DSB (Austria) - D130.206/0006-DSB/2019
Latest revision as of 13:59, 12 May 2023
| DSB - DSB-D130.206/0006-DSB/2019 | |
|---|---|
| Authority | DSB (Austria) |
| Jurisdiction | Austria |
| Relevant Law | Article 3(2)(a) GDPR; Article 3(3) GDPR; Article 4(7) GDPR; Article 5(1)(a) GDPR; Article 5(2) GDPR; Article 12(1) GDPR; Article 12(2) GDPR; Article 12(3) GDPR; Article 13(1)(a) GDPR; Article 13(2) GDPR; Article 13(3) GDPR; Article 15(1)(e) GDPR; Article 15(1)(f) GDPR; Article 15(3) GDPR; Article 27(1) GDPR; Article 27(5) GDPR; Article 57(1)(f) GDPR; Article 58(1)(b) GDPR; Article 58(2)(c) GDPR; Article 58(2)(d) GDPR; § 24(1) DSG; § 24(5) DSG; § 24(6) DSG |
| Type | Complaint |
| Outcome | Partly Upheld |
| Started | |
| Decided | 02.12.2019 |
| Published | 20.03.2020 |
| Fine | None |
| Parties | Dr. Ludwig A***; N***Group AG |
| National Case Number/Name | DSB-D130.206/0006-DSB/2019 |
| European Case Law Identifier | ECLI:AT:DSB:2019:DSB.D130.206.0006.DSB.2019 |
| Appeal | Not appealed |
| Original Language(s) | German |
| Original Source | Rechtsinformationssystem des Bundes - RIS (in DE) |
| Initial Contributor | Marco Blocher |
The Austrian Data Protection Authority (DSB) held that a Swiss-based company violated Articles 13 and 14 GDPR: the email it sent to the complainant to advertise its newsletter did not contain all of the required information, and the company still failed to provide that information later, in the course of the proceedings before the DSB.
English Summary
Facts
The data subject, an Austrian resident, filed a complaint under Article 77 GDPR against the controller, a Swiss-based company that offers its services (including hotels) inter alia in Austria under http://www.alpen***.at. After declining an offer by the controller for a stay in one of the controller's hotels, the data subject received an email advertising the controller's newsletter, including a subscription link. The data subject did not receive any information in line with Article 13 GDPR.

On the DSB's request, the controller declared R*** Hotels GmbH as its representative under Article 27 GDPR and sent a reply to the data subject's complaint stating that any violation of Article 13 GDPR had been rectified under § 24(6) DSG by the information given in that reply.

The data subject replied that § 24(6) DSG does not apply to violations of Article 13 GDPR and that, even if it did apply, the controller had still failed to provide all information required under Article 13 GDPR.
Dispute
In essence, the DSB had to decide whether § 24(6) DSG, which allows a controller to rectify data protection violations until the end of the proceedings before the DSB, also applies to violations of Article 13 (and 14) GDPR.
Holding
The DSB held that § 24(6) DSG also applies to violations of Articles 13 and 14 GDPR. A controller may therefore rectify any violation of the GDPR information obligations until the end of the proceedings before the DSB. If a controller does so, the DSB closes the proceedings and no formal decision is issued.

Nevertheless, as the controller had failed to provide the information under Article 13(1)(a) to (f) GDPR even by the end of the proceedings, the DSB held that the controller was still obliged to provide this information within four weeks. The controller was also ordered to adapt its data protection notice accordingly within four weeks and to submit the adapted notice to the DSB.
Comment
The possibility to rectify violations of Articles 13 and 14 GDPR in the course of proceedings before the DSB cannot be found in the wording of § 24(6) DSG; the DSB's holding is therefore based on an analogy. Before the decision at hand, the DSB had applied § 24(6) DSG only to violations of subjective data protection rights under Art 15 et seqq. GDPR.

As the dispute concerned only the violation of Article 13 GDPR, it remains unclear whether, according to the DSB, rectifying the violation of Article 13 GDPR would also rectify the violation of Article 5(1)(a) GDPR (principle of transparency) and therefore lead to the rejection of a data subject's erasure request based on Article 17(1)(d) GDPR.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
The data protection authority has decided as follows on the data protection complaint of Dr. Ludwig A*** (complainant), represented by A*** E*** & Partner Rechtsanwälte OG, of 28 January 2019 against N***Group AG, established in ****, Switzerland (respondent), represented in the present complaint proceedings by B*** and C*** Rechtsanwälte and, within the territory of the European Union, by R*** Hotels GmbH, on the grounds of a violation of the right to information pursuant to Art. 13 GDPR:
1. The complaint is upheld in part, and it is found that the respondent infringed the complainant's right to information by collecting personal data of the complainant but, contrary to Article 13 GDPR, failing to provide complete information at the time the data were collected and also until the conclusion of the proceedings before the data protection authority.
2. The respondent is ordered to provide the complainant with the following information within four weeks, failing which enforcement will follow:
(a) sufficiently comprehensible and precise information on the name and contact details of the controller and, where applicable, of its representative, explaining in particular what is meant by the term "person responsible for data protection";
(b) the specific recipients of the personal data or, if this is not possible or would involve a disproportionate effort, the reasons for this, and in any case more precise information on the recipient category "business partners";
(c) sufficiently intelligible and precise information on the period for which the personal data will be stored or, if this is not possible, the criteria used to determine that period;
(d) whether the provision of the personal data is required by law or contract or necessary for the conclusion of a contract, whether the data subject (the complainant) is obliged to provide the personal data, and the possible consequences of not providing it;
(e) the existence of automated decision-making, including profiling, as referred to in Article 22(1) and (4) and, at least in these cases, meaningful information about the logic involved and the significance and envisaged consequences of such processing for the data subject (the complainant); and
(f) whether the personal data are intended to be further processed for a purpose other than that for which they were collected and, if so, information on that other purpose.
3. The remainder of the complaint is dismissed.
4. The respondent is instructed to supplement the information it is required to provide pursuant to Article 13 GDPR ("privacy policy") within four weeks in accordance with points 2(a) to (f) of this decision, taking into account the requirements of Article 12(1) and (2) GDPR, and to submit a copy of the revised information ("privacy policy") to the data protection authority within the same period.
Legal bases: Art. 3(2)(a), Art. 5(1)(a), Art. 12(1), (2) and (3), Art. 13, Art. 27, Art. 57(1)(f), Art. 58(1)(b) and (2)(c) and (d), and Art. 77(1) of Regulation (EU) 2016/679 (General Data Protection Regulation - GDPR), OJ L 119 of 4 May 2016, p. 1; § 24(1) and (5) of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended.
REASONS
A. Arguments of the parties and course of proceedings
1. In his submission of 28 January 2019, the complainant alleged a violation of the right to information under Article 13 GDPR and of the right to secrecy. In summary, he submitted that the respondent was a company in Switzerland which appeared on the Internet under the domain http://www.alpen***.at, also offered services in Austria and also operated hotels. The complainant was resident in Austria. At the complainant's request, the respondent had made an offer for a holiday trip by e-mail on 22 January 2019. The complainant had sent a refusal by e-mail on the same day. On 23 January 2019, the respondent contacted the complainant with an advertisement for the company's own newsletter, including a registration link.
The complainant had not been provided with any information on the data processing; in particular, the following had not been communicated to him: 1) the name and contact details of the controller, 2) the contact details of the data protection officer, 3) the purposes for which the personal data were to be processed and the legal basis for the processing, 4) the legitimate interests pursued by the controller or a third party, 5) the period for which the personal data would be stored or, if this was not possible, the criteria used to determine that period, 6) the existence of the right to request from the controller access to the personal data concerned and rectification or erasure or restriction of processing, or to object to processing, as well as the right to data portability, 7) the existence of the right to lodge a complaint with a supervisory authority, 8) whether the provision of the personal data is required by law or by contract or necessary for the conclusion of a contract, whether the data subject is obliged to provide the personal data and the possible consequences of not providing it, and 9) information on the intended further processing of the personal data for a purpose other than that for which they were collected.
2. By decision of 11 February 2019, the data protection authority requested the respondent to notify its representative pursuant to Article 27 GDPR. In its statement of 8 May 2019, the respondent finally notified R*** Hotels GmbH as its representative in the territory of the Union.
3. In its statement of 9 April 2019, the respondent, represented by a lawyer, submitted in summary that, by letter of 9 April 2019, the complainant had subsequently been provided with the information in question pursuant to § 24(6) DSG.
4. In his submissions of 16 April 2019 and 24 April 2019, the complainant replied in summary, after the parties had been heard on the results of the investigation, that § 24(6) DSG did not apply to a situation in which a controller had not complied with its duty to inform. The purpose of Article 13 GDPR was to give the data subject the opportunity, at the time the data are collected, to decide whether to make use of a particular service and to make data available to the controller for a particular purpose. This purpose could not be achieved by providing the information "after the fact".
Furthermore, the information provided was incomplete and/or incorrect. The respondent referred to a "data protection officer", but this person was not designated as a representative within the meaning of Article 27 GDPR. Under the heading "collection of data", credit agencies are mentioned in connection with the purposes, but subsequently these credit agencies are not listed as recipients (or recipient categories); instead, the policy only states generically that "the data are processed within the group of companies" and passed on to "business partners". This was not sufficiently precise. The respondent also failed to state the storage period in the required manner, since no storage periods were given, for example by reference to provisions of tax law. Furthermore, the respondent restricted the data subject's rights (evidently meaning the exercise of those rights) to written applications and requests by e-mail ("exclusively"); a restriction to "certain channels" was not permissible. Finally, no information pursuant to Article 13(2)(e) and (f) GDPR had been provided.
5. The data protection authority contacted the complainant by telephone on 26 April 2019. In the course of this telephone conversation, the complainant stated that the present complaint did not relate to the right to secrecy under § 1(1) DSG. A corresponding file note is on record under GZ DSB-D130.206/0004-DSB/2019.
B. Subject of the complaint
On the basis of the complainant's submissions, the subject of the complaint is the question of whether the respondent infringed the complainant's right to information by collecting personal data of the complainant but, contrary to Article 13 GDPR, failing to provide the relevant information at the time the data were collected and also until the conclusion of the proceedings before the data protection authority.
A violation of the right to secrecy could not be examined, given that the complaint had been limited to a violation of the right to information under Article 13 GDPR.
C. Findings of fact
1. The respondent is a company established in Switzerland; the complainant is a natural person resident in Austria. The complainant is a registered lawyer.
2. The respondent operates a hotel booking platform under the website https://www.alpen***.at/ and others. The content of the website is written in German.
3. On 22 January 2019, at the complainant's request, the respondent submitted an offer for a holiday trip by e-mail. The complainant sent a refusal by e-mail on the same day.
4. In response to this request, the respondent stored at least the complainant's first name, surname and e-mail address in its system.
5. On 23 January 2019, the respondent sent the following e-mail to the complainant (formatting not reproduced 1:1):
[Editor's note: The e-mail inserted here in the original as a facsimile/graphic reproduction cannot be pseudonymised with reasonable effort. It is the offer, sent by an employee of the respondent, to subscribe to the respondent's newsletter (with a link to the relevant registration website).]
6. In the course of the present complaint proceedings, the respondent provided the complainant with the following information before the conclusion of the proceedings (formatting not reproduced 1:1):
"Privacy Policy
We process your personal data within the framework of the provisions of the General Data Protection Regulation (DS-GVO) and national data protection law. In the following we inform you about us as well as about the type, scope and purpose of the collection and use of data:
Who we are
Responsible for data processing is N***Group AG, G***straße 3*, ****, Switzerland. The person responsible for data protection in our company is Emilie O***, who can be reached by e-mail at emilie.o***@n***group.com or by telephone at +41 *3* 7*4*3*. Please send your data protection queries in writing or by e-mail directly to our data protection officer.
Collection and processing of data
We process the personal data that you provide us as a user of the website and/or as a customer of our products or as a person interested in our products. The processing of your personal data is carried out within the framework of the initiation of a contract, as well as for the purpose of fulfilling our contractual obligations with you, for obtaining credit information from credit information agencies, for answering your inquiries, or for advertising measures. Legal basis of the data processing is
- Article 6 (1) lit. b DS-GVO, insofar as the processing of your personal data is necessary for the initiation or performance of a contract;
- Art. 6 (1) lit. c DS-GVO, insofar as the processing of your personal data is necessary due to a legal obligation on our part (for example, due to storage periods to be observed vis-à-vis the tax authorities)
- Art. 6 para. 1 lit. a DS-GVO, if you have consented to the processing of your data by us (e.g. within the framework of registration, or participation in a competition organised by us);
- Art. 6 para. 1 lit. f DS-GVO, if we have a legitimate interest in processing your data which outweighs your interest in protecting your personal data (e.g. if we obtain creditworthiness information from credit agencies before concluding a legal transaction, or for advertising purposes if you have already been a customer or have shown interest in our services [Recital 47 DS-GVO]).
Use and disclosure of personal data
As far as you have made personal data available to us as a user of our website and/or customer or interested party in our product world, we will only process these data for the aforementioned data processing purposes.
For this purpose, personal data is processed by us within the group of companies and transmitted to our business partners.
Stored personal data will be deleted if you, as a user of the website and/or customer, revoke your consent to the processing of your personal data, or if your data is no longer required to fulfil the purpose pursued by the processing, or if the processing is or becomes inadmissible for other legal reasons. Data that is required for billing and accounting purposes or to fulfil legal obligations shall remain unaffected by a request for deletion.
Information, correction, deletion
We would like to draw your attention to the fact that under the General Data Protection Regulation you have a right of access (Art. 15 DS-GVO), a right to rectification (Art. 16 DS-GVO), a right to erasure (Art. 17 DS-GVO), a right to restriction of processing (Art. 18 DS-GVO), a right to data portability (Art. 20 DS-GVO) and a right to object (Art. 21 DS-GVO).
Please address your data protection queries exclusively in writing or by e-mail to the following address:
N***Group AG
G***straße 3*
Switzerland
e-mail: info@n***group.com
We will immediately comply with your data protection concerns - if necessary after an identity check - and inform you of this. If legal reasons prevent us from fulfilling your request, we will also inform you of this, stating the exact reasons. In this context, we also draw your attention to your right of complaint to the data protection authority.
Assessment of evidence: The findings are based on the complainant's submissions in the complaint of 28 January 2019, which were at no time disputed by the respondent. Furthermore, the findings are based on an official inspection of the website https://www.alpen***.at/ (accessed on 21 August 2019). The finding that the complainant is a registered lawyer is based on facts known to the authority.
D. In legal terms, it follows that:
1. The respondent and its representative in the Union
By way of introduction, it should be pointed out that the "one-stop shop" mechanism under Article 60 GDPR does not apply in the present case, since the respondent, as is clear from its statement of 9 April 2019, is to be regarded as the controller within the meaning of Article 4(7) GDPR and is established only in Switzerland (cf. the decision of the data protection authority of 7 March 2019, GZ DSB-D130.033/0003-DSB/2019).
In its statement of 8 May 2019, the respondent named R*** Hotels GmbH as its representative in the territory of the Union pursuant to Article 3(3) in conjunction with Article 27(1) GDPR. Since, according to the explicit wording of Article 27(5) GDPR, the designation of a representative does not entail a transfer of responsibility, and since the respondent has at no time suggested that R*** Hotels GmbH is to be regarded as (joint) controller for the processing in question in connection with the booking platform https://www.alpen***.at/ and in particular for the processing of the complainant's personal data, the present decision of the data protection authority is directed against the respondent.
2. The territorial scope of the GDPR
Although the respondent is not established in the Union, the processing of the personal data (at least first name, surname and e-mail address) of the complainant, who is resident in Austria, is related to the offering of goods or services (in this case: the operation of a German-language booking platform under the domain https://www.alpen***.at/, i.e. an Austrian top-level domain, and the offer to subscribe to a newsletter with current travel offers).
Against this background, the GDPR is territorially applicable pursuant to Art. 3(2)(a) GDPR (cf. Recital 23 GDPR, according to which the use of the language of a data subject in connection with the possibility of ordering goods and services in that language indicates that the controller envisages offering goods or services to data subjects in the Union; see also the decision of the data protection authority of 7 March 2019, loc. cit.).
3. Art. 13 GDPR as a subjective right of data subjects
The data protection authority has already dealt with the question of whether the "information obligations" under Art. 13 and Art. 14 GDPR can conversely also be invoked as subjective rights of data subjects and, in its established case law, assumes that a data subject can rely on Art. 13 and Art. 14 GDPR independently of a request (cf. the decision of the data protection authority of 31 October 2018, GZ DSB-D123.076/0003-DSB/2018).
4. On the term "collection" and on the provision of information
In the present case, the data protection authority assumes that the respondent "collected" the complainant's data (at least first name, surname and e-mail address) within the meaning of Article 13(1) GDPR by providing a means of contact for the purpose of booking enquiries and submitting offers, which the complainant also used. In other words: if a public e-mail address or a contact form is provided, a controller must assume that a data subject will also use this opportunity to contact the controller in connection with the offer.
However, as the second sentence of Recital 58 GDPR clarifies, the standard of "easy accessibility" required by Article 12(1) GDPR for the information under Article 13 GDPR can be met by making the information available in electronic form, "for example on a website if it is intended for the public".
A response in the sense that the information under Art. 13 GDPR must be proactively sent to a data subject by e-mail at the time of collection is therefore not required (at least in the online context), provided that the requirement of "easy accessibility" is met (cf. Article 29 Data Protection Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev.01, 17/EN, p. 22, according to which the obligation to provide information can also be fulfilled by "actively directing a data subject to the location of the information", e.g. via a direct link).
In the present case, however, the respondent has at no time argued that the information under Article 13 GDPR was "easily accessible" to the complainant on a publicly accessible website in the sense of these considerations. Nor does the respondent's e-mail of 23 January 2019 contain any indication that the respondent complied with its duty to inform (for example, a reference along the lines of: "Information on how we handle your personal data can be found at [link]").
In this context, it should be pointed out that, pursuant to Art. 5(2) in conjunction with Art. 24(1) GDPR, it is the controller's responsibility to demonstrate that the processing (in this case: the provision of the information pursuant to Art. 13 at the time of collection) complies with the GDPR.
Against this background, it must be assumed that the respondent did not fulfil its duty to inform at the time the complainant's personal data were collected.
It must subsequently be clarified whether the respondent fulfilled its duty to inform before the conclusion of the proceedings before the data protection authority:
4. on point 2.
a) On point 2. a)
The respondent has named a "data protection officer" together with contact details in connection with its duty to provide information under Article 13 (1) lit. a DSGVO.
It should be noted that the DSGVO does not use the term "data protection officer" or, at most, the term "responsible person" (see Article 4(7) DSGVO).
On this basis, it is unclear whether the "data protection officer" referred to by the respondent is a kind of internal contact point at the respondent or a data protection officer as defined in Article 37 et seqq. of the DPA. From the point of view of the complainant (who had no knowledge of it at the time), it could also have been the representative under Article 27 DSGVO.
Taking into account the requirement of precision and comprehensibility laid down in Article 12.1, the respondent is therefore required to provide sufficiently comprehensible and precise information with regard to the name and contact details of the controller and, where appropriate, of his or her representative, explaining in particular what is meant by the term "data protection controller".
(b) Regarding point 2(b)
The respondent has generally limited itself to naming categories of recipients of personal data in its duty to inform under Art. 13 Para. 1 lit. e DSGVO.
Although the DSGVO uses the term "or", the data protection authority assumes, against the background of the principle of transparency expressly enshrined in Article 5.1(a) DSGVO, that priority must at least be given to naming specific recipients.
If this would involve a disproportionate amount of effort or if the specific recipients are not yet known, the responsible party can limit itself to naming categories of recipients (on the legal situation under Directive 95/46/EC, cf. the ruling of the Constitutional Court of 2 October 2007, B 227/05, according to which a weighing must be carried out in each individual case on the question of whether recipients or groups of recipients must be named in the right to information (in the terminology used at the time).
With regard to the naming of "business partners" and "credit reporting agencies", it is in any case incomprehensible why the specific "business partners" and "credit reporting agencies" are not mentioned, in the absence of further details from the respondent. In any event, the category of recipient "business partners" is too general and must be differentiated more closely in this respect.
The respondent is therefore required to provide the specific recipients of the personal data and, if this is not possible or would involve a disproportionate effort, the corresponding reasons for this, but in any case more precise information with regard to the recipient category "business partners".
c) On point 2. c)
In its duty to inform pursuant to Art. 13 para. 2 lit. a DSGVO, the respondent stated that data required for invoicing and accounting purposes or to fulfil legal obligations would remain unaffected by a request for deletion.
It should be noted that the duty to inform under Art. 12 para. 2 DSGVO, under the express text of the ordinance, only applies if this is necessary to ensure fair and transparent processing. The respondent apparently regards this requirement of Article 12.2 of the DSGVO as being fulfilled in that, without going into this requirement, it has provided the information under Article 12.2 leg. cit., at least in part.
With regard to the information on storage duration, it must be noted that the general reference to "accounting and bookkeeping purposes" or the "fulfilment of legal obligations" is not sufficient:
On the one hand, this is essentially a repetition of the principle of storage limitation anchored in Art. 5 para. 1 lit. e DSGVO, which is just as generally linked to the fact that personal data may only be stored for as long as it is necessary for the purposes. On the other hand, this information does not comply with the requirement of precision and comprehensibility enshrined in Art. 12 para. 1 DPA, as it cannot be imposed on a data subject to research time limits (for example with regard to accounting or other obligations of an entrepreneur in Switzerland).
The respondent is therefore required to provide sufficiently comprehensible and precise information as to the duration for which personal data are stored or, if this is not possible, the criteria for determining this duration.
d) On point 2. d)
On the basis of the information subsequently provided on 23 January 2019, it is clear that the respondent has manifestly failed to comply with its duty to provide information under Article 15(2)(e) DPA until the conclusion of the proceedings before the data protection authority.
The respondent is therefore required to state whether the provision of the personal data is required by law or contract or necessary for the conclusion of a contract, whether the data subject is obliged to provide the personal data and what the possible consequences of not providing the data would be.
e) On point 2. e)
On the basis of the information subsequently provided on 23 January 2019, it is clear that the respondent has manifestly failed to comply with its obligation to provide information under Article 15(2)(f) DPA until the conclusion of the proceedings before the data protection authority.
The respondent is therefore required to provide information on the existence of automated decision making including profiling pursuant to Art. 22 (1) and (4) and - at least in these cases - meaningful information on the logic involved and the scope and intended effects of such processing on the data subject (the complainant).
f) On point 2. f)
The respondent has used the complainant's personal data - in addition to the original purpose, namely to answer a customer inquiry - as stated, to contact the complainant by e-mail in order to make the complainant an offer to participate in a newsletter with current travel offers.
Irrespective of the admissibility of this inquiry, which is not the subject of the proceedings, it should be noted that this has given rise to an obligation to provide information under Article 13.3 DSGVO.
On the basis of the information subsequently provided on 23 January 2019, it is apparent that the respondent has manifestly failed to comply with its duty to inform under Article 15(3) DPA until the conclusion of the proceedings before the data protection authority.
The respondent is therefore required to state whether it intends to further process the personal data for a purpose other than that for which the personal data were collected and, if so, to provide information on this other purpose.
g) On the performance mandate
It should be noted that in the event of a successful complaint pursuant to Section 24 (5) DSG, a performance mandate shall only be issued if a complaint is asserted in connection with the right to information, correction, deletion, restriction or data transmission.
According to the settled case law of the VwGH, an analogy is also admissible in public law; however, a prerequisite is the existence of a genuine legal loophole (cf. VwGH 10.10.2018, Ra 2018/08/0189 Rs 4 with further references).
It should be pointed out that in the course of adapting the DPA to the DPA Regulation in Article 24 para. 5 and para. 6 DPA, the Austrian legislator apparently did not assume that the information obligations under Articles 13 and 24 DPA Regulation can conversely also be asserted as information rights independent of an application from the perspective of a data subject.
On this basis, it should be noted that Article 24 (5) and (6) DSG also apply by analogy to complaints in connection with the right to information under Articles 13 and 14 DSGVO.
Furthermore, it should be noted that the authority of the data protection authority to issue a performance mandate, which is directly standardised in the DSGVO, also applies pursuant to Article 58 paragraph 2 letter c DSGVO:
Even though leg. cit. assumes that a supervisory authority can instruct a person responsible to "comply with the requests of the data subject to exercise the rights to which he or she is entitled under this Regulation", it must be clear from the legal basis of the provision that the data protection authority's power to grant a performance mandate is also applicable. Conversely, in the sense of an interpretation oriented towards the interests of legal protection, the legal provision must also refer all the more to the rights to information under Articles 13 and 14 DPA.
A period of four weeks is reasonable to provide the relevant information.
For the sake of completeness, it should be noted that with regard to Article 24 (6) DPA this means that the information under Articles 13 and 14 DPA may also be provided retrospectively until the conclusion of the proceedings (although Article 24 (6) DPA is not relevant in the final analysis):
This consideration is in fact covered by Art. 57 para. 1 lit. f DSGVO, according to which the data protection authority must investigate complaints "to an appropriate extent".
This consideration is further covered by the first sentence of Recital 131 of the DPA, according to which the Regulation is fully aware of such an "amicable settlement" between the controller and the data subject, with the supervisory authority as the mediator of the DPA. In other words: provided that the complaint of a data subject is resolved, the legal protection objective of the provision under Article 77 (1) DPA (which is linked to the fact that a processing operation "infringes" the Regulation and not "has infringed") is achieved.
5. On point 3.
Under Article 13.4, paragraphs 1, 2 and 3 leg. cit. do not apply - and therefore the information is not to be communicated to the data subject - if the data subject already has the information.
As stated, the complainant is a registered lawyer. Against this background, it must be assumed that the complainant, as a person with legal knowledge, was already aware of the existence of his or her rights as a data subject under data protection law (Article 13.2 lit. b DPA) and of the right of appeal to a supervisory authority (lit. d leg. cit.) at the time of collection (or in general).
The data protection authority does not ignore the fact that the information pursuant to Art. 13 DPA must be made available to a general group of addressees and that the provision of inadequate information constitutes an objective violation of the Regulation; however, this must be addressed in an official review procedure ("data protection review") pursuant to Art. 58 para. 1 lit. b DPA.
The success of a complaint pursuant to Article 77.1 in conjunction with Article 24.1 DPA is in any case conditional on the existence of a concrete complaint, which is not objectively recognisable with regard to Article 13.2 letters b and d DPA (cf. on the lack of a subjective violation of rights, for example, VwSlg 11.568 A/1984 with further references).
With regard to the complainant's argument that the respondent restricts the rights of the data subject (obviously meant: the exercise of these rights) to written applications and applications by e-mail ("exclusively"), but a restriction to "certain channels" is not admissible and insofar as there is a violation of Article 12.2 of the DSGVO, the considerations just made apply mutatis mutandis.
Although the complainant is right as regards content, it must be noted with regard to the specific complaint procedure that a complaint is nevertheless not recognisable, since the complainant has at no time claimed that he had, for example, made an application to the respondent by post under Article 12.3 of the DSGVO, which would have remained unanswered subsequently.
6. On point 4.
Since under Article 13 of the DPA (from the point of view of the person responsible) it is a duty to provide information, and the information is to be made available not only to the complainant but to a general circle of addressees, the data protection authority in the present case makes official use of its power under Article 58.2 lit. d of the DPA.
The respondent is therefore required to supplement the information (its "data protection statement") which it shared with the data protection authority in its opinion of 24 January 2019, in accordance with the conditions set out in point 2 lit. a to lit. f - taking into account the requirements of Article 12.1 and 12.2 DPA.
A period of four weeks is appropriate to implement the instruction accordingly.
It was therefore to be decided in accordance with the ruling.
- DSB (Austria)
- Austria
- Article 3(2)(a) GDPR
- Article 3(3) GDPR
- Article 4(7) GDPR
- Article 5(1)(a) GDPR
- Article 5(2) GDPR
- Article 12(1) GDPR
- Article 12(2) GDPR
- Article 12(3) GDPR
- Article 13(1)(a) GDPR
- Article 13(2) GDPR
- Article 13(3) GDPR
- Article 15(1)(e) GDPR
- Article 15(1)(f) GDPR
- Article 15(3) GDPR
- Article 27(1) GDPR
- Article 27(5) GDPR
- Article 57(1)(f) GDPR
- Article 58(1)(b) GDPR
- Article 58(2)(c) GDPR
- Article 58(2)(d) GDPR
- 2020
- German