Latest revision as of 14:36, 2 July 2022
BVwG - W258 2247028-1 | |
---|---|
Court: | BVwG (Austria) |
Jurisdiction: | Austria |
Relevant Law: | Article 58(2) GDPR § 24 DSG |
Decided: | 29.04.2022 |
Published: | 03.06.2022 |
Parties: | anonymous DSB |
National Case Number/Name: | W258 2247028-1 |
European Case Law Identifier: | ECLI:AT:BVWG:2022:W258.2247028.1.00 |
Appeal from: | |
Appeal to: | |
Original Language(s): | German |
Original Source: | Rechtsinformationssystem des Bundes (RIS) (in German) |
Initial Contributor: | Heiko Hanusch |
The Federal Administrative Court of Austria held that the Austrian Data Protection Authority only has the power to declare processing activities unlawful in proceedings following a complaint, and not when they were initiated by the DSB itself.
English Summary
Facts
The controller is an employer who allegedly surveilled its employees' work phones and work email accounts from January until March 2021. The DSB (Austrian Data Protection Authority) heard of this conduct in media reports and initiated an ex officio investigation into the matter on 31 March 2021. On 29 July 2021 the DSB adopted an administrative act in which it declared the processing of the controller unlawful.
The controller initiated court proceedings against the act, claiming that its conduct was lawful and that the DSB - neither under national law nor under the GDPR - had the power to declare the processing unlawful. It argued that Article 58(2) GDPR does not provide a DPA with such a power, because "declaring the unlawfulness" is not listed there. Moreover, § 24 DSG (Austrian Data Protection Act), which provides the DPA with the power to make such a declaration, only applies to proceedings which were initiated by a complaint and not by the DSB itself.
Holding
The Federal Administrative Court (Bundesverwaltungsgericht – BVwG) decided in favour of the controller and set the administrative act aside. It found that there is no provision in national law or the GDPR that gave the DSB the power to declare the processing unlawful.
The court first established that § 24 DSG, which provides the DSB with such a power, only applies to complaint proceedings and not ex officio proceedings. The court also rejected an analogous application of § 24 DSG, because it found that the legislator purposefully regulated complaint and ex officio proceedings differently so that there is no room for an analogous application. Moreover, it reasoned that in a complaint proceeding there is a data subject who may have a legal interest in the declaration in order to pursue further individual claims against the controller like a claim for damages; in ex officio proceedings no such interest exists.
The court further found that there is no legal basis in the GDPR either, since Article 58(2) GDPR does not include a power to declare the processing unlawful, but only the power to issue a reprimand or to fine the controller.
Comment
The BVwG mainly based its holding on a decision (Ro 2020/04/0032-8) by the Supreme Administrative Court of Austria (Verwaltungsgerichtshof – VwGH) regarding the same subject matter. However, in my opinion, both Austrian courts were incorrect. German courts and scholars (see Grittmann in Taeger/Gabel, DSGVO - BDSG – TTDSG, Art. 58 Para 24) are of the opinion that a reprimand under Article 58(2)(b) GDPR entails a declaration of unlawfulness. According to this view, a reprimand consists of two parts: the declaration that the processing was unlawful and the warning that the controller should not violate the GDPR again. Therefore, by way of an argumentum a fortiori (a maiore ad minus), it may be concluded that a DPA actually has the power to declare the processing unlawful.
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Postal address: Erdbergstrasse 192 – 196, 1030 Vienna
Phone: +43 1 601 49-0 Fax: +43 1 711 23-889 15 41
Email: einlaufstelle@bvwg.gv.at www.bvwg.gv.at
DECISION DATE: 29.04.2022
BUSINESS NUMBER: W258 2247028-1/11E
IN THE NAME OF THE REPUBLIC!
The Federal Administrative Court has judge Mag. Gerold PAWELKA-SCHMIDT as Chairman and the expert lay judges Dr. Gerd TRÖTZMÜLLER and Gerhard RAUB as assessor on the complaint of XXXX, represented by CERHA HEMPEL Rechtsanwälte GmbH, 1010 Vienna, against the decision of the data protection authority of July 29, 2021, GZ DSB-D213.1303 2021-0.412.072, in circulation on a data protection matter rightly recognised:
A) The complaint will be followed and the notice will be removed without replacement.
B) The revision is not permitted according to Art. 133 Para. 4 B-VG.
Reasons for decision:
I. Procedure:
1. Based on media reports that the complainant (in the proceedings before the Data protection authority "responsible") company mobile phones and company e-mail accounts some of their employees is said to have been monitored by the relevant authority on March 31, 2021 ex officio investigation proceedings initiated against the complainant and asked her, within three weeks, various questions about the procedure and the extent of the monitoring as well as to answer about a obtained consent and to present related documents.
2. In a letter dated April 28, 2021, the complainant submitted various documents Declarations of consent and non-disclosure clauses and answered the questions summarized as follows: In the course of the sale of a business unit, a competitive bidding process lasting several months. Just before the end of Negotiations there was a "leak" in which strictly confidential information of the bidding process had become public, causing the complainant damage in millions had been created. The board of the complainant then had a internal investigation initiated.
The purpose of the investigation is to clarify the facts and the relief of the suspected employees. For this are the official e-mail accounts - after obtaining the consent of the persons concerned certain keywords, as well as in the partially anonymous Individual call records of the employees involved have been inspected. The Complainant was under company law to an investigation of the facts been obliged to comply with data protection regulations have performed.
3. With a decision dated July 29, 2021, the relevant authority stated that "the ex officio Inspection method was authorized and it is found that processing personal data of 73 individuals between January and March 2021 for purposes internal investigations based on the stated justification facts (§ 1 Abs. 2 DSG, Article 6 paragraph 1 lit. a and alternatively lit. f GDPR) was unlawful."
As a reason, the relevant authority summarized the consent obtained was due to the imbalance between the complainant as an employer and the employees as their employees is not made voluntarily and is therefore invalid. Since the If the legal basis for the processing cannot be changed later, the Complainant also does not base the data processing on the permission of the "legitimate interest" according to Art 6 Para 1 lit f GDPR. The data processing can but in any case not based on Art. 6 Para. 1 lit f GDPR, because relevant Legislation should have been complied with, which was not the case. So is subject to the investigation carried out as a control measure which the touch human dignity, the consent of the works council, which the complainant have not caught up.
4.
The present complaint of August 27, 2021 is directed against this decision Procedural errors and substantive illegality in which the complainant requested that the Federal Administrative Court decide in the matter itself and determine that the processing by the complainant was lawful, in eventu revoke the contested decision and issue a new decision referred back to the relevant authority.
In essence, the complainant submitted that the authority concerned had the Facts insufficiently determined and incorrectly legally assessed, especially in relation on the voluntariness of the consent obtained from the employees. Also have the competent authority violated the surprise ban because for the Complainant had not been foreseeable that the last of 18 questions asked will be particularly relevant to the decision and they also have the proceedings are expected to be discontinued after the questions have been answered. About that Furthermore, the verdict of the notice was too vague. Contrary to the view of those concerned Authority it is also permissible to process data with several permissions to secure. There was also no company agreement or The works council's consent is required, which the complainant claims with a have substantiated legal opinions. Regarding the admissibility of several Justification reasons, the necessity of a works agreement and the admissibility of consent to data processing in employment relationships encourage them to do so to request a preliminary ruling from the ECJ.
5. The data protection authority submitted the complaint to the adjudicating court Connection of the administrative act with a brief dated October 4th, 2021, received on 05.10.2021, and stated in summary that the complainant had relevant time of data collection from the staff exclusively on the Justification of the consent under Art 6 Para 1 lit a GDPR supported.
The Officials could not have expected that the consent would only be "pro forma" will be obtained and processing, regardless of consent - based on a legitimate interest according to Art 6 Para 1 lit f GDPR -, nevertheless takes place. It is inadmissible in the event of problems with the consent, subsequently refer to other justifications to support. In this respect, the complainant's arguments are justified Interest according to Art 6 Para 1 lit f GDPR and the explanations of the submitted legal opinion into emptiness. Furthermore, the Respondent is all investigation results essential to the decision have been disclosed and they have to do so be able to comment on why the objection of the ban on surprises is misguided.
6. In a brief dated November 18, 2021, the complainant summarized that not all affected employees would be subject to the ArbVG. The authority concerned have the decision-relevance of the existence of a works agreement is not sufficient communicated, as a result of which the complainant had been deprived of the opportunity to to submit an expert opinion on this subject, which was already available before the decision was issued. Furthermore, neither the verdict nor the reasoning indicated "which Processing(s) of which personal data […] with regard to which employees due to which specific circumstances should have been unlawful", whereby this be too vague. With the consent obtained from the employees, the relevant authority only selectively and in a generalizing manner, without considering the circumstances of the to enter into individual cases that would speak in favor of the voluntary nature of the consent. The complainant does not have the legal basis for the use of the data later changed, rather all employees are the internal ones Data protection guidelines known, which inform that the complainant at Violations of laws or company policies Inspection of documents and can take correspondence.
7.
The authority concerned responded with a brief about hearings from the parties on November 26, 2021 December 20, 2021, essentially as before.
8. Based on the decree of the hg business allocation committee of December 16, 2021 the case was taken from Judicial Division W211 and Judicial Division W258 reassigned as of 01/03/2022.
9. With a hearing of April 11, 2022, the authority concerned was informed of the decision of the Administrative Court of December 14, 2021, Ro 2020/04/0032, that she did not have any in an officially initiated examination procedure Competence to determine infringements in a manner capable of having legal force, why the notice would have to be remedied without replacement.
9. In a brief dated April 25, 2022, the authority concerned submitted that The finding cited is not applicable to the case in question because the decision of the data protection authority on an ongoing infringement reason. In the present case, however, the infringement has already been completed and thus (also) a violation of § 1 DSG has been agreed. It is not justifiable, which is why, in the case of identical facts, one in the past and already Completed violation of rights in the case of an individual complaint according to § 1 in conjunction with § 24 DSG, cannot, however, be determined in an official examination procedure. It is typical for violations of the fundamental right to data protection according to § 1 DSG that they already Are completed. However, the Austrian (constitutional) legislature could not be assumed to issue a provision that cannot be enforced ex officio, because Article 58 (2) GDPR does not provide for a corresponding right to remedy the situation. Therefore have the Decision of the competent authority - in contrast to the decision, which said knowledge of the Administrative Court is based - also contain only one ruling and not several.
In general, Art 58 GDPR only applies to currently existing or to interpret possible legal infringements in the future. Ultimately, a violation of the GDPR should be discussed in the form of a notification, so that both in official proceedings and in individual proceedings for those subject to the law the possibility of an appeal in the sense of legal protection is open.
Evidence was collected by inspecting the administrative file.
II. The Federal Administrative Court considered:
1. The following facts are established: With a decision dated July 29, 2021, the relevant authority spoke in an officially initiated manner Examination procedure on the admissibility of data use by the complainant away. The statement of the notice reads: "The official examination procedure was justified and it is determined that the Processing of personal data of 73 individuals between January and March 2021 for the purposes of internal investigations based on the information provided Justification facts (§ 1 Abs. 2 DSG, Art. 6 Abs. 1 lit. a and alternatively lit. f GDPR) was unlawful."
2. The findings result from the following assessment of evidence: The findings are based on the harmless administrative act.
3. Legally it follows: The admissible complaint is justified.
3.1.
Regarding the relevant legal provisions:
Article 58 GDPR entitled "Powers" reads: "[…]
(2) Each supervisory authority shall have all of the following remedial powers that allow her
a) to warn a controller or a processor that intended processing operations are likely to violate this regulation violate
b) to warn a controller or a processor if he is using processing operations has violated this regulation,
c) instruct the controller or the processor to comply with the requests of the data subject to exercise the rights to which they are entitled under this regulation correspond to,
d) instruct the controller or the processor to Processing operations, if necessary, in a specific way and within a to bring them into line with this regulation within a certain period of time,
e) to instruct the person responsible of a breach of protection to notify the data subject of personal data accordingly,
f) a temporary or permanent restriction of processing, including a ban on imposing
g) the correction or deletion of personal data or the Restriction of processing pursuant to Articles 16, 17 and 18 and the Informing the recipients to whom these personal data pursuant to Article 17 paragraph 2 and Article 19 were disclosed to order such measures,
h) to revoke a certification or to instruct the certification body to revoke the certification granted in accordance with Articles 42 and 43, or the instruct certification bodies not to issue certification if the Requirements for certification are not or no longer met,
i) to impose a fine pursuant to Article 83, in addition to or instead of in measures referred to in this paragraph, depending on the circumstances of the individual case,
j) the suspension of the transfer of data to a recipient in a third country or to an international organization.
[…]
(6) Any Member State may provide by law that its Supervisory authority in addition to the powers listed in paragraphs 1, 2 and 3 has additional powers.
The exercise of these powers shall not be effective impair the implementation of Chapter VII."
Section 24 DSG entitled "Complaint to the data protection authority" reads: "Section 24.
(1) Every data subject has the right to lodge a complaint with the Data Protection Authority when it considers that the processing of you personal data concerned against the GDPR or against § 1 or article 2 1. Chapter violates.
(2) The complaint must contain: […] 5. the desire to determine the alleged infringement [...]
(5) If a complaint proves to be justified, it must be followed. Is a Injury to be attributed to a person responsible for the private sector, so is this to comply with the complainant's requests for information, correction, deletion, restriction or data transfer to the extent which is required to eliminate the identified infringement. As far as the If the complaint proves to be unjustified, it must be dismissed."
3.2. Applied to the situation, this means: The authority concerned has to deal with the challenged decision in an ex officio manner initiated test procedure agreed that the ex officio test procedure is justified had been and established that the processing of personal data by 73 Persons between January and March 2021 for the purpose of internal investigations based on various stated facts of justification was unlawful.
However, the authority concerned has no legal basis for a self-employed person Objection to the possible authorization to carry out a procedure within the meaning of Art 58 para 2 GDPR or the possible illegality of the respective cause Processing operation: Art 58 DSGVO contains no express legal basis for an independent determination of the possible illegality of a data protection law relevant processing operation in a procedure initiated ex officio by the Data Protection Authority.
§ 24 DSG in turn regulates what you think in your opinion Right to protection of the personal data concerning them Individual complaint and is thus officially on the of the data protection authority initiated proceedings not directly applicable. (VwGH 14.12.2021, Ro 2020/04/0032)
Also an analogous application of § 24 DSG, which the data protection authority Competence grants, in the case of individual complaints, violations of data protection law legally binding, on examination procedures initiated ex officio, separates in the absence of an unplanned gap, because the legislature has the powers of Data protection authority aware of individual complaints and official intervention has regulated differently (see also VwGH 14.12.2021, Ro 2020/04/0032 mwN).
3.3. The objections of the authority concerned are not convincing.
3.3.1. If the authority concerned believes that the previously cited finding of Administrative Court of December 14, 2021, AZ Ro 2020/04/0032, on the subject matter case is not applicable because the Administrative Court in this decision only has dealt with ongoing violations of the law, which Infringements of rights in the case in question have already been completed is her to counter that the Verwaltungsgerichtshof in the above-mentioned decision also dealt with infringements that had already been completed, namely with the transfer of personal data to third parties (margin no. 3).
3.3.2. However, the authority concerned must be agreed that the Administrative Court in this decision only on violations of the GDPR, but not - as here - referred to a violation of § 1 DSG. But that means nothing to her win, because the main considerations of the Administrative Court also refer to violations can be taken over against § 1 DSG: Regarding the procedural rules and the competence of the data protection authority the Data Protection Act makes no difference whether a breach of the GDPR or the § 1 DSG is objective.
With regard to violations of § 1 DSG, there is no express legal basis for the authority concerned, infringements in one officially initiated procedures in a legally binding manner. An analogous application of § 24 DSG (only there - apart from the one here not relevant § 22 para. 6 DSG - a determination competence of the data protection authority standardized) is excluded in the case of violations of § 1 DSG, because the statements of the VwGH, according to which the Legislators of the possibility of Art. 58 Para. 6 GDPR, according to which each Member State through Legislation can provide that its supervisory authority, in addition to the provisions of Art. 58 para 1, 2 and 3 GDPR has additional powers according to the Materials on § 22 DSG deliberately not used (cf. AB 1761 BlgNR 25. GP, 14), which is why he extends the powers of the data protection authority to individual complaints and official intervention deliberately regulated differently, which is why an analogy due to a lack of gaps contrary to the plan, also apply to procedures that refer to § 1 DSG support.
With the same justification, the Administrative Court also has that in this decision - argument now used by the authority concerned that it is not comprehensible why the authority concerned in proceedings on individual complaints, but not has a determination authority in procedures initiated ex officio.
If the authority concerned argues that it is typical for violations of § 1 DSG that they have already been completed and it can be submitted to the Austrian (constitutional) legislature not be assumed to enact a provision that is not carried out ex officio can, it starts from the incorrect assumption that data protection law - here this Fundamental right to data protection according to § 1 DSG - would only be enforceable if Violations of rights can be determined in a way that is legally binding.
On the contrary, the determination competence of the data protection authority in Complaints procedure according to § 24 DSG has not been standardized to a person responsible or to cause a processor to behave in accordance with the law or to to help enforce data protection law itself, but to allow those affected to do so enable illegality in an official procedure that is simple for them to have a binding determination of data processing in order to inform the data subject based on this finding to allow further individual claims - about Claims for damages - to be pursued (VwGH 14.12.2021, Ro 2020/04/0032 Rz 38 f).
Rather, the enforcement of data protection law is carried out by other legal institutions, such as Remedial powers of the authority, in particular according to Art. 58 GDPR, or fines, ensured or a restriction of data processing in accordance with Art 58 Para 2 lit f GDPR comes - the authority concerned has the competence to be responsible according to Art. 58 para. 2 lit b GDPR to issue a warning or a fine pursuant to Art. 83 GDPR, if necessary to impose administrative penalties in accordance with § 62 DSG. If profit or damage intent In addition, a violation of § 1 DSG is even threatened with criminal penalties (§ 63 DSG).
Ultimately, the authority concerned may argue that violations of the GDPR (probably also meant against § 1 DSG) is to be agreed in the form of a notification in order to Enabling the addressee of a decision to appeal is a suitable justification be sure that performance orders have to be issued in the form of a notification, but not that the DSB has a determination authority.
3.4. The contested decision was therefore issued without a legal basis, which is why the Complaints directed against him already for this reason and the decision could be repaired without replacement.
3.4. It was therefore to be decided accordingly.
3.5. According to § 24 para. 2 Z 1 2nd case VwGVG are disregarded.
Regarding point B) Inadmissibility of the revision:
According to § 25a Abs 1 VwGG, the administrative court in its decision or Pronounce a resolution as to whether the revision is permissible in accordance with Art. 133 Para. 4 B-VG. This Statement must be briefly justified.
The revision is not admissible because there were no legal issues to be resolved, which were fundamental importance within the meaning of Art. 133 Para. 4 B-VG. To answer the question of whether the data protection authority in an ex officio initiated test procedure is entitled to establish legal violations in a legally binding manner, or about the To deny the authorization of the official examination procedure, that could be Administrative Court based on the cited case law of the Administrative Court. Although the citation cited did not expressly refer to violations of § 1 DSG, his However, the underlying considerations could undoubtedly be transferred to violations of § 1 DSG will.