BVwG - W101 2208238-1: Difference between revisions
No edit summary |
No edit summary |
||
(3 intermediate revisions by 2 users not shown) | |||
Line 50: | Line 50: | ||
}} | }} | ||
The Federal Administrative court | The Federal Administrative court held that the consent given to a first controller under [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]] to transfer the data to a second controller does not extend to the transfer from the second controller to third parties, unless otherwise indicated by the circumstances of the case. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The two data subjects of this case are minors. They are visiting a private kindergarten. The private kindergarten gave – with the consent of the | The two data subjects of this case are minors. They are visiting a private kindergarten. The private kindergarten gave – with the consent of the legal guardians of the data subjects – a list to the municipality of its seat (the controller) which consisted of the name, date of birth and date of admission of all kids attending the kindergarten. Because the municipality did not want to bear the costs for children having their residence in another municipality, it sent a letter to all parents requesting them to take the letter to the municipality of their residence and ask for their financial support. This letter consisted of the already mentioned list as well as another list which additionally contained the days of absence, overall days and the calculated share of costs of each child. | ||
The controller did not ask the legal guardians of the data subjects for their consent before sending the letter out to all parents. | The controller did not ask the legal guardians of the data subjects for their consent before sending the letter out to all parents. | ||
The data subjects – represented by their legal guardians – filed a complaint with the DPA. The DPA sustained the complaint. | The data subjects – represented by their legal guardians – filed a complaint with the DPA. The DPA sustained the complaint. | ||
=== Holding === | |||
The Federal Administrative Court (Bundesverwatungsgericht – BVwG) upheld the decision of the DSB. | |||
The court concluded that the head of the kindergarten was a third party according to [[Article 4 GDPR#10|Article 4(10) GDPR]] with respect to the sending of the letters. The consent given to the head of the kindergarten did not extend to the municipality and did not encompass the disclosure of the data to the other legal guardians. | The court concluded that the head of the kindergarten was a third party according to [[Article 4 GDPR#10|Article 4(10) GDPR]] with respect to the sending of the letters. The consent given to the head of the kindergarten did not extend to the municipality and did not encompass the disclosure of the data to the other legal guardians. | ||
Latest revision as of 16:25, 2 February 2022
BVwG - W101 2208238-1 | |
---|---|
Court: | BVwG (Austria) |
Jurisdiction: | Austria |
Relevant Law: | Article 4(10) GDPR Article 6(1)(a) GDPR |
Decided: | 07.12.2021 |
Published: | 21.01.2022 |
Parties: | anonymous DSB (Austria) |
National Case Number/Name: | W101 2208238-1 |
European Case Law Identifier: | ECLI:AT:BVWG:2021:W101.2208238.1.00 |
Appeal from: | |
Appeal to: | |
Original Language(s): | German |
Original Source: | Rechtsinformationssystem des Bundes (RIS) (in German) |
Initial Contributor: | Heiko Hanusch |
The Federal Administrative court held that the consent given to a first controller under Article 6(1)(a) GDPR to transfer the data to a second controller does not extend to the transfer from the second controller to third parties, unless otherwise indicated by the circumstances of the case.
English Summary
Facts
The two data subjects of this case are minors. They are visiting a private kindergarten. The private kindergarten gave – with the consent of the legal guardians of the data subjects – a list to the municipality of its seat (the controller) which consisted of the name, date of birth and date of admission of all kids attending the kindergarten. Because the municipality did not want to bear the costs for children having their residence in another municipality, it sent a letter to all parents requesting them to take the letter to the municipality of their residence and ask for their financial support. This letter consisted of the already mentioned list as well as another list which additionally contained the days of absence, overall days and the calculated share of costs of each child.
The controller did not ask the legal guardians of the data subjects for their consent before sending the letter out to all parents.
The data subjects – represented by their legal guardians – filed a complaint with the DPA. The DPA sustained the complaint.
Holding
The Federal Administrative Court (Bundesverwatungsgericht – BVwG) upheld the decision of the DSB.
The court concluded that the head of the kindergarten was a third party according to Article 4(10) GDPR with respect to the sending of the letters. The consent given to the head of the kindergarten did not extend to the municipality and did not encompass the disclosure of the data to the other legal guardians.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Postal address: Erdbergstrasse 192 – 196 1030 Vienna Phone: +43 1 601 49-0 Fax+43 1 711 23-889 15 41 Email: einlaufstelle@bvwg.gv.at www.bvwg.gv.at DVR: 0939579 DECISIONS D A T U M 0 7 . 1 2 . 2 0 2 1 BUSINESS NUMBER W 1 0 1 2 2 0 8 2 3 8 - 1/5 E I M N A M E N D E R E P U B L I K ! The Federal Administrative Court, through the judge Dr. Christine AMANN as Chair and the expert lay judges MMag. dr Winfried PÖCHERSTORFER and Mag. Thomas GSCHAAR as assessor on the complaint of the mayor of the market town XXXX, represented by: Winkler & Riedl RAe OG, against the decision of the data protection authority of 07.08.2018, GZ. DSB-D122.840/0005-DSB/2018, rightly recognised: a) According to § 28 paragraph 2 VwGVG in conjunction with § 24 paragraph 1 and paragraph 5 DSG idgF as rejected without reason. b) The revision is not permitted according to Art. 133 Para. 4 B-VG. Reasons for decision: I. Procedure: With a letter dated January 3, 2018, improved with briefs dated January 28, 2018 and dated 02.02.2018, brought mj. XXXX , legally represented by Mrs. XXXX , and mj. XXXX ,, - 2 - legally represented by Mrs. XXXX (= involved parties before the Federal Administrative Court and applicant before the data protection authority), a Data protection complaint against the mayor of the market town XXXX (= Complainant before the Federal Administrative Court and respondent before the data protection authority) because their right to secrecy had been violated. They basically justified their data protection complaint as follows: The complainant had in a letter regarding the assumption of costs Childcare in a private kindergarten personal data of those involved Parties passed on to other legal guardians. Specifically, this letter is a list of all children attending the private kindergarten between September 2016 and August 2017 would have visited, stating the name, date of birth, address and entry as well as the date of leaving the kindergarten. With a statement dated February 21, 2018, the complainant led to the Concerned parties' privacy complaint essentially consisted of: Since the children of the "XXXX" kindergarten, including the parties involved, for majority do not have their normal place of residence in the municipal area of the seat municipality, of the market town XXXX , were forced for financial reasons to aliquot costs on the main residential communities of the visitors or their Share parents/guardians. For the fair distribution of the funding share be the market town XXXX a list with the data of the children or their been handed over to legal guardians by the management of the kindergarten. With a letter from the market town of XXXX to the legal guardians refers, among other things, to the extraordinary financial burden of the market town XXXX pointed out and the request been expressed to visit the communities of residence with the letter and to asking for their children's support. Since the list with all data (first name, last name, date of birth, entry date, possible exit date and addresses) from the was handed over to the management of the kindergarten, this list (supplemented by the pro rata contribution to costs) has been enclosed with the letter to the parents. The one from the The list (children's list) handed over to the management of the kindergarten is also in writing been settled. The market town of XXXX assumed that the parents would have given their consent for the lists to be handed over, especially since the lists had already been were handed over to the management of the kindergarten. With a statement dated March 14, 2018, the parties involved essentially gave the following:, - 3 - You would understand that the kindergarten gives the children's data to the community XXXX had to pass on, because without this data the municipality could not Enter into a cooperation agreement with the municipalities concerned. However be the conclusion that this constitutes the consent of the parties involved to the general use of this data is not correct. By decision of August 7th, 2018, GZ. DSB-D122.840/0005-DSB/2018, gave the Data protection authority of the data protection complaint of 01/03/2018 and found that the complainant thereby infringes the parties involved in their right to secrecy violated by the complainant personal data of those involved Parties, such as name, date of birth, address, entry date, minus days, total days and the corresponding share of costs, to legal guardians of others in the same kindergarten as the parties involved in the period from September 2016 to August 2017 transmitted to visiting children. In this decision, the data protection complaint made the following findings of fact: The complainant had one closer to all the guardians of the one designated kindergarten between September 2016 and August 2017 Children directed undated letter written in which the legal guardians to have been asked to bear the costs of childcare. In a list attached to this letter "Children's list […] September 2016 - August 2017". the following data of the parties involved: name, date of birth, address and entry date. In addition, the letter in question is accompanied by a further list “Cost allocation September 1st 2016 - August 31, 2017" attached to which the following data of the parties involved are attached can be taken from: name, date of birth, entry date, minus days, total days and cost share. The letter along with the mentioned lists are the legal guardians of the list named children have been transmitted. On the basis of these factual findings, the data protection authority concluded in from a legal point of view: About this data protection complaint is procedurally according to the new legal situation (DSG idF BGBl. I No. 24/2018) according to § 24 Para. 5 DSG. Substantive law is the However, the case after the date of the alleged infringement of the right Confidentiality, applicable provisions of §§ 1 to 9 DSG 2000, Federal Law Gazette I No. 165/1999 as amended Federal Law Gazette I No. 83/2013., - 4 - According to § 1 para. 2 DSG 2000, the actual transmission is required personal data of the complainants to legal guardians of others children attending the same kindergarten as the involved parties legal basis. However, such a thing was neither mentioned by the complainant in his statement before the Data protection authority mentioned XXXX in the justification of § 8 DSG 2000 recognizable and is also not claimed by the complainant. The complainant's argument that he had assumed that the Parents would have given their consent to the handover of the lists, do not change anything that is for the Consent of the parties involved to the transfer in question within the meaning of § 4 Z 14 in connection with § 8 para. 1 Z 2 DSG 2000 would not have resulted in any indications in the proceedings. If the complainant further claims in this context that the Data was only given among parents who knew each other well and would see each other on a daily basis are, nothing can be gained from this argument either, as it is assumed that not all legal guardians are aware of all transmitted data. Irrespective of this, a breach of data protection law cannot be cured even then become when the children's personal data concerned through conversations between the legal guardians are known. The appeal was therefore allowed according to the verdict. In the timely complaint against this decision, the Complainant essentially before: The complainant had to assume that the management of the private kindergarten the relevant clarifications would have been made. Essei to be assumed that before the data is transmitted to the complainant, the Management have coordinated the data with the children's legal guardians and the legal guardians give their consent for the disclosure and use of their data would have granted. In addition, the management of the private kindergarten did not say so been informed that the data or that the municipality does not contact the parents and may transmit the information. In addition, all those affected (parents and children) have a common interest in the The continued existence of the kindergarten and the data transfer is exclusively in the interest of Parents and in the public interest, so that the financeability of the private kindergarten will be secured. The notification made by the municipality was been necessary so that the kindergarten could continue to operate and - 5 - Affordability is secured and is an overriding factor within the meaning of Section 1 (2) DSG 2000 interest of the complainant given that the data had been passed on. In addition, the justifications according to § 8 DSG 2000 are fulfilled because In principle, the municipality of residence is responsible for the financing of kindergartens be, but in the present case children from other communities attend the kindergarten would have frequented and the data determination/transmission within the meaning of § 8 Para. 1 Z 1 DSG 2000 had been required. It can also be assumed that the parents would have given their consent and be of this Reason also the exception according to § 8 Abs. 1 Z 2 DSG 2000 fulfilled. Furthermore, the disclosure was in the exclusive interest of those affected and would be the exception according to § 8 para. 1 Z 3 DSG 2000 to be used. Finally, the complainant has an overriding interest within the meaning of § 8 para. 1 no. 4 DSG 2000, because a municipality only financially for the kindergarten care of children could be held responsible who also have their place of residence in the municipality and the complainant could not bear the costs for other municipalities. be this in the interest of the "own" community citizens, which is why iSd § 8 para. 3 Z 1, Z 3 to 5 DSG 2000 the transmission of the data violated confidentiality interests that are not worthy of protection and the authority concerned would have had to weigh up the interests involved, what did not happen. The complainant thus submitted the applications that the Federal Administrative Court should 1. Decide on the matter yourself and rectify the contested decision without replacement; 2. in eventu rescind the contested decision with a resolution and the matter refer back to the data protection authority to issue a new decision and 3. conduct an oral hearing. With a letter from the data protection authority dated October 18, 2018, the complaint was Administrative act sent to the Federal Administrative Court. II. The Federal Administrative Court considered: 1. Findings: In their data protection complaint dated January 3, 2018, the parties involved improved with pleadings dated January 28, 2018 and February 2, 2018, asserted, you, - 6 - had been violated in their right to secrecy because the complainant in Frame of a letter regarding the assumption of the costs of childcare in one private kindergarten to personal data of the parties involved Legal guardians of others use the same kindergarten as the parties involved in the Passed on to visiting children between September 2016 and August 2017. Specifically, this letter is a list of all children who attended the private kindergarten in the period from September 2016 to August 2017, stating the name, des date of birth, address and the entry and exit dates for the kindergarten been taken. The complainant sent a letter to all of the children's legal guardians, which " XXXX "-kindergarten between September 2016 and August 2017, written. The following list was attached to this letter: - "Children list XXXX September 2016 - August 2017" with name, date of birth, address and entry date of the parties involved; - "Cost allocation September 1, 2016 - August 31, 2017" with name, date of birth, Entry date, negative days, total days and cost shares of the parties involved. It is certain that the complainant neither in writing nor implied consent from Parents of the involved parties obtained for the processing of the personal data has. It can therefore be stated as decisive that the complainant is the co-involved Parties through the processing (here: the disclosure through transmission) of the above two mentioned lists with personal data violated in their right to secrecy has. 2. Evidence assessment: The findings on the relevant facts result from the administrative act complaint and the court record. For the competent senate, it is indisputable that the lists in question personal data of the involved parties without the consent of their parents other legal guardians of the children attending the kindergarten from Complainants were processed by sending a letter., - 7 - With this in mind, the above statements were made. 3. Legal assessment: 3.1. According to Art. 130 Para. 1 Z 1 B-VG, the administrative courts decide on complaints against the decision of an administrative authority due to unlawfulness. According to § 6 BVwGG, the Federal Administrative Court decides through a single judge, provided that Federal or state laws do not provide for the decision to be made by senates. According to § 27 paragraph 1 DSG, the Federal Administrative Court decides through the Senate Complaints against decisions due to violation of the duty to inform according to § 24 para. 7 leg.cit. and the duty of the data protection authority to make a decision. According to § 27 paragraph 2 first According to the DSG sentence, the senate consists of a chairman and a competent lay judge from the group of employers and from the group of employees. In this case, the Senate is responsible. The procedure of the administrative courts with the exception of the Federal Finance Court is through the VwGVG, Federal Law Gazette I 2013/33 as amended by Federal Law Gazette I 2013/122 (§ 1 leg.cit.). According to § 58 paragraph 2 VwGVG remain conflicting provisions at the time of entry into force of this federal law have already been made public. According to § 17 VwGVG, unless otherwise specified in this federal law, Procedure for complaints according to Art. 130 Para. 1 B-VG with the provisions of the AVG Exception to §§ 1 to 5 and part IV, the provisions of the Federal Fiscal Code - BAO, Federal Law Gazette No. 194/1961, of the Agricultural Procedures Act - AgrVG, Federal Law Gazette No. 173/1950, and of the Service Law Procedure Act 1984 – DVG, Federal Law Gazette No. 29/1984, and otherwise those procedural provisions in federal or state laws mutatis mutandis apply, which the authority in the proceedings before the administrative court has applied or should have applied in previous proceedings. 3.2. According to § 31 paragraph 1 VwGVG, the decisions and orders are made by Decision, insofar as no knowledge is to be made. According to § 28 para. 1 VwGVG, the administrative court has the legal matter by cognizance deal with, provided that the complaint is not to be dismissed or the proceedings are to be discontinued. According to § 28 para. 2 VwGVG, the administrative court then has to deal with complaints on the merits to decide for themselves when the relevant facts have been established or the determination of - 8 - relevant facts by the administrative court itself in the interest of speed located or associated with significant cost savings. 3.3. to A) 3.3.1. Applicable Law The data protection complaint from January 3, 2018, which initiated the procedure, was at the time of Pending entry into force of the GDPR on May 25, 2018 at the data protection authority. In such a case, according to the DSG 2000, the data protection authority had the pending Procedure according to § 69 paragraph 4 DSG idgF "according to the provisions of this federal law and of the GDPR”. According to leg. cit. the data protection authority already has the new one in the present case Legal situation (DSG and DSGVO) had to apply. As a result is also dated Federal Administrative Court to apply the new legal situation. 3.3.1.1. The relevant provisions of the GDPR Article 4 definitions For the purposes of this Regulation, the term means: 1. “Personal Data” any information relating to an identified or identifiable natural person (hereinafter "data subject"); as identifiable is a natural person who, directly or indirectly, in particular by means of assignment to an identifier such as a name, to a identification number, to location data, to an online identifier or to a or several special characteristics can be identified that express the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person; 2. "Processing" any carried out with or without the aid of automated procedures Process or any such series of processes in connection with personal data Data such as collection, recording, organization, ordering, storage, the adaptation or modification, the reading, the query, the use, the Disclosure by transmission, dissemination or any other form of Providing, matching or linking, restricting, deleting or the annihilation; 3rd-6th (...) 7. "Responsible person" the natural or legal person, authority, institution or other body, alone or jointly with others, over the ends and means of processing of personal data decides; are the ends and means this processing by Union law or the law of the Member States specified, the person responsible or the specific - 9 - Criteria for its designation under Union law or the law of Member States are provided; 8th. (…) 9. "Recipient" a natural or legal person, public authority, agency or other body to which personal data is disclosed, regardless of whether it is a third party or not. Authorities, as part of a specific investigation order under Union law or the law of Member States may receive personal data, however, apply not as recipient; the processing of this data by the named authorities takes place in accordance with the applicable data protection regulations according to the purposes the processing; 10. "Third party" means a natural or legal person, authority, institution or other Body, apart from the person concerned, the person responsible, the processor and the persons who are under the direct responsibility of the person responsible or the processor are authorized to process the personal data process; 11. "Consent" of the data subject any voluntary for the specific case, in informed and unequivocal declaration of intent a statement or other unequivocal affirmative action by which the data subject indicates that they consent to the processing of them agrees to the personal data concerned; 12.- 26. (…) Article 5 Principles for the processing of personal data (1) Personal data must a) lawfully, fairly and in a manner that is fair to the data subject be processed in a comprehensible manner ("lawfulness, processing in good faith faith, transparency”); b) collected for specified, explicit and legitimate purposes and not in a further processed in a way that is incompatible with those purposes; one Further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes applies in accordance with Article 89(1) not considered incompatible with the original purposes ("purpose limitation"); c) adequate and relevant to the purpose and necessary for the purposes of the processing be limited to what is necessary ("data minimization"); d) accurate and, where necessary, up to date; it is all to take reasonable measures to ensure that personal data with regard to the purposes of their processing are incorrect, be erased or rectified immediately ("Accuracy"); e) stored in a form that permits the identification of data subjects only for as long as is necessary for the purposes for which they are processed; personal data may be stored longer if the personal Data subject to the implementation of appropriate technical and organizational Measures taken by this regulation to protect the rights and freedoms of data subject may be required, exclusively for matters that are in the public interest, - 10 - Archival purposes or for scientific and historical research purposes or for statistical purposes are processed in accordance with Article 89 paragraph 1 ("storage limitation"); f) processed in a way that ensures adequate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, accidental destruction or accidental damage by appropriate technical and organizational measures Measures (“Integrity and Confidentiality”); (2) The person responsible is responsible for compliance with paragraph 1 and must Be able to demonstrate compliance (“accountability”). Article 6 lawfulness of processing (1) The processing is only lawful if at least one of the following conditions are met: a) the data subject has given their consent to the processing of data concerning them personal data given for one or more specific purposes; b) the processing is necessary for the performance of a contract to which the data subject is required, or to carry out pre-contractual measures be made at the request of the data subject; c) the processing is necessary for compliance with a legal obligation which the controller is subject; d) the processing is necessary to protect the vital interests of the data subject protect any person or other natural person; e) the processing is necessary for the performance of a task that is is in the public interest or in the exercise of public authority which has been delegated to those responsible; f) the processing is to protect the legitimate interests of the person responsible or a third party, unless the interests or fundamental rights and Fundamental freedoms of the data subject requiring the protection of personal data, prevail, especially when the data subject is a child acts. Point (f) of the first subparagraph shall not apply to public authorities in the performance of their duties processing carried out. (2) Member States may adopt more specific provisions adapting the Application of the provisions of this Regulation in relation to processing for fulfilment of paragraph 1 letters c and e maintained or introduced by specific Specify requirements for processing and other measures more precisely in order to ensure lawful and fair processing, including for other special processing situations in accordance with Chapter IX. (3) The legal basis for the processing pursuant to paragraph 1 letters c and e set by a) Union law or b) the law of the Member States to which the controller is subject. The purpose of the processing must be specified in this legal basis or with regard to the processing pursuant to paragraph 1 letter e for the performance of a task be necessary, which is in the public interest or in the exercise of public authority takes place, which has been transferred to the person responsible. This legal basis may contain specific, - 11 - contain provisions for adapting the application of the provisions of this regulation, among other things, provisions on what general conditions for the scheme the lawfulness of the processing by the controller, what types of Data is processed, which persons are affected, to which institutions and for which purposes the personal data may be disclosed, which They are subject to earmarking, how long they may be stored and which ones Processing operations and methods may be used, including Measures to ensure a lawful and good faith Processing, such as those for other special processing situations in accordance with Chapter IX. Union law or the law of the Member States must be in the public interest objective and in proportion to the legitimate objective being pursued purpose stand. (4) Is the processing based on a purpose other than that for which the personal data were collected, not on the consent of the data subjects person or on a legal basis of the Union or of the Member States in a democratic society a necessary and proportionate measure of protection of the objectives referred to in Article 23(1), the controller shall take into account - to determine whether the processing is for a different purpose than that for which the personal data was originally collected is compatible, among other things a) any link between the purposes for which the personal data were collected and the purposes of the intended further processing, b) the context in which the personal data was collected, in particular with regard to the relationship between the persons concerned and the responsible, c) the type of personal data, in particular whether special categories personal data are processed in accordance with Article 9 or whether personal Processes data on criminal convictions and offenses in accordance with Article 10 will, d) the possible consequences of the intended further processing for the persons concerned Persons, e) the existence of appropriate guarantees, including encryption or Pseudonymization may include. 3.3.1.2. The relevant provisions of the DSG article 1 (constitutional provision) fundamental right to data protection § 1. (1) Everyone has, in particular with regard to respect for his private and family life, right to confidentiality of personal data concerning him Data insofar as there is a legitimate interest in it. The existence of such Interest is excluded if data due to their general availability or because of their lack of traceability to the person concerned secrecy claim are not accessible. (2) Insofar as the use of personal data is not in the vital interest of the person concerned or with his consent, limitations of the right to Confidentiality only to protect overriding legitimate interests of another, - 12 - permissible, in the event of interference by a state authority only on the basis of laws that from the in Art. 8 para. 2 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (EMRK), Federal Law Gazette No. 210/1958, are necessary. such Laws prohibit the use of data that, by their nature, deserve special protection, only provide for the protection of important public interests and must at the same time appropriate guarantees for the protection of the confidentiality interests of the persons concerned determine. Even in the case of permissible restrictions, the encroachment on the fundamental right may in each case only be undertaken in the mildest, most effective way. (...) Complaint to the data protection authority Section 24. (1) Every data subject has the right to lodge a complaint with the data protection authority, if she believes that the processing of personal data concerning her Data violates the GDPR or § 1 or Article 2 1st main part. (2) The complaint must contain: 1. the designation of the right deemed to have been infringed, 2. as far as this is reasonable, the designation of the legal entity or body to which the alleged infringement is attributed (respondent), 3. the facts from which the infringement is derived, 4. the grounds on which the allegation of illegality is based, 5. the desire to determine the alleged infringement and 6. the information necessary to assess whether the complaint is timely is introduced. (3) A complaint may include the application on which it is based and any Attach the Respondent's response. In the event of a Complaint to provide further assistance at the request of the data subject. (4) The right to have a complaint dealt with expires if the intervener fails to do so within one year after becoming aware of the adverse event, but at the latest within three years after the event is said to have taken place has, brings in. Late complaints are to be rejected. (5) If a complaint proves to be justified, it must be followed. Is a Injury to be attributed to a person responsible for the private sector, so is this to comply with the complainant's requests for information, correction, deletion, Restriction or data transfer to the extent necessary to comply to remedy the identified infringement. As far as the complaint as not proves to be justified, it is to be rejected. (6) A respondent may, until the conclusion of the proceedings before the Data protection authority subsequently eliminate the alleged infringement by Complies with the complainant's requests. If the data protection authority sees the If the complaint is irrelevant, it must hear the complainant about it. At the same time, it is important to draw attention to the fact that the data protection authority informally if he does not explain why within a reasonable period of time he still considers the originally claimed violation of rights to be at least partly non-existent considered eliminated. Does such a statement by the complainant settle the matter changed in essence (§ 13 para. 8 AVG), then the withdrawal of the original complaint and the simultaneous filing of a new complaint to go out In this case, too, the original complaint procedure is to be discontinued informally, - 13 - and to inform the complainant thereof. Late statements are not allowed consider. (7) The complainant will be addressed by the data protection authority within three months the complaint about the status and the result of the investigation. (8) Any person concerned may refer the matter to the Federal Administrative Court if the Data Protection Authority does not deal with the complaint or the data subject does not within three months of the status or outcome of the complaint lodged in has given notice. (9) The data protection authority can – if necessary – appoint official experts in the procedure call in (10) The decision period according to § 73 AVG does not include: 1. the time during which the proceedings until the final decision on a preliminary question is exposed; 2. the time during a procedure according to Art. 56, 60 and 63 DSGVO. 3.3.2.According to the constitutional provision of Section 1 Paragraph 1 DSG, everyone, in particular in view of respect for private and family life, right to secrecy of personal data concerning him, insofar as a protection worthy there is a confidentiality interest in it. Under personal data worthy of protection are not only easily recognizable as personal in this context to understand information such as a person's name, gender, address or place of residence, but, for example, value judgments and thus absolutely personal information. All personal data - i.e. both automatically processed data as well as manual data - if there is a legitimate interest in confidentiality, kept secret or processing of this data is inadmissible. The central starting point, whether a fundamental right claim according to § 1 para. 1 DSG exists at all is the existence of "worthy of protection" interests. During their examination carry out a balancing of interests. The data protection regulations apply here in particular to take account of the principles of legality and proportionality. The parties involved have asserted in the present data protection complaint claimed that their right to confidentiality of personal data had been violated been because the complainant in a letter regarding the Assumption of the costs of childcare in a private kindergarten Data of the involved parties to legal guardians of others the same Kindergarten like the parties involved in the period from September 2016 to August passed on to visiting children in 2017. Specifically, this letter is a list of all Children who attended the private kindergarten in the period from September 2016 to August 2017 - 14 - would have, stating the name, date of birth, address and the date of entry and exit date to kindergarten. According to Art. 6 Para. 1 GDPR, the processing of personal data is lawful if if, among other things, the data subject has given their consent to the processing of data relating to them provided personal data for one or more specific purposes or who processing is necessary for compliance with a legal obligation, which Responsible subject. First of all, it should be noted that the transmission of the personal data of parties involved is not legally covered by the XXXX submitted by the complainant, which was also not mentioned by the complainant. The complainant is responsible for the affected parents of those involved Parties before sending the letter with the attached objective lists their (written or implied) consent to the processing of their personal data data collected. The specific content of this letter is therefore irrelevant. If the complainant claims that he assumed that the parents of the involved parties would agree to their personal data to send other legal guardians of the children attending the kindergarten because the The head of the private kindergarten gave him the two lists, the following is the following counter: As the head of the private kindergarten (with the consent of those affected) the complainant provided the two lists, did not foresee them may require that the complainant at a later date the lists in question would process to other legal guardians by sending a letter. the In the given case constellation, the head of the private kindergarten is a "third party" in the sense of the Definition of Art. 4 Z 10 GDPR. The responsible senate therefore comes to the conclusion that the complainant as Person responsible for the personal data of the parties involved through the Sending the letter together with the two relevant lists to others Legal guardians of the children attending the kindergarten inadmissibly has processed (here: disclosure through transmission) and thereby the people involved parties violated their right to secrecy., - 15 - Since the contested decision is illegal within the meaning of Art. 130 para. 1 Z 1 B-VG is not adhered to, the complaint raised against it was according to § 28 para. 2 VwGVG to be rejected in connection with Section 24 (1) and (5) DSG as amended. 3.4. Pursuant to § 24 para. 1 VwGVG, the administrative court shall, upon application or if it is required to do so for deems it necessary to hold a public oral hearing ex officio. The complainant has indeed submitted an application for the implementation of a public hearing, however, in the present case, the omission of a oral hearing based on the fact that the facts of the case from the file was resolved. The Federal Administrative Court had only one legal question recognize (cf. ECHR June 20, 2013, Appl. No. 24510/06, Abdulgadirov/AZE, margin nos. 34ff). Also after the jurisprudence of the Constitutional Court may hold an oral hearing be omitted if the facts are undisputed and the legal issue is not of a particular nature Complexity is (VfSlg. 17.597/2005; VfSlg. 17.855/2006; most recently VfGH 18.06.2012, B 155/12). From the implementation of a verbal hearing was therefore according to § 24 paragraph 1 and paragraph. 4 VwGVG. 3.5. Re B) Inadmissibility of the revision: According to § 25a Abs. 1 VwGG, the administrative court in the ruling of its knowledge or Pronounce a resolution as to whether the revision is permissible in accordance with Art. 133 Para. 4 B-VG. the Statement must be briefly justified. The revision is not permitted according to Art. 133 Para. 4 B-VG because the decision is not from the solutionofalegalissuedependsoffundamentalimportance the present decision from the previous case law of the administrative court, there is still no case law; further is the present case law of the Administrative Court also not as inconsistent judge. There are also no other indications of a fundamental importance of the solving legal question.