BVwG - W211 2222613-2/llE: Difference between revisions

From GDPRhub
No edit summary
(No direct link to Article 25 GDPR in the ruling - deleted the hyperlink in "relevant law".)
 
(4 intermediate revisions by 2 users not shown)
Line 10: Line 10:
|ECLI=
|ECLI=


|Original_Source_Name_1=Not yet published
|Original_Source_Name_1=Rechtsinformationssystem des Bundes (RIS)
|Original_Source_Link_1=https://www.ris.bka.gv.at/Bvwg/
|Original_Source_Link_1=https://www.ris.bka.gv.at/Dokumente/Bvwg/BVWGT_20191125_W211_2210458_1_00/BVWGT_20191125_W211_2210458_1_00.html
|Original_Source_Language_1=German
|Original_Source_Language_1=German
|Original_Source_Language__Code_1=DE
|Original_Source_Language__Code_1=DE
Line 25: Line 25:
|GDPR_Article_3=Article 15 GDPR
|GDPR_Article_3=Article 15 GDPR
|GDPR_Article_Link_3=Article 15 GDPR
|GDPR_Article_Link_3=Article 15 GDPR
|GDPR_Article_4=Article 25 GDPR
|GDPR_Article_5=Article 77 GDPR
|GDPR_Article_Link_4=Article 25 GDPR
|GDPR_Article_Link_5=Article 77 GDPR




Line 54: Line 54:
}}
}}


The Federal Administrative Court Austria (BVwG) decided that a decision of the Autrian DPA to dismiss a complaint on incomplete access request has to be partially rectified. The court held that only abstract information on the storage period and lacking information on recipients of personal data are in violation of the GDPR. In this regard, [[Article 77 GDPR|Article 77 GDPR]] grants an independent right to lodge a complaint with Data Protection Authorities irrespective of restrictions or additional requirements formulated by member states national law.
The Austrian Federal Administrative Court held that mere abstract information on the storage period and lacking information on recipients of personal data constitute a violation of the GDPR. It also held that [[Article 77 GDPR]] grants an independent right to lodge a complaint with a DPA, irrespective of Member State law.


== English Summary ==
==English Summary==


=== Facts ===
===Facts===
In 2018, the complainant requested access to their personal data from the CRIF (the ‘respondent’), a credit scoring agency operating in Austria. After receiving the response of the agency, the complainant stated a violation of their right to access due to its insufficiency. According to the complainant, the agency failed to precisely name data sources, purposes and the storage period for the personal data. In this regard, the complainant has not been informed on new recipients of their personal data as well. Furthermore, the agency did not provide a full copy of the personal data processed on the complainant. Accordingly, it also breached the principles of data minimization and confidentiality, processing incorrect addresses and insufficiently encrypted data.
In 2018, the complainant requested access to their personal data from the CRIF (the ‘respondent’), a credit reference agency operating in Austria. After receiving the response of the agency, the complainant stated a violation of their right to access due to its insufficiency. According to the complainant, the agency failed to precisely name data sources, purposes and the storage period for the personal data. In this regard, the complainant has not been informed on new recipients of their personal data as well. Furthermore, the agency did not provide a full copy of the personal data processed on the complainant. Accordingly, it also breached the principles of data minimization and confidentiality, processing incorrect addresses and insufficiently encrypted data.


The respondent indicated certain companies as their data sources and stated that the data is stored as long as there was an interest by the respondent. Moreover, the data made available by the agency presented all the data held on the complainant and a copy would not add any value. At the same time, providing more information would reveal business secrets which therefore cannot be made available. Consequently, there was no violation and therefore no right to appeal by the complainant.
The respondent indicated certain companies as their data sources and stated that the data is stored as long as there was an interest by the respondent. Moreover, the data made available by the agency presented all the data held on the complainant and a copy would not add any value. At the same time, providing more information would reveal business secrets which therefore cannot be made available. Consequently, there was no violation and therefore no right to appeal by the complainant.


The Austrian DPA dismissed the complaint, arguing that the disclosure of data sources, recipients and as well as criteria for determining the storage period has fulfilled the access request of the complainant. The provided data was sufficient and a copy of the personal data does not include entire documents, exact copies or a facsimile of such, but it is in the choice of the controller on what and how exactly data is delivered. Moreover, [[Article 77 GDPR]] is standardized in administrative proceedings as part of the Austrian national law and therefore bound to its requirements.
The Austrian DPA dismissed the complaint, arguing that the disclosure of data sources, recipients and as well as criteria for determining the storage period has fulfilled the access request of the complainant. The provided data was sufficient and a copy of the personal data does not include entire documents, exact copies or a facsimile of such, but it is in the choice of the controller on what and how exactly data is delivered. Moreover, [[Article 77 GDPR]] is standardized in administrative proceedings as part of the Austrian national law and therefore bound to its requirements.
=== Holding ===
=== Holding===
The Federal Administrative Court of Austria limited its judgement to the objections regarding the provision of information on the origin, storage period and purposes as well as the principles of minimization and confidentiality of the data. Further objections concerning the access to a copy of personal data were referred to the CJEU for a preliminary ruling (see also [[BVwG - W211 2222613-2/12E (request for preliminary ruling under Article 267 TFEU)|here]]).
The Federal Administrative Court of Austria limited its judgement to the objections regarding the provision of information on the origin, storage period and purposes as well as the principles of minimization and confidentiality of the data. Further objections concerning the access to a copy of personal data were referred to the CJEU for a preliminary ruling (see also [[BVwG - W211 2222613-2/12E (request for preliminary ruling under Article 267 TFEU)|here]]).


Line 71: Line 71:
In terms of the storage period, however, the general information provided by the respondent (risk minimisation, identification, combating fraud, money laundering, terrorist financing) do not allow the complainant to assess how long his data will be stored. The missing possibility to assess when the data is, in the opinion of the agency,no longer necessary to process is therefore in breach of [[Article 15 GDPR#1d|Article 15(1)(d) GDPR]].
In terms of the storage period, however, the general information provided by the respondent (risk minimisation, identification, combating fraud, money laundering, terrorist financing) do not allow the complainant to assess how long his data will be stored. The missing possibility to assess when the data is, in the opinion of the agency,no longer necessary to process is therefore in breach of [[Article 15 GDPR#1d|Article 15(1)(d) GDPR]].


Furthermore, the respondent failed to inform the complainant on the disclosure of personal data to new recipients before their transmission. As the complainant could otherwise not be aware of the forwarding of their personal data, the lack of such obligatory information violates [[Article 14 GDPR|Article 14 GDPR]].
Furthermore, the respondent failed to inform the complainant on the disclosure of their personal data to new recipients. The lack of such information prevented the complainant to become aware of the transmission of their personal data to other parties and therefore violates [[Article 14 GDPR|Article 14 GDPR]].


The Court also stated that [[Article 77 GDPR|Article 77 GDPR]] allows data subjects to contact the data protection authority directly to lodge a complaint with a supervisory authority. It formulates an independent right to complaint, which is not linked to formal or substantive requirements or the provision of evidence of national law. In this regard, already violations on basic principles such as [[Article 5 GDPR|Article 5(c)(f) GDPR]] may concern the processing of the complainant's personal data and grant them that particular right. Any rejections of the complained violations based on a different assumption by the DPA may therefore be considered invalid and must be rectified.
The Court also stated that [[Article 77 GDPR|Article 77 GDPR]] allows data subjects to contact the data protection authority directly to lodge a complaint with a supervisory authority. It formulates an independent right to complaint, which is not linked to formal or substantive requirements or the provision of evidence of national law. In this regard, already violations on basic principles such as [[Article 5 GDPR|Article 5(c)(f) GDPR]] may concern the processing of the complainant's personal data and grant them that particular right. Any rejections of the complained violations based on a different assumption by the DPA may therefore be considered invalid and must be rectified.


== Comment ==
==Comment==
''Share your comments here!''
''Share your comments here!''


== Further Resources ==
== Further Resources==
''Share blogs or news articles here!''
''Share blogs or news articles here!''


== English Machine Translation of the Decision ==
==English Machine Translation of the Decision==
The decision below is a machine translation of the German original. Please refer to the German original for more details.
The decision below is a machine translation of the German original. Please refer to the German original for more details.



Latest revision as of 13:15, 24 August 2022

BVwG - W211 2222613-2/llE
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 5 GDPR
Article 14 GDPR
Article 15 GDPR
Article 77 GDPR
Decided: 09.08.2021
Published:
Parties: CRIF
National Case Number/Name: W211 2222613-2/llE
European Case Law Identifier:
Appeal from:
Appeal to: Pending appeal
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (RIS) (in German)
Initial Contributor: n/a

The Austrian Federal Administrative Court held that mere abstract information on the storage period and lacking information on recipients of personal data constitute a violation of the GDPR. It also held that Article 77 GDPR grants an independent right to lodge a complaint with a DPA, irrespective of Member State law.

English Summary

Facts

In 2018, the complainant requested access to their personal data from the CRIF (the ‘respondent’), a credit reference agency operating in Austria. After receiving the response of the agency, the complainant stated a violation of their right to access due to its insufficiency. According to the complainant, the agency failed to precisely name data sources, purposes and the storage period for the personal data. In this regard, the complainant has not been informed on new recipients of their personal data as well. Furthermore, the agency did not provide a full copy of the personal data processed on the complainant. Accordingly, it also breached the principles of data minimization and confidentiality, processing incorrect addresses and insufficiently encrypted data.

The respondent indicated certain companies as their data sources and stated that the data is stored as long as there was an interest by the respondent. Moreover, the data made available by the agency presented all the data held on the complainant and a copy would not add any value. At the same time, providing more information would reveal business secrets which therefore cannot be made available. Consequently, there was no violation and therefore no right to appeal by the complainant.

The Austrian DPA dismissed the complaint, arguing that the disclosure of data sources, recipients and as well as criteria for determining the storage period has fulfilled the access request of the complainant. The provided data was sufficient and a copy of the personal data does not include entire documents, exact copies or a facsimile of such, but it is in the choice of the controller on what and how exactly data is delivered. Moreover, Article 77 GDPR is standardized in administrative proceedings as part of the Austrian national law and therefore bound to its requirements.

Holding

The Federal Administrative Court of Austria limited its judgement to the objections regarding the provision of information on the origin, storage period and purposes as well as the principles of minimization and confidentiality of the data. Further objections concerning the access to a copy of personal data were referred to the CJEU for a preliminary ruling (see also here).

Regarding the information on the data sources involved, the Court held, that the disclosure of several public sources and companies, in particular regarding the origin of the complainant's address data, may be considered complete and therefore in line with Article 15(1)(g) GDPR.

In terms of the storage period, however, the general information provided by the respondent (risk minimisation, identification, combating fraud, money laundering, terrorist financing) do not allow the complainant to assess how long his data will be stored. The missing possibility to assess when the data is, in the opinion of the agency,no longer necessary to process is therefore in breach of Article 15(1)(d) GDPR.

Furthermore, the respondent failed to inform the complainant on the disclosure of their personal data to new recipients. The lack of such information prevented the complainant to become aware of the transmission of their personal data to other parties and therefore violates Article 14 GDPR.

The Court also stated that Article 77 GDPR allows data subjects to contact the data protection authority directly to lodge a complaint with a supervisory authority. It formulates an independent right to complaint, which is not linked to formal or substantive requirements or the provision of evidence of national law. In this regard, already violations on basic principles such as Article 5(c)(f) GDPR may concern the processing of the complainant's personal data and grant them that particular right. Any rejections of the complained violations based on a different assumption by the DPA may therefore be considered invalid and must be rectified.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.