DSB (Austria) - 2020-0.349.984: Difference between revisions

From GDPRhub
No edit summary
m (Mg moved page DSB - DSB-D205.023 to DSB (Austria) - 2020-0.349.984: consistency)
 
(One intermediate revision by one other user not shown)
Line 11: Line 11:


|Original_Source_Name_1=Rechtsinformationssystem des Bundes
|Original_Source_Name_1=Rechtsinformationssystem des Bundes
|Original_Source_Link_1=https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=69253fd5-484d-443d-a8d6-453678ce520b&Position=1&Abfrage=Dsk&Entscheidungsart=Undefined&Organ=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=01.01.1990&BisDatum=&Norm=&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=&Dokumentnummer=DSBT_20200626_2020_0_349_984_00
|Original_Source_Link_1=https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=0550900a-9407-48d6-91aa-6070a4fc1b5b&Position=1&Abfrage=Dsk&Entscheidungsart=Undefined&Organ=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=01.01.1990&BisDatum=&Norm=&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=&Dokumentnummer=DSBT_20200626_2020_0_349_984_00
|Original_Source_Language_1=German
|Original_Source_Language_1=German
|Original_Source_Language__Code_1=DE
|Original_Source_Language__Code_1=DE
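Review bot: in Original_Source_Link_1 the only difference between the two revisions is the ResultFunctionToken value, while Dokumentnummer=DSBT_20200626_2020_0_349_984_00 is unchanged. That suggests the token and the other search parameters (Position, Abfrage, VonDatum, ResultPageSize and so on) belong to one search session rather than to the document. Suggest replacing the link with one that identifies the decision by its document number alone, if RIS provides such a permanent link, so that the token does not have to be refreshed in a later edit.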
Line 23: Line 23:
|Currency=
|Currency=


|GDPR_Article_1=Article 4(22) GDPR
|GDPR_Article_1=Article 4(2) GDPR
|GDPR_Article_Link_1=Article 4 GDPR#22
|GDPR_Article_Link_1=Article 4 GDPR#2
|GDPR_Article_2=Article 5(1)(a) GDPR
|GDPR_Article_2=Article 5(1)(f) GDPR
|GDPR_Article_Link_2=Article 5 GDPR#1a
|GDPR_Article_Link_2=Article 5 GDPR#1f
|GDPR_Article_3=Article 5(1)(b) GDPR
|GDPR_Article_3=Article 6(1)(c) GDPR
|GDPR_Article_Link_3=Article 5 GDPR#1b
|GDPR_Article_Link_3=Article 6 GDPR#1c
|GDPR_Article_4=Article 5(1)(f) GDPR
|GDPR_Article_4=Article 6(1)(f) GDPR
|GDPR_Article_Link_4=Article 5 GDPR#1f
|GDPR_Article_Link_4=Article 6 GDPR#1f
|GDPR_Article_5=Article 6(1)(c) GDPR
|GDPR_Article_5=Article 13 GDPR
|GDPR_Article_Link_5=Article 6 GDPR#1c
|GDPR_Article_Link_5=Article 13 GDPR
|GDPR_Article_6=Article 6(1)(f) GDPR
|GDPR_Article_6=Article 51(1) GDPR
|GDPR_Article_Link_6=Article 6 GDPR#1f
|GDPR_Article_Link_6=Article 51 GDPR#1
|GDPR_Article_7=Article 57(1)(f) GDPR
|GDPR_Article_Link_7=Article 57 GDPR#1f
|GDPR_Article_8=Article 77(1) GDPR
|GDPR_Article_Link_8=Article 77 GDPR#1




|National_Law_Name_1=§ 1 Abs. 1, 2 DSG - Datenschutzgesetz (Data Protection Act)
|National_Law_Name_1= § 1(1) DSG (Datenschutzgesetz)
|National_Law_Link_1=https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=bundesnormen&Gesetzesnummer=10001597
|National_Law_Link_1=https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10001597
|National_Law_Name_2=§ 4 Abs. 1 DSG - Datenschutzgesetz (Data Protection Act)
|National_Law_Name_2= § 1(2) DSG (Datenschutzgesetz)
|National_Law_Link_2=https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=bundesnormen&Gesetzesnummer=10001597
|National_Law_Link_2=https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10001597
|National_Law_Name_3=§ 3 (4) PMG - Postmarktgestez (Postal Market Law)
|National_Law_Name_3= § 18(1) DSG (Datenschutzgesetz)
|National_Law_Link_3=https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=20006582
|National_Law_Link_3=https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10001597
|National_Law_Name_4=§ 5 (3) PMG - Postmarktgestez (Postal Market Law)
|National_Law_Name_4= § 24(1) DSG (Datenschutzgesetz)
|National_Law_Link_4=https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=20006582
|National_Law_Link_4=https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10001597
|National_Law_Name_5=§ 12 (1) PMG - Postmarktgestez (Postal Market Law)
|National_Law_Name_5= § 24(5) DSG (Datenschutzgesetz)
|National_Law_Link_5=https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=20006582
|National_Law_Link_5=https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10001597
|National_Law_Name_6=§ 20(1) PMG - Postmarktgestez (Postal Market Law)
|National_Law_Name_6= § 3(4) PMG (Postmarktgesetz)
|National_Law_Link_6=https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=20006582
|National_Law_Link_6=https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=20006582
|National_Law_Name_7= § 3(12) PMG (Postmarktgesetz)
|National_Law_Link_7=https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=20006582
|National_Law_Name_8= § 12 PMG (Postmarktgesetz)
|National_Law_Link_8=https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=20006582
|National_Law_Name_9= § 17 PMG (Postmarktgesetz)
|National_Law_Link_9=https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=20006582
|National_Law_Name_10= § 20 PMG (Postmarktgesetz)
|National_Law_Link_10=https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=20006582


|Party_Name_1=Österreichische Post AG
|Party_Name_1=
|Party_Link_1=
|Party_Link_1=
|Party_Name_2=
|Party_Name_2=
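Review bot: Party_Name_1 goes from "Österreichische Post AG" to empty, yet the decision text on this page names Österreichische Post AG as the respondent, and its publication note explains that the respondent's company name was deliberately not pseudonymised. Suggest keeping Party_Name_1=Österreichische Post AG. The National_Law list also drops § 4 Abs. 1 DSG and § 5 (3) PMG, which the decision's own norm list (DSG §4 Abs1, PMG §5 Abs3) still carries; worth confirming that this removal is intended.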
Line 63: Line 75:
|Appeal_To_Body=
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=Unknown
|Appeal_To_Status=
|Appeal_To_Link=
|Appeal_To_Link=


|Initial_Contributor=n/a
|Initial_Contributor=Agnieszka Rapcewicz
|
|
}}
}}


The Austrian DPA (DSB) decided that the electronic recording and storing of identity card data in the course of collecting a postal item is lawful.
The Austrian DPA holds that making by the post office a copy of a recipient's identity card does not infringe complainant's right to privacy and the post office has a legitimate interest in processing the personal data contained in the identity document to safeguard or defend its legal claims.


==English Summary==
== English Summary ==


===Facts===
=== Facts ===
The complainant was not at home when a registered mail has been tried to be handed over. Therefore, he needed to collect it at the postal office. In order to identify the complainant as the adressee of the registered mail, an employee asked for his identity card and "scanned" it with a special identity card reader, however, no copy of the document itself was made.
The complainant went to a post office to receive a letter addressed to him. From the post office employee, he was informed that the letter had not been delivered to him and that it had been left at that post office and that a notice had been left to the complainant (the so-called “yellow slip”). This was a non-official, recomanded (with a take-over certificate) registered letter. The post office clerk asked the complainant to show his identity document with a photo in order to take the letter. The complainant showed his identity card. Subsequently, the post office employee electronically (using a scanning device) recorded identity card data: type of ID card, ID card number, issuing authority, date of birth and the corresponding name. It was  stored for 6 months. After the retention period expired, the data in question were deleted. However, no copy of the ID document itself was made. The complainant alleged that the post office infringed confidentiality obligations by making a copy of his identity card. The complainant pointed out that even the general terms and conditions of the Post Office, in the event of doubts as to the identity of a person, refer to a presentation of a document and not to data collection. That is why he lodged a complaint with the supervisory authority.


The complainant alleges that the Post AG infringed confidentiality obligations by making a copy of the identity card (recording by means of a scanning device and the storage of the identity card data).
=== Dispute ===
Has the complainant's right to privacy been infringed by the action of a postal worker to electronically register and save the complainant's identity card when he receives his registered letter at the post office?


===Dispute===
=== Holding ===
Has the Österreichische Post AG infringed the complainant's right to confidentiality by an employee who was electronically recording and storing identity card data of the complainant in the course of collecting a postal item (registered mail)?
The DPA rejected the complaint. It held that making by the post office a copy of a recipient's identity card does not infringe complainant's right to privacy and the post office has a legitimate interest in processing the personal data contained in the identity document to safeguard or defend its legal claims.


===Holding===
== Comment ==
The processing of identity card data in order to verify the person collecting registered mail is lawful.
The DPA examined whether the provisions of the PMG (Postmarktgesetz) may create a legal obligation for the Post Office to process personal data under [[Article 6 GDPR#1c|Article 6(1)(c)]]. The DPA pointed out that the national law stipulates the need to confirm receipt or delivery of the consignment. However, it doesn't say anything about the recording or storage of personal (ID) data. The law does not impose any legal obligation to process personal data. Moreover, the DPA noted that even the respondent's General Terms and Conditions cannot constitute a legal obligation due to the lack of substantive legal quality. Therefore scanning and storage of the complainant's identity document cannot be based onthe PMg provisions in concjuntion with [[Article 6 GDPR#1c|Article 6(1)(c)]].


As a universal service provider within the meaning of Article 3(4) in conjunction with Article 12(1) of the PMG, the defendant is subject to the provisions of the PMG and must therefore be regarded as the addressee of the legal obligations arising from that law.
However, the supervisory authority considered that the post office has a legitimate interest in processing the personal data contained in the identity document. The defendant might have been exposed to warranty claims and/or claims for damages by the sender and the processing was therefore necessary to safeguard or defend its legal claims, which constitute a legitimate interest. Furthermore, the DPA considered that it was justified to keep a copy of the document, because it could be used to prove that the data had been handed over to the correct recipient in the event of a dispute. The supervisory authority stressed, taht also reasonable expectations of the complainant were to be taken into account, i.e. in particular whether he could reasonably foresee, at the time of the collection of the identification data and in view of the circumstances under which it was carried out, that processing for this purpose might possibly take place. The DPA found that the collection and storage of identification data for the purpose of defending legal claims relating to postal items is within the scope of general life experience and was in this respect also easily foreseeable by the complainant.  
Private entities, § 26 (4) DSG, may base their actions on an enabling norm in the sense of Article 6 (1) (c) and Article 5 (1) (a) GDPR.


The provisions of the PMG do not create a legal obligation to process personal data under Article 6 (1) (c) GDPR.
What is more, in the DPA's opinion the categories of data processed by the respondent are in no way excessive and the storage period of six months is in no way to be regarded as disproportionate.  


Article 6 (1) (f) GDPR data can be procesed if they constitute the legitimate interests of a party. Here, the Post AG might have been exposed to warranty claims, damage etc. if the claimant would not have been identified correctly. These data are also necessary to defend their legal claims and the fundamental rights and freedoms of the data subject, i.e. secrecy, are not overriding the one of the Post AG.  
In the light of above the DPA came to the conclusion that the legitimate interests of the respondent outweighed the fundamental rights and freedoms of the complainant and that the processing was lawfully carried out on the basis of "legitimate interests" pursuant to [[Article 6 GDPR#1f|Article 6(1)(f)]].


The collection and storage of identification data for the purpose of defending legal claims relating to postal items is within the scope of general life experience and was in this respect also easily foreseeable by the complainant, no special categories of data were processed, the storage period of six months is also proportionate.
The complaint was therefore dismissed.


==Comment==
''Share your comments here!''


==Further Resources==
 
 
== Further Resources ==
''Share blogs or news articles here!''
''Share blogs or news articles here!''


==English Machine Translation of the Decision==
== English Machine Translation of the Decision ==
The decision below is a machine translation of the German original. Please refer to the German original for more details.
The decision below is a machine translation of the German original. Please refer to the German original for more details.
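Review bot: the new lead paragraph and the "=== Holding ===" text say that "making by the post office a copy of a recipient's identity card" does not infringe the right to privacy, and the reasoning says it was "justified to keep a copy of the document", but the new Facts paragraph states that "no copy of the ID document itself was made": a scanning device recorded the type of ID card, ID card number, issuing authority, date of birth and name, which were stored for 6 months. Suggest wording the lead and the holding around the electronic recording and storage of identity card data, as the previous revision did, so the summary does not contradict its own facts. In the same region the DPA's reasoning now sits under "== Comment ==", which previously held the "Share your comments here!" placeholder; it reads as part of the holding and would fit better there. Typos to fix in the new text: "recomanded", "onthe PMg", "concjuntion", "taht".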


<pre>
<pre>


Decision-making authority
Data Protection Authority
Document type
Decision text
Decision type
Decision Complaint
Business figures
2020-0.349.984
Decision date
26.06.2020
Appeal to the BVwG/VwGH/VfGH
This decision is final.
Standard
DSG §1 Abs1
DSG §1 Abs2
DSG §4 Abs1
PMG §3 Z4
PMG §3 Z12
PMG §5 Abs3
PMG §12 Abs1
PMG §20 Abs1
DSGVO Art4 Z2
DSGVO Art5 Abs1 lita
DSGVO Art5 Abs1 litb
DSGVO Art5 Abs1 litf
DSGVO Art6 Abs1 litc
DSGVO Art6 Abs1 litf
Text


GZ: 2020-0.349.984 of 26 June 2020 (procedure number: DSB-D205.023)
Decisive authority
Data protection authority


Note Processor: Names and companies, legal forms and product names, addresses (including URLs, IP and e-mail addresses), file numbers (and similar), etc., as well as their initials and abbreviations may be abbreviated and/or changed for reasons of pseudonymisation. Obvious spelling, grammar and punctuation errors have been corrected.


The respondent's company name was not pseudonymised here, since according to the reasons for the decision, the universal service provider pursuant to Section 12 (1) PMG was involved in the procedure in this role, and the respondent is listed as such in the cited Act. Moreover, a meaningful pseudonymisation was not possible due to multiple references to the respondent's business activities as a universal service provider in the facts of the case (e.g. registered letter, "yellow slip"). However, the interest in secrecy of the respondent who won the proceedings and whose actions were found to be lawful does not outweigh here the public interest in the publication of the decision required by law under section 23(2) of the DSG].
Decision date
06/26/2020


DECISION


SPEECH
Business number
2020-0.349.984


The data protection authority decides on the data protection complaint of Gustav A*** (complainant) of 17 April 2019 against Österreichische Post AG (respondent) for violation of the right to secrecy as follows


- The complaint is dismissed as unfounded.
Appeal at the BVwG / VwGH / VfGH
This decision is final.


Legal basis: Article 4(2), Article 5(1)(f), Article 6(1)(c) and (f), Article 13, Article 51(1), Article 57(1)(f) and Article 77(1) of Regulation (EU) 2016/679 (Basic Regulation on data protection, hereinafter referred to as the DSGVO), OJ No Article 119 of 4 May 2016, p. 1; Articles 1(1) and (2), 18(1) and 24(1) and (5) of the Data Protection Act (Datenschutzgesetz, DSG), Federal Law Gazette I No 165/1999 as amended; Article 3(4) and (12), Article 12, Article 17 and Article 20 of the Postal Market Act (Postal Market Act, PMG), Federal Law Gazette I No 123/2009 as amended;


EXPLANATIONS


A. Arguments of the parties and procedure


1 In his submission of 17 April 2019 initiating the proceedings, repeated on 23 June 2019 and 26 July 2019, the complainant alleged a violation of the right to confidentiality as well as a violation of the respondent's information duties.
text
GZ: 2020-0.349.984 of June 26, 2020 (case number: DSB-D205.023)


The alleged breach of the duty to provide information is the subject of separate proceedings concerning the business number DSB-D205.246.
[Note processor: names and companies, legal forms and product names, addresses (incl. URLs, IP and e-mail addresses), file numbers (and the like), etc., as well as their initials and abbreviations can be shortened and / or changed for reasons of pseudonymisation his. Obvious spelling, grammar, and punctuation errors have been corrected.
The respondent's company was not pseudonymized here because, according to the reasons for the decision, the universal service operator was involved in this role in accordance with Section 12 (1) PMG, and the respondent is listed as such in the cited law. A meaningful pseudonymization was also not possible due to multiple references to the business activity of the Respondent as a universal service operator in the matter (e.g. registered letter, "yellow note"). However, the interest in secrecy of the respondent who won the proceedings, whose actions were found to be lawful, does not outweigh the public interest in the publication of the decision, as required by law in Section 23 (2) DSG.]


As regards the alleged breach of confidentiality, the complainant submitted the following summarised submissions:
NOTIFICATION
SPEECH
The data protection authority decides on the data protection complaint by Gustav A *** (complainant) of April 17, 2019 against Österreichische Post AG (respondent) due to violation of the right to secrecy as follows:
- The complaint is dismissed as unsubstantiated.
Legal basis: Art. 4 no. 2, Art. 5 para. 1 lit. f, Art. 6 Para. 1 lit. c and lit. f, Art. 13, Art. 51 Para. 1, Art. 57 Para. 1 lit. f and Art. 77 Para. 1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), ABl. No. L 119 of 4.5.2016 p. 1; §§ 1 Paragraph 1 and Paragraph 2, 18 Paragraph 1 and 24 Paragraph 1 and Paragraph 5 of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended; § 3 Z 4 and Z 12, § 12, § 17, § 20 of the Postal Market Act (PMG), Federal Law Gazette I No. 123/2009 as amended;


The complainant had remedied a letter addressed to him by means of a so-called "yellow slip" on 29 March 2019 at a branch of the respondent. In the course of that repair, an employee of the defendant requested the production of an identity card of the complainant, which was produced by the complainant. Subsequently, however, the employee made a copy against his will and without his permission. The identity card was placed on a scanner and the data was recorded electronically. The complainant further submits that even in the respondent's General Terms and Conditions ("AGB-Brief National") under point 3.5.2, there is only reference to a document in case of doubt as to identity, and not to data collection.
REASON
A. Arguments of the parties and course of the procedure
1. With the preliminary filing of April 17, 2019, repeated on June 23, 2019 and July 26, 2019, the complainant alleged a violation of the right to secrecy and a violation of the information obligations by the respondent.
The alleged breach of the duty to provide information is reported in a separate procedure for reference number DSB-D205.246.
2. With regard to the alleged breach of the right to secrecy, the complainant summarized the following:
The complainant had corrected a letter addressed to him by means of a so-called "yellow note" on March 29, 2019 in a branch of the respondent. In the course of this, an employee of the respondent requested that the complainant be presented with an ID, which was also presented by the complainant. As a result, however, the employee made a copy against his will and without his permission. The ID card was placed on a scanner and the data was recorded electronically. The complainant further explains that even in the general terms and conditions of the respondent ("AGB-Brief National") under point 3.5.2 there is only talk of a submission in case of doubt of identity, and not of data collection.
3. With the settlement of July 22, 2019 (GZ: DSB-D205.023 / 0001-DSB-2019), the data protection authority requested the respondent to comment.
4. With the submission dated August 20, 2019, the Respondent commented as follows:
It is correct that the complainant repaired a returned (= with acceptance note) registered mail in a branch of the respondent because he was not found at the time of the attempted delivery. He was therefore informed by means of a “yellow slip of paper” about the attempted delivery and the deposit of the shipment and about the need to present an official photo ID when removing the shipment. The notification of deposit also contains a reference to the data protection information of the respondent, which in particular also provides information on the processing of ID data.
When the complainant rectified the consignment, an employee of the respondent asked the complainant to present a photo ID and, as a result, automatically recorded the specific ID data, as is usual when a person is not personally known to the employee. A scanner is used to record the ID data, which only reads out specific data from the respective ID, namely ID type, ID number, issuing authority and date of birth as well as the corresponding name - a copy is not made. The complainant also acknowledged acceptance of the registered mail on the.
The criticized processing of the ID data is necessary to fulfill a legal obligation to which the respondent as the person responsible is subject (Art. 6 Para. 1 lit. c GDPR): According to § 3 Z 12 PMG, the acceptance of registered mail to the correct recipient must be acknowledged. The handover to the right person - if this is not known personally to the respondent - is only possible as part of an identification / authentication process to be carried out, i.e. by presenting an official photo ID. The Respondent had issued general terms and conditions (in particular "AGB Brief") in accordance with § 20 PMG, which were also approved by the regulatory authority. This also results in the need for a confirmation of acceptance and identification (points 3.3 and 3.5.2 of the General Terms and Conditions for letters nationally and point 4.1 of the product and price list ("PVV") for return receipt letters, which also include registered mail). These documents (GTC and PVV) show that the handover of a registered item is only permitted after prior identification or authentication. The respondent had collected the identification data for the purpose of identification or authentication and, consequently, for any processing of potential inquiries (point 3.10 of the national letter terms and conditions) and any warranty cases (point 4 of the national letter terms and conditions), i.e. for the assertion, exercise or defense of Legal claims and also to implement the contractual relationship with the sender are kept for 6 months and then deleted. The fact that the Respondent is exposed to possible warranty and / or claims for damages if a shipment is not properly handed over, in particular to the correct recipient, gives rise to a processing and storage authorization. It must therefore be possible to defend oneself at least within the statutory warranty period. 
Also in the context of any proceedings before the data protection authority, the respondent must be able to prove freely, for example that she has fulfilled her duty of care and verifiably checked the identity of the transferee. The respondent relied on the deadline set out in Section 24 (4) DSG and a more detailed decision by the data protection authority regarding the admissibility of a copy of an identity card for identity verification.
Furthermore, the processing of the ID data to safeguard the legitimate interests of the respondent and the respective sender in the sense of Art. 6 para. 1 lit. f GDPR required to ensure correct allocation to the actually addressed recipient and to be able to provide the sender with proof. This is the only way to prevent any abuse. The interests of the respondent and those of her contractual partner would outweigh the interests or fundamental rights and freedoms of the complainant. There was no noticeable impairment of the complainant, since only the necessary data would be stored, which is also protected according to § 5 PMG and by extensive technical and organizational measures.
The Respondent also stated that she had complied with her information obligations and referred to the “data protection information”, which can be found on her website.
5. With the settlement dated September 19, 2019 (GZ: DSB-D205.023 / 0003-DSB / 2019), the data protection authority granted the complainant a hearing and the opportunity to comment.
6. No further submissions were made on the part of the complainant.
B. Subject matter of the complaint
The subject of the complaint is the question of whether the respondent has violated the complainant's right to secrecy in that an employee of the respondent electronically recorded and saved the complainant's identification data when collecting a mail item (registered mail).
The alleged violation of the information obligations is dealt with separately in the proceedings relating to reference number DSB-D205.246 and was therefore not the subject of the complaint in the present proceedings.
C. Factual Findings
1. On March 29, 2019, the complainant removed a letter from the (post) branch ****, **** XY, *** - Strasse *. The respondent had informed the complainant about an unsuccessful delivery attempt and the subsequent deposit in the post office mentioned by means of a notification of a deposited item (“yellow slip”) at a point in time that could not be determined in detail. This was a non-official, recommended (with transfer note) registered mail.
2. After being asked to do so by an employee of the respondent, the complainant presented his official photo ID in the course of repairing the shipment. Subsequently, the ID data: ID type, ID number, issuing authority, date of birth and the corresponding name were electronically recorded using a scanner and saved for 6 months. After the retention period expired, the relevant data was deleted. A copy of the identity document itself, however, was not made.
Assessment of evidence: The findings result from consistent submissions of the parties, in particular the complainant's submission of April 17, 2019 and the respondent's submission of August 20, 2019.
3. The following General Terms and Conditions of the Respondent were in effect on March 29, 2019:


By decision of 22 July 2019 (ref. no.: DSB-D205.023/0001-DSB-2019), the data protection authority invited the respondent to submit comments.


4 By submission of 20 August 2019, the defendant submitted the following observations:
Evidence assessment: The findings result from the respondent's submission of August 20, 2019 and remained undisputed by the complainant.
D. In legal terms it follows:
The complainant believes the respondent has violated confidentiality obligations by making a copy of the ID (recording with a scanner and saving the ID data).
As a result, the statements are not justified:
D.1. On Art. 6 Para. 1 lit. c GDPR:
According to Section 1 (1) DSG, everyone, especially with regard to respect for their private and family life, has the right to confidentiality of their personal data, provided that there is a legitimate interest in it.
Pursuant to Section 1 (2) DSG, restrictions on the right to confidentiality are only permitted in order to safeguard the overriding legitimate interests of another, insofar as the use of personal data is not in the vital interest of the person concerned or with his consent.
The data processing in question was not carried out in the complainant's vital interest, nor was consent given, which is why the legality had to be checked on the basis of the safeguarding of overriding legitimate interests: According to the case law of the data protection authority, there is no violation of confidentiality obligations, in particular if the implementation provisions are violated According to Section 4 (1) GDPR, the rules of the GDPR and the principles anchored therein have not been violated (see the decision of October 31, 2018, GZ DSB-D123.076 / 0003-DSB / 2018).
According to Art. 5 Para. 1 lit. b GDPR, personal data must be collected for specified, clear and legitimate purposes and may not be further processed in a way that is incompatible with these purposes ("earmarking"). The processing of personal data is justified, among other things, if it is necessary to fulfill a legal obligation to which the person responsible is subject (Art. 6 Para. 1 lit. c GDPR) or to safeguard the legitimate interests of the person responsible or a third party unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail (Art. 6 Para. 1 lit. f GDPR).
In this context, Art. 6 Para. 1 lit. c GDPR in conjunction with the PMG and Art. 6 Para. 1 lit. f GDPR relevant:
The Respondent also correctly relied on the legal obligations of the PMG:
Section 3 no.4 and no.12 PMG including the heading reads as follows (emphasis by the data protection authority):
Definitions
§ 3.
For the purposes of this federal law:
[...]


It was correct that the complainant had remedied a recommanded (= with a take-over certificate) registered letter in a branch of the defendant, since he had not been found at the time of the attempted delivery. He had therefore been informed, by means of a "yellow slip", of the attempted delivery and of the deposit of the item and of the need to produce an official identity document with a photograph when the item was rectified. The notice of deposit also contained a reference to the defendant's data protection notices, which provided information in particular on the processing of identity card data.


When the complainant rectified the consignment, an employee of the defendant asked the complainant to present a photo ID and subsequently automatically recorded the specific ID data, as is usual when a person is not personally known to the employee. A scanning device was used to record the ID card data, which merely reads out concrete data from the respective ID card, namely the type of ID card, the ID card number, the issuing authority and date of birth as well as the corresponding name - no copy was made. The complainant had acknowledged receipt of the registered mail on the card.
4th
“Universal service operator” one or more named universal service operators in accordance with Section 12 Paragraph 1 or one or more named postal service providers in accordance with Section 12 Paragraph 2;


The challenged processing of the identity card data was necessary in order to fulfil a legal obligation to which the respondent was subject as the person responsible (Article 6(1)(c) DSGVO): under Section 3(12) PMG, the acceptance of registered mailings to the correct recipient had to be acknowledged. Unless the respondent is personally known to the respondent, the handover to the correct person is only possible within the framework of an identification/authentication procedure to be carried out, i.e. by presenting an official photo ID. In accordance with Section 20 PMG, the respondent had issued general terms and conditions (in particular "AGB Brief"), which had also been approved by the regulatory authority. This also resulted in the need for a confirmation of takeover and a determination of identity (points 3.3 and 3.5.2 of the national letter contract terms and point 4.1 of the product and price list ("PVV") for return receipt letters, including registered letters). It was apparent from these documents (GTC and PVV) that the handing over of a registered letter was only permissible after prior identification or authentication. The respondent had collected the identification data for the purpose of identification or authentication and thus kept them for 6 months for the possible handling of potential investigations (item 3.10 of the GTC Letter national) as well as possible warranty cases (item 4 of the GTC Letter national), i.e. for the assertion, exercise or defence of legal claims and also for the implementation of the contractual relationship with the sender, and deleted them afterwards. A processing and storage authorisation is also based on the fact that the respondent is exposed to possible warranty claims and/or claims for damages if a consignment is not handed over properly, in particular to the correct recipient. It must therefore be possible to defend oneself at least within the statutory warranty period. 
In the context of any proceedings before the data protection authority, the defendant must also be able to prove its freedom, for example, that it has complied with its duty of care and has verifiably verified the identity of the transferee. The respondent referred to the time-limit laid down in Paragraph 24(4) of the DSG and a more detailed decision of the data protection authority concerning the admissibility of a copy of the identity document for the purpose of checking identity.


Furthermore, the processing of the identity card data in order to safeguard the legitimate interests of the respondent and the respective sender in the sense of Article 24(4) of the DSG. Art. 6 para. 1 lit. f DSGVO in order to ensure correct allocation to the actually addressed recipient and to be able to provide the sender with proof of this. This was the only way to prevent any possible abuse. The interests of the respondent and its contractual partner outweighed the interests or fundamental rights and freedoms of the complainant. There would be no noticeable impairment of the complainant, as only the necessary data would be stored, which would be protected in accordance with Section 5 of the PMG and by comprehensive technical and organisational measures.


The defendant also stated that it had complied with its duties to provide information and referred to the "data protection notices" which were available on its website.


By decision of 19 September 2019 (ref. DSB-D205.023/0003-DSB/2019), the data protection authority granted the complainant the right to be heard and to submit comments.


The complainant made no further submissions.


B. Object of the complaint
[...]
 
The subject of the complaint is the question whether the respondent has infringed the complainant's right to confidentiality by an employee of the respondent electronically recording and storing identity card data of the complainant in the course of collecting a postal item (registered mail).
 
The alleged violation of the information duties is dealt with separately in the procedure concerning the business number DSB-D205.246 and was therefore not the subject of the present proceedings.
 
C. Findings of the facts
 
1 On 29 March 2019, the complainant replied to a letter sent at the (post) office ****, **** XY, *** street *. The respondent had informed the complainant at a point in time which could not be further specified about an unsuccessful delivery attempt and the subsequent deposit in the said post office by means of a notification about a deposited item ("yellow slip"). This was a non-official, recomanded (with a take-over certificate) registered letter.
 
(2) The complainant, after having been requested to do so by an employee of the respondent, presented his official photo identification in the course of the rectification of the consignment. Subsequently, the identity card data: type of ID card, ID card number, issuing authority, date of birth and the corresponding name were recorded electronically using a scanning device and stored for 6 months. After the retention period expired, the data in question were deleted. However, no copy of the ID document itself was made.
 
Evaluation of evidence: The findings result from the concurring submissions of the parties, in particular the submission of the complainant of 17 April 2019 and the submission of the respondent of 20 August 2019.
 
3 The following General Terms and Conditions of the respondent were valid as of 29 March 2019:
 
Assessment of evidence: The findings result from the respondent's submission of 20 August 2019 and were not disputed by the complainant.
 
D. From a legal point of view, the following follows:
 
The complainant alleges that the respondent infringed confidentiality obligations by making a copy of the identity card (recording by means of a scanning device and the storage of the identity card data).
 
In conclusion, there is no justification for these statements:
 
D.1 Re Art. 6 (1) lit. c DSGVO:
 
Under Section 1(1) of the DSGVO, everyone has the right to the confidentiality of personal data relating to him or her, in particular with regard to respect for his or her private and family life, provided there is an interest worthy of protection.
 
Under Section 1, paragraph 2 of the DSG, restrictions on the right to secrecy, insofar as the use of personal data is not in the vital interest of the person concerned or with his or her consent, are only permissible in order to safeguard the overriding legitimate interests of another.
 
The data processing in question was neither carried out in the vital interest of the complainant nor did consent exist, which is why its lawfulness had to be examined on the basis of the protection of overriding legitimate interests: According to the case law of the data protection authority, a breach of confidentiality obligations does not exist in particular if the rules of the DPA and the principles enshrined therein, which are to be regarded as implementing provisions under Article 4 (1) DPA, have not been breached (cf. the notice of 31 October 2018, GZ DSB-D123.076/0003-DSB/2018).
 
Under Article 5 (1) (b) of the DPA, personal data must be collected for specified, explicit and legitimate purposes and may not be further processed in a way incompatible with those purposes ("purpose limitation"). The processing of personal data is justified, inter alia, if it is necessary to fulfil a legal obligation to which the controller is subject (Art. 6 para. 1 lit. c DSGVO) or to safeguard the legitimate interests of the controller or of a third party, provided that the interests or fundamental rights and freedoms of the data subject which require the protection of personal data do not prevail (Art. 6 para. 1 lit. f DSGVO).
 
Art. 6 para. 1 lit. c DSGVO in conjunction with the PMG and Art. 6 para. 1 lit. f DSGVO are relevant in this context:
 
However, the respondent also correctly referred to the legal obligations under the PMG:
 
§ Section 3 no. 4 and no. 12 PMG reads as follows (emphasis added by the data protection authority):
 
Definitions


§ 3.


For the purposes of this Act
12th


[...]
"Registered item" means a piece of mail that is insured by the postal service provider against loss, theft or damage and for which the sender, if necessary at his or her request, provides a confirmation of receipt of the item and / or its delivery to the recipient or the recipient is granted;


4.


"Universal service operator" means one or more designated universal service operators under section 12(1) or one or more designated postal service providers under section 12(2);


[...]


12.


"Registered item" shall mean a postal item which is insured by the postal service provider against loss, theft or damage on a flat-rate basis and in respect of which the sender is provided, where appropriate at his or her request, with a confirmation of receipt of the item and/or its delivery to the addressee;




§ Section 12 PMG reads as follows (emphasis added by the data protection authority)
Universal service provider


Section 12 PMG including the heading reads as follows (emphasis by the data protection authority):
Universal service operator
§ 12.
§ 12.
 
(1) With the entry into force of this federal act, Austrian Post will be named as the universal service operator.
(1) Upon entry into force of this Federal Act, Austrian Post will be designated as the universal service operator.
 
[...]
[...]


§ Section 20 of the PMG and its title reads as follows (emphasis added by the data protection authority):
Section 20 PMG including the heading reads as follows (emphasis by the data protection authority):
 
General terms and conditions of the universal service provider
General Terms and Conditions of the Universal Service Operator
 
§ 20.
§ 20.
 
(1) The universal service operator shall issue general terms and conditions in accordance with the provisions of this Act and the ordinances issued on the basis of this Act for services in the universal service area.
(1) The universal service operator shall, in accordance with the provisions of this Act and the regulations for services in the universal service area adopted on the basis of this Act, issue general terms and conditions of business.
 
[...]
[...]
 
Under a legal obligation according to Art 6 para. 1 lit. c GDPR is in any case an obligation based on objective law (Frenzel in Paal / Pauly, General Data Protection Regulation Art. 6 Rz. 16), which can arise in particular from a legal basis in member states or Union law and which also relates directly to data processing (Kastelitz / Hötzendorfer / Tschohl in Knyrim, DatKomm Art 6 GDPR margin no.39).
In any event, a legal obligation under Article 6(1)(c) of the DSGVO is to be understood as an obligation under objective law (Frenzel in Paal/Pauly, Datenschutz-Grundverordnung Art. 6, margin no. 16) which may result in particular from a legal basis in a Member State or in Union law and which, moreover, relates directly to data processing (Kastelitz/Hötzendorfer/Tschohl in Knyrim, DatKomm Art. 6 DSGVO, margin no. 39).
As a universal service operator within the meaning of Section 3 no. 4 in conjunction with Section 12 (1) PMG, the Respondent is subject to the provisions of the PMG and is therefore to be seen as the addressee of the legal obligations resulting from this law.
 
According to the constant jurisprudence of the Constitutional Court on the quality of an encroachment norm within the meaning of Section 1 (2) DSG (2000), it must “be sufficiently precise, i.e. predictable for everyone, to specify the conditions under which the determination or use of the data for the performance of specific administrative tasks is permitted is. The respective legislator must therefore iSd. Section 1 (2) DSG 2000 provides for a material-specific regulation in the sense that the cases of permissible interference with the fundamental right to data protection are specified and limited (VfSlg. 18.146 / 2007).
As a universal service provider within the meaning of Article 3(4) in conjunction with Article 12(1) of the PMG, the defendant is subject to the provisions of the PMG and must therefore be regarded as the addressee of the legal obligations arising from that law.
The data protection authority does not overlook the fact that this jurisprudence refers to an interference norm that is intended to legitimize official action, which is not the case here.
 
Nevertheless, this jurisprudence can also apply accordingly if those responsible in the private sector (Section 26 Paragraph 4 DSG) rely on an authorization norm within the meaning of Article 6 Paragraph 1 lit. c GDPR. This also results from Art. 5 Para. 1 lit. a GDPR, according to which personal data are processed in a lawful manner, in good faith and in a manner that is understandable for the person concerned.
According to the consistent case-law of the Constitutional Court on the quality of an obligatory standard in the sense of Section 1 (2) of the German Data Protection Act (2000), this standard must "specify with sufficient precision, i.e. predictable for everyone, under which conditions the determination or use of data for the performance of specific administrative tasks is permissible. The respective legislator must therefore, in the sense of Section 1 (2) of the Data Protection Act (2000) § 1 (2) DSG 2000, the respective legislator must therefore provide for a substantive regulation in the sense that the cases of permissible encroachments on the fundamental right to data protection are specified and limited (VfSlg. 18.146/2007).
It must therefore be checked whether the provisions of the PMG create a legal obligation to process personal data according to Art. 6 Para. 1 lit. c GDPR.
 
§ 3 Z 12 PMG standardizes the need for confirmation of receipt or delivery of the shipment. On the other hand, § 3 Z 12 PMG does not make any statement about the mere determination, i.e. the additional collection or storage of personal (ID) data. This also applies to Section 20 (1) PMG, which only standardizes the constitution of general terms and conditions, but not a legal obligation to process personal data.
In doing so, the data protection authority does not overlook the fact that this case law refers to an overriding norm which is intended to legitimise official action, which is not the case here.
It should also be noted that the Respondent's General Terms and Conditions cannot constitute a legal obligation due to a lack of material legal quality.
 
As a result, the provisions of the PMG put forward by the Respondent in conjunction with Art. 6 Para. 1 lit. c GDPR does not constitute a legal basis for scanning and saving the complainant's ID.
Nevertheless, this case law can also apply mutatis mutandis if those responsible in the private sector (Section 26 (4) DSG) base their actions on an enabling norm in the sense of Article 6 (1) (c) DSGVO. This also follows from Art. 5 (1) lit. a DSGVO, according to which personal data are processed in a lawful manner, in good faith and in a manner comprehensible to the data subject.
D.2. To safeguard legitimate interests (Art. 6 Para. 1 lit.f GDPR):
 
As a result, it must be checked whether the processing of the complainant's personal data is necessary to safeguard the legitimate interests of the respondent or a third party within the meaning of Article 6 (1) lit. f GDPR was required.
It must therefore be examined whether the provisions of the PMG may create a legal obligation to process personal data under Art. 6 (1) lit. c DSGVO.
According to the Rsp of the ECJ, processing on the legal basis of “legitimate interest” is permissible under three cumulative conditions: i) Perception of a legitimate interest by the person responsible or the third party (s) to whom the data is transmitted, ii) Requirement of processing personal data Data for the realization of the legitimate interest and iii) no predominance of the fundamental rights and freedoms of the person affected by data protection over the perceived legitimate interest (see with regard to Directive 95/46 / EC the judgment of the ECJ of December 11, 2019, C- 708/18 [TK] margin no. 40 with further references).
 
i) Legitimate interests of those responsible or a third party
§ Section 3 no. 12 PMG stipulates the need to confirm receipt or delivery of the consignment. However, Section 3 No. 12 PMG does not make any statement about the mere determination, i.e. the recording or storage of personal (ID) data beyond this. This applies equally to Section 20 (1) PMG, which merely sets out the constitution of general terms and conditions, but does not impose any legal obligation to process personal data.
It must first be checked whether the respondent or a third party had a legitimate interest in processing the complainant's ID data:
 
In addition, the Respondent submitted, among other things, that it could possibly be exposed to warranty and / or claims for damages by the sender and that the processing was therefore necessary to safeguard or defend its legal claims.
Moreover, it should be noted that even the respondent's General Terms and Conditions cannot constitute a legal obligation due to the lack of substantive legal quality.
It should be noted that the Respondent's interest in being able to adequately defend itself in the event of a legal dispute, at least within the statutory warranty period, and to be able to provide evidence of the lawful transfer to the correct person, was to be regarded as justified (see Kastelitz / Hötzendorfer / Tschohl in Knyrim, DatKomm Art 6 GDPR margin no. 54).
 
As a result, the provisions of the PMG in conjunction with Article 6(1)(c) of the DSGVO put forward by the respondent do not constitute a legal basis for the scanning and storage of the complainant's identity document.
 
D.2 To safeguard legitimate interests (Art. 6 para. 1 lit. f DSGVO):
 
It must then be examined whether the processing of the complainant's personal data was necessary to safeguard the legitimate interests of the respondent or a third party within the meaning of Article 6 paragraph 1 letter f DSGVO.
 
According to the ECJ's rulings, the processing is permissible on the legal basis of "legitimate interest" under three cumulative conditions: i) the controller or the third party(ies) exercising a legitimate interest third parties to whom the data are disclosed, (ii) the necessity of the processing of personal data for the purposes of the legitimate interest and (iii) the fundamental rights and freedoms of the data subject do not prevail over the legitimate interest perceived (see, with regard to Directive 95/46/EC, ECJ judgment of 11 December 2019, C-708/18 [TK] Rz 40 mwN).
 
(i) Legitimate interests of the data controller or a third party
 
It must first be examined whether the respondent or a third party had a legitimate interest in processing the identity card data of the complainant in question:
 
To this end, the respondent argued, inter alia, that it might have been exposed to warranty claims and/or claims for damages by the sender and that the processing was therefore necessary to safeguard or defend its legal claims.
 
In this respect, it must be noted that the respondent's interest in being able to defend itself sufficiently in the event of a legal dispute, at least within the statutory warranty period, and to provide proof of the lawful transfer to the correct person, was certainly to be regarded as justified (cf. Kastelitz/Hötzendorfer/Tschohl in Knyrim, DatKomm Art 6 DSGVO Rz. 54).
 
Against this background, the existence of a legitimate interest of the respondent in the processing of the identity card data in question was to be affirmed.
Against this background, the existence of a legitimate interest of the respondent in the processing of the identity card data in question was to be affirmed.
ii) Necessity of data processing
In addition, it should also be recognized that the processing of the complainant's identification data could serve to prove the transfer to the correct recipient in the event of a legal dispute.
iii) No predominance of the fundamental rights and freedoms of the data subject
Finally, the respondent's established interest in data processing had to be compared with the complainant's claim to secrecy and a possible predominance to be checked.
In doing so, the reasonable expectations of the complainant must also be taken into account, i.e. in particular whether he could reasonably foresee at the time the identification data was collected and in view of the circumstances under which it was carried out that processing for this purpose might possibly take place (cf. Recital 47 of the GDPR). The collection and storage of ID data for the purpose of defending legal claims regarding mail is in any case within general life experience and was therefore easily foreseeable for the complainant.
In order to weigh up specific interests, it should also be noted that there are no special categories of personal data pursuant to Art. 9 Para. 1 GDPR, no criminally relevant data pursuant to Art. 10 GDPR and no other personal data that were processed with a particularly intensive interference with the fundamental right related to secrecy.
The data categories processed by the Respondent are by no means excessive and the storage period of six months is in no way to be regarded as disproportionate. Also with regard to the case law of the ECJ, no excessive data processing can be seen here: the processing was moreover to the absolute minimum, both with regard to the scope of the processed data and with regard to the storage duration (see for example ECJ December 11, 2014, C-212/13 , Ryneš), as the Respondent saved the ID data for only six months and therefore only for a non-excessive period that was clearly defined in advance.
D.3 Result:
Against this background, the data protection authority comes to the conclusion that the legitimate interests of the respondent outweigh the fundamental rights and freedoms of the complainant and that the processing is lawful on the basis of "legitimate interests" according to Art. 6 para. 1 lit. f GDPR took place.
The complaint had to be dismissed according to the ruling.


ii) Necessity of the data processing
Furthermore, it should also be recognised that the processing of the complainant's identity card data could be used to prove that the data had been handed over to the correct recipient in the event of a dispute.
iii) No overriding of the fundamental rights and freedoms of the data subject
Finally, the respondent's established interest in data processing had to be compared with the complainant's claim to secrecy and a possible predominance had to be examined.
In doing so, the reasonable expectations of the complainant were to be taken into account, i.e. in particular whether he could reasonably foresee, at the time of the collection of the identification data and in view of the circumstances under which it was carried out, that processing for this purpose might possibly take place (see ErwG. 47 of the DSGVO). In any event, the collection and storage of identification data for the purpose of defending legal claims relating to postal items is within the scope of general life experience and was in this respect also easily foreseeable by the complainant.
In order to weigh up the specific interests involved, it should also be noted that no special categories of personal data pursuant to Article 9(1) DSGVO, no data relevant to criminal law pursuant to Article 10 DSGVO and no other personal data were processed which would involve a particularly intensive encroachment on the fundamental right to secrecy.
The categories of data processed by the respondent are in no way excessive and the storage period of six months is in no way to be regarded as disproportionate. Also in view of the case law of the European Court of Justice, no excessive data processing can be seen here: Moreover, the processing was limited to the absolutely necessary, both in terms of the volume of data processed and the storage period (cf. e.g. ECJ 11.12.2014, C-212/13, Ryneš), as the respondent stored the ID card data for only six months and thus only for a clearly defined, non excessive period of time.


D.3 Result:
European Case Law Identifier
ECLI: AT: DSB: 2020: 2020.0.349.984


Against this background, the data protection authority comes to the conclusion that the legitimate interests of the respondent outweigh the fundamental rights and freedoms of the complainant and that the processing was lawfully carried out on the basis of "legitimate interests" pursuant to Article 6 (1) lit. f of the DPA.


The complaint was therefore to be dismissed as inadmissible.
Keywords
Confidentiality, lawfulness of processing, postal service, universal service provider, registered letter, person collecting, scanning of photo identification, authorisation standard, general terms and conditions, balancing of interests
European Case Law Identifier (ECLI)
ECLI:AT:DSB:2020:2020.0.349.984
Last updated on
29.09.2020
Document number
DSBT_20200626_2020_0_349_984_00
</pre>
</pre>

Latest revision as of 14:00, 12 May 2023

DSB - DSB-D205.023
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 4(2) GDPR
Article 5(1)(f) GDPR
Article 6(1)(c) GDPR
Article 6(1)(f) GDPR
Article 13 GDPR
Article 51(1) GDPR
Article 57(1)(f) GDPR
Article 77(1) GDPR
§ 1(1) DSG (Datenschutzgesetz)
§ 1(2) DSG (Datenschutzgesetz)
§ 18(1) DSG (Datenschutzgesetz)
§ 24(1) DSG (Datenschutzgesetz)
§ 24(5) DSG (Datenschutzgesetz)
§ 3(4) PMG (Postmarktgesetz)
§ 3(12) PMG (Postmarktgesetz)
§ 12 PMG (Postmarktgesetz)
§ 17 PMG (Postmarktgesetz)
§ 20 PMG (Postmarktgesetz)
Type: Complaint
Outcome: Rejected
Started:
Decided: 26.06.2020
Published:
Fine: None
Parties: n/a
National Case Number/Name: DSB-D205.023
European Case Law Identifier: ECLI:AT:DSB:2020:2020.0.349.984
Appeal: n/a
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (in DE)
Initial Contributor: Agnieszka Rapcewicz

The Austrian DPA holds that the post office's making a copy of a recipient's identity card does not infringe the complainant's right to privacy, and that the post office has a legitimate interest in processing the personal data contained in the identity document to safeguard or defend its legal claims.

English Summary

Facts

The complainant went to a post office to receive a letter addressed to him. The post office employee informed him that the letter had not been delivered to him, that it had been left at that post office, and that a notice (the so-called “yellow slip”) had been left for the complainant. This was a non-official registered letter (with a take-over certificate). The post office clerk asked the complainant to show his identity document with a photo in order to take the letter. The complainant showed his identity card. Subsequently, the post office employee electronically (using a scanning device) recorded the identity card data: type of ID card, ID card number, issuing authority, date of birth and the corresponding name. The data were stored for 6 months. After the retention period expired, the data in question were deleted. However, no copy of the ID document itself was made. The complainant alleged that the post office infringed confidentiality obligations by making a copy of his identity card. The complainant pointed out that even the general terms and conditions of the Post Office, in the event of doubts as to the identity of a person, refer to the presentation of a document and not to data collection. That is why he lodged a complaint with the supervisory authority.

Dispute

Has the complainant's right to privacy been infringed by a postal worker electronically registering and saving the complainant's identity card when he collected his registered letter at the post office?

Holding

The DPA rejected the complaint. It held that the post office's making a copy of a recipient's identity card does not infringe the complainant's right to privacy, and that the post office has a legitimate interest in processing the personal data contained in the identity document to safeguard or defend its legal claims.

Comment

The DPA examined whether the provisions of the PMG (Postmarktgesetz) may create a legal obligation for the Post Office to process personal data under Article 6(1)(c). The DPA pointed out that the national law stipulates the need to confirm receipt or delivery of the consignment. However, it does not say anything about the recording or storage of personal (ID) data. The law does not impose any legal obligation to process personal data. Moreover, the DPA noted that even the respondent's General Terms and Conditions cannot constitute a legal obligation due to the lack of substantive legal quality. Therefore, scanning and storage of the complainant's identity document cannot be based on the PMG provisions in conjunction with Article 6(1)(c).

However, the supervisory authority considered that the post office has a legitimate interest in processing the personal data contained in the identity document. The defendant might have been exposed to warranty claims and/or claims for damages by the sender and the processing was therefore necessary to safeguard or defend its legal claims, which constitutes a legitimate interest. Furthermore, the DPA considered that it was justified to keep a copy of the document, because it could be used to prove that the data had been handed over to the correct recipient in the event of a dispute. The supervisory authority stressed that the reasonable expectations of the complainant were also to be taken into account, i.e. in particular whether he could reasonably foresee, at the time of the collection of the identification data and in view of the circumstances under which it was carried out, that processing for this purpose might possibly take place. The DPA found that the collection and storage of identification data for the purpose of defending legal claims relating to postal items is within the scope of general life experience and was in this respect also easily foreseeable by the complainant.

What is more, in the DPA's opinion the categories of data processed by the respondent are in no way excessive and the storage period of six months is in no way to be regarded as disproportionate.

In light of the above, the DPA came to the conclusion that the legitimate interests of the respondent outweighed the fundamental rights and freedoms of the complainant and that the processing was lawfully carried out on the basis of "legitimate interests" pursuant to Article 6(1)(f).

The complaint was therefore dismissed.




English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.



Decisive authority
Data protection authority


Decision date
06/26/2020


Business number
2020-0.349.984


Appeal at the BVwG / VwGH / VfGH
This decision is final.




text
GZ: 2020-0.349.984 of June 26, 2020 (case number: DSB-D205.023)

[Editor's note: names and companies, legal forms and product names, addresses (incl. URLs, IP and e-mail addresses), file numbers (and the like), etc., as well as their initials and abbreviations may be shortened and/or changed for reasons of pseudonymisation. Obvious spelling, grammar, and punctuation errors have been corrected.
The respondent's company was not pseudonymized here because, according to the reasons for the decision, the universal service operator was involved in this role in accordance with Section 12 (1) PMG, and the respondent is listed as such in the cited law. A meaningful pseudonymization was also not possible due to multiple references to the business activity of the Respondent as a universal service operator in the matter (e.g. registered letter, "yellow note"). However, the interest in secrecy of the respondent who won the proceedings, whose actions were found to be lawful, does not outweigh the public interest in the publication of the decision, as required by law in Section 23 (2) DSG.]

NOTIFICATION
RULING
The data protection authority decides on the data protection complaint by Gustav A *** (complainant) of April 17, 2019 against Österreichische Post AG (respondent) due to violation of the right to secrecy as follows:
- The complaint is dismissed as unsubstantiated.
Legal basis: Art. 4 no. 2, Art. 5 para. 1 lit. f, Art. 6 Para. 1 lit. c and lit. f, Art. 13, Art. 51 Para. 1, Art. 57 Para. 1 lit. f and Art. 77 Para. 1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), ABl. No. L 119 of 4.5.2016 p. 1; §§ 1 Paragraph 1 and Paragraph 2, 18 Paragraph 1 and 24 Paragraph 1 and Paragraph 5 of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended; § 3 Z 4 and Z 12, § 12, § 17, § 20 of the Postal Market Act (PMG), Federal Law Gazette I No. 123/2009 as amended;

REASONS
A. Arguments of the parties and course of the procedure
1. With the preliminary filing of April 17, 2019, repeated on June 23, 2019 and July 26, 2019, the complainant alleged a violation of the right to secrecy and a violation of the information obligations by the respondent.
The alleged breach of the duty to provide information is dealt with in a separate procedure under reference number DSB-D205.246.
2. With regard to the alleged breach of the right to secrecy, the complainant summarized the following:
On March 29, 2019, the complainant had collected a letter addressed to him, of which he had been notified by means of a so-called "yellow note", in a branch of the respondent. In the course of this, an employee of the respondent requested that the complainant present an ID, which the complainant did. As a result, however, the employee made a copy against his will and without his permission. The ID card was placed on a scanner and the data was recorded electronically. The complainant further explains that even the general terms and conditions of the respondent ("AGB-Brief National"), under point 3.5.2, speak only of presenting an ID in case of doubt as to identity, and not of data collection.
3. With the settlement of July 22, 2019 (GZ: DSB-D205.023 / 0001-DSB-2019), the data protection authority requested the respondent to comment.
4. With the submission dated August 20, 2019, the Respondent commented as follows:
It is correct that the complainant collected a registered (= with acceptance note) mail item in a branch of the respondent because he was not found at the time of the attempted delivery. He was therefore informed by means of a “yellow slip of paper” about the attempted delivery and the deposit of the shipment and about the need to present an official photo ID when collecting the shipment. The notification of deposit also contains a reference to the data protection information of the respondent, which in particular also provides information on the processing of ID data.
When the complainant collected the consignment, an employee of the respondent asked the complainant to present a photo ID and, as a result, automatically recorded the specific ID data, as is usual when a person is not personally known to the employee. A scanner is used to record the ID data, which only reads out specific data from the respective ID, namely ID type, ID number, issuing authority and date of birth as well as the corresponding name - a copy is not made. The complainant also acknowledged acceptance of the registered mail on the.
The criticized processing of the ID data is necessary to fulfill a legal obligation to which the respondent as the person responsible is subject (Art. 6 Para. 1 lit. c GDPR): According to § 3 Z 12 PMG, the handover of registered mail to the correct recipient must be acknowledged. The handover to the right person - if this person is not known personally to the respondent - is only possible as part of an identification / authentication process to be carried out, i.e. by presenting an official photo ID. The Respondent had issued general terms and conditions (in particular "AGB Brief") in accordance with § 20 PMG, which were also approved by the regulatory authority. This also results in the need for a confirmation of acceptance and identification (points 3.3 and 3.5.2 of the General Terms and Conditions for letters nationally and point 4.1 of the product and price list ("PVV") for return receipt letters, which also include registered mail). These documents (GTC and PVV) show that the handover of a registered item is only permitted after prior identification or authentication. The identification data collected by the respondent for the purpose of identification or authentication are subsequently kept for 6 months for any processing of potential inquiries (point 3.10 of the national letter terms and conditions) and any warranty cases (point 4 of the national letter terms and conditions), i.e. for the assertion, exercise or defense of legal claims and also to implement the contractual relationship with the sender, and are then deleted. The fact that the Respondent is exposed to possible warranty and / or damages claims if a shipment is not properly handed over, in particular to the correct recipient, gives rise to a processing and storage authorization. It must therefore be possible to defend oneself at least within the statutory warranty period.
Also in the context of any proceedings before the data protection authority, the respondent must be able to exonerate itself, for example by proving that it has fulfilled its duty of care and verifiably checked the identity of the person taking delivery. The respondent relied on the deadline set out in Section 24 (4) DSG and on a specified decision by the data protection authority regarding the admissibility of a copy of an identity card for identity verification.
Furthermore, the processing of the ID data was required to safeguard the legitimate interests of the respondent and the respective sender within the meaning of Art. 6 para. 1 lit. f GDPR, in order to ensure correct allocation to the actually addressed recipient and to be able to provide the sender with proof. This is the only way to prevent any abuse. The interests of the respondent and those of its contractual partner outweighed the interests or fundamental rights and freedoms of the complainant. There was no noticeable impairment of the complainant, since only the necessary data is stored, which is also protected according to § 5 PMG and by extensive technical and organizational measures.
The Respondent also stated that it had complied with its information obligations and referred to the “data protection information”, which can be found on its website.
5. By letter dated September 19, 2019 (GZ: DSB-D205.023 / 0003-DSB / 2019), the data protection authority granted the complainant the right to be heard and the opportunity to comment.
6. No further submissions were made on the part of the complainant.
B. Subject matter of the complaint
The subject of the complaint is the question of whether the respondent has violated the complainant's right to secrecy in that an employee of the respondent electronically recorded and saved the complainant's identification data when collecting a mail item (registered mail).
The alleged violation of the information obligations is dealt with separately in the proceedings relating to reference number DSB-D205.246 and was therefore not the subject of the complaint in the present proceedings.
C. Factual Findings
1. On March 29, 2019, the complainant collected a letter from the (post) branch ****, **** XY, *** - Strasse *. The respondent had informed the complainant about an unsuccessful delivery attempt and the subsequent deposit in the post office mentioned by means of a notification of a deposited item (“yellow slip”) at a point in time that could not be determined in detail. This was a non-official registered (with transfer note) mail item.
2. After being asked to do so by an employee of the respondent, the complainant presented his official photo ID in the course of collecting the shipment. Subsequently, the ID data (ID type, ID number, issuing authority, date of birth and the corresponding name) were electronically recorded using a scanner and saved for 6 months. After the retention period expired, the relevant data was deleted. A copy of the identity document itself, however, was not made.
Assessment of evidence: The findings result from consistent submissions of the parties, in particular the complainant's submission of April 17, 2019 and the respondent's submission of August 20, 2019.
3. The following General Terms and Conditions of the Respondent were in effect on March 29, 2019:


Evidence assessment: The findings result from the respondent's submission of August 20, 2019 and remained undisputed by the complainant.
D. In legal terms it follows:
The complainant believes the respondent has violated confidentiality obligations by making a copy of the ID (recording with a scanner and saving the ID data).
Ultimately, these arguments are not justified:
D.1. On Art. 6 Para. 1 lit. c GDPR:
According to Section 1 (1) DSG, everyone, especially with regard to respect for their private and family life, has the right to confidentiality of their personal data, provided that there is a legitimate interest in it.
Pursuant to Section 1 (2) DSG, restrictions on the right to confidentiality are only permitted in order to safeguard the overriding legitimate interests of another, insofar as the use of personal data is not in the vital interest of the person concerned or with his consent.
The data processing in question was not carried out in the complainant's vital interest, nor was consent given, which is why the legality had to be checked on the basis of the safeguarding of overriding legitimate interests: According to the case law of the data protection authority, there is no violation of confidentiality obligations in particular if the implementing provisions, according to Section 4 (1) GDPR the rules of the GDPR and the principles anchored therein, have not been violated (see the decision of October 31, 2018, GZ DSB-D123.076 / 0003-DSB / 2018).
According to Art. 5 Para. 1 lit. b GDPR, personal data must be collected for specified, clear and legitimate purposes and may not be further processed in a way that is incompatible with these purposes ("purpose limitation"). The processing of personal data is justified, among other things, if it is necessary to fulfill a legal obligation to which the person responsible is subject (Art. 6 Para. 1 lit. c GDPR) or to safeguard the legitimate interests of the person responsible or a third party, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail (Art. 6 Para. 1 lit. f GDPR).
In this context, Art. 6 Para. 1 lit. c GDPR in conjunction with the PMG and Art. 6 Para. 1 lit. f GDPR are relevant:
The Respondent also correctly relied on the legal obligations of the PMG:
Section 3 no.4 and no.12 PMG including the heading reads as follows (emphasis by the data protection authority):
Definitions
§ 3.
For the purposes of this federal law:
[...]
4. “Universal service operator” means one or more named universal service operators in accordance with Section 12 Paragraph 1 or one or more named postal service providers in accordance with Section 12 Paragraph 2;
[...]
12. "Registered item" means a piece of mail that is insured by the postal service provider against loss, theft or damage and for which the sender is provided, if applicable at his or her request, with a confirmation of receipt of the item and / or of its delivery to the recipient;

Section 12 PMG including the heading reads as follows (emphasis by the data protection authority):
Universal service operator
§ 12.
(1) With the entry into force of this federal act, Austrian Post will be named as the universal service operator.
[...]

Section 20 PMG including the heading reads as follows (emphasis by the data protection authority):
General terms and conditions of the universal service provider
§ 20.
(1) The universal service operator shall issue general terms and conditions in accordance with the provisions of this Act and the ordinances issued on the basis of this Act for services in the universal service area.
[...]
A legal obligation within the meaning of Art. 6 para. 1 lit. c GDPR is in any case an obligation based on objective law (Frenzel in Paal / Pauly, General Data Protection Regulation Art. 6 Rz. 16), which can arise in particular from a legal basis in member state or Union law and which also relates directly to data processing (Kastelitz / Hötzendorfer / Tschohl in Knyrim, DatKomm Art 6 GDPR margin no. 39).
As a universal service operator within the meaning of Section 3 no. 4 in conjunction with Section 12 (1) PMG, the Respondent is subject to the provisions of the PMG and is therefore to be seen as the addressee of the legal obligations resulting from this law.
According to the constant jurisprudence of the Constitutional Court on the quality of an encroachment norm within the meaning of Section 1 (2) DSG (2000), it must “be sufficiently precise, i.e. predictable for everyone, to specify the conditions under which the determination or use of the data for the performance of specific administrative tasks is permitted. The respective legislator must therefore, within the meaning of Section 1 (2) DSG 2000, provide for a material-specific regulation in the sense that the cases of permissible interference with the fundamental right to data protection are specified and limited” (VfSlg. 18.146 / 2007).
The data protection authority does not overlook the fact that this jurisprudence refers to an interference norm that is intended to legitimize official action, which is not the case here.
Nevertheless, this jurisprudence can also apply accordingly if those responsible in the private sector (Section 26 Paragraph 4 DSG) rely on an authorization norm within the meaning of Article 6 Paragraph 1 lit. c GDPR. This also results from Art. 5 Para. 1 lit. a GDPR, according to which personal data must be processed in a lawful manner, in good faith and in a manner that is understandable for the person concerned.
It must therefore be checked whether the provisions of the PMG create a legal obligation to process personal data according to Art. 6 Para. 1 lit. c GDPR.
§ 3 Z 12 PMG lays down the need for confirmation of receipt or delivery of the shipment. On the other hand, § 3 Z 12 PMG does not make any statement about the mere determination, i.e. the additional collection or storage of personal (ID) data. This also applies to Section 20 (1) PMG, which only lays down the issuing of general terms and conditions, but not a legal obligation to process personal data.
It should also be noted that the Respondent's General Terms and Conditions cannot constitute a legal obligation because they lack the quality of substantive law.
As a result, the provisions of the PMG put forward by the Respondent in conjunction with Art. 6 Para. 1 lit. c GDPR do not constitute a legal basis for scanning and saving the complainant's ID.
D.2. To safeguard legitimate interests (Art. 6 Para. 1 lit. f GDPR):
As a result, it must be checked whether the processing of the complainant's personal data was necessary to safeguard the legitimate interests of the respondent or a third party within the meaning of Article 6 (1) lit. f GDPR.
According to the case law of the ECJ, processing on the legal basis of “legitimate interest” is permissible under three cumulative conditions: i) pursuit of a legitimate interest by the person responsible or by the third party or parties to whom the data is transmitted, ii) necessity of processing personal data for the realization of the legitimate interest and iii) no predominance of the fundamental rights and freedoms of the person affected by data protection over the legitimate interest pursued (see with regard to Directive 95/46/EC the judgment of the ECJ of December 11, 2019, C-708/18 [TK] margin no. 40 with further references).
i) Legitimate interests of those responsible or a third party
It must first be checked whether the respondent or a third party had a legitimate interest in processing the complainant's ID data:
In addition, the Respondent submitted, among other things, that it could possibly be exposed to warranty and / or claims for damages by the sender and that the processing was therefore necessary to safeguard or defend its legal claims.
It should be noted that the Respondent's interest in being able to adequately defend itself in the event of a legal dispute, at least within the statutory warranty period, and to be able to provide evidence of the lawful transfer to the correct person, was to be regarded as justified (see Kastelitz / Hötzendorfer / Tschohl in Knyrim, DatKomm Art 6 GDPR margin no. 54).
Against this background, the existence of a legitimate interest of the respondent in the processing of the identity card data in question was to be affirmed.
ii) Necessity of data processing
In addition, it should also be recognized that the processing of the complainant's identification data could serve to prove the transfer to the correct recipient in the event of a legal dispute.
iii) No predominance of the fundamental rights and freedoms of the data subject
Finally, the respondent's established interest in data processing had to be weighed against the complainant's claim to secrecy, and a possible predominance had to be checked.
In doing so, the reasonable expectations of the complainant must also be taken into account, i.e. in particular whether he could reasonably foresee at the time the identification data was collected and in view of the circumstances under which it was carried out that processing for this purpose might possibly take place (cf. Recital 47 of the GDPR). The collection and storage of ID data for the purpose of defending legal claims regarding mail is in any case within general life experience and was therefore easily foreseeable for the complainant.
In order to weigh up the specific interests, it should also be noted that no special categories of personal data pursuant to Art. 9 Para. 1 GDPR, no criminally relevant data pursuant to Art. 10 GDPR and no other personal data whose processing involves a particularly intensive interference with the fundamental right to secrecy were processed.
The data categories processed by the Respondent are by no means excessive and the storage period of six months is in no way to be regarded as disproportionate. Also with regard to the case law of the ECJ, no excessive data processing can be seen here: the processing was moreover limited to the absolute minimum, both with regard to the scope of the processed data and with regard to the storage duration (see for example ECJ December 11, 2014, C-212/13, Ryneš), as the Respondent saved the ID data for only six months and therefore only for a non-excessive period that was clearly defined in advance.
D.3 Result:
Against this background, the data protection authority comes to the conclusion that the legitimate interests of the respondent outweigh the fundamental rights and freedoms of the complainant and that the processing lawfully took place on the basis of "legitimate interests" according to Art. 6 para. 1 lit. f GDPR.
The complaint had to be dismissed according to the ruling.


European Case Law Identifier
ECLI:AT:DSB:2020:2020.0.349.984