DSB (Austria) - 2022-0.560.569: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Austria |DPA-BG-Color= |DPAlogo=LogoAT.png |DPA_Abbrevation=DSB |DPA_With_Country=DSB (Austria) |Case_Number_Name=2022-0.560.569 |ECLI=ECLI:AT...")
 
 
(3 intermediate revisions by one other user not shown)
Line 63: Line 63:
}}
}}


The Austrian DPA held that a controller may not lodge a complaint against itself as being personally affected by the processing of personal data is a necessary precondition to assert the right to complaint pursuant [[Article 77 GDPR#1|Article 77(1) GDPR]].
The Austrian DPA held that a controller may not lodge a complaint against itself as one of the necessary preconditions to the right to complaint, pursuant to [[Article 77 GDPR#1|Article 77(1) GDPR,]] is to be personally affected by the processing of personal data.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
In his submission of 29 July 2022 to the data protection authority, the complainant argued that, in the course of a complaint to the data protection authority on 22 January 2022, he had disclosed the official e-mail address and the official telephone number of a data subject to the data protection authority on the data protection authority's form. The complaint (a self-disclosure) was therefore filed in order to clarify by way of an official decision whether a data protection violation was possible with the form of the data protection authority and whether such a violation had actually occurred.
On 22 January 2022, the complainant disclosed the official e-mail address and the official telephone number of a data subject to the Austrian data protection authority (DPA) via a form made available by the DPA. Subsequently, the complainant filed a complaint against itself in order to clarify by way of an official decision whether a data protection violation could technically occur by sharing personal data with the DPA and whether such a violation had actually occurred in practice.


=== Holding ===
=== Holding ===
The DPA noted that Article 77 (1) GDPR grants a data subject the right to lodge a complaint if there is a breach of the processing of personal data relating to him or her and that the European Court of Justice has already held that Article 8 (1) and (3) of the Charter of the EU also grants a data subject the right to submit a petition to the national supervisory authorities for the protection of his or her fundamental rights (see judgment "Schrems I" of the ECJ of 6 October 2015, para. 58 et seq.).
The DPA noted that Article 77 (1) GDPR grants a data subject the right to lodge a complaint if there is a breach of the processing of personal data relating to him or her and that the European Court of Justice has held that Article 8 (1) and (3) of the Charter of the EU also grants a data subject the right to submit a petition to the national supervisory authorities for the protection of his or her fundamental rights (see judgment "Schrems I" of the ECJ of 6 October 2015, para. 58 et seq.).


However, the court also stated that one of the necessary preconditions for asserting the right to lodge a complaint is that the person lodging the complaint is himself affected by the processing. Therefore, Article 77(1) enshrines a right that a data subject is entitled to, but not, for example, a controller or processor.
However, the DPA also stated that one of the necessary preconditions for asserting the right to lodge a complaint is that the person lodging the complaint is personally affected by the processing. Therefore, Article 77(1) enshrines a right that a data subject is entitled to, but not, for example, a controller or processor. In this case, it was clear to the DPA from the complainant's submissions that he was not himself a data subject, but rather that he may have unlawfully disclosed the personal data of another individual - as the actual data subject - and was then lodging a complaint against himself.
 
In this case, it was clear to the DPA from the complainant's submissions that he was not himself a data subject, but rather that he may have unlawfully disclosed the personal data of another individual - as the actual data subject - and was then lodging a complaint against himself.


Consequently, the DPA held that the complainant was not entitled to lodge the complaint in question.
Consequently, the DPA held that the complainant was not entitled to lodge the complaint in question.

Latest revision as of 16:20, 15 November 2022

DSB - 2022-0.560.569
LogoAT.png
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 51(1) GDPR
Article 57(1)(f) GDPR
Article 77(1) GDPR
Type: Complaint
Outcome: Rejected
Started: 29.07.2022
Decided: 07.09.2022
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 2022-0.560.569
European Case Law Identifier: ECLI:AT:DSB:2022:2022.0.560.569
Appeal: Unknown
Original Language(s): German
Original Source: RIS (in DE)
Initial Contributor: n/a

The Austrian DPA held that a controller may not lodge a complaint against itself as one of the necessary preconditions to the right to complaint, pursuant to Article 77(1) GDPR, is to be personally affected by the processing of personal data.

English Summary

Facts

On 22 January 2022, the complainant disclosed the official e-mail address and the official telephone number of a data subject to the Austrian data protection authority (DPA) via a form made available by the DPA. Subsequently, the complainant filed a complaint against itself in order to clarify by way of an official decision whether a data protection violation could technically occur by sharing personal data with the DPA and whether such a violation had actually occurred in practice.

Holding

The DPA noted that Article 77 (1) GDPR grants a data subject the right to lodge a complaint if there is a breach of the processing of personal data relating to him or her and that the European Court of Justice has held that Article 8 (1) and (3) of the Charter of the EU also grants a data subject the right to submit a petition to the national supervisory authorities for the protection of his or her fundamental rights (see judgment "Schrems I" of the ECJ of 6 October 2015, para. 58 et seq.).

However, the DPA also stated that one of the necessary preconditions for asserting the right to lodge a complaint is that the person lodging the complaint is personally affected by the processing. Therefore, Article 77(1) enshrines a right that a data subject is entitled to, but not, for example, a controller or processor. In this case, it was clear to the DPA from the complainant's submissions that he was not himself a data subject, but rather that he may have unlawfully disclosed the personal data of another individual - as the actual data subject - and was then lodging a complaint against himself.

Consequently, the DPA held that the complainant was not entitled to lodge the complaint in question.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

NOTICE

SAY

The data protection authority decides on Julius A***'s data protection complaint of July 29, 2022 against himself for a violation of the right to secrecy as follows:

- The complaint is rejected.

Legal basis: Art. 51 (1), Art. 57 (1) lit. f and Art. 77 (1) of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: previous search term GDPR next search term), OJ No. L 119 of 4 May 2016 p. 1; Sections 1, 18 (1) and 24 (1) and (5) of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended; Article 8 of the Charter of Fundamental Rights of the European Union (EU-GRC), OJ No. C 364 of 18.12.2000 p. 1.

REASON

A. Submissions of the parties and course of the proceedings

In his submission of July 29, 2022 to the data protection authority, the complainant essentially submitted that, in the course of a complaint to the data protection authority on January 22, 2022, he had entered the official e-mail address and the official telephone number of Mag. Ernst N*** disclosed to the data protection authority. The complaint (“self-disclosure”) is therefore being submitted in order to clarify whether a data protection violation with the form from the data protection authority is possible and whether such a violation exists.

B. Findings of Facts

The data protection authority uses the arguments under point A as a basis for its factual finding.

C. In legal terms it follows that:

The right of a data subject to lodge a complaint is enshrined at national and European level:

Both Art. 77 Para. 1 Previous search term GDPR Next search term and Section 24 Para.

In addition, the European Court of Justice has already stated that Art. 8 para. 1 and para. 3 EU-GRC also grants a data subject the right to submit a request to the national supervisory authorities to protect their fundamental rights (cf. the judgment of ECJ of October 6, 2015, Schrems I, margin no. 58 with further references).

One of the necessary prerequisites for asserting the right to a complaint is therefore that the complainant is himself affected by the processing (cf. Schweiger in Knyrim, DatKomm, Art. 77 Previous search term GDPR Next search term (as of December 1st, 2021, rdb.at) , margin no. 8).

It is therefore a right that a data subject is entitled to, but not, for example, a person responsible or a processor (cf. Schweiger in Knyrim, DatKomm, Art. 77 previous search term GDPR (as of December 1st, 2021, rdb.at), margin no. 19).

Objectively, it follows from the complainant's argument that he is not the person concerned himself, but rather the personal data of Mag. Erwin N*** - as the person actually affected here - possibly unlawfully disclosed and is now filing a complaint against himself.

Since the complainant is not personally affected, he is therefore not entitled to file the complaint in question and the complainant's request for a complaint is not accessible.

It was therefore to be decided accordingly.

Irrespective of this, the person actually affected is free to have the disclosure made in question reviewed by the data protection authority in the course of a complaints procedure.