BVwG - W256 2248861-1/8E: Difference between revisions

From GDPRhub
No edit summary
m (Edited short summary)
 
(6 intermediate revisions by 2 users not shown)
Line 68: Line 68:
}}
}}


A court held, that a lawyer lawfully transferred explicit sensitive personal data to the data subject’s lawyer via email.
A court held that a divorce lawyer could base the emailing of video material to the opposing side's lawyer on a legitimate interest under [[Article 6 GDPR|Article 6(1)(f) GDPR]] and the exercise of legal claims under [[Article 9 GDPR|Article 9(2)(f) GDPR]]. The video material showed the data subject’s extramarital affair.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The data subject filed a complaint on the 25 March 2021 against the controller, her former partner’s lawyer, with the Austrian DPA (DSB). The data subject alleged that the controller had violated her right to privacy under paragraph 1(1) of the Austrian Data Protection Act (Datenschutzgesetz – DSG).  
The data subject filed a complaint on the 25 March 2021 against the controller, her former partner’s lawyer, with the Austrian DPA (DSB). The data subject alleged that the controller had violated her right to privacy under [https://www.jusline.at/gesetz/dsg/paragraf/artikel1zu1 paragraph 1(1) of the Austrian Data Protection Act (''Datenschutzgesetz – DSG'']).  
 
Since 2020, the controller and the data subject’s lawyer have been engaged in settling the divorce proceedings. The data subject’s former partner demonstrated detailed knowledge of the data subject’s extramarital affair which made her conclude that he may still have access to the video surveillance cameras in her home. The data subject’s lawyer therefore requested the controller to submit the recorded video material through a data carrier.  
Since 2020, the controller and the data subject’s lawyer have been engaged in settling the divorce proceedings. The data subject’s former partner demonstrated detailed knowledge of the data subject’s extramarital affair which made her conclude that he may still have access to the video surveillance cameras in her home. The data subject’s lawyer therefore requested the controller to submit the recorded video material through a data carrier.  
The controller responded to this request by sending an unsecured zip file in an email containing 41 files showing the data subject engaging in explicit actions.  
The controller responded to this request by sending an unsecured zip file in an email containing 41 files showing the data subject engaging in explicit actions.  
The data subject argued primarily that she did not expect the transmission of such explicit content and therefore had not consented to this processing of her data. Further, she argued that the unsecured transmission of the data via email as well as the disclosure of the material to employees of the controller was unnecessary. She detailed that the transmission of the highly sensitive data should have been carried out in person, directly by her ex-partner.  
 
The DSB held that the controller processed the data to give effect to a legitimate interest under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] and that under [[Article 32 GDPR|Article 32 GDPR]] a data subject is not entitled to select which security measures are implemented for the processing.  
In her complaint, the data subject argued primarily that she did not expect the transmission of such explicit content and therefore had not consented to this processing of her data. Further, she argued that the unsecured transmission of the data via email as well as the disclosure of the material to employees of the controller was unnecessary. She further argued that the transmission of the highly sensitive data should have been carried out in person, directly by her ex-partner.  
The data subject appealed the decision to the Federal Administrative Court (Bundesverwaltungsgericht – BVwG).
 
The DSB held that the controller processed the data to give effect to a legitimate interest under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] and that under [[Article 32 GDPR]] a data subject is not entitled to select which security measures are implemented for the processing.  
 
The data subject appealed the decision to the Federal Administrative Court (''[[:Category:BVwG (Austria)|Bundesverwaltungsgericht – BVwG]]'').


=== Holding ===
=== Holding ===
The court held, that the data subject had alleged a breach of paragraph 1(1) of the Austrian Data Protection Act (DSG) due to the unlawful processing of her data by the controller in violation of Article 5(1) and [[Article 6 GDPR|Article 6 GDPR]].  
The court recalled, that the data subject had alleged only a breach of [https://www.jusline.at/gesetz/dsg/paragraf/artikel1zu1 paragraph 1(1) of the Austrian Data Protection Act (§1(1) DSG]) due to the unlawful processing of her data by the controller in violation of [[Article 5 GDPR|Article 5(1)]] and [[Article 6 GDPR|Article 6 GDPR]]. A violation of the principle of integrity and confidentiality was not part of the data subject's complaint. 
Under a national Austrian law, which provides that a lawyer must represent their client in the best way possible, the court understands that the controller carried out the data processing as part of its legitimate interest in representing their client. Further, the court held that [[Article 9 GDPR#2f|Article 9(2)(f) GDPR]] applied to the processing as the controller in his function as a lawyer had to respond to the request of the data subject.  
 
As the data subject had requested the transmission of the material through a data carrier, the court reiterated that an Austrian court previously held that email classifies as a data carrier. The court further rejected the data subject’s claim regarding the employees of the lawyer who may have viewed her data, as they are sworn to secrecy in their functions as employees in a law firm.  
Under a national Austrian law ([https://www.jusline.at/gesetz/rao/paragraf/9 §9 Rechtsanwaltsordnung - RAO]), which provides that a lawyer must represent their client in the best way possible, the court understands that the controller carried out the data processing as part of its legitimate interest in representing their client. Further, the court held that [[Article 9 GDPR#2f|Article 9(2)(f) GDPR]] applied to the processing of the sensitive data at hand as the controller in his function as a lawyer had to respond to the request of the data subject.  
Therefore, the court held that the interest of the controller to effectively represent their client outweighed the interest of the data subject and the processing was lawful under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]].
 
As the data subject had requested the transmission of the material through a data carrier, the court reiterated that the Austrian Supreme Court (''[[Oberster Gerichtshof - OGH]]'') previously held (in [https://rdb.manz.at/document/ris.just.JJT_20080520_OGH0002_0040OB00018_08P0000_000 OGH 4 Ob 18/08p]) that email classifies as a data carrier. The court further rejected the data subject’s claim regarding the employees of the lawyer who may have viewed her data, as they are sworn to secrecy in their functions as employees in a law firm.  
 
Therefore, the court held that the interest of the controller to effectively represent their client outweighed the interest of the data subject and the processing was lawful under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]].  


== Comment ==
== Comment ==

Latest revision as of 10:45, 28 November 2024

BVwG - W256 2248861-1/8E
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 5(1) GDPR
Article 6(1)(f) GDPR
Article 9(2)(f) GDPR
§1(1) DSG
§9 RAO
Decided: 30.09.2024
Published: 20.11.2024
Parties:
National Case Number/Name: W256 2248861-1/8E
European Case Law Identifier: ECLI:AT:BVWG:2024:W256.2248861.1.00
Appeal from: DSB (AT)
Appeal to:
Original Language(s): German
Original Source: RIS (in German)
Initial Contributor: ao

A court held that a divorce lawyer could base the emailing of video material to the opposing side's lawyer on a legitimate interest under Article 6(1)(f) GDPR and the exercise of legal claims under Article 9(2)(f) GDPR. The video material showed the data subject’s extramarital affair.

English Summary

Facts

The data subject filed a complaint on the 25 March 2021 against the controller, her former partner’s lawyer, with the Austrian DPA (DSB). The data subject alleged that the controller had violated her right to privacy under paragraph 1(1) of the Austrian Data Protection Act (Datenschutzgesetz – DSG).

Since 2020, the controller and the data subject’s lawyer have been engaged in settling the divorce proceedings. The data subject’s former partner demonstrated detailed knowledge of the data subject’s extramarital affair which made her conclude that he may still have access to the video surveillance cameras in her home. The data subject’s lawyer therefore requested the controller to submit the recorded video material through a data carrier.

The controller responded to this request by sending an unsecured zip file in an email containing 41 files showing the data subject engaging in explicit actions.

In her complaint, the data subject argued primarily that she did not expect the transmission of such explicit content and therefore had not consented to this processing of her data. Further, she argued that the unsecured transmission of the data via email as well as the disclosure of the material to employees of the controller was unnecessary. She further argued that the transmission of the highly sensitive data should have been carried out in person, directly by her ex-partner.

The DSB held that the controller processed the data to give effect to a legitimate interest under Article 6(1)(f) GDPR and that under Article 32 GDPR a data subject is not entitled to select which security measures are implemented for the processing.

The data subject appealed the decision to the Federal Administrative Court (Bundesverwaltungsgericht – BVwG).

Holding

The court recalled, that the data subject had alleged only a breach of paragraph 1(1) of the Austrian Data Protection Act (§1(1) DSG) due to the unlawful processing of her data by the controller in violation of Article 5(1) and Article 6 GDPR. A violation of the principle of integrity and confidentiality was not part of the data subject's complaint.

Under a national Austrian law (§9 Rechtsanwaltsordnung - RAO), which provides that a lawyer must represent their client in the best way possible, the court understands that the controller carried out the data processing as part of its legitimate interest in representing their client. Further, the court held that Article 9(2)(f) GDPR applied to the processing of the sensitive data at hand as the controller in his function as a lawyer had to respond to the request of the data subject.

As the data subject had requested the transmission of the material through a data carrier, the court reiterated that the Austrian Supreme Court (Oberster Gerichtshof - OGH) previously held (in OGH 4 Ob 18/08p) that email classifies as a data carrier. The court further rejected the data subject’s claim regarding the employees of the lawyer who may have viewed her data, as they are sworn to secrecy in their functions as employees in a law firm.

Therefore, the court held that the interest of the controller to effectively represent their client outweighed the interest of the data subject and the processing was lawful under Article 6(1)(f) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Postal address:
Erdbergstrasse 192 – 196
1030 Vienna
Tel: +43 1 601 49 – 0
Fax: +43 1 711 23 – 889 15 41
E-mail: einlaufstelle@bvwg.gv.at
www.bvwg.gv.at
Decision date
September 30, 2024
Reference number
W256 2248861-1/8E
IN THE NAME OF THE REPUBLIC!
The Federal Administrative Court, through Judge Mag. Caroline KIMM as chair,
and the expert lay judge Dr. Claudia ROSENMAYR-KLEMENZ and the expert lay judge Mag. Adriana MANDL as assessors on the complaint of XXXX , represented by Ing. Mag. XXXX , lawyer in 2700 Wiener Neustadt, against the decision of the data protection authority dated September 1, 2021, No. D124.3862 (2021-0.451.790) rightly

declared:

A)

The complaint is dismissed as unfounded.

B)

The appeal is not admissible according to Art. 133 Para. 4 B-VG. - 2 -

Reasons for the decision

I. Course of proceedings

In her complaint addressed to the authority concerned on March 25, 2021, the

complainant alleged a violation of her right to confidentiality pursuant to Section 1 Para. 1 DSG

by lawyer Dr. XXXX (hereinafter: co-participant). The co-participant is the

legal representative of her husband. Since 2020, there has been written

correspondence about the possibility of a divorce, which was conducted between her legal representative

and the co-participant. The complainant has been living separately from her husband for three years. In autumn 2020 she noticed that her husband was staying near the property where she lived. In addition, the detailed knowledge of an "extramarital" relationship raised the strong suspicion that her husband still had access to the video surveillance system he had installed at the time. Her legal representative confronted the co-defendant with this in a letter dated December 3, 2020 and at the same time asked him to send all the images he had taken on a data carrier within a week. Instead of a data carrier, the co-defendant sent an unsecured "zip file" with the file name "Photos. zip" along with a cover letter to her legal representative in an email dated January 5, 2021. This zip file contained 42 photo files from the surveillance camera in her garden,
where the complainant was pictured in 41 photo files in the garden on her property engaging in intimate and sexual acts with another person. The

complainant was shocked at which images her husband had saved without her knowledge
and consent and which were processed by the co-participant without her

consent and, moreover, forwarded without technical data protection measures (password,

encrypted transmission, etc.). She had not given her consent
for the co-participant to possess or process such photos (e.g. send them in his

email system) or even to have them in any other way. The basis was in fact only her request, communicated by her

legal representative, that her husband should transmit the data on a data storage device and

this was to prevent third parties from gaining knowledge of photos from her

video surveillance system. The use of the general email address "XXXX com" also suggests that not only the - 3 -

co-participant had knowledge of the contents of this zip file, but also his

employees. The data processing of the co-participant, which led to him possessing and forwarding images

that clearly depicted the complainant in intimate and sexual acts, therefore constitutes a violation of Art. 9 GDPR. 3 exemplary and blacked-out images as well as the aforementioned

correspondence were enclosed with the complaint.

In his statement of May 25, 2021, the co-participant stated that it was correct

that he represented Mr. XXXX, the complainant's "still"

husband, in the divorce proceedings that were still out of court. It is also true that, at the request of the complainant's representative, Attorney Ing. Mag. XXXX, he sent photos showing the complainant naked during sexual intercourse. However, this was done solely on the basis of the letter of request from the complainant's lawyer dated December 3, 2020. Based on this letter of request, he immediately informed his client of the facts in a letter dated December 4, 2020 and asked him to comply with the request to send the images. After urgent requests, he then received his client's response to his letter dated December 4, 2020 by email on December 22, 2020 and the photos in question in a ZIP file. Due to the fact that the documents were sent three days before Christmas, they were not forwarded to the applicant's representative immediately. After the latter had urged the transmission, he instructed his

employees in the law firm to securely transmit the images to the complainant's representative, whereby the employees would of course be subject to confidentiality.

The complainant stated in her statement of June 22, 2021 that she did not know that her husband was filming her during sexual intercourse. In this respect, she did not ask the

co-defendant to send such images. The co-defendant would have been obliged,

particularly due to his function as a lawyer, to transmit the

"highly explosive" images under special protective precautions. With such highly sensitive images, it would have been imperative to use a secure

form of transmission and under no circumstances to choose an electronic form of transmission. The co-defendant could, for example, have offered to have the data carrier picked up from his law firm. A secure transmission did not take place. In her complaint, the
complainant did not complain that the co-participant

had illegally gained access to these photos, but that he had these photos sent to him by

e-mail from her husband, viewed these photos and subsequently - 4 -

sent them unprotected to the complainant's legal representative by e-mail.

The contested decision dismissed the complainant's complaint as unfounded due to

a violation of the right to confidentiality. The subject of the complaint is the question of whether the co-participant violated the complainant's right to confidentiality by

processing - in particular by electronically transmitting several images

in which the complainant is depicted. The co-participant represented the complainant's husband, who and

the complainant were in out-of-court divorce negotiations at the time the complaint in question was filed. The

complainant's legal representative addressed a (verbatim) letter dated 3 December 2020

to the co-participant and requested that he send all of the complainant's image material on a data carrier. The

co-participant then sent several

images of the complainant in a zip file to the

complainant's legal representative in a (verbatim) letter dated 7 January 2021. Legally, the authority concerned stated that the relevant norms regarding the professional duties of a lawyer are set out in Section 9 of the RAO. A lawyer is therefore obliged to conduct the representations he has taken on in accordance with the law and to represent the rights of his party against everyone with zeal, loyalty and conscientiousness. The lawyer is also obliged to handle the business assigned to him by the authorization contract with care. Anyone who entrusts a lawyer can assume that the lawyer is particularly well-suited to protecting him from disadvantages and to take all steps required by the legal system to achieve the business purpose known to him. He is authorized to present everything he considers to be useful under the law to represent his party, to use his means of attack and defense in any way that does not conflict with his request, his conscience and the law. Section 9, paragraph 1, second sentence of the RAO represents a justification. From a data protection perspective, Article 6, paragraph 1, letter b of the GDPR is particularly relevant for the processing of personal data by a lawyer within the framework of the contractual relationship with the client. In addition, Article 6, paragraph 1, letter f of the GDPR is conceivable for the assertion, exercise or defense of legal claims - especially those of third parties. With regard to sensitive data, Article 9, paragraph 2, letter f of the GDPR comes into consideration, which contains an exception to the processing ban in Article 9, paragraph 1 of the GDPR for processing for the assertion, exercise or defense of legal claims. As established, the - 5 -

legal representative of the complainant requested that all images be sent within 7 days at the latest. It can therefore be assumed that the data processing was carried out for the purpose of defending against possible legal action by the complainant, which represents a legitimate interest. The transmission is also necessary to achieve the purpose. In particular, with regard to the confidentiality obligations to which the party involved is subject, the interests of the complainant cannot be seen to outweigh the interests of the complainant, especially since she herself had requested the transmission through her legal representative (albeit via a different transmission method). With regard to a violation of the fundamental right to confidentiality through inadequate "special data protection safeguards", it must be stated that no right can be derived from the GDPR according to which a data subject can demand specific data security measures within the meaning of Art. 32 GDPR from a controller. Although it is in principle possible that a data subject's fundamental right to confidentiality is violated due to inadequate data security measures by a controller (for example, because this leads to disclosure to unauthorized third parties), in this case a specific violation must have occurred and secondly the data subject would not have the right to choose a specific data security measure in this case either. In the present case, it could not be established that the complainant's data protection rights had been violated by the email transmission as a result of inadequate data security measures. As a result, the decision had to be made in accordance with the ruling.

This is what the present complaint is directed against. In the correspondence between the legal representatives of the

complainant and her husband, the

complainant asked her husband to send all the images he had taken of her using a video surveillance system on a data storage device. Only after receiving this image material did she become aware of the content of these

highly personal and sensitive images. The complainant did not consent to such data processing by the co-participant and such processing was not necessary for the

defense of the mutual legal positions. For this reason, she lodged a complaint with the authority concerned. In the present case, it is not about specific transmission processes - as the authority concerned wrongly assumed - but about the fact that the co-participant violated the complainant's right to confidentiality by processing the photos. In order to meet the complainant's request, it would have been sufficient if the complainant's husband had transmitted the photos directly on a data storage device - 6 - or if he had had to hand the data storage device directly to the co-participant so that he could in turn physically transmit this data to her or her legal representative. Instead, the procedure whereby the co-participant receives the data affecting her sexual integrity by email from the husband, processes this data in the email system and subsequently sends it in this form unprotected to the complainant's legal representative by email leads to an infringement of her right to confidentiality. This intervention was the result of the fact that the party involved had not taken the necessary data security measures. However, it was emphasized that her complaint did not relate to compliance with the data security measures, but only to the fact that the processing took place without there being any justification for it. She did not assert a right to enforce a specific data security measure when transmitting data, but rather complained about the unlawful data processing by the party involved. The justification in Article 6 (1) (f) GDPR used by the authority concerned does not apply here, since this justification can only relate to the processing of data that is exchanged between the client and his lawyer and not to that which is exchanged with the opposing party. The complainant therefore essentially requests that the complaint be upheld - if necessary after an oral hearing. The authority concerned has submitted the complaint together with the administrative act to the Federal Administrative Court. In its statement on the complaint submitted during the hearing of the parties, the co-participating party essentially repeated its previous submissions. Based on the order of the Business Allocation Committee of October 20, 2023, the case in question was taken from Court Division W245 and reassigned to Court Division W256. II. The Federal Administrative Court considered: 1. Findings The co-participating party is a lawyer and as such represents the complainant's husband. - 7 -

Since 2020, there has been out-of-court written correspondence between the complainant's lawyer and the co-participant about the possibility of a

divorce between the complainant and the co-participant's client.

In a letter dated December 3, 2020, the complainant's representative sent the following letter (reproduced in part) to the co-participant in the course of this correspondence:

"...

Subject: XXXX - Divorce

[..]

Dear colleague,

[..]

2. Unauthorized video surveillance of my client:

Your client has continued to have access to the video surveillance system concerning the

marital home and has apparently been monitoring my client continuously since he moved out.

With his groundless move out in February 2018, your client lost all legitimacy

to monitor my client's living area.

The information obtained from this is now evidently also being used

to document my client's highly personal affairs and

to support allegations of alleged marital misconduct on my client.

I therefore hereby request your client to immediately - within 7 days at the latest -
transmit on a data carrier all images that he has taken of my client since he moved out of the

marital home. [..]"

The co-participant informed his client, the complainant's husband, of this in a letter dated December 4, 2020. At the same time, he asked the

husband to comply with the complainant's request.

By email dated December 22, 2020, the husband sent the co-defendant the requested image material in a ZIP file. This ZIP file contained several - 8 -

photos of the complainant, including 41 photo files showing her engaging in intimate and sexual acts in her garden.

The co-defendant's law firm, which is sworn to confidentiality, sent the following letter from the co-defendant, including the above ZIP file, to the complainant's lawyer by email on January 5, 2021 on behalf of the co-defendant:

"..

Dear colleague!

In response to your email dated December 3, 2020, I am enclosing the ZIP file containing the photos of your client, [...]." 2. Assessment of evidence The findings result from the administrative act, in particular the consistent statements of the parties, and are otherwise undisputed. 3. Legal assessment On point A) The essential provisions here are as follows: Section 1 of the Data Protection Act - DSG, Federal Law Gazette I No. 165/1999 as amended (DSG) reads in part as follows: "Basic right to data protection Section 1. (1) Everyone has the right to keep personal data concerning him or her confidential, in particular with regard to respect for his or her private and family life, insofar as there is a legitimate interest in doing so. The existence of such an interest is excluded if data are not accessible to a confidentiality claim due to their general availability or due to their inability to be traced back to the data subject. (2) If the use of personal data is not in the vital interest of the data subject or with his consent, restrictions on the right to confidentiality are only permissible to protect the overriding legitimate interests of another person, and in the case of interventions by a state authority only on the basis of laws that are necessary for the reasons stated in Article 8 paragraph 2 of the European Convention for the Protection of Human Rights and - 9 - Fundamental Freedoms (ECHR), Federal Law Gazette No. 210/1958. Such laws may only provide for the use of data that are particularly worthy of protection by their nature to protect important public interests and must at the same time establish appropriate guarantees for the protection of the data subject's interests in confidentiality. Even in the case of permissible restrictions, the interference with the fundamental right may only be carried out in the mildest way that achieves the objective.

[…]“

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; GDPR) reads in part as follows:

“

Article 5

Principles for the processing of personal data

(1) Personal data must

a) be processed lawfully, fairly and in a manner that is transparent to the data subject (“lawfulness, fairness and transparency”);

b) be collected for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes shall not be considered incompatible with the original purposes pursuant to Article 89(1) (‘purpose limitation’);

c) be adequate, relevant and limited to what is necessary for the purposes of the processing (‘data minimisation’);

d) be accurate and, where necessary, kept up to date; all reasonable measures shall be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’); - 10 -

e) be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed;

personal data may be stored for a longer period provided that the personal data are processed exclusively for archiving purposes in the public interest or for scientific and historical research purposes or statistical purposes in accordance with Article 89(1), subject to the implementation of appropriate technical and organisational measures required by this Regulation to protect the rights and freedoms of the data subject (‘storage limitation’);

f) are processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by means of appropriate technical and organisational measures (‘integrity and confidentiality’);

[…]

Article 6

Legality of processing

(1) Processing shall be lawful only if at least one of the following

conditions is met:

a) the data subject has given consent to the processing of personal data concerning him or her for one or more specific purposes;

b) the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

c) the processing is necessary for compliance with a legal obligation to which the controller is subject;

d) the processing is necessary to protect the vital interests of the data subject

or of another natural person;

e) the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; - 11 -

f) processing is necessary to protect the legitimate interests of the controller or

a third party, except where such interests are overridden by the interests or fundamental rights and freedoms

of the data subject which require protection of personal data,

in particular where the data subject is a child.

[…]

Article 9

Processing of special categories of personal data

(1) The processing of personal data revealing racial or ethnic

origin, political opinions, religious or philosophical beliefs, or

trade union membership, as well as the processing of

genetic data, biometric data for the purpose of uniquely identifying a

natural person, data concerning health or data concerning a natural person’s sex life or

sexual orientation is prohibited.

(2) Paragraph 1 shall not apply in the following cases:

[..]

f) the processing is necessary for the establishment, exercise or defence of

legal claims or for actions by the courts in the context of their judicial activities,

[..]“

Section 9 of the Lawyers’ Act, RGBl. No. 96/1868 last amended by Federal Law Gazette I No. 19/2020

(RAO):

"(1) The lawyer is obliged to conduct the representations he has undertaken in accordance with the law

and to represent the rights of his party against everyone with zeal, loyalty and

conscientiousness. He is authorized to present everything that he considers to be useful for representing his party under the law, and to use their means of attack and

defense in any way that does not conflict with his mandate, his conscience

and the law.

(2) [..] - 12 -

(3) The lawyer is obliged to maintain confidentiality about the matters entrusted to him

and about the facts that have otherwise become known to him in his professional capacity and whose

confidentiality is in the interest of his party. He has the right to this confidentiality in court and other administrative proceedings in accordance with the procedural regulations. The same applies to the partners and members of the supervisory bodies of a law firm provided for by law or partnership agreement. If these partners or supervisory bodies are not lawyers, the lawyer must oblige them to confidentiality and take sufficient precautions to ensure that this obligation is reliably complied with; the same applies to the assistants employed by the lawyer. [..]“

First of all, it should be noted that the complainant in her

data protection complaint was directed exclusively against a violation of the right to confidentiality

according to Section 1 Paragraph 1 DSG due to unlawful data processing (within the meaning of Article 5 Paragraph 1 Letter a in conjunction with Article 6 GDPR) and this also corresponds to the complainant’s own

submission in her complaint to the Federal Administrative Court.

In it, the complainant expressly stated that her data protection complaint

was directed solely against a violation of the right to confidentiality due to unlawful

data processing, but that she had not asserted an (additional) violation of the data security measures.

Against this background, it is unnecessary in the present case to go into more detail about a violation of the principle of data security stipulated in Article 5 paragraph 1 letter f (see VwGH, March 6, 2024, Ro 2021/04/0030, para. 51ff, according to which a data protection complaint can be used to assert both a violation of Section 1 paragraph 1 and of the (principles of the) GDPR (separately), especially since the authority concerned did not discuss this in the contested decision anyway.

Regarding the asserted right to confidentiality:

In the present case, the complainant specifically objects to the fact that the lawyer involved requested highly personal image material concerning her from her husband without justification, accepted it electronically and subsequently forwarded it electronically to the complainant's lawyer. - 13 -

It is undisputed that the co-participant carried out the data processing in question in his

function as a lawyer, namely on the basis of the mandate of the complainant's husband

to represent him out of court in the divorce case with the complainant.

It is also beyond doubt that the co-participating lawyer

was informed by the complainant's lawyer in the course of the correspondence in this divorce case that the complainant

assumed that her husband was documenting "highly personal matters" concerning her using a video surveillance system and that the co-participant's client

was therefore requested to send all the images he had taken of her since she moved out of the marital home on a data storage device. Based on this request, the co-participant requested the images in question from his client

and subsequently forwarded them to the complainant's lawyer.

It should also be noted at this point that there are no concerns about the independent responsibility of the co-involved lawyer within the meaning of Article 4(2)7 of the GDPR with regard to the data processing in question. The data processing in question did indeed take place on the basis of the mandate and thus on behalf of the husband. However, the decision on the purposes and means of the data processing(s) carried out in the course of this mandate lay with the co-involved lawyer himself due to the independence of his activity stipulated in Section 9(12) of the RAO (see Hartung in Kühling/Buchner, 4 General Data Protection Regulation BDSG [2020], Article 28, marginal no. 47) and nothing to the contrary emerged in the proceedings. Section 1 (1) of the Data Protection Act stipulates that everyone, in particular with regard to respect for their private and family life, has the right to keep personal data concerning them confidential, provided that there is a legitimate interest in doing so. A restriction of this right arises from paragraph 2 leg. cit., whereby the GDPR and in particular the principles enshrined therein for the interpretation of the right to confidentiality must in any case be taken into account (Thiele/Wagner, Practical Commentary on the Data Protection Act [DSG]2 Section 1, Rz 39 [as of February 1, 2022, rdb.at]). According to Section 1 (2) of the Data Protection Act, restrictions on the fundamental right to data protection are essentially permissible if the data processing is sufficiently legitimate or lawful and is carried out in the mildest manner that achieves the goal. The requirements for lawful data processing are specified in Art. 6 of the GDPR. According to this, the legality of any processing requires that the processing - 14 -

must satisfy at least one of the legal grounds conclusively defined in Art. 6 Para. 1 GDPR.

According to Art. 5 Para. 1 lit. c GDPR, personal data must be appropriate to the purpose

and relevant and limited to the extent necessary for the purposes of the processing (principle of data minimization). In accordance with this principle, the last sentence of Section 1 Para. 2 DSG stipulates that any interference with the fundamental right to data protection may only be carried out in the

mildest way that leads to the goal (Dopplinger in

Bresich/Dopplinger/Dörnhöfer/Kunnert/Riedl, DSG § 1 [as of June 12, 2018], rdb.at). The

processing of personal data should be reduced to what is unavoidable.

This ensures that the processing is actually limited by the specified purpose (cf. OGH 22.12.2021, 6 Ob214/21w, with reference to

Hötzendorfer/Tschohl/Kastelitz in Knyrim, DatKomm Art. 5 GDPR Rz 21 and 34). Data is

significant if it is conducive to achieving the purpose, i.e. suitable in the sense of the fundamental right to proportionality. If, on the other hand, the processing of certain data can be imagined away without making it more difficult to achieve the purpose, then it is not

significant (Hötzendorfer/Tschohl/Kastelitz in Knyrim, DatKomm Art. 5 GDPR Rz 34ff. [as of 7.5.2020], rdb.at).

According to Art. 6 (1)(f) GDPR, the processing of personal data is permitted if

the processing is necessary to protect the legitimate interests of the controller or of a

third party, unless the interests or fundamental rights and freedoms of the

data subject which require the protection of personal data prevail,

in particular if the data subject is a child.

Thus, according to this provision, the processing of personal data is permitted under three cumulative conditions: First, the controller or a third party must have a legitimate interest, second, the processing of personal data must be necessary to achieve the legitimate interest, thus must have been carried out in the mildest manner possible to achieve the objective, and third, the interests or fundamental rights and freedoms of the person whose data is to be protected must not prevail (see, among others, VwGH Ro 2020/04/0037, para. 52; ECJ 4.7.2023, C-252/21, ECLI:EU:C:2023:537, para. 106). Furthermore, Recital 47 of the GDPR states that the interests and fundamental rights of the data subject may override the interests of the controller, in particular when personal data are processed in situations in which a data subject does not reasonably expect such processing. Compared to Article 6, Article 9 formulates stricter legality requirements, which remain valid when Article 9 is applied. In the case of sensitive data, the intensity of the intervention is usually higher, which is why stricter intervention requirements are required. This means that Article 9 does not supersede Article 6 (see Weichert in Kühling/Buchner, General Data Protection Regulation BDSG [2020], Article 9, para. 4).

The pursuit, enforcement and defense of legal claims is recognized by the GDPR

as a legitimate interest that generally legitimizes the processing of (also) sensitive data

(see Weichert in Kühling/Buchner, General Data Protection Regulation

BDSG [2020], Art.9 Rn.85). The processing of sensitive data is permitted under Article 9 (2) (f) GDPR

and Recital 52, Sentence 3, if it is necessary to assert or enforce claims in court,

out of court or in an administrative procedure

or to defend oneself against claims by third parties. This permission

therefore represents a special case of the general permission of legitimate interest for sensitive data. This variant gives the individual's right to

effective legal enforcement priority over the interests of data subjects in protecting

their data, otherwise the individual would be prevented from enforcing his rights and the

judicial system from carrying out its duties (see Schiff in

Ehmann/Selmayr, General Data Protection Regulation, Article 9, paragraph 48).

As already explained above, the data processing in question took place in the course of the

out-of-court divorce case between the client of the co-participant

and the complainant, and at the express request of the complainant

herself. As part of the out-of-court correspondence, the complainant requested the co-participant that the client of the co-participant should send her or her lawyer images concerning her that had been taken after he moved out of the marital home.

As a lawyer, the co-participant is obliged under Section 9 RAO to represent his client

in the best possible way. It was therefore not only in the legitimate interest of the client of the

co-participant, but also in the legitimate interest of the co-participant himself that he

informed his client about the legal claim asserted against him by the

complainant and, for the purpose of the mandatory legal defense assigned to him, obtained the image material in question from his client and

subsequently - as requested - forwarded it to the complainant's lawyer himself - 16 -

(see Weichert in Kühling/Buchner, General Data Protection Regulation BDSG 4

[2020], Art 9 para. 85 with reference to VG Wiesbaden, judgment of January 19, 2022, 6 K 361/21.WI).

Since the complainant herself requested the image material in question,

there are no reasons to cast doubt on the necessity of the data processing in question

for the present mandatory legal defense assigned to the co-participant. It cannot be ignored that the complainant

did not explicitly request “highly personal” image material – as she stated. However, her request was directed without restriction to “all” and thus also to the “highly personal” image material in question, especially since in her letter she assumed that

her husband had documented highly personal matters concerning her as support for his claims of alleged marital misconduct. It cannot therefore be assumed that the

complainant could not have expected that her request (also)

involved “highly personal” image material.

The balancing of interests to be carried out within the framework of Art. 6 Para. 1 lit. f GDPR between

the legitimate interest of the controller or a third party (here the client) in the processing and the complainant's interest in the confidentiality of her data therefore works in favor of the co-participating lawyer.

There are therefore no reasons to doubt the legality of the co-participating party's collection of data from the client and its forwarding to the complainant's lawyer by the co-participating party.

It has not emerged that the co-participating party would otherwise have improperly processed the image material in question

or forwarded it to unauthorized third parties, and this was not even claimed by the complainant. The mere fact that the co-participant's office employees, who were sworn to secrecy, forwarded the image material to the complainant's lawyer on behalf of the co-participant does not, in itself, justify the illegality of the data processing by the co-participating lawyer. The same applies to the investigation and transmission of the image material by email, which was criticized by the complainant. There is no evidence that the image material was disclosed to unauthorized third parties as a result, nor was any such evidence claimed by the complainant. For the sake of completeness, it should be noted that the complainant herself requested in her letter to the other party that the information be transmitted on a data storage device and thus also by email (see OGH, 28.05.2008, 4 Ob 18/08p, according to which an email is also to be regarded as a "permanent data storage device"). The decision was therefore to be taken in accordance with the ruling. On the omission of an oral hearing: According to Section 24 Paragraph 4 of the Administrative Court Act, the administrative court can - unless otherwise provided by federal or state law - refrain from holding a hearing, regardless of a party's application, if the files show that the oral discussion is not expected to provide further clarification of the legal matter and neither Article 6 Paragraph 1 of the ECHR nor Article 47 of the Charter of Fundamental Rights stand in the way of the omission of the hearing. The The oral hearing requested by the complainant could be omitted pursuant to Section 24
para. 4 VwGVG because the solution to the case depends on purely legal questions

and an oral discussion cannot be expected to provide any further clarification (see, for example, VwGH

28.05.2014, Ra 2014/20/0017 and 0018; 01.09.2016, 2013/17/0502; VfGH 18.06.2012, B

155/12; ECHR Tusnovics v. Austria, 07.03.2017, 24.719/12). According to the case law of the

European Court of Human Rights on Article 6 of the ECHR, whose guarantees under Article

47 paragraph 2 of the EU Charter of Fundamental Rights also apply in the present case,

an oral hearing may be omitted under certain conditions, for example if

the case can be appropriately decided on the basis of the files and the written statements of the parties

(ECtHR 12.11.2002, Appl. No. 28.394/95, Döry v.

Sweden; 08.02.2005, Appl. No. 55.853/00, Miller v. Sweden).

In the present case, there is no apparent deficiency in the procedure and the relevant facts are established (cf. VwGH 17.10.2006, 2005/20/0329; 23.11.2006,

2005/20/0406).

Regarding B) Inadmissibility of the appeal:

According to Section 25a Paragraph 1 VwGG, the administrative court must state in its ruling or

decision whether the appeal is admissible in accordance with Article 133 Paragraph 4 B-VG. The

ruling must be briefly justified.

The present decision does not depend on the solution of a legal question that is of

fundamental importance. There is neither a lack of case law from the Administrative Court nor does the decision in question deviate from the case law of the Administrative Court; furthermore, the present case law - 18 -

of the Administrative Court cannot be judged to be inconsistent. There are also no other indications of a fundamental importance of the legal questions to be resolved. It was therefore necessary to declare that the appeal is not admissible in accordance with Article 133 Paragraph 4 of the Federal Constitutional Law.