BVwG - W252 2247092-1: Difference between revisions
(Created page with "{{COURTdecisionBOX |Jurisdiction=Austria |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=BVwG |Court_Original_Name=Bundesverwaltungsgericht |Court_English_Name=Federal Administrative Court |Court_With_Country=BVwG (Austria) |Case_Number_Name=W252 2247092-1 |ECLI=ECLI:AT:BVWG:2023:W252.2247092.1.00 |Original_Source_Name_1=RIS (Austria) |Original_Source_Link_1=https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=eef1a70f-0c87-4939-950d-19ec0af307fb...") |
m (→Facts) |
||
Line 68: | Line 68: | ||
=== Facts === | === Facts === | ||
The data subject filed a complaint against the controller for the unnecessary storage of payment data. The data subject claimed that data were outdated and no longer useful to check their creditworthiness. | The data subject filed a complaint against the controller for the unnecessary storage of payment data. The data subject claimed that data were outdated and no longer useful to check their creditworthiness. | ||
The Austrian DPA held that storage was contrary to the GDPR. | |||
The Austrian DPA held that storage was excessive and contrary to the GDPR. | |||
The controller appealed the decision, pointing out to have meanwhile erased data. This was, according to the controller, not on the basis of a legal obligation, but as a spontaneous gesture of good will. | The controller appealed the decision, pointing out to have meanwhile erased data. This was, according to the controller, not on the basis of a legal obligation, but as a spontaneous gesture of good will. | ||
=== Holding === | === Holding === | ||
The Austrian Federal Administrative Court (Bundesverwaltungsgericht – BVwG) upheld the controller’s appeal. | The Austrian Federal Administrative Court (''Bundesverwaltungsgericht – BVwG'') upheld the controller’s appeal. | ||
According to the court, in lack of a law stating the contrary, a judge should assess the existence of a violation with regard to the time of the adoption of their decision. The court pointed out that § 24(6) of the Austrian Data Protection Law (Datenschutzgesetz – DSG) enables controllers to remedy to violations during proceedings before the DPA. | |||
The court stressed that such a national provision is not contrary to the GDPR. As matter of fact, [[ | According to the court, in lack of a law stating the contrary, a judge should assess the existence of a violation with regard to the time of the adoption of their decision. The court pointed out that § 24(6) of the Austrian Data Protection Law (''Datenschutzgesetz – DSG'') enables controllers to remedy to violations during proceedings before the DPA. | ||
The court stressed that such a national provision is not contrary to the GDPR. As matter of fact, [[Article 58 GDPR]] does not provide the DPAs with any power to adopt declaratory binding decisions about the existence of certain violations. What [[Article 58 GDPR#6|Article 58(6) GDPR]] does is exclusively to enable Member States to confer additional powers to the DPAs under national law. Austria decided to implement this provision by giving its DPA the power to ascertain the existence of ongoing violations, not violations that occurred in the past. | |||
In light of the above, the court invalidated the DPA’s decision. | In light of the above, the court invalidated the DPA’s decision. | ||
Latest revision as of 14:10, 12 September 2023
BVwG - W252 2247092-1 | |
---|---|
Court: | BVwG (Austria) |
Jurisdiction: | Austria |
Relevant Law: | Article 58(6) GDPR § 24(6) DSB |
Decided: | 22.08.2023 |
Published: | 31.08.2023 |
Parties: | |
National Case Number/Name: | W252 2247092-1 |
European Case Law Identifier: | ECLI:AT:BVWG:2023:W252.2247092.1.00 |
Appeal from: | DSB (Austria) |
Appeal to: | Unknown |
Original Language(s): | German |
Original Source: | RIS (Austria) (in German) |
Initial Contributor: | mg |
An Austrian court annulled a DPA declaratory decision on the basis of a national provision enabling controllers to remedy to GDPR violations during the administrative procedure against them.
English Summary
Facts
The data subject filed a complaint against the controller for the unnecessary storage of payment data. The data subject claimed that data were outdated and no longer useful to check their creditworthiness.
The Austrian DPA held that storage was excessive and contrary to the GDPR.
The controller appealed the decision, pointing out to have meanwhile erased data. This was, according to the controller, not on the basis of a legal obligation, but as a spontaneous gesture of good will.
Holding
The Austrian Federal Administrative Court (Bundesverwaltungsgericht – BVwG) upheld the controller’s appeal.
According to the court, in lack of a law stating the contrary, a judge should assess the existence of a violation with regard to the time of the adoption of their decision. The court pointed out that § 24(6) of the Austrian Data Protection Law (Datenschutzgesetz – DSG) enables controllers to remedy to violations during proceedings before the DPA.
The court stressed that such a national provision is not contrary to the GDPR. As matter of fact, Article 58 GDPR does not provide the DPAs with any power to adopt declaratory binding decisions about the existence of certain violations. What Article 58(6) GDPR does is exclusively to enable Member States to confer additional powers to the DPAs under national law. Austria decided to implement this provision by giving its DPA the power to ascertain the existence of ongoing violations, not violations that occurred in the past.
In light of the above, the court invalidated the DPA’s decision.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Decision date August 22, 2023 standard B-VG Art 133 Paragraph 4 DSG §24 Paragraph 1 DSG §24 Paragraph 5 DSG §24 Paragraph 6 GDPR Art 17 B-VG Art. 133 today B-VG Art. 133 valid from January 1st, 2019 to May 24th, 2018 last changed by Federal Law Gazette I No. 138/2017 B-VG Art. 133 valid from January 1st, 2019 last changed by Federal Law Gazette I No. 22/2018 B-VG Art. 133 valid from May 25, 2018 to December 31, 2018 last changed by Federal Law Gazette I No. 22/2018 B-VG Art. 133 valid from August 1, 2014 to May 24, 2018 last changed by Federal Law Gazette I No. 164/2013 B-VG Art by BGBl amended by BGBl. No. 211/1946 B-VG Art. 133 valid from December 19, 1945 to December 24, 1946 last amended by StGBl. No. 4/1945 B-VG Art. 133 valid from January 3, 1930 to June 30, 1934 DSG Art. 2 § 24 today DSG Art. 2 § 24 valid from May 25th, 2018 last changed by Federal Law Gazette I No. 120/2017 DSG Art No. 133/2009 DSG Art. 2 § 24 valid from January 1st, 2000 to December 31st, 2009 DSG Art. 2 § 24 today DSG Art. 2 § 24 valid from May 25th, 2018 last changed by Federal Law Gazette I No. 120/2017 DSG Art No. 133/2009 DSG Art. 2 § 24 valid from January 1st, 2000 to December 31st, 2009 DSG Art. 2 § 24 today DSG Art. 2 § 24 valid from May 25th, 2018 last changed by Federal Law Gazette I No. 120/2017 DSG Art No. 133/2009 DSG Art. 2 § 24 valid from January 1st, 2000 to December 31st, 2009 saying W252 2247092-1/8E IN THE NAME OF THE REPUBLIC! The Federal Administrative Court, through judge Mag.a Elisabeth SCHMUT LL.M. as chairwoman and the expert lay judges Dr. Claudia ROSENMAYR-KLEMENZ and Mag.a Adriana MANDL as assessors on the complaint of XXXX (co-involved party before the administrative court XXXX against the data protection authority's decision of August 11, 2021, GZ XXXX in a non-public session in a Data protection matter rightly recognized: The Federal Administrative Court, through the judge Mag.a Elisabeth SCHMUT LL.M. as chairman and the expert lay judges Dr. Claudia ROSENMAYR-KLEMENZ and Mag.a Adriana MANDL as assessors, heard the complaint from Roman XXXX (co-participants Party before the Roman Administrative Court XXXX against the data protection authority's decision of August 11, 2021, GZ Roman XXXX in a non-public session in a data protection matter rightly recognized: A) The complaint will be followed up and the contested decision will be remedied without replacement. B) The revision is permitted. text Reasons for the decision: I. Process: Roman one. Process: 1. With a submission dated November 28th, 2019, amended on January 10th, 2020, the party involved (hereinafter “MP”) lodged a data protection complaint with the authority concerned and summarized that the complainant (hereinafter “BF”) had violated them due to the excessive length of time Storage of eight specified payment experience data violated your right to deletion. The payment experiences listed by the MP are all paid, only concern small amounts and date back a long time, which is why they should be deleted. 2. During the course of the proceedings before the authority concerned, the BF stated that it had deleted four of the eight disputed payment experiences of the BF, as these were now more than ten years ago. 3. In a decision dated August 11, 2021, the relevant authority upheld the complaint due to a violation of the right to deletion and determined that the BF had violated MP's right to deletion by not deleting four specified claims from its credit database have (point 1). Furthermore, in the event of other execution, she ordered the BF to comply with the MP's request for deletion and to delete the data mentioned in ruling point 1 (ruling point 2). The relevant authority explained that due to the low amounts of the claims in connection with their age, the MP's interest in deletion outweighed the claims. 4. The present complaint from the BF dated September 16, 2021 is directed against this decision. In this, the BF asserted that the decision was illegal and also stated that it had since deleted the remaining four entries mentioned by the BF from its database “as a gesture of goodwill and without recognizing a legal obligation”. 5. The authority concerned submitted the complaint following the administrative act in a letter dated October 5th, 2021, filed on October 7th, 2021, and requested that the complaint be dismissed - with more detailed reasons. Evidence was collected by examining the administrative and court files. II. The Federal Administrative Court has considered: Roman II. The Federal Administrative Court has considered: 1. Findings: 1.1. On October 31, 2019, the MP sent a deletion request to the BF (OZ 1, S 14 ff). 1.2. In its data protection complaint, the MP asserted a violation of the right to deletion with regard to eight payment history data, four of which were “opened” in 2010, another three in 2011 and one in 2012 (OZ 1, S 11; 17 f). 1.3. By July 24, 2020 at the latest, the BF deleted four of the required payment history data from 2010 (OZ 1, S 79, 89). 1.4. By September 15, 2021 at the latest, the BF deleted the remaining four payment history data required by the MP. The BF no longer processes any of the payment experiences requested by the BF in its data protection complaint (OZ 1, S 180, 183). 2. Assessment of evidence: The findings are based on the harmless administrative act. In the course of the data protection complaint, the MP submitted its request for deletion to the BF (see OZ 1, p. 14 ff). The finding that MP complained about the failure to delete eight payment experiences results from MP's data protection complaint. The MP listed eight payment history data and named them with the date and exact amount. In conjunction with the information also provided on July 25, 2018, these could be clearly assigned to the MP data sets (OZ 1, S 11, 17 f). The findings that the BF deleted four of the payment history data mentioned by the MP in 2020 and another four in 2021 arise from the BF's credible submissions in this regard, which it supported with current extracts from its database. These clearly show that none of the eight payment experience data mentioned by the BF in its data protection complaint are now processed by the BF (OZ 1, S 79, 89, 180, 183). In its statement dated July 29, 2020, the MP noted the first partial deletion and continued to insist on the deletion of the remaining data (OZ 1, p. 118). The MP did not comment on the BF's decision complaint including the information showing that the data requested by it has now been deleted. However, there were no indications that the BF was further processing the data listed by the MP contrary to the information provided or its statements. Legal assessment: To A) The admissible complaint is justified. 2.1. Regarding the subject of the complaint: The subject matter of a procedure requiring an application is - as in the present case - generally determined by the application (see VwGH May 24, 2022, Ro 2022/04/0011). The only subject of the complaint is the question of whether the BF violated MP's right to deletion with regard to the eight payment history data that it specifically identified. An examination of the data otherwise stored by the BF on the MP was therefore not necessary. The subject of a procedure requiring an application is - as in the present case - fundamentally determined by the application (see VwGH May 24, 2022, Ro 2022/04/0011). The only subject of the complaint is the question of whether the BF violated MP's right to deletion with regard to the eight payment history data that it specifically identified. An examination of the data otherwise stored by the BF for the MP was therefore not carried out. 2.2. About the right to deletion: Using the right to deletion in accordance with Article 17 of the GDPR, the data subject can request the deletion of their data from the person responsible under the conditions of paragraph 1 (see Haidinger in Knyrim, DatKomm Art 17 of the GDPR, paragraph 2). Using the right of deletion in accordance with Article 17 of the GDPR Under the conditions of paragraph one, the data subject can request that the person responsible delete their data (see Haidinger in Knyrim, DatKomm Article 17, GDPR Rz 2). In its data protection complaint, the MP alleged a violation of the right to deletion with regard to eight precisely identified payment experience data. The BF has now deleted all eight of these payment history data. The administrative court must (unless the law states otherwise) base its decision on the factual and legal situation relevant at the time of its decision - in this case, that after deletion (see VwGH September 23, 2020, Ra 2020/14/0175 mwN) .The administrative court must (unless the law states otherwise) base its decision on the factual and legal situation relevant at the time of its decision - in this case that after deletion - see VwGH September 23, 2020, Ra 2020/14/0175 with further references) . 2.2.1. Regarding past violations of the right to erasure: According to Section 24 Paragraph 1 DSG, every data subject has the right to lodge a complaint with the data protection authority if they are of the opinion that the processing of personal data concerning them violates the GDPR or Section 1 or Article 2, 1st part of the DSG. According to Section 24 Paragraph 5 DSG, a justified complaint must be followed up. If a violation is attributable to a person responsible for the private sector, they must be instructed to comply with the complainant's requests - for example for deletion. Section 24 (6) DSG, which is to be applied mutatis mutandis in administrative court proceedings in accordance with Section 17 VwGVG, accordingly provides that a respondent can subsequently eliminate the alleged violation of the law by complying with the complainant's requests until the end of the procedure before the data protection authority. In this case, the authority concerned must generally terminate the procedure informally. According to paragraph 24, paragraph one, DSG, every data subject has the right to lodge a complaint with the data protection authority if they are of the opinion that the processing of personal data concerning them violates the GDPR or against Paragraph one, or Article 2, 1st part of the DSG violates. According to paragraph 24, paragraph 5, DSG, a justified complaint must be followed up. If a violation is attributable to a person responsible for the private sector, they must be instructed to comply with the complainant's requests - for example for deletion. Paragraph 24, Paragraph 6, DSG, which is to be applied mutatis mutandis in administrative court proceedings in accordance with Paragraph 17, VwGVG, provides that a respondent can subsequently eliminate the alleged violation of the law by complying with the complainant's requests until the end of the proceedings before the data protection authority . In this case, the authority concerned must generally terminate the proceedings informally. § 24 DSG is intended to grant data subjects a right to enforce any violations of rights that arise from the DSG or the GDPR (see Bresich/Riedl in Bresich/Dopplinger/Dörnhöfer/Kunnert/Riedl, DSG § 24 Rz 7). Paragraph 24, DSG is intended to grant data subjects a right to enforce any violations of rights that arise from the DSG or the GDPR (see Bresich/Riedl in Bresich/Dopplinger/Dörnhöfer/Kunnert/Riedl, DSG paragraph 24, paragraph 7) . The VwGH has already stated in relation to the previous provision of Section 24 DSG (Section 31 DSG 2000) that no right to a determination of a past violation of the right to deletion of data can be derived from this (VwGH September 27, 2007, 2006/06/ 0330). The VwGH has transferred this case law to the current legal situation (see VwGH October 19, 2022, Ro 2022/04/0001, Rz 24 ff). The VwGH has already stated that in relation to the previous provision of Paragraph 24, DSG (Paragraph 31, DSG 2000). No right to establish that the right to delete data has been violated in the past can be derived from this (VwGH September 27, 2007, 2006/06/0330). The VwGH has transferred this case law to the current legal situation (see VwGH October 19, 2022, Ro 2022/04/0001, Rz 24 ff). In its decision VfGH June 26, 1991, B 811/89, the Constitutional Court stated that a data protection complaint filed due to an alleged violation of the rights to rectification or deletion has the sole aim of providing the complainant with a decision by the (then still) Data Protection Commission if necessary their “enforcement” to help enforce the right to rectification or deletion. Once the correction or deletion has been carried out (or caused), the possibility of violating the subjective rights granted by Section 1 Paragraph 4 DSG 2000 no longer exists. A meritorious decision due to violation of these rights can only be considered if and as long as the desired correction or deletion has not yet been carried out (or caused). The Constitutional Court stated in its decision VfGH June 26, 1991, B 811/89, that , a data protection complaint raised due to an alleged violation of the right to rectification or deletion has the sole aim of helping the complainant, if necessary, to enforce the right to rectification or deletion through a decision of the (then) Data Protection Commission and its “enforcement”. Once the correction or deletion has been carried out (or caused), the possibility of violating the subjective rights granted by paragraph one, paragraph 4, DSG 2000 no longer exists. A meritorious decision due to a violation of these rights can only be considered if and as long as the desired correction or deletion has not yet been carried out (or caused). European law considerations do not conflict with this because, on the one hand, the GDPR does not grant the supervisory authorities the right to determine violations of the GDPR in a legally binding manner (Article 58 Paragraphs 1 to 3 GDPR), but on the other hand it grants the member states the power to grant their supervisory authorities additional remedial powers (Article 58(1) to (3) GDPR). 58 Paragraph 6 GDPR). Considerations under European law do not conflict with this because, on the one hand, the GDPR does not grant the supervisory authorities the right to determine violations of the GDPR in a legally binding manner (Article 58, paragraphs one to 3 GDPR), but on the other hand it grants the member states the power to to grant their supervisory authorities additional remedial powers (Article 58, paragraph 6, GDPR). In this case this means: The procedural goal of the complaint regarding a violation of the right to deletion was achieved by the deletion of the data by the BF. A violation of this right is therefore no longer possible. A subjective public right to determine a past violation of the right to deletion - or a delayed deletion - is not covered by the right of appeal according to Section 24 DSG in conjunction with Art 17 GDPR. The procedural aim of the complaint due to a violation of the right to deletion was determined by the Deletion of the data achieved by the BF. A violation of this right is therefore no longer possible. A subjective public right to determine a past violation of the right to deletion - or delayed deletion - is not covered by the right of appeal according to Paragraph 24, DSG in conjunction with Article 17, DSGVO. Point 1 of the contested decision therefore had to be remedied without replacement. 2.2.2. Regarding the service mandate: Due to the deletion that has already taken place, the basis for issuing a service order no longer exists. Point 2 of the contested decision therefore also had to be remedied without replacement. 2.3. The decision therefore had to be made in accordance with the verdict. 2.4. According to Section 24 Paragraph 1 VwGVG, the administrative court must conduct a public oral hearing upon request or, if it considers this necessary, of its own motion.2.4. According to paragraph 24, paragraph one, VwGVG, the administrative court must conduct a public oral hearing upon request or, if it deems it necessary, on its own initiative. The oral hearing - which was not requested - could be dispensed with in accordance with Section 24 Paragraph 4 VwGVG, as it was clear from the files that no further clarification of the case could be expected through an oral discussion. As requested by the MP, the BF deleted all payment history data listed by the MP. No further clarification of this matter was necessary. The omission of the hearing did not conflict with Article 6 Paragraph 1 ECHR or Article 47 GRC. The oral hearing - which was not requested - could be dispensed with in accordance with Paragraph 24, Paragraph 4, VwGVG, as it was clearly evident from the files that an oral discussion would take place no further clarification of the legal matter could be expected. As requested by the MP, the BF deleted all payment history data listed by the MP. No further clarification of this matter was necessary. The cancellation of the hearing did not conflict with Article 6, paragraph one, ECHR or Article 47, CFR. Regarding B) Admissibility of the revision: According to Section 25a Paragraph 1 VwGG, the administrative court must state in its ruling or decision whether the appeal is permissible in accordance with Art 133 Paragraph 4 B-VG. This statement must be briefly justified. According to paragraph 25 a, paragraph one, VwGG, the administrative court must state in its decision or decision whether the appeal is permissible in accordance with Article 133, paragraph 4, B-VG. This statement needs to be briefly justified. The appeal is permissible because the question at hand is whether a data subject still has a subjective public right to have their right to deletion violated even if the data to be deleted has been deleted after the administrative procedure has been completed but before the judicial complaint procedure has been completed , there is no established case law from the Administrative Court. In its ruling of October 19, 2022, Ro 2022/04/0001, the Administrative Court adopts its case law on the DSG 2000 on the right to establish past violations of the right to secrecy and distinguishes it from its case law, also issued on the DSG 2000, on the lack of right to establish past ones Violations of the right to erasure. However, the Administrative Court did not have to decide on a past violation of the right to deletion, nor did it expressly adopt its case law in this regard.