioned list as well as another list which additionally contained the days of absence, overall days and the calculated share of costs of each child.

The controller did not ask the legal guardians of the data subjects for their consent before sending the letter out to all parents.

The data subjects – represented by their legal guardians – filed a complaint with the DPA. The DPA sustained the complaint.

Holding

The Federal Administrative Court (Bundesverwaltungsgericht – BVwG) upheld the decision of the DSB.

The court concluded that the head of the kindergarten was a third party according to Article 4(10) GDPR with respect to the sending of the letters. The consent given to the head of the kindergarten did not extend to the municipality and did not encompass the disclosure of the data to the other legal guardians.

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Postal address: Erdbergstrasse 192 – 196, 1030 Vienna
Phone: +43 1 601 49-0
Fax: +43 1 711 23-889 15 41
Email: einlaufstelle@bvwg.gv.at
www.bvwg.gv.at
DVR: 0939579

Decision date: 07.12.2021
Case number: W101 2208238-1/5E

IN THE NAME OF THE REPUBLIC!


The Federal Administrative Court, through the judge Dr. Christine AMANN as chair and the expert lay judges MMag. Dr. Winfried PÖCHERSTORFER and Mag. Thomas GSCHAAR as assessors, on the complaint of the mayor of the market town XXXX, represented by Winkler & Riedl RAe OG, against the decision of the data protection authority of 07.08.2018, GZ. DSB-D122.840/0005-DSB/2018, has ruled:

a)

The complaint is dismissed as unfounded according to § 28 paragraph 2 VwGVG in conjunction with § 24 paragraph 1 and paragraph 5 DSG as amended.

b)

The revision is not permitted according to Art. 133 Para. 4 B-VG.









                           Reasons for decision:

I. Procedure:


By letter dated January 3, 2018, improved by briefs dated January 28, 2018 and February 2, 2018, the minor XXXX, legally represented by Mrs. XXXX, and the minor XXXX, legally represented by Mrs. XXXX (= involved parties before the Federal Administrative Court and applicants before the data protection authority), filed a data protection complaint against the mayor of the market town XXXX (= complainant before the Federal Administrative Court and respondent before the data protection authority) because their right to secrecy had been violated. They essentially justified their data protection complaint as follows:

In a letter regarding the assumption of the costs of childcare in a private kindergarten, the complainant had passed on personal data of the involved parties to other legal guardians. Specifically, this letter included a list of all children who attended the private kindergarten between September 2016 and August 2017, stating the name, date of birth, address and the date of entry into as well as the date of leaving the kindergarten.


In a statement dated February 21, 2018, the complainant essentially responded to the involved parties' data protection complaint as follows:

Since the majority of the children of the "XXXX" kindergarten, including the involved parties, do not have their normal place of residence in the municipal area of the seat municipality, the market town XXXX, the market town was forced for financial reasons to pass on proportionate costs to the municipalities of main residence of the children or to their parents/guardians. For the fair distribution of the funding share, a list with the data of the children or their legal guardians had been handed over to the market town XXXX by the management of the kindergarten. A letter from the market town XXXX to the legal guardians had, among other things, pointed out the extraordinary financial burden on the market town XXXX and expressed the request to approach the municipalities of residence with the letter and to ask for support for their children. Since the list with all data (first name, last name, date of birth, entry date, possible exit date and addresses) had been handed over by the management of the kindergarten, this list (supplemented by the pro rata contribution to costs) had been enclosed with the letter to the parents. The list (children's list) handed over by the management of the kindergarten had also been enclosed with the letter. The market town XXXX assumed that the parents had given their consent for the lists to be passed on, especially since the lists had already been handed over by the management of the kindergarten.

In a statement dated March 14, 2018, the involved parties essentially stated the following:

They understood that the kindergarten had to pass on the children's data to the municipality XXXX, because without this data the municipality could not enter into a cooperation agreement with the municipalities concerned. However, the conclusion that this constituted the involved parties' consent to the general use of this data was not correct.


By decision of August 7, 2018, GZ. DSB-D122.840/0005-DSB/2018, the data protection authority upheld the data protection complaint of January 3, 2018 and found that the complainant had violated the involved parties' right to secrecy by transmitting personal data of the involved parties, such as name, date of birth, address, entry date, minus days, total days and the corresponding share of costs, to legal guardians of other children who attended the same kindergarten as the involved parties in the period from September 2016 to August 2017.

In this decision, the data protection authority made the following findings of fact:

The complainant had written an undated letter addressed to all legal guardians of the children who attended a specified kindergarten between September 2016 and August 2017, in which the legal guardians were asked to bear the costs of childcare.

A list attached to this letter, "Children's list […] September 2016 - August 2017", showed the following data of the involved parties: name, date of birth, address and entry date.

In addition, a further list, "Cost allocation September 1, 2016 - August 31, 2017", was attached to the letter in question, from which the following data of the involved parties can be taken: name, date of birth, entry date, minus days, total days and cost share.

The letter, along with the mentioned lists, was transmitted to the legal guardians of the children named in the list.

On the basis of these factual findings, the data protection authority concluded, from a legal point of view:

Procedurally, this data protection complaint is to be decided under the new legal situation (DSG as amended by BGBl. I No. 24/2018) according to § 24 Para. 5 DSG. In substantive terms, however, the case is subject to the provisions of §§ 1 to 9 DSG 2000, Federal Law Gazette I No. 165/1999 as amended by Federal Law Gazette I No. 83/2013, which were applicable at the time of the alleged infringement of the right to secrecy.

According to § 1 para. 2 DSG 2000, the actual transmission of personal data of the complainants to legal guardians of other children attending the same kindergarten as the involved parties requires a legal basis.

However, such a basis was neither named by the complainant in his statement before the data protection authority XXXX, nor is one recognizable among the justifications of § 8 DSG 2000, nor is one claimed by the complainant.

The complainant's argument that he had assumed that the parents had given their consent to the handover of the lists does not change the fact that the proceedings yielded no indications of consent by the involved parties to the transfer in question within the meaning of § 4 Z 14 in connection with § 8 para. 1 Z 2 DSG 2000.

If the complainant further claims in this context that the data was only passed on among parents who knew each other well and saw each other on a daily basis, nothing can be gained from this argument either, as it is to be assumed that not all legal guardians are aware of all transmitted data.

Irrespective of this, a breach of data protection law cannot be cured even if the children's personal data concerned become known through conversations between the legal guardians.

The complaint was therefore upheld in accordance with the ruling.


In the timely complaint against this decision, the complainant essentially submitted:

The complainant had to assume that the management of the private kindergarten had made the relevant clarifications. It is to be assumed that, before the data was transmitted to the complainant, the management had coordinated the data with the children's legal guardians and that the legal guardians had given their consent to the disclosure and use of their data. In addition, the management of the private kindergarten had not stated that the municipality was not permitted to contact the parents and transmit the information.

In addition, all those affected (parents and children) had a common interest in the continued existence of the kindergarten, and the data transfer was exclusively in the interest of the parents and in the public interest, so that the financing of the private kindergarten would be secured. The notification made by the municipality had been necessary so that the kindergarten could continue to operate and its financing was secured, and there was an overriding interest of the complainant, within the meaning of Section 1 (2) DSG 2000, in passing on the data.

In addition, the justifications according to § 8 DSG 2000 were fulfilled because, in principle, the municipality of residence is responsible for the financing of kindergartens, but in the present case children from other municipalities attended the kindergarten and the data determination/transmission was required within the meaning of § 8 Para. 1 Z 1 DSG 2000.

It can also be assumed that the parents would have given their consent, and for this reason the exception according to § 8 Abs. 1 Z 2 DSG 2000 was also fulfilled.

Furthermore, the disclosure was in the exclusive interest of those affected, and the exception according to § 8 para. 1 Z 3 DSG 2000 was to be applied.

Finally, the complainant had an overriding interest within the meaning of § 8 para. 1 no. 4 DSG 2000, because a municipality could only be held financially responsible for the kindergarten care of children who also have their place of residence in the municipality, and the complainant could not bear the costs for other municipalities. This was in the interest of the municipality's "own" citizens, which is why, within the meaning of § 8 para. 3 Z 1, Z 3 to 5 DSG 2000, the transmission of the data did not violate confidentiality interests worthy of protection, and the authority concerned would have had to weigh up the interests involved, which did not happen.


The complainant thus applied for the Federal Administrative Court to

    1. decide on the matter itself and set aside the contested decision without replacement;
    2. in eventu, set aside the contested decision by resolution and refer the matter back to the data protection authority to issue a new decision; and
    3. conduct an oral hearing.

With a letter from the data protection authority dated October 18, 2018, the complaint together with the administrative file was sent to the Federal Administrative Court.




II. The Federal Administrative Court considered:

1. Findings:


In their data protection complaint dated January 3, 2018, improved by pleadings dated January 28, 2018 and February 2, 2018, the involved parties asserted that their right to secrecy had been violated because the complainant, in a letter regarding the assumption of the costs of childcare in a private kindergarten, had passed on personal data of the involved parties to legal guardians of other children who attended the same kindergarten as the involved parties between September 2016 and August 2017.

Specifically, a list of all children who attended the private kindergarten in the period from September 2016 to August 2017 could be taken from this letter, stating the name, date of birth, address and the entry and exit dates for the kindergarten.

The complainant wrote a letter to all legal guardians of the children who attended the "XXXX" kindergarten between September 2016 and August 2017. The following lists were attached to this letter:

    - "Children list XXXX September 2016 - August 2017" with name, date of birth, address and entry date of the involved parties;

    - "Cost allocation September 1, 2016 - August 31, 2017" with name, date of birth, entry date, negative days, total days and cost shares of the involved parties.

It is established that the complainant obtained neither written nor implied consent from the parents of the involved parties for the processing of the personal data.

It can therefore be stated as decisive that the complainant violated the involved parties' right to secrecy through the processing (here: the disclosure through transmission) of the two above-mentioned lists with personal data.


2. Evidence assessment:

The findings on the relevant facts result from the administrative file, the complaint and the court file.

For the competent senate, it is indisputable that, by means of the lists in question, personal data of the involved parties were processed by the complainant without the consent of their parents, by sending a letter to other legal guardians of the children attending the kindergarten.

With this in mind, the above findings were made.

3. Legal assessment:


3.1. According to Art. 130 Para. 1 Z 1 B-VG, the administrative courts decide on complaints against the decision of an administrative authority on grounds of unlawfulness.

According to § 6 BVwGG, the Federal Administrative Court decides through a single judge, unless federal or state laws provide for the decision to be made by senates.

According to § 27 paragraph 1 DSG, the Federal Administrative Court decides through the Senate on complaints against decisions, on account of violation of the duty to inform according to § 24 para. 7 leg.cit. and of the duty of the data protection authority to make a decision. According to § 27 paragraph 2 first sentence DSG, the senate consists of a chairman and one expert lay judge each from the group of employers and from the group of employees.

In this case, the Senate is responsible.

The procedure of the administrative courts, with the exception of the Federal Finance Court, is regulated by the VwGVG, Federal Law Gazette I 2013/33 as amended by Federal Law Gazette I 2013/122 (§ 1 leg.cit.). According to § 58 paragraph 2 VwGVG, conflicting provisions that had already been promulgated at the time this federal law entered into force remain in force.

According to § 17 VwGVG, unless otherwise specified in this federal law, the procedure for complaints according to Art. 130 Para. 1 B-VG is governed, mutatis mutandis, by the provisions of the AVG with the exception of §§ 1 to 5 and part IV, the provisions of the Federal Fiscal Code - BAO, Federal Law Gazette No. 194/1961, of the Agricultural Procedures Act - AgrVG, Federal Law Gazette No. 173/1950, and of the Service Law Procedure Act 1984 – DVG, Federal Law Gazette No. 29/1984, and otherwise by those procedural provisions in federal or state laws which the authority has applied or should have applied in the proceedings preceding the proceedings before the administrative court.

3.2. According to § 31 paragraph 1 VwGVG, decisions and orders are made by resolution, unless a judgment is to be rendered.

According to § 28 para. 1 VwGVG, the administrative court has to settle the legal matter by judgment, provided that the complaint is not to be rejected or the proceedings are not to be discontinued.

According to § 28 para. 2 VwGVG, the administrative court has to decide on the merits of complaints itself if the relevant facts have been established or if the determination of the relevant facts by the administrative court itself is in the interest of speed or associated with significant cost savings.


3.3. to A)


3.3.1. Applicable Law

The data protection complaint of January 3, 2018, which initiated the proceedings, was pending at the data protection authority at the time of entry into force of the GDPR on May 25, 2018.

In such a case, the data protection authority had to continue the proceedings pending under the DSG 2000 pursuant to § 69 paragraph 4 DSG as amended "according to the provisions of this federal law and of the GDPR".

According to leg. cit., the data protection authority already had to apply the new legal situation (DSG and GDPR) in the present case. As a result, the Federal Administrative Court also has to apply the new legal situation.


3.3.1.1. The relevant provisions of the GDPR

                                         Article 4

                                        Definitions

For the purposes of this Regulation:

       1. "personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
       2. "processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
       3.-6. (…)
       7. "controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
       8. (…)
       9. "recipient" means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
       10. "third party" means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
       11. "consent" of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
       12.-26. (…)



                                         Article 5
                 Principles relating to processing of personal data

(1) Personal data shall be:
a) processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency");
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes ("purpose limitation");
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimisation");
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ("accuracy");
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ("storage limitation");
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ("integrity and confidentiality").
(2) The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ("accountability").

                                         Article 6
                              Lawfulness of processing

(1) Processing shall be lawful only if and to the extent that at least one of the following applies:
       a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
       b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
       c) processing is necessary for compliance with a legal obligation to which the controller is subject;
       d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
       e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
       f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
       Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
       (2) Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing, including for other specific processing situations as provided for in Chapter IX.
       (3) The basis for the processing referred to in points (c) and (e) of paragraph 1 shall be laid down by:
       a) Union law; or
       b) Member State law to which the controller is subject.
       The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.
       (4) Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia:
       a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
       b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;
       c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;
       d) the possible consequences of the intended further processing for data subjects;
       e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.

3.3.1.2. The relevant provisions of the DSG

Article 1
(Constitutional provision)

Fundamental right to data protection

§ 1. (1) Everyone has, in particular with regard to respect for his private and family life, the right to confidentiality of personal data concerning him, insofar as there is a legitimate interest in it. The existence of such an interest is excluded if data are not accessible to a claim to secrecy due to their general availability or because of their lack of traceability to the person concerned.

(2) Insofar as the use of personal data is not in the vital interest of the person concerned or with his consent, limitations of the right to confidentiality are only permissible to protect overriding legitimate interests of another, and in the event of interference by a state authority only on the basis of laws that are necessary for the reasons stated in Art. 8 para. 2 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (EMRK), Federal Law Gazette No. 210/1958. Such laws may provide for the use of data that, by their nature, deserve special protection only for the protection of important public interests and must at the same time lay down appropriate guarantees for the protection of the confidentiality interests of the persons concerned. Even in the case of permissible restrictions, the encroachment on the fundamental right may in each case only be undertaken in the mildest, most effective way.

(...)

Complaint to the data protection authority

Section 24. (1) Every data subject has the right to lodge a complaint with the data protection authority if she believes that the processing of personal data concerning her violates the GDPR or § 1 or Article 2 1st main part.

(2) The complaint must contain:

1. the designation of the right deemed to have been infringed,
2. as far as this is reasonable, the designation of the legal entity or body to which the alleged infringement is attributed (respondent),
3. the facts from which the infringement is derived,
4. the grounds on which the allegation of illegality is based,
5. the request to establish the alleged infringement and
6. the information necessary to assess whether the complaint has been lodged in time.

(3) The application on which it is based and any response from the respondent may be attached to a complaint. In the event of a complaint, the data protection authority is to provide further assistance at the request of the data subject.

(4) The right to have a complaint dealt with expires if the intervener fails to lodge it within one year after becoming aware of the adverse event, but at the latest within three years after the event is said to have taken place. Late complaints are to be rejected.

(5) If a complaint proves to be justified, it must be upheld. If an infringement is attributable to a person responsible in the private sector, that person is to be instructed to comply with the complainant's requests for information, correction, deletion, restriction or data transfer to the extent necessary to remedy the identified infringement. Insofar as the complaint proves not to be justified, it is to be rejected.

(6) Until the conclusion of the proceedings before the data protection authority, a respondent may subsequently eliminate the alleged infringement by complying with the complainant's requests. If the data protection authority considers the complaint to be irrelevant in this respect, it must hear the complainant about it. At the same time, his attention is to be drawn to the fact that the data protection authority will discontinue the proceedings informally if he does not explain within a reasonable period of time why he still considers the originally claimed violation of rights to be at least partly not eliminated. If such a statement by the complainant changes the matter in its essence (§ 13 para. 8 AVG), the withdrawal of the original complaint and the simultaneous filing of a new complaint are to be assumed. In this case, too, the original complaint procedure is to be discontinued informally and the complainant is to be informed thereof. Late statements are not to be considered.

(7) The complainant will be informed by the data protection authority, within three months of the complaint being lodged, about the status and the result of the investigation.

(8) Any data subject may refer the matter to the Federal Administrative Court if the data protection authority does not deal with the complaint or has not informed the data subject within three months of the status or outcome of the complaint lodged.

(9) The data protection authority can – if necessary – call in official experts in the procedure.

(10) The decision period according to § 73 AVG does not include:

1. the time during which the proceedings are suspended until the final decision on a preliminary question;
2. the time during a procedure according to Art. 56, 60 and 63 DSGVO.


3.3.2. According to the constitutional provision of Section 1 Paragraph 1 DSG, everyone has, in particular in view of respect for private and family life, the right to secrecy of personal data concerning him, insofar as there is a confidentiality interest worthy of protection in it. In this context, personal data worthy of protection are to be understood as not only information that is easily recognizable as personal, such as a person's name, gender, address or place of residence, but also, for example, value judgments and thus absolutely personal information.

All personal data - i.e. both automatically processed data and manual data - are to be kept secret if there is a legitimate interest in confidentiality, or the processing of this data is inadmissible.

The central starting point for whether a fundamental right claim according to § 1 para. 1 DSG exists at all is the existence of interests "worthy of protection". In examining them, a balancing of interests is to be carried out. From a data protection perspective, particular account must be taken here of the principles of legality and proportionality.


In the present data protection complaint, the parties involved claimed that their right to confidentiality of personal data had been violated because the complainant, in a letter regarding the assumption of the costs of childcare in a private kindergarten, had passed on data of the parties involved to legal guardians of other children who attended the same kindergarten as the parties involved in the period from September 2016 to August 2017. Specifically, this letter included a list of all children who attended the private kindergarten in the period from September 2016 to August 2017, stating the name, date of birth, address and the dates of entry to and exit from the kindergarten.


According to Art. 6 Para. 1 GDPR, the processing of personal data is lawful if, among other things, the data subject has given their consent to the processing of personal data relating to them for one or more specific purposes or the processing is necessary for compliance with a legal obligation to which the controller is subject.

First of all, it should be noted that the transmission of the personal data of the parties involved is not legally covered by the XXXX submitted by the complainant, which was also not mentioned by the complainant.

The complainant was responsible for obtaining from the affected parents of the parties involved, before sending the letter with the attached lists in question, their (written or implied) consent to the processing of their personal data. The specific content of this letter is therefore irrelevant.


If the complainant claims that he assumed that the parents of the parties involved would agree to their personal data being sent to other legal guardians of the children attending the kindergarten because the head of the private kindergarten gave him the two lists, the following is to be countered: when the head of the private kindergarten (with the consent of those affected) provided the complainant with the two lists, the head did not have to foresee that the complainant would at a later date process the lists in question by sending a letter to other legal guardians. In the given case constellation, the head of the private kindergarten is a "third party" in the sense of the definition of Art. 4 Z 10 GDPR.

The responsible senate therefore comes to the conclusion that the complainant, as the person responsible, inadmissibly processed the personal data of the parties involved by sending the letter together with the two relevant lists to other legal guardians of the children attending the kindergarten (here: disclosure through transmission) and thereby violated the right to secrecy of the parties involved.

Since the contested decision is not affected by any illegality within the meaning of Art. 130 para. 1 Z 1 B-VG, the complaint raised against it was to be rejected according to § 28 para. 2 VwGVG in connection with Section 24 (1) and (5) DSG as amended.


3.4. Pursuant to § 24 para. 1 VwGVG, the administrative court shall hold a public oral hearing upon application or, if it deems this necessary, ex officio.

The complainant has indeed submitted an application for a public hearing to be held; however, in the present case, the omission of an oral hearing could be based on the fact that the facts of the case were clarified from the file. The Federal Administrative Court had to decide exclusively on a legal question (cf. ECHR June 20, 2013, Appl. No. 24510/06, Abdulgadirov/AZE, margin nos. 34ff). According to the jurisprudence of the Constitutional Court, too, an oral hearing may be omitted if the facts are undisputed and the legal issue is not of particular complexity (VfSlg. 17.597/2005; VfSlg. 17.855/2006; most recently VfGH 18.06.2012, B 155/12).

An oral hearing was therefore dispensed with according to § 24 paragraph 1 and paragraph 4 VwGVG.


3.5. Re B) Inadmissibility of the revision:

According to § 25a Abs. 1 VwGG, the administrative court has to pronounce in the ruling of its decision or resolution whether the revision is permissible in accordance with Art. 133 Para. 4 B-VG. The statement must be briefly justified.

The revision is not permitted according to Art. 133 Para. 4 B-VG because the decision does not depend on the solution of a legal issue of fundamental importance. The present decision neither deviates from the previous case law of the Administrative Court, nor is there a lack of case law; furthermore, the present case law of the Administrative Court is also not to be judged as inconsistent. There are also no other indications of a fundamental importance of the legal question to be solved.