BVwG - W211 2231475-1: Difference between revisions

From GDPRhub
(Created page with "{{COURTdecisionBOX |Jurisdiction=Austria |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=BVwG |Court_With_Country=BVwG (Austria) |Case_Number_Name=W211 22314...")
 
No edit summary
 
(16 intermediate revisions by 3 users not shown)
Line 8: Line 8:


|Case_Number_Name=W211 2231475-1
|Case_Number_Name=W211 2231475-1
|ECLI=
|ECLI=ECLI:AT:BVWG:2021:W211.2231475.1.00


|Original_Source_Name_1=Rechtsinformationssystem des Bundes (RIS)
|Original_Source_Name_1=Rechtsinformationssystem des Bundes (RIS)
|Original_Source_Link_1=https://www.ris.bka.gv.at/Dokumente/Bvwg/BVWGT_20211020_W211_2231475_1_00/BVWGT_20211020_W211_2231475_1_00.pdf
|Original_Source_Link_1=https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=338ae3c0-a817-4450-a3bc-f0eccd78f81a&Position=1&SkipToDocumentPage=True&Abfrage=Bvwg&Entscheidungsart=Undefined&SucheNachRechtssatz=True&SucheNachText=True&GZ=&VonDatum=&BisDatum=&Norm=DSGVO&ImRisSeitVonDatum=&ImRisSeitBisDatum=&ImRisSeit=Undefined&ResultPageSize=100&Suchworte=&Dokumentnummer=BVWGT_20211020_W211_2231475_1_00
|Original_Source_Language_1=German
|Original_Source_Language_1=German
|Original_Source_Language__Code_1=DE
|Original_Source_Language__Code_1=DE


|Date_Decided=20.10.2021
|Date_Decided=20.10.2021
|Date_Published=
|Date_Published=14.01.2022
|Year=2021
|Year=2021


Line 49: Line 49:
|Appeal_To_Body=
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=Unknown
|Appeal_To_Status=
|Appeal_To_Link=
|Appeal_To_Link=


Line 56: Line 56:
}}
}}


The Federal Administrative Court held that the transmission of personal data from the controller to the processor does not need to be justified under Art. 6 GDPR because the processor is to be seen as a mere - dependent – extension of the controller.
The Federal Administrative Court held that the transmission of personal data from the controller to the processor does not need to be justified under [[Article 6 GDPR]] because the processor is to be seen as a mere extension of the controller.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The data subject called the helpline of the Österreichsiche Post AG (Austrian Postal PLC). He gave his phone number to the employee with the request for a callback, thereby stating that he does not want the phone number to be given to a third party. Afterwards the data subject was called twice by a market research institute – the processor. The controller and the processor had concluded a processing-contract under Art. 28 GDPR.  
The data subject called the helpline of the Österreichsiche Post AG (Austrian Postal PLC). He gave his phone number to the employee with the request for a callback, thereby stating that he did not want the phone number be given to a third party. Afterwards the data subject was called twice by a market research institute – the processor. The controller and the processor had concluded a processing-contract under [[Article 28 GDPR]].  
 
The data subject filed a complaint with the DSB (Austria) arguing that the transmission of his data (name and phone number) to the processor was illegitimate since he literally expressed that he does not want his data to be given to a third party.
During these proceedings the data subject amended their submission by also tackling the use of cookies by the controller.
 
The DSB dismissed the complaint.
 
 


The data subject filed a complaint with the DSB (Austria) arguing that the transmission of his data (name and phone number) to the processor was illegitimate since he had already denied consent to any form of data sharing with a third party. During these proceedings the data subject amended their submission by also tackling the use of cookies by the controller. The DSB dismissed the complaint. 
=== Holding ===
=== Holding ===
The Federal Administrative Court (Bundesverwatungsgericht – BVwG) upheld the decision of the DSB.  
The Federal Administrative Court (''Bundesverwatungsgericht – BVwG'') upheld the decision of the DSB.  


The court determined that the processor is to be seen as a dependent extension of the controller (“verlängerter Arm”) (cmp. Art. 29 GDPR). If the processing of data is in accordance with Art. 6 GDPR, the controller is free to deploy a processor. As a result, the transmission of data from the controller to the processor itself does not need to be justified under Art. 6 GDPR.  
The court determined that the processor is to be seen as a dependent extension of the controller (“verlängerter Arm”) (cmp. [[Article 29 GDPR]]). If the processing of data is in accordance with Article 6 GDPR, the controller is free to deploy a processor. As a result, the transmission of data from the controller to the processor itself does not need to be justified under [[Article 6 GDPR]].  


In the case at hand, the court came to the conclusion that the processing of data by the controller - and therefore also the transmission to the processor - is justified under Art. 6(1)(c) GDPR. The controller in this case - the  Österreichsiche Post AG - is obliged under national law (§§ 6(8), 32(3) PMG) to provide for a complaint management system to improve their services.  
In the case at hand, the court came to the conclusion that the processing of data by the controller - and therefore also the transmission to the processor - is justified under [[Article 6 GDPR#1c|Article 6(1)(c) GDPR]]. The controller in this case - the  Österreichsiche Post AG - is obliged under national law (§§ 6(8), 32(3) PMG) to provide for a complaint management system to improve their services. According to § 6(8) PMG a postal service must further develop its service in accordance with the needs of users and to contribute to securing the provision of postal services and to the further development of them by means of appropriate measures and proposals. Pursuant to § 32(3) PMG postal service providers must have a complaints management system in place so that users can raise disputes or complaints.  


Besides, the court decided the amendment of the data subject’s complaint was inadmissible pursuant to § 13(8) AVG and a data subject has no subjective right to the initiation of administrative fine proceedings under the GDPR and according to § 25(1) VStG.
Besides, the court decided the amendment of the data subject’s complaint was inadmissible pursuant to § 13(8) AVG and a data subject has no subjective right to the initiation of administrative fine proceedings under the GDPR and according to § 25(1) VStG.
== Comment ==
== Comment ==
''Share your comments here!''
''Share your comments here!''
Line 90: Line 82:


<pre>
<pre>
                                                                              Postal address:
Saying
                                                                    Erdbergstrasse 192 – 196
                                                                              1030 Vienna


                                                                        Phone: +43 1 601 49-0
                                                                  Fax: +43 1 711 23-889 15 41
                                                              Email: einlaufstelle@bvwg.gv.at
                                                                          www.bvwg.gv.at


W211 2231475-1/9E


IN THE NAME OF THE REPUBLIC!


The Federal Administrative Court, by Judge Barbara SIMMA LL.M. as chairperson and the expert lay judge Margareta MAYER-HAINZ and the expert lay judge Dr. Ulrich E. ZELLENBERG as associate judge, rules on the complaint of XXXX against the decision of the data protection authority of XXXX, Zl. XXXX in closed session:


                    DECISIONS D A T U M
A)


                                2 0 . 1 0 . 2 0 2 1
The complaint is dismissed as unfounded.


                            BUSINESS NUMBER
B)


The appeal is admissible pursuant to Art. 133 para. 4 B-VG.




Text




Reasons for decision:


                        W 2 1 1 2 2 3 1 4 7 5 - 1/9 E
I. Course of proceedings:


                I M N A M E N D E R E P U B L I K !
By data protection complaint of XXXX .2018 (received by the data protection authority on XXXX .2018), the complainant alleged a violation of the right to confidentiality pursuant to section 1 and sections 8 as well as 62 para. 1 line 1 of the Data Protection Act (DSG) by Österreichische Post AG (the co-participating party).


The complainant summarised that although the co-participating party appeared in the form of a "company", it was de facto a state-owned enterprise. On XXXX 2018, the postal customs office received a letter containing goods ordered by the complainant. Due to irregularities in connection with the consignment, the complainant contacted the "hotline" of the involved party on XXXX 2018. He had left his mobile phone number there with the request to call him back, whereby he had expressly requested the involved party not to pass this number on to third parties under any circumstances. This had been expressly assured to him. He was then called back by the other party and was able to resolve the consignment.


The Federal Administrative Court recognizes through the judge Mag. Barbara SIMMA LL.M. as
On XXXX.2018, he had been called by XXXX. When the complainant specifically asked where the XXXX had obtained his telephone number and name, he was informed by the caller that she had obtained them from the co-operating party for survey purposes. On the same day, he had been contacted by another number, with the caller apparently suppressing the caller ID. After hearing "Do you want to participate in a survey", he immediately hung up.


Chair and the expert lay judge Margareta MAYER-HAINZ and the
At no time had he given his consent to the disclosure of his name and telephone number, but had expressly requested that his contact details not be disclosed. There was also no public interest. As he had not been aware of the disclosure of his data, it had not been possible for him to object. The complainant's right under Article 1(1) of the Data Protection Act had therefore been violated. Section 61(1)(2) of the FADP was also applicable in any case.


expert lay judge Dr. Ulrich E. ZELLENBERG as assessor on the
In its statement of XXXX.2018, the involved party stated in response to this data protection complaint that XXXX was a processor within the meaning of Article 28 of the GDPR. It was therefore not necessary to obtain consent for the data transfer in question. The customer satisfaction survey was not carried out by employees of the involved party, but by an external company. This ensured that the involved party did not receive any personal results of the survey. The data transfer had been carried out in compliance with all provisions of data protection law, in particular Art. 28 ff DSGVO. However, the complaint had been taken as an opportunity to block the complainant from future customer satisfaction surveys.
Complaint by XXXX against the decision of the data protection authority of XXXX, Zl. XXXX in


closed session rightly:
By letter of XXXX .2018, the data protection authority again invited the involved party to comment. In particular, it was pointed out to the involved party that the mere fact that the company in question was allegedly a processor did not say anything about the lawfulness of the processing.


In its statement of XXXX .2019, the intervening party argued that it was a postal service provider within the meaning of the Postal Market Act (PMG) and also a universal service provider pursuant to Section 12 PMG. In accordance with the obligations assigned to it, it had to establish a complaints management system, publish information on the quality of its services at least once a year (section 32 PMG), present the number of complaints to the regulatory authority (section 6(7) PMG) and further develop the universal service in line with the needs of users and contribute to the further development of the universal service by means of appropriate measures and proposals to ensure the provision of postal services (section 6(8) PMG). In order to adequately fulfil this obligation, the party involved had set up the postal customer service, which had also been used by the complainant.


a)
In order to further develop and publish the quality in accordance with the legal obligation, the survey of users was the most suitable and recognised method. The survey itself was carried out by XXXX as a processor acting within the framework of the agreement according to Article 28 of the GDPR. The purposes and means were specified by the involved party, which meant that XXXX could not be qualified as a third party within the meaning of Article 4(10) of the GDPR. In terms of data minimisation, the third party only receives the telephone number and the name of the person to be interviewed in order to enable a proper approach. The persons to be interviewed would only be contacted once per occasion, and the interview could also be refused at any time. If at all, one could only speak of a barely noticeable impairment.


When customers contacted the postal customer service, they were expressly informed of the information on data protection on the website of the party involved in accordance with Article 13 of the GDPR in the form of a recorded message. This information clearly stated that corresponding surveys could be carried out. Under point 3.2 of the website, market research institutes were listed as possible external service providers. If people contacted the post customer service, it was therefore ensured that they would receive the information pursuant to Article 13 of the GDPR.


The complaint is dismissed as unsubstantiated.
There is a certain period of time between contacting the post customer service and being contacted by the XXXX, within which objections can be made. Participation in the survey is therefore voluntary and can be refused at any time. The complainant had only lodged an objection when contacted by XXXX, which was why no survey had taken place.


b)
The establishment of the customer service was based on a legal obligation. A survey had to be carried out to explain the complaints or to check the service. The survey was the most suitable and recognised or only method. The lawfulness of the data processing was therefore based on Article 6(1)(c) of the GDPR.


In addition, the party involved was also acting in the public interest, as it had been entrusted with the basic postal service, including the associated obligation to review/publish/improve quality. Therefore, Article 6(1)(e) of the GDPR was also relevant. In addition, Article 6(1)(f) of the GDPR could also be used as a legal basis. The involved party does not act as an authority in the sense of the ground for exclusion. The interest in the quality review/publication obligation/improvement obligation resulted from the legal requirements of the PMG and was therefore lawful. In this respect, there is a benefit for the party involved as the responsible party, as it can continuously improve its service quality in accordance with the legal requirements, as well as a benefit for the general public, as it receives a better basic service. An interest is considered legitimate, for example, if it is pursued for the purposes of direct advertising or advertising per se or for the processing of market research.


The revision is permissible according to Art. 133 Para. 4 B-VG. - 2 -
Likewise, the fundamental right of freedom to conduct a business (Art. 16 of the CFR) gives rise to the legitimate interest of the party involved to learn from its customers their assessment of the complaint management in order to subsequently better meet their needs and wishes. Even in the absence of a legal obligation, the processing of personal data in question was therefore lawful. A survey could only be carried out with the contact data used, which meant that the processing was also necessary. The interest of the involved party and the interest of the general public in the data processing outweighed the complainant's interest. Moreover, the contact details were not particularly sensitive data.


A copy of the agreement on commissioned processing pursuant to Article 28 of the GDPR was attached to the submission.


In his letter of XXXX 2019, the complainant made the following comments on the observations of the co-operating party: First of all, he wanted to add that there had been a "blatant" misuse of data by the co-operating party. The co-operating party used inadmissible cookies and "spyware" on its website, as, in particular, an immediate objection was not possible. This was added as a further grievance to the present complaint.


Regarding the statement of the co-participating party, it could be stated that neither § 32 (6) PMG nor § 6 (7) and (8) PMG contained a justification for the transfer of data to third parties. The argument of increasing efficiency would also not justify the transfer of data to third parties. In the course of his request, he had not been provided with any information within the meaning of Article 13 of the GDPR. Whether participation in the survey was voluntary was irrelevant, as the subject of the complaint was the disclosure of data to third parties. At no time had he given his consent, and in particular a call to the "hotline" could not be regarded as such. The market research company was not subject to the supervision of the co-participating party. Moreover, the contract concluded between XXXX and the co-participating party was not applicable in this case, as the co-participating party had explicitly objected to the transfer of data. It would also have to be clarified whether the contract was not per se immoral and unlawful.


In the contested decision of XXXX, the data protection authority rejected the data protection complaint regarding the unlawful setting of cookies (decision point 1). Furthermore, it dismissed the complaint as unfounded (decision point 2.). The complainant's request for the imposition of a fine was rejected (decision point 3).


The data protection authority essentially stated that the complainant's letter of XXXX.2019, based on the complaint of XXXX 2018 initiating the proceedings concerning the unlawful setting of cookies, constituted a substantial amendment of the application within the meaning of section 13(8) AVG, which is why the submission had to be rejected in this respect. However, it had been taken as an opportunity to initiate separate appeal proceedings.


                            Reasons for decision:
In the present case, the "disclosure" of the complainant's personal data by the involved party to the market research institute had taken place. The subsequent customer satisfaction enquiry by this company had been about the complainant's complaint and had thus been carried out exclusively in the interest of and on behalf of the co-operating party. The pursuit of the market research company's own purposes had not been intended at any time, which meant that the market research company's independent responsibility had to be denied. The "transfer" in question was therefore data processing attributable to the co-participating party.


The complainant's data had not been transferred or disclosed to "third parties", but had been processed by the market research company on behalf of the involved party in accordance with Article 28 of the GDPR. There was no right for data controllers not to use processors. On the basis of the provisions of the PMG, the co-operating party is obliged to set up a complaints management system and to improve the quality of the services offered in the course of the universal service, i.e. postal delivery, by taking appropriate measures, and thus to take certain measures. Even if these provisions do not order the co-operating party to take any specific measures or to process any specific data, it cannot be assumed that the legislator intended to deprive the co-operating party of the possibility to process data, because otherwise the provision would be meaningless.


I. Procedure:
The handling of a complaint by a client and a customer as well as the quality assurance measures to be carried out were inconceivable without a name and contact address if the data required for this were not allowed to be processed. In the case of name and contact possibility, there was no doubt that the data processing was also necessary to the given minimal extent.


1. With a data protection complaint dated XXXX .2018 (received at the data protection authority on
Finally, it was stated that a subjective right to initiate administrative penal proceedings against specific data controllers could not be derived from Art. 77(1) DPA or Art. 24(1) and (5) DPA, and that the principle of official channels pursuant to Art. 25(1) VStG applied. Therefore, administrative criminal proceedings could only be initiated by a data subject; there was no right to initiation.


XXXX .2018), the complainant claimed a violation of the right to secrecy
In his complaint, which was filed in due time, the complainant stated, in so far as it is relevant here, that the data protection complaint concerned the transfer of data to third parties. It was completely irrelevant whether this disclosure was based on contracts under private law or other agreements.


according to § 1 and §§ 8 as well as 62 para. 1 Z 1 Data Protection Act (DSG) by the Austrian
The fundamental right to data protection was a constitutionally protected legal right that could not be overridden by contracts under private law. It was also irrelevant whether the data protection authority wanted to regard a third body as an "extended arm" or not. The complainant had only provided his (then) telephone number in response to a request by the hotline of the other party that it would otherwise not be possible to process the complaint, with the express instruction not to pass it on to third parties. The two companies that had ultimately received these telephone numbers and had contacted the complainant were market research companies whose business purpose was to collect customer requests for advertising purposes. It was not apparent in what way an advertising company could be useful for quality assurance. Sections 6 and 32 of the PMG also did not provide any indication that the co-operating party was thereby authorised to pass on customer data to third parties.
Post AG (the involved party).


Article 28(2) of the GDPR stipulates that processors may not use other processors without the prior separate or general written consent of the controller. Thus, the transfer of the data to an advertising company had in any case taken place without a basis in data protection law. There was therefore a violation of data protection by the involved party, as it had passed on the complainant's data to a third party company without consent as defined in Article 7 of the GDPR and contrary to an explicit request by the complainant.


The complainant stated in summary that the party involved was in form
In the contested decision, the complaint regarding the inadmissible setting of cookies was also rejected. On the same date, however, the data protection authority had issued an order to remedy the deficiencies, setting a deadline without service, which could therefore not have been complied with, as the matter had been settled immediately. There had therefore already been a violation of the General Administrative Procedures Act insofar as the parties had not been granted a hearing. The use of cookies fell under both the term data processing and the term data transfer. It was therefore incorrect for the data protection authority to assume that the use of cookies by the party involved was not covered by the content of the complaint.
of a "company", but is de facto a state-owned company. At the postal customs office be on


XXXX received a letter in 2018 containing goods ordered by the complainant.
Moreover, the question of an administrative penalty was not pursued further in the contested decision, which again made clear the unwillingness of the data protection authority to deal with certain matters.


Due to irregularities in connection with the shipment, the
II. the Federal Administrative Court considered:
Complainant contacted the involved party's "hotline" on XXXX .2018. He has


left his cell phone number there with a request to call him back, which he also shared
1. findings:


expressly asked the party not to pass this number on to third parties under any circumstances.
1.1 The complainant contacted the "hotline" of the involved party on XXXX .2018 due to delivery problems in connection with a postal item. There he left his mobile phone number with the request to call him back, whereby he expressly requested the co-participating party not to pass this number on to third parties under any circumstances.
He was expressly assured of this. He was then from the party involved


been called back and was able to fix the shipment.
On XXXX .2018, the complainant was called by XXXX. When the complainant specifically asked where the XXXX had obtained his telephone number and name, he was informed by the caller that she had obtained them from the co-operating party for survey purposes. On the same day, the complainant was contacted by another number for survey purposes and the caller had suppressed the caller ID. The complainant ended this call immediately after the other party asked if he wanted to participate in a survey.


1.2 The following contract was concluded between the co-operating party and XXXX on XXXX .2018 (reproduced in extracts):


On XXXX .2018 he was called by XXXX. Upon specific request from
"AGREEMENT ON A CONTRACT PROCESSING pursuant to Art. 28 of the GDPR.
Complainant, where XXXX got his phone number and his name from, was him


been informed by the caller that she was entitled to this by the party involved
concluded between
 
received for survey purposes. On the same day he was contacted by another number
been made, whereby the caller had obviously suppressed the number display.
 
After hearing "Do you want to take part in a survey", he immediately hung up.
 
At no time did he give his consent to the disclosure of his name and his
 
Telephone number given, but expressly requested, his contact details not
 
to pass on. Nor is there any public interest. Since he is from the
If I had no knowledge of the data being passed on, an objection is also not possible
 
been. The complainant was therefore violated in his right under § 1 para. 1 DSG
 
been. In any case, § 61 Para. 1 Z 2 DSG is also applicable.
 
2. With a statement dated XXXX .2018, the party involved led to this
 
Data protection complaint that XXXX is a processor in
 
within the meaning of Art. 28 GDPR. Obtaining consent for the present - 3 -
 
 
Data transmission is therefore not necessary. The customer satisfaction survey is not
by employees of the party involved, but by an external company
 
Have been carried out. This ensures that the party involved does not
 
personal results of the survey. The data transmission is under
Compliance with all data protection regulations, in particular Art. 28 ff DSGVO,
 
However, the complaint was taken to cause the complainant to
 
Block future customer satisfaction surveys.
 
3. By letter dated XXXX .2018, the data protection authority requested the involved party
 
again for comment. In particular, the party involved was pointed out
 
pointed out that the mere fact that the company in question is
allegedly to be a processor, nothing about the legality of the
 
processing statement.
 
 
4. The involved party submitted in a statement dated XXXX .2019 that they
Postal service providers within the meaning of the Postal Market Act (PMG) and also
 
Universal service operator according to § 12 PMG. According to the one assigned to her
 
Among other things, she has obligations to set up a complaints management system,
to publish information about the quality of their services at least annually (§ 32
 
PMG), to show the regulatory authority, among other things, the number of complaints (§
6 Para. 7 PMG) and the universal service in terms of the needs of users
 
develop and through appropriate measures and suggestions to secure the supply
 
to contribute to the further development of the universal service with postal services (§ 6 Para. 8 PMG).
In order to adequately meet this obligation, the party involved has the
 
Postal customer service set up, which was also used by the complainant
 
may be.
 
So that the quality is further developed in accordance with the legal obligation and also
 
could be published, the survey of the users is the most suitable and
 
most recognized method. The survey itself will be considered by the XXXX
Processor carried out within the framework of the agreement under Art. 28 GDPR
 
act. Purposes and means are specified by the party involved, whereby the XXXX
 
nor can it be qualified as a third party within the meaning of Art. 4 Z 10 GDPR. In the sense of the
Data minimization only get the phone number and the name of the
 
interviewer to enable proper addressing. the to
interviewers would only be contacted once per case, and the - 4 -
 
 
survey can be declined at any time. If at all, only one could hardly do it
noticeable impairment.
 
 
If customers contact the postal customer service, they would
 
according to Art. 13 GDPR in the form of a taped announcement on the information on the topic
data protection on the website of the party involved. This
 
Information can be clearly inferred that appropriate surveys have been carried out
 
can become. Under point 3.2. of the website are market research institutes as possible
external service providers listed. When people post customer service
 
would contact, so be sure that they have the information in accordance with Art. 13 GDPR
 
would receive.
 
Between contacting Post Customer Service and being contacted by
 
the XXXX exists for a certain period of time, within which there are already contradictions
 
can be done. Participation in the survey is therefore voluntary and possible
be rejected at any time. Only when contacted by XXXX did he
 
Complainant lodged an objection, which is why no questioning
 
have taken place.
 
The establishment of customer service is based on a legal obligation. One
 
Questionnaire must be carried out to explain the complaints or to check the service
will. The survey is the most suitable and recognized or only method. In order to
 
the lawfulness of the data processing results from Art. 6 Para. 1 lit. c GDPR.
 
 
In addition, the party involved is also acting in the public interest, since the postal
Basic care including the associated quality check
 
/obligation to publish/obligation to improve had been transferred. Thus Art. 6 is also
 
Paragraph 1 lit. e GDPR relevant. In addition, Art. 6 Para. 1 lit. f
GDPR are used. The party involved does not act as an authority in the sense
 
the reason for exclusion. Interest in quality control
 
/obligation to publish/obligation to improve result from the legal requirements
PMG and is therefore legitimate. In this respect, there is a benefit for those involved
 
party as the responsible party, as they continuously ensure their service quality in accordance with the
 
legal requirements can be improved as well as a benefit for the general public than this
receive better basic care
 
viewed if this is for the perception of direct mail or advertising itself or
will also be tracked for processing for market research purposes. - 5 -
 
 
Likewise, this results from the basic right of entrepreneurial freedom (Article 16 of the GRC).
legitimate interest of the party involved, from their customers their assessment of the
 
To learn about complaint management in order to better
 
to be fair. Even without the existence of a legal obligation
the processing of personal data in question is therefore lawful. Only with the
 
The contact data used can be used to carry out a survey, with which the
 
processing was also necessary. The interest of the party involved and that
The interest of the general public in data processing outweighs the interest
 
of the complainant. In addition, the contact details are not particularly worthy of protection
 
Data.
 
The input was the agreement on order processing according to Art. 28 GDPR in copy
 
connected.
 
 
5. By letter dated XXXX .2019, the complainant made the following statement on the
Statements of the party involved: Initially, he wanted to add a "crass"
 
Inform the party involved of data misuse. The involved party uses on
 
Cookies and "spyware" that are not permitted on their website, especially since a direct
objection is not possible. This becomes more objective as a further objection
 
Complaint added.
 
For the opinion of the party involved, it can be stated that neither § 32 para.
 
6 PMG nor § 6 para. 7 and para. 8 PMG a justification for the transfer of data to third parties
 
contain. The argument of increasing efficiency would also include data transfer to third parties
not justify. In the course of his request, he received no information within the meaning of Art. 13
 
GDPR has been granted. It is irrelevant whether participation in the survey is voluntary
 
The subject of the complaint was the transfer of data to third parties. At no time did he
consent is given, whereby in particular a call to the "hotline" is not as such
 
can be rated. The market research company is not subject to the supervision of
 
with the party involved
The contract concluded is not applicable in the present case, as it explicitly allows data to be passed on
 
have objected. It would also have to be clarified whether the contract per se is moral and
 
be illegal.
 
6. With the contested decision of XXXX, the data protection authority rejected the
 
Privacy complaint regarding the illegal setting of cookies
(Point 1.). In addition, she dismissed the complaint as unfounded (paragraph - 6 -
 
 
2.). The complainant's application for a fine was granted
rejected (point 3.)
 
 
The data protection authority explained insofar as essential that the letter of the
 
Complainant from XXXX .2019 on the basis of the proceedings
Complaint submission of XXXX 2018 regarding the illegal setting of cookies
 
represents a significant change in the application within the meaning of Section 13 (8) AVG, which is why the
 
arguments to that effect had to be rejected. However, it was taken as an opportunity
been asked to initiate a separate complaints procedure.
 
 
In the present case, the "passing on" of the personal data of the
 
complainant by the party involved to the market research institute. the
Subsequent customer satisfaction requests from this company have the complaint case
 
of the complainant and is therefore exclusively in the interest and in the
 
Order of the involved party takes place. The pursuit of one's own purposes
Market research company was never intended, which means that a
 
independent responsibility of the market research company is to be denied. the
 
the present "passing on" is therefore one that can be attributed to the party involved
data processing.
 
 
The complainant's data was not transmitted or disclosed to "third parties",
but within the meaning of Art. 28 GDPR by the market research institute on behalf of
 
involved party has been processed as agreed. A right to that
 
responsible persons do not use any processors, does not exist. the
On the one hand, the involved party is obliged to do so due to the provisions of the PMG
 
to set up a complaints management system and, on the other hand, to ensure the quality of the
 
Universal service, ie postal delivery, services offered by suitable
Measures to improve, and thus to take certain measures. Even if
 
of the involved party in these regulations no concrete measure and also none
 
certain data processing is ordered, should not be subject to the legislature
that he gives the party involved the possibility of data processing
 
want to withdraw, because otherwise the provision would be meaningless.
 
 
The handling of a complaint from a customer and the
The quality assurance measures to be carried out are without name and contact address
 
unthinkable if the data required for this should not be processed. At - 7 -
 
 
Name and contact option there is no doubt that the data processing in
given minimal scope is also required.
 
 
Finally, it was stated that a subjective right to initiate a
 
Administrative penal proceedings against specific persons responsible under Art. 77 Para. 1 DSGVO or §
24 para. 1 and 5 DSG cannot be derived, and the principle of expediency according to § 25 para.
 
1 VStG applies. Administrative penal proceedings can therefore only be carried out by a person concerned
 
be suggested, there is no entitlement to initiation.
 
7. In the complaint, which was raised within the time limit, the complainant went so far
 
summarized here essentially that the data protection complaint the disclosure of
 
data to third parties. It is completely irrelevant whether this transfer
based on private law contracts or other agreements.
 
 
The fundamental right to data protection is a constitutionally protected legal interest, which is not
 
can be overridden by private law contracts. It is also irrelevant
whether the data protection authority wants to see a third party as an "extended arm" or not.
 
At the request of the involved party's hotline, the complainant only
 
Otherwise processing is not possible, his (former) telephone number was announced,
this with the express note not to pass the same on to third parties. The two
 
Companies that ultimately receive these phone numbers and the complainant
contacted are market research companies whose business purpose is the survey
 
of customer requests for advertising purposes. It is not clear in what way
 
Advertising company could be useful for quality assurance. §§ 6 and 32 PMG would also offer
no indication that the involved party is thereby authorized to use customer data
 
to pass on to third parties.
 
 
Art. 28 para. 2 GDPR stipulates that processors must not
Processors without prior separate or general written consent
 
permission of the person responsible. Sohin be the
 
Passing on of the data to an advertising company in any case without a basis under data protection law
he follows. There is therefore a violation of data protection by the party involved,
 
since this without consent within the meaning of Art 7 GDPR and contrary to an explicit request by the
 
complainant's data to a third-party company.
 
In the contested decision, the complaint regarding the inadmissible setting of
 
Cookies have been rejected. With the same date, however, the Data Protection Authority
issue an order to remedy defects with a deadline without delivery, which - 8 -
 
 
could have been followed, since the matter had been discussed immediately. It
there is therefore already a violation of the AVG insofar as no hearing of the parties is granted
 
had been. The use of cookies falls under the term data processing,
 
as well as under the term data transfer. It is therefore incorrect if the
Data Protection Authority believes the use of cookies by the affiliated party
 
would not be included in the content of the complaint.
 
 
Moreover, the question of an administrative fine is not addressed in the contested decision
followed up, reflecting the unwillingness of the Data Protection Authority to deal with certain
 
make things clear again.
 
 
II. The Federal Administrative Court considered:
 
1. Findings:
 
 
1.1. The complainant contacted due to delivery issues related
 
with a postal item on XXXX .2018 the "hotline" of the party involved. left there
he left his cell phone number with a request to call him back, stating that he was the party involved
 
expressly requested not to pass this number on to third parties under any circumstances.
 
 
On XXXX .2018 the complainant was called by XXXX. On concrete
The complainant asked where the XXXX got his telephone number and his name
 
have, he was informed by the caller that she was from the involved
party received for survey purposes. On the same day, the complainant was
 
contacted another number for survey purposes, with the caller using the
 
had suppressed caller ID. The complainant ended that call immediately,
after his interlocutor had asked if he wanted to take part in a survey.
 
 
1.2. The following contract was concluded between the party involved and XXXX on XXXX .2018
 
completed (reproduced in excerpts):


"AGREEMENT ON ORDER PROCESSING according to Art. 28 GDPR
XXXX (hereinafter referred to as the "Controller")


concluded between
      XXXX (hereinafter "Responsible")
and
and
XXXX


      XXXX (hereinafter "processor")
XXXX


1. Subject of the agreement - 9 -
XXXX (hereinafter "Processor")


1. subject matter of the agreement


a) The area of responsibility of the processor includes conducting surveys
a) The scope of duties of the Processor includes the performance of surveys of all kinds and as required, but in particular the performance of the regularly ongoing survey of "Satisfaction with Postal Customer Service".
      of all kinds and as required, but in particular the implementation of the regular
      ongoing survey of "satisfaction with Swiss Post customer service".


      In the context of this contract, “personal data” includes such
In the context of this agreement, "personal data" shall be understood to mean those personal data which the controller transfers to the processor in the context of the agreement described in more detail above or the processing of which is instructed to the processor in that agreement.


      to understand personal data that the person responsible dem
b) The categories of personal data processed and the categories of data subjects are as follows
      processors within the framework of the contract described in more detail above
      or the processing of which is assigned to the processor in that contract.


b) Categories of personal data and categories of data subjects are processed
persons in accordance with Appendix 1.


      Persons according to Annex 1.
2. obligations of the processor


2. Processor Obligations
a) The Processor undertakes to process personal data and processing results exclusively within the framework of the written (e-mail sufficient) orders of the Controller. All data processing activities shall take place exclusively in a member state of the European Union.


a) The processor undertakes to process personal data and
b) The Processor is not authorised to disclose personal data of the Controller to third parties without the written consent of the Controller. As far as
      Processing results exclusively within the framework of the written (e-mail
      sufficient) to process orders from the person responsible. All


      Data processing activities take place exclusively in a member state of
the Processor is obliged to do so by law, the Processor shall not
      European Union instead.


b) The processor is not authorized to process personal data of the
the data controller without undue delay in advance.
      disclosure to third parties without the written consent of the person responsible. So far


      the processor is obliged to do so by law
c) The transfer of personal data to third parties, for which the processor is not legally obliged, requires a written (e-mail sufficient) order from the controller.
      to inform the person responsible immediately in advance.


c) The transfer of personal data to third parties, to which no legal
d) Personal data may only be processed for the processor's own purposes with the prior written consent of the controller.
      obligation of the processor exists, sets a written (e-mail
      sufficient) order of the person responsible.


e) The Processor undertakes to maintain data secrecy and declares in a legally binding manner that it has obliged all persons entrusted with the data processing to maintain confidentiality prior to commencement of the activity or that they are subject to an appropriate legal obligation of confidentiality. He/she has obliged all persons entrusted with data processing to keep confidential personal data entrusted or accessible to them exclusively on the basis of their professional employment, without prejudice to other statutory confidentiality obligations, insofar as there is no legally permissible reason for transfer/disclosure of the data. In particular, the confidentiality obligation of the persons entrusted with the data processing shall remain in force even after the termination of their employment or their departure from the Processor.


d) Processing of personal data for the company's own purposes
f) The Processor declares in a legally binding manner that it has taken all necessary measures to ensure the security of the Processing pursuant to Art. 32 GDPR. The Processor represents and warrants that it has taken and will continue to take the risk-appropriate technical and organisational measures described and selected in Appendix 2 to protect the Personal Data from accidental or unlawful destruction or loss and to ensure its proper processing and inaccessibility to unauthorised third parties. The Processor undertakes to maintain the technical and organisational measures in the above sense at the state of the art and to update or adapt them in accordance with technical progress or changes in the threat situation.
      Processor may only be used with the prior written consent of the
      responsible.


e) The processor undertakes to maintain data secrecy and
g) The Processor shall ensure that the Controller is able to fulfil the rights of the data subject pursuant to Chapter III of the GDPR (information, access, correction and deletion, data portability, objection and automated decision-making in individual cases) and taking into account the Austrian Federal Act on the Protection of Individuals with regard to Processing (DSG as amended) within the statutory time limits at any time, shall provide the Controller with all information necessary for this purpose and shall support the Controller in fulfilling the relevant obligations to the best of its ability. If a corresponding request asserting data subject rights is addressed to the processor and if it is evident from the content of the request that the applicant mistakenly believes the processor to be the controller of the processing activity carried out by the processor on behalf of the controller, the processor shall forward the request to the controller without undue delay and inform the applicant thereof, indicating the date of receipt of the request.
      declares in a legally binding manner that he is responsible for all data processing


      has obligated persons to maintain confidentiality before starting the activity or these
h) The Processor shall support the Controller in complying with the obligations set out in Articles 32 to 36 of the GDPR (data security measures, notifications of personal data breaches to the supervisory authority, notification of the person affected by a personal data breach, data protection impact assessment, prior consultation) to the best of its ability. In particular, the Processor undertakes to notify the Controller of any personal data breach without undue delay, but no later than 36 hours after becoming aware of it.
      are subject to an appropriate statutory obligation of confidentiality. He has
      all persons entrusted with data processing are obliged to
      Data provided to them solely because of their professional activity


      be entrusted or accessible, without prejudice to other statutory provisions
i) The Processor is advised that it must establish a processing directory in accordance with Article 30 (2) of the GDPR.
      To keep confidentiality obligations secret, unless legally permissible
      There is a reason for the transmission/disclosure of the data. In particular, the remains
      Confidentiality obligation of the persons responsible for data processing
      even after they have finished their job or left the company


      Processor upright.
j)      The Processor undertakes to provide the Controller with the information necessary to monitor compliance with the obligations set out in this Agreement. In particular, the Processor undertakes to provide the Controller with appropriate written evidence of the implementation and effectiveness of the technical and organisational measures described in Annex 2 without undue delay upon the Controller's request. At the request of the controller, the declaration of data secrecy with regard to the person entrusted with the performance of the contract shall also be submitted to the controller in individual cases.


f) The Processor declares in a legally binding manner that it has all the necessary
k) With regard to the processing of the personal data provided by the data controller, the data controller shall be granted the right to verify the correctness of the data processing at the data processor's premises by means of qualified employees who are bound to secrecy or by means of a person who is bound to professional secrecy (court-certified expert, etc.). This shall be done during normal office hours and in coordination with the Data Protection Officer of the Processor or another person responsible for data protection.
      Measures to ensure the security of processing in accordance with Art. 32 GDPR
The data protection officer/person responsible for data protection at the Processor is:
      has taken. The processor assures that the data described in Appendix 2 and
Mr/Mrs


      selected, risk-appropriate, technical and organizational - 10 -
XXXXXXX


l ) The Processor shall be obliged to hand over to the Controller all processing results and documents containing personal data which are the subject matter of the contract after termination of the contract; this shall not affect the storage of the personal data and processing results handed over to the Processor to the extent and for as long as the Processor has to guarantee its performance.


      have taken and will continue to take action to
After the expiry of the warranty period, the processor shall delete all personal data which are the subject of the contract or, at the request of the controller, store them securely before the deletion is carried out. This shall apply in particular insofar as the Processor is not obliged to continue to store personal data on the basis of mandatory statutory provisions.
      personal data against accidental or unlawful destruction and against
      to protect against loss as well as their proper processing and the
      Ensure non-accessibility for unauthorized third parties. The Processor


      undertakes to implement the technical and organizational measures in the above
statutory provisions.
      Keeping it up to date with the latest technology and looking for technical progress or
      to update or adapt to a changed threat situation.


g) The processor ensures that the person responsible respects the rights of the
Upon request of the controller, the processor shall confirm the deletion of the data in writing.


      data subject according to Chapter III of the GDPR (information, access, correction
If the Processor processes the Personal Data in a special technical format, it shall be obliged to release the Personal Data after the termination of the contract either in that format or, at the request of the Controller, in the format in which it received the Personal Data from the Controller or in another commonly used format.
      and deletion, data portability, objection and automated
      Decision-making in individual cases) and taking into account the Austrian
      Federal law for the protection of natural persons during processing (DSG idgF)
      within the statutory deadlines at any time, leaves the


      responsible for all the necessary information and supports them in the process
(m) The processor shall inform the controller without undue delay in the event that the processor
      Fulfillment of related obligations to the best of our ability. Will a corresponding
      Application, with which the rights of the data subject are asserted, to the
      Processor directed and it is evident from the content of the application that the


      Applicant mistook the application processor for the person in charge of his
(m) The Processor shall inform the Controller without undue delay if the Processor considers that any instruction given by the Controller is in breach of EU or Member State data protection law.
      processing activity carried out for the person responsible, the
      Processor to forward the request to the person responsible immediately
      and this to the applicant, stating the date of receipt of the
      to communicate the application.


3. sub-processors


h) The processor supports the person responsible in complying with the regulations
a) The Processor shall not be entitled to use a sub-processor without the prior written consent of the Controller.
      Articles 32 to 36 DSGVO mentioned obligations (data security measures, reports
      of personal data breaches to the supervisory authority,
      Notification of a Personal Data Breach


      data subject, data protection impact assessment, prior consultation).
b) In the event of written consent, the Processor shall conclude the necessary agreements within the meaning of Article 28(4) of the GDPR with the sub-processor. In doing so, it shall be ensured that the sub-processor enters into the same obligations as those incumbent on the processor on the basis of this agreement. The Processor shall provide the Controller with documentary evidence of the transfer of the obligations under this Agreement at any time upon request.
      best efforts. In particular, the processor undertakes to
      those responsible immediately, but no later than within 36 hours of this
      Notice to notify of data breaches.


i) The processor is informed that he has a processing directory
c) If the sub-processor fails to comply with its data protection obligations, the processor shall be liable to the controller for compliance with the obligations of the sub-processor.


      has to be set up in accordance with Art. 30 Para. 2 GDPR.
d) The Controller gives its consent to the use of the sub-processors named in Annex 3.


j) The processor undertakes to provide the person responsible with that information
4 Duration of the Agreement
      to provide the means to monitor compliance with this Agreement
      mentioned obligations are necessary. In particular, the
      Processor, the person responsible immediately upon request


      appropriate written evidence of the implementation and effectiveness of the in Annex 2
The duration of the agreement shall be governed by the contract referred to in point 1a).
      to transmit the technical and organizational measures described. Over
      At the request of the person responsible, the declaration of the
      Protection of data secrecy regarding the person who is presented with the


      execution of the order is entrusted.
x The agreement is concluded for an indefinite period and may be terminated in writing by either party with three months' notice to the end of the month. The possibility of termination without notice for good cause remains unaffected.


k) With regard to the processing, the person responsible is given the
Insofar as a service provider agreement under data protection law already exists between the contracting parties with regard to the main service, which is described in more detail in the contract referred to in point 1a), it shall be replaced by the present agreement on commissioned data processing.
      personal data granted the right, even by qualified and for
      Employees sworn to secrecy or by a professional secrecy - 11 -


5 Other provisions


      obligated person (court-certified expert etc.)
a) All disputes arising from and in connection with this Agreement shall be subject to the following
      Processor to check the correctness of the data processing
      Announcement to check. This during normal office hours and in coordination
      with the data protection officer of the processor or another person responsible for


      person responsible for data protection.
Austrian law, excluding the UN Convention on Contracts for the International Sale of Goods and conflict of laws provisions. For all disputes, the competent court for XXXX Vienna shall be agreed.
      The data protection officer/responsible for data protection at
      Processor is:
      Mr. Mrs


      XXXXXXX
b) Only what is agreed in writing shall be binding; there shall be no oral collateral agreements. Amendments and supplements to the agreement must be made in writing in order to be valid; this also applies to any waiver of the formal requirement of writing.


l ) After completion of the order, the processor is obliged to
c) All rights and obligations arising from this agreement shall pass to any legal successors of both contracting parties.
      responsible for all processing results and documents that
      contain contractual personal data; of that
      The storage of the data left to the processor remains unaffected


      personal data and processing results to the extent and as long as this is for
d) The parties agree to treat the conclusion of this agreement and its contents as confidential. This shall not apply insofar as a party is obliged to disclose this agreement or the contents thereof in accordance with the provisions of this agreement or due to a legal obligation. This shall apply insofar as the present agreement does not contain any provisions to the contrary and no statutory obligations to provide information exist.
      to guarantee its services.
      After the warranty period has expired, the processor has all
      to delete contractual personal data or to post them


      Request of the person responsible before carrying out the deletion
e) The Processor undertakes (i) to ensure that its legal representatives, employees and subcontractors used and/or commissioned comply with all applicable statutory provisions in connection with anti-corruption regulations and (ii) to take appropriate measures to ensure compliance with anti-corruption regulations. A breach of anti-corruption regulations entitles the responsible party - without prejudice to other rights of rescission and termination - to terminate the agreement without notice and to assert any claims for damages.
      keep. This applies in particular if the processor is to another
      Storage of personal data not due to mandatory legal requirements
      provisions is required.
      At the request of the controller, the processor confirms the


      data erasure in writing.
f) Should individual provisions of this agreement be or become invalid or ineffective, the contracting parties shall mutually agree on a valid or effective provision that comes as close as possible to the invalid or ineffective provisions in economic terms.
      If the processor processes the personal data in a special
      technical format processed, he is obliged to post the personal data
      Completion of the order either in this format or at the request of the


      Responsible in the format in which he received the personal data from
The invalidity or ineffectiveness of individual provisions shall not affect the validity or effectiveness of the entire contract.
      person responsible or in another common format
      to release.


m) The processor must inform the controller immediately if he
g) This contract shall be drawn up in two originals, one of which shall be given to each contracting party.
      is of the opinion that an instruction of the person responsible violates


      EU or Member State data protection regulations.
h) Annexes 1, 2 and 3 shall be deemed to be integral parts of the contract.
 
3. Sub-processors
 
a) The processor is without the prior written consent of the
      Controller not entitled to use a sub-processor.
 
b) In the event of written consent, the processor closes the
 
      necessary agreements within the meaning of Art. 28 Para. 4 GDPR with the sub-
      processor. It must be ensured that the sub-processor
      enters into the same obligations as the processor based on this
      agreement. The processor has the responsible person
 
      Override of the obligations under the present agreement upon request
      to be documented at any time. - 12 -
 
 
c) If the sub-processor does not meet his data protection obligations, he is liable
      the processor towards the person responsible for compliance
      Obligations of the sub-processor.
 
d) The person responsible gives his consent to the use of the information in Annex 3
 
      named sub-processor.
 
4. Duration of Agreement
□ The term of the agreement is based on the contract mentioned in point 1a).
x The agreement is concluded for an indefinite period and can be changed by either party
 
      be terminated in writing with a notice period of three months to the end of the month. the
      The possibility of termination without notice for important reasons remains unaffected.
 
In this respect, a data protection service provider agreement between the contracting parties
in relation to the main service described in more detail in the contract referred to in point 1a),
already exists, it is determined by the present agreement on a
 
Order data processing replaced.
 
5. Miscellaneous Provisions
 
a) All disputes arising from and in connection with this contract
      Austrian law, to the exclusion of the UN sales law and conflict of laws
 
      provisions. For all disputes, this will be factual and for XXXX Vienna
      locally competent court agreed.
 
b) Only what has been agreed in writing is binding; there are no oral ones
      ancillary agreements. Changes and additions to the agreement require their
      validity of the written form; this also applies to a waiver of the formal requirement
 
      writtenness.
 
c) All rights and obligations arising from this agreement are transferred to any
      Legal successors of both contracting parties.
 
d) The parties agree to the conclusion of this agreement and its content
      to be treated confidentially. This does not apply to the extent that a party in accordance with the provisions
 
      of the present agreement or due to legal obligation to
      disclosure of this Agreement or any content thereof. This applies,
      insofar as the present agreement does not contain any conflicting provisions
      contains and there are no legal obligations to provide information.
 
 
e) Processor undertakes (i) that its legal representatives,
      Employees and employed and/or commissioned subcontractors to all
      applicable legal provisions in connection with anti-
      comply with anti-corruption regulations and (ii) take appropriate measures to prevent the
      Ensure compliance with anti-corruption regulations. A breach of anti-
 
      Corruption regulations entitle the person responsible - without prejudice to others
      Right of withdrawal and termination - for extraordinary termination without notice
      agreement and to assert any claims for damages. - 13 -
 
 
f) Should any provision of this agreement be invalid or ineffective or
      become, the contracting parties will agree a valid or effective
      Set a provision that will invalidate or ineffective provisions
 
      economically closest.
      The invalidity or ineffectiveness of individual provisions has no effect
      on the validity or effectiveness of the entire contract.
 
g) This contract is drawn up in two originals, of which each contracting party has one
 
      receives.
h) Appendices 1, 2 and 3 are considered to be an integral part of the contract.


[...]"
[...]"


In the annex to the present contract, "personal data" (e.g. first and last name) and "contact data" (e.g. telephone number) are mentioned as processed data categories. Employees and customers are named as data subjects. Furthermore, the order processing contract contains technical and organisational measures, including confidentiality and integrity.


The processed data categories are included in the annex to the present contract
1.3 In a letter to the data protection authority dated XXXX.2019, the complainant additionally argued that the involved party was also setting illegal cookies on its website and submitted a data protection complaint to this effect.
“Personal master data” (e.g. first and last name) and “contact data” (e.g.
 
telephone number) mentioned. The affected persons are employees and


called customers. The order processing contract also contains
2. assessment of evidence:
technical and organizational measures, including confidentiality and integrity.


The findings result from the file in connection with the submissions of the parties, in particular from the submitted contract between the co-participating party and XXXX dated XXXX .2018, and are not disputed.


1.3. The complainant sent a letter dated XXXX .2019 to the
Legal assessment:


The data protection authority also provides that the party involved also unlawful
Re A)


set cookies on their website and filed a privacy complaint to that effect.
1. § 1 of the Federal Act on the Protection of Individuals with regard to the Processing of Personal Data (Data Protection Act - DSG) reads (in excerpts):


2. Evidence assessment:
(constitutional provision)


Basic right to data protection


The findings result from the file in connection with the arguments of the parties,
§ (1) Everyone has the right to confidentiality of personal data concerning him or her, in particular with regard to respect for his or her private and family life, to the extent that there is an interest worthy of protection. The existence of such an interest shall be excluded if data are not accessible to a claim to secrecy due to their general availability or due to their lack of traceability to the person concerned.


in particular from the contract submitted between the party involved and XXXX
(2) Unless the use of personal data is in the vital interest of the data subject or with his or her consent, restrictions to the right to secrecy shall only be permissible to protect overriding legitimate interests of another, and in the case of interference by a state authority only on the basis of laws which are necessary for the reasons set out in Article 8(2) of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR), Federal Law Gazette No 210/1958. Such laws may only provide for the use of data which, by their nature, are particularly worthy of protection, in order to safeguard important public interests, and must at the same time lay down appropriate safeguards for the protection of the confidentiality interests of the data subjects. Even in the case of permissible restrictions, the encroachment on the fundamental right may only be carried out in the most lenient manner that leads to the objective.
dated XXXX .2018, and are not disputed.


[...]


3. Legal assessment:
The relevant provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27.04.2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), read (in extracts):


Article 4 Definitions For the purposes of this Regulation, the term:


to A)
1. 'personal data' means any information relating to an identified or identifiable natural person (hereinafter 'data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;


1. Section 1 of the Federal Act on the Protection of Natural Persons in Processing
(2) 'processing' means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;


personal data (Data Protection Act - DSG) reads (in excerpts):
3. - 6. [...]


(7) 'controller' means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for under Union or Member State law;


      (constitutional provision)
(8) 'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;


      fundamental right to data protection
9. [...]


(10) 'third party' means any natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorised to process the personal data;


      § 1. (1) Everyone has, in particular with regard to respect for his private and
11. - 26. [...]
      family life, right to confidentiality of personal data concerning him
 
      Data insofar as there is a legitimate interest in it. The existence of such - 14 -
 
 
      Interestisexcludedifdataduetotheirgeneralavailabilityorbecause
 
      due to their lack of traceability to the person concerned, no claim to secrecy
 
      are accessible.
 
      (2) Insofar as the use of personal data is not in the vital interest
 
      of the person concerned or with his consent, limitations of the right to
 
      Confidentiality only to protect overriding legitimate interests of another
      permissible, in the event of interference by a state authority only on the basis of laws that
 
      from the in Art. 8 para. 2 of the European Convention for the Protection of Human Rights and
 
      Fundamental Freedoms (EMRK), Federal Law Gazette No. 210/1958, are necessary. such
      Laws prohibit the use of data that, by their nature, deserve special protection,
 
      only provide for the protection of important public interests and must at the same time
      appropriate guarantees for the protection of the confidentiality interests of the persons concerned
 
      determine. Even in the case of permissible restrictions, the encroachment on the fundamental right may in each case
 
      only be undertaken in the mildest, most effective way.
 
      [...]
 
 
The relevant provisions of Regulation (EU) 2016/679 of the European
 
Parliament and Council of April 27, 2016 on the protection of natural persons in the
 
Processing of personal data, the free movement of data and the cancellation of the
 
Directive 95/46/EG (General Data Protection Regulation), read (in excerpts):
 
      Article 4 Definitions For the purposes of this Regulation, the term means:
 
 
      1. “Personal Data” any information relating to an identified or
 
      identifiable natural person (hereinafter "data subject"); as
      identifiable is a natural person who directly or indirectly, in particular
 
      by association with an identifier such as a name, an identification number
 
      location data, an online identifier or one or more specific
      characteristics expressing the physical, physiological, genetic, psychological,
 
      economic, cultural or social identity of this natural person are identified
 
      can be;
 
      2. “Processing” any operation carried out with or without the aid of automated processes
 
      or any such series of operations involving personal data such as that
 
      Collecting, capturing, organizing, arranging, storing, adapting or
      Modification, reading, querying, use, disclosure by
 
      transmission, distribution or any other form of provision, comparison or
      linking, restriction, deletion or destruction; - 15 -
 
 
3rd – 6th […]
 
 
7. "Responsible person" the natural or legal person, authority, institution or other
 
Body alone or jointly with others on the purposes and means of processing
of personal data decides; are the purposes and means of this processing
 
stipulated by Union law or the law of the Member States, the
 
Responsible person or can use the specific criteria according to his designation
provided for by Union law or the law of the Member States;
 
 
8."Processor" means a natural or legal person, public authority, agency or
 
another entity that processes personal data on behalf of the controller;
 
9. […]
 
 
10. “Third party” means a natural or legal person, public authority, agency or other body,
 
other than the data subject, the controller, the processor and the
Persons who are under the direct responsibility of the person responsible or the
 
processors are authorized to process the personal data;
 
 
11th – 26th […]


Article 6 Lawfulness of processing
Article 6 Lawfulness of processing


(1. Processing shall be lawful only if at least one of the following conditions is met: [...]


(1) The processing is only lawful if at least one of the following
(c) processing is necessary for compliance with a legal obligation to which the controller is subject; [...].
 
conditions are met: [...]
 
c) the processing is necessary for compliance with a legal obligation imposed by the
 
Controller is subject to; [...]
 
 
(2) Member States may have more specific provisions adapting the application
the provisions of this regulation in relation to processing to comply with paragraph 1
 
Maintain or introduce subparagraphs c and e by providing specific requirements for the
 
Processing as well as other measures more precisely to determine a lawful and according
ensure fair processing, including for others
 
special processing situations according to Chapter IX.
 
 
(3) The legal basis for the processing pursuant to paragraph 1 letters c and e
set by
 
 
a) Union law or
 
 
b) the law of the Member States to which the controller is subject. - 16 -
 
 
The purpose of the processing must be specified in this legal basis or in relation to the
 
Processing pursuant to paragraph 1 letter e may be necessary for the performance of a task that
 
is in the public interest or in the exercise of official authority which
responsible has been transferred. This legal basis may have specific provisions
 
to adapt the application of the provisions of this regulation, among others
 
Provisions on what general conditions for the regulation of
Lawfulness of the processing by the controller apply, what types of data
 
are processed, which persons are affected, to which institutions and for which
Purposes the personal data may be disclosed, what purpose they


are subject to how long they may be stored and what processing operations and
Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation in relation to processing to comply with points (c) and (e) of paragraph 1 by specifying more precisely specific requirements for processing as well as other measures to ensure lawful and fair processing, including for other specific processing situations referred to in Chapter IX.


procedures may be applied, including measures to ensure a
3. The legal basis for the processing operations referred to in points (c) and (e) of paragraph 1 shall be determined by
lawful and fair processing, such as for others


special processing situations according to Chapter IX. Union law or the law of
(a) Union law; or


Member States must pursue an objective in the public interest and in a
(b) the law of the Member States to which the controller is subject.
proportionate to the legitimate purpose pursued. [...]


The purpose of the processing shall be specified in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions adapting the application of the provisions of this Regulation, including provisions on the general conditions governing the lawfulness of processing by the controller, the types of data processed, the individuals concerned, the entities to which and the purposes for which the personal data may be disclosed, the purpose limitation, the storage period and the processing operations and procedures that may be applied, including measures to ensure lawful and fair processing, such as those for other specific processing situations in accordance with Chapter IX. Union or Member State law must pursue an objective in the public interest and be proportionate to the legitimate aim pursued. [...]


Article 28 Processors
Article 28 Processors


(Where processing is carried out on behalf of a controller, the controller shall only use processors providing sufficient guarantees that appropriate technical and organisational measures will be implemented in such a way that the processing will comply with the requirements of this Regulation and ensure the protection of the rights of the data subject.


(1) If processing is carried out on behalf of a person responsible, then this person only cooperates
(2. The processor shall not use another processor without the prior specific or general written authorisation of the controller. In the case of a general written authorisation, the processor shall always inform the controller of any intended change to the use or replacement of other processors, giving the controller the opportunity to object to such changes.
Processors who offer sufficient guarantees that appropriate technical and
 
organizational measures are carried out in such a way that the processing is in accordance with
 
the requirements of this regulation and the protection of the rights of the persons concerned
person guaranteed.
 
 
(2) The processor will not take on any other processor without prior approval
 
separate or general written approval of the person responsible. in the
In the event of general written approval, the processor will inform the
 
always inform those responsible about any intended change in relation to the addition or
 
the replacement of other processors, giving the controller the option
entitled to object to such changes.
 
 
(3) Processing by a processor is based on a contract
 
or any other legal instrument under Union law or the law of the
Member States that control the processor in relation to the controller
 
binds and in the subject and duration of the processing, type and purpose of the processing,
the type of personal data, the categories of data subjects and the obligations
 
and rights of the person responsible are defined. This contract or this other
 
Legal instrument provides in particular that the processor
 
a) the personal data only on documented instructions from the controller —
 
also with regard to the transfer of personal data to a third country or a - 17 -
 
 
international organization — processed, unless required by Union or EU law
 
Member States to which the processor is subject is obliged to do so; in one
 
In such a case, the processor shall notify the controller of these legal
Requirements prior to processing with, provided that the relevant right such notice
 
not prohibited because of important public interest;
 
 
b) ensures that those authorized to process the personal data
Persons have committed to confidentiality or an appropriate statutory
 
are subject to a duty of confidentiality;
 
 
c) take all measures required under Article 32;
 
d) the conditions for using the services referred to in paragraphs 2 and 4
 
of another processor;
 
 
e) in view of the nature of the processing, the person responsible, if possible with suitable ones
technical and organizational measures to fulfill its obligation to
 
Responding to requests to exercise the rights referred to in Chapter III
 
comply with the data subject;
 
f) taking into account the type of processing and those available to him
 
Information to those responsible for compliance with the provisions of Articles 32 to 36
 
supports the above obligations;
 
g) after completion of the provision of the processing services, all personal data
 
either deletes or returns at the discretion of the person responsible, unless after the
 
Union law or the law of the Member States an obligation to store the
personal data exists;
 
 
h) provide the controller with all the necessary information to demonstrate compliance with the
 
provides the obligations set out in this Article and reviews —
including inspections - carried out by the controller or another of the controller
 
commissioned auditors are carried out, enables and contributes to this.
 
 
With regard to subparagraph 1 letter h, the processor informs the
Responsible immediately if he believes that an instruction against this
 
Regulation or against other data protection regulations of the Union or the
violates Member States.
 
 
(4) If the processor engages the services of another processor
 
Right to request certain processing activities on behalf of the controller
to be carried out, this further processor will be assigned by way of a contract or - 18 -
 
 
        another legal instrument under Union law or the law of the person concerned
 
        Member State imposes the same data protection obligations as those in the Treaty or others
 
        Legal instrument between the controller and the processor in accordance with
        Paragraph 3 are set, whereby in particular sufficient guarantees are offered for this
 
        must ensure that the appropriate technical and organizational measures are implemented in this way
 
        that the processing is carried out in accordance with the requirements of this regulation.
        If the other processor does not meet his data protection obligations, he is liable
 
        first processor towards the person responsible for compliance with the obligations
        that other processor.
 
 
        (5) - (6) [...]
 
 
The relevant provisions of the Postal Market Act (PMG) are (excerpts):
 
universal service
 
        term and scope
 
 
        § 6. (1) - (7) [...]
 
 
        (8) The universal service operator is obliged to provide the universal service in accordance with the needs
        further developed by users and through appropriate measures and
 
        Proposals for securing the supply of postal services and for the further development of the
 
        contribute to universal service. In this context, in particular longer
        Opening hours, better accessibility and all possibilities of securing the location,
 
        especially by third-party post offices.
 
 
        (9) […]
 
        Obligations of Postal Service Providers
 
 
        § 32. (1) - (2) [...]
 
 
        (3) Postal service providers have to set up a complaints management system so that users
 
        and users can raise disputes or complaints.
 
        (4) - (5) [...]
 
 
        (6) Postal service providers shall have comparable, appropriate and up-to-date information at least annually
 
        Information on the quality of their services, in particular the transit times of those carried
        postal items using the methodology specified by ÖNORM EN 13850
 
        publish and the regulatory authority at their request prior to publication
 
        in paper form and electronically processable form. - 19 -
 
 
2. Application of the legal bases to the present complaint:
 
The object of the complaint is the question of whether the party involved
 
thereby violated the right to secrecy by providing the contact details of the
 
Complainant (name and cell phone number) to the XXXX, from which this
Data was subsequently used for the purposes of a customer satisfaction survey.
 
 
2.1. Regarding point 1 of the contested decision: Rejection of the
 
Data protection complaint about illegal setting of cookies:
 
In the contested decision, the data protection authority stated that the entry of the
 
Complainant from XXXX .2019 on the basis of the proceedings
 
Complaint of XXXX .2018 regarding the illegal setting of cookies
represent a significant change in the application within the meaning of Section 13 (8) AVG and therefore this
 
arguments to that effect should be rejected. However, the input was taken as an opportunity
 
been asked to initiate a separate data protection complaints procedure.
 
According to § 13 para. 8 AVG, an application change is only permissible if this changes the matter
 
its essence is not changed, the legislature the vagueness of this
 
consciously accepted the turn. However, the AB emphasize the ease of change of the
law, so that in case of doubt there is no change in the application that would change the nature of the application
 
to go out.
 
However, an application change should then affect the essence of the matter and therefore continue to do so
 
in any case be inadmissible if it is not actually a matter of changing the
 
original application, but a new, "different project" if that
The project thus acquires a different quality in the light of the material laws to be applied
 
(see Hengstschläger/Leeb, AVG § 13 Rz 45 (as of January 1st, 2014, rdb.at)).
 
 
In the present case, the original data protection complaint dated XXXX .2018, the
relates exclusively to the violation of the right to secrecy through the transmission of the
 
contact details of the complainant to the XXXX and the use of the same by
 
obtained this for the purpose of a customer satisfaction survey by entering the XXXX
2019, which the unlawful setting of cookies by the involved party to
 
The subject matter was a significant change in the application within the meaning of Section 13 (8) AVG. The
 
additional, cookies-related, submissions of the complainant in his statement of
XXXX .2019 affects the essence of the subject of the proceedings insofar as it is related to the
 
complaint of XXXX 2018 was presented as going far beyond this - 20 -
 
 
and a new, different, supplementary submission and thus a new - different -
subject of the complaint.
 
 
Against this background, the data protection complaint was rejected
 
the setting of cookies by the data protection authority.
 
In the light of the fact that in relation to the additional - new -, submissions regarding cookies
 
of the complainant by the data protection authority opened a further procedure
 
moreover, there is no lack of legal protection in relation to this complaint.
 
2.2. Regarding point 2 of the contested decision: Rejection of the
 
Privacy Complaint Regarding the Alleged Violation in the Right to
 
Confidentiality according to § 1 DSG:
 
The complainant submitted in the privacy complaint that the intervening party
 
unlawfully gave his name and phone number to a "third party" who is XXXX ,
 
passed on and thus violate confidentiality obligations.
 
A name and phone number are indisputably
 
personal data of the complainant according to Art. 4 Z 1 DSGVO, which also according to Art. 4
 
Z 2 GDPR were processed (i.e. transmitted, provided).
 
The question therefore arises whether the data processing carried out by XXXX for
 
Customer Satisfaction Survey constitutes processing by third parties.
 
In Art. 4 Z 10 GDPR, the processor is expressly excluded from the concept of third parties
 
exempt. Art. 4 Z 8 GDPR in turn defines the term processor.
 
And a responsible person is characterized by the fact that she alone or together with
others about the purposes and means of processing personal data
 
decides (Art. 4 Z 7 GDPR).
 
 
In the present case, the party involved determines the purposes and means of the
Processing, as can be seen from the submitted by her, with the XXXX on XXXX .2018
 
concluded contract results.
 
 
Art. 28 GDPR then regulates the specific processing by a processor.
 
Regarding the question of privileging the examination of the lawfulness of the processing
 
by the processor compared to other data processing is in the - 21 -
 
 
Literature The following stated [cf. on the following paragraphs Bogendorfer in Knyrim,
DatKomm Art 28 GDPR margin nos. 23 - 28 (status 1.10.2018, rdb.at)]:
 
 
“A comparable distinction in relation to the data flows between the different
 
Actors in data processing as in DSG 2000 and correspondingly clear privileges
does not include the GDPR. It summarizes all processing steps in a flat rate and without further
 
Differences in the definition of "processing" in Art 4 Z 2 together and understands
 
including “any operation performed with or without the aid of automated processes, or
any such series of operations related to personal data such as collecting,
 
collecting, organizing, arranging, storing, adapting or
 
Modification, reading, querying, use, disclosure by
transmission, distribution or any other form of provision, comparison or
 
association, restriction, deletion or destruction”. lack of differentiation
 
within the very broad disclosure options mentioned in Art 4 Z 2 (transmission,
dissemination or other form of provision) and in the absence of inclusion of the
 
Order processing in the canon of the legal basis according to Art. 6 and 9
 
the question of whether the "privileging" of the data flow between the person responsible and the
Processor has ceased to exist and there is now a legal basis for this
 
got to. However, the majority of opinions in the literature see this differently
Interpretation approaches differently and considers its own justification for the
 
Data transfer to the processor still not required for:
 
 
It is argued that Art 28 can be understood as an independent power norm.
 
On the other hand, it is critically noted that types 6 and 9 have a final character
 
and no indication of the possibility of expanding what is standardized there
 
canons of legality exist.
 
Based on a systematic and teleological view, [...] in the literature
 
rightly noted that Art 28 is geared precisely to the fact that when
 
processing process, there is a close bond between the controller and the processor
is produced, for which as compensation there is a "release" from the requirement of
 
existence of a legal basis should take place. The Disclosure
 
personal data by transmission iSd Art 4 Z 2 therefore only mean the transfer
to third parties within the meaning of Art 4 Z 10 and not to every recipient. The risk of losing control of
 
Articles 28 and 29 do not specify who is responsible. The same thing pursued with the GDPR - 22 -
 
 
If a
legal basis cannot be achieved.
 
 
From systematic considerations it is argued that the requirement for a
 
Legal basis of data flow between a controller and a
Processor puts the processor on an equal footing with a controller
 
would effect, whereas Art 28 para. 10 with the decision attribution
 
Purpose and use of means of data processing (see margin nos. 6 and 8).
 
The approach that data processing by a processor on the basis of a
 
Balancing interests according to Art. 6 Para. 1 lit f is permissible, can be used as an argument for a
 
"privileged" data flow between controller and processor
convince, since there is already a separate legality check of the data transmission
 
the processor takes place. From a practical point of view, it is used for non-sensitive data
 
regularly be correct that the balancing of interests the legality of the
Data flow to the processor results. For special personal information
 
Art 9, however, there is no possibility of weighing up interests, which is why in these cases
 
order processing is then not possible without special justification in accordance with Article 9
is. A linguistic approach that Art 28 as a general weighing up of interests also in the case of special
 
The GDPR does not indicate whether personal data can be evaluated.
 
Another approach in the literature guides the "privileging" of order processing
 
convincing from the definitions of data processing (Art 4 Z 2), the person responsible
 
(Art 4 Z 7), the processor (Art 4 Z 8), the recipient (Art 4 Z 9) and the third party (Art
4 Z10). Both data transmission to the processor are disclosed
 
to a recipient, but no transmission within the meaning of Art 4 Z 2 takes place, as this indicates the existence
 
of a "third party" in accordance with Art 4 Z 10 and the processor is not such.
 
According to Art. 4 Z 9, the "recipient" is defined as "a natural or legal person, authority,
 
Institution or other body to which personal data is disclosed, independent
 
whether it is a third party or not [...]," defined. [...]
 
A third party iSd Art 4 Z 10 is a natural or legal person, authority, institution or
 
other body, apart from the data subject, the person responsible, the processor
 
and the persons who are under the direct responsibility of the person responsible or the
processors are authorized to process the personal data. - 23 -
 
 
"Receiver" can be understood as an umbrella term that includes all actors
The data subject itself includes, while the definition of "third party" includes a partial exclusion from the
 
includes the group of recipients in that, in addition to those affected, it also includes the (original)
 
Those responsible, the processors and those under their immediate
Authorized persons (e.g. employees or sub-processors) are not responsible
 
assigned to the group of third parties. Because the processor by definition
 
personal data only processed on behalf and is not a third party within the meaning of Art 4 Z 10, he is
fictitious an "internal" recipient who has no personal competence in using the
 
transmitted data and who is bound by instructions. Data processing can
 
therefore be evaluated as a uniform processing operation, for which only one
uniform legality check is required. This unified view is
 
permissible because the broad definition of the term processing in Art 4 Z 2 is not only isolated
 
individual processes, but also a series of processes. The justification of
Order processing follows accessory to the reason for permission of the underlying
 
Processing by the person responsible. The processor is due to the close
 
According to Art. 29, only the “alter ego” of the responsible person is bound by instructions
"extended arm".
 
 
This argument is also found in the Article 29 Working Party's Opinion on the
terms "controller" and "processor".


Support. The controller and the processor become
(3. Processing by a processor shall be carried out on the basis of a contract or other legal instrument under Union or Member State law binding the processor in relation to the controller and specifying the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects and the obligations and rights of the controller. That contract or other legal instrument shall in particular provide that the processor shall


regarded as the "inner circle of data processing" and not as a third party. The legality
(a) process the personal data only on the documented instructions of the controller, including in relation to the transfer of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject, in which case the processor shall communicate those legal requirements to the controller prior to the processing, unless the law in question prohibits such communication on grounds of substantial public interest;
the data processing activity of the processor is determined by the order placed by the


responsible. The processor is ultimately functional with a
(b) ensures that the persons authorised to process the personal data have committed themselves to confidentiality or are subject to an appropriate legal obligation of secrecy;


Comparable to employees of the person responsible, who differ from this through his
(c) takes all necessary measures in accordance with Article 32;
organizational autonomy differs: it is up to the person responsible


decide whether to carry out data processing within his organization or entirely
(d) complies with the conditions for using the services of another processor referred to in paragraphs 2 and 4;


or partially delegated to external organizations.”
(e) in view of the nature of the processing, assists the controller, where possible, with appropriate technical and organisational measures, in complying with its obligation to respond to requests for the exercise of the data subject's rights referred to in Chapter III;


Similarly also Bertermann in Ehmann/Selmayr, DS-GVO2, K5 to 7 to Art 28:
(f) taking into account the nature of the processing and the information at its disposal, assists the controller in complying with the obligations referred to in Articles 32 to 36;


(g) upon completion of the provision of the processing services, either erase or return, at the controller's choice, all personal data, unless there is an obligation under Union or Member State law to retain the personal data;


"Therefore, only the understanding remains, order processing as a permissible means of
(h) provide the controller with all necessary information to demonstrate compliance with the obligations laid down in this Article and allow and contribute to audits, including inspections, carried out by the controller or another auditor appointed by the controller.


Processing to understand which is the controller under the premise of
With regard to point (h) of the first subparagraph, the processor shall inform the controller without undue delay if it considers that an instruction infringes this Regulation or other Union or Member State data protection provisions.
Compliance with the requirements of Art. 28 may be used. If the processing itself after a


of the conditions specified in Art. 6 Para. 1 is lawful, the person responsible can
(Where the processor uses the services of another processor to carry out certain processing activities on behalf of the controller, the same data protection obligations as those laid down in the contract or other legal instrument between the controller and the processor referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal instrument in accordance with Union or Member State law, in particular providing sufficient guarantees that appropriate technical and organisational measures will be implemented in such a way that the processing will be carried out in accordance with the requirements of this Regulation. Where the other processor fails to comply with its data protection obligations, the first processor shall be liable to the controller for compliance with the obligations of that other processor.
or use several processors according to his instructions. In this respect, it is significant


that the factually identical definition of "processing" in Art. 2d DS-RL and Art. 4 No. 2 DS- - 24 -
(5) - (6) [...]


The relevant provisions of the Postal Market Act (PMG), read (in extracts):
Universal service


GMO as processing not only isolated individual processes, but also a series of processes
Definition and scope
knows. Therefore, if processing is not considered at the micro level, but at the


At macro level, an order processing can be considered part of the processing
§ 6. (1) - (7) [...]


let understand. However, the prerequisite is always that a transmission only to
(8) The universal service operator shall be obliged to further develop the universal service in accordance with the needs of users and to contribute to securing the provision of postal services and to the further development of the universal service by means of appropriate measures and proposals. In this context, longer opening hours, better accessibility and all possibilities of securing locations, in particular through externally operated post offices, shall be examined in particular.
processors bound by instructions. Once a transmission to a third party


takes place, the framework of the permissible means of processing is breached and it is required
(9) [...]


a separate legal basis for the transfer."
Obligations of postal service providers


For the present case, this means against the background that a contract between the
§ 32. (1) - (2) [...]


involved party and the XXXX, in which the order is clearly defined
(3) Postal service providers shall establish a complaints management system so that users can raise disputes or complaints.


is (customer satisfaction surveys) that there is in any case a contractual relationship. The XXXX
(4) - (5) [...]
became an "extended arm" and thus as a processor for the party involved


active. The order processing that has taken place is therefore part of the processing by the
(6) Postal service providers shall publish at least annually comparable, adequate and up-to-date information on the quality of their services, in particular the transit times of the mail carried, using the methodology set out in ÖNORM EN 13850, and shall disclose this information to the regulatory authority upon request in paper and electronically processable form prior to publication.


To see the responsible persons themselves and the legality of the same according to Art. 6 DSGVO
2. application of the legal bases to the complaint in question:
check.


The subject matter of the complaint is the question whether the co-operating party violated the complainant's right to confidentiality by transmitting the complainant's contact details (name and mobile phone number) to XXXX, which subsequently used these data for the purposes of a customer satisfaction survey.


As the data protection authority correctly explains in the contested decision, the
2.1 Regarding point 1 of the contested decision: Rejection of the data protection complaint due to the unlawful setting of cookies:


involved party based on Art. 6 Para. 1 lit. c GDPR, according to which the processing for
In the contested decision, the data protection authority stated that the complainant's submission of XXXX.2019 on the basis of the complaint of XXXX.2018, which initiated the proceedings, concerning the unlawful setting of cookies constituted a substantial amendment of the application within the meaning of Section 13 (8) AVG and that the submission had therefore to be rejected in this respect. However, the submission had been taken as an opportunity to initiate a separate data protection complaint procedure.
Compliance with a legal obligation is required. This results from §§ 32 para.


3 and 6 para. 8 PMG, which on the one hand provide for the establishment of a complaints management system
According to section 13 (8) AVG, an amendment of the application is only admissible if it does not change the substance of the matter, whereby the legislator deliberately accepted the vagueness of this term. However, the AB emphasise that the law is amendment-friendly, so that in case of doubt, an amendment of the application that changes the essence is not to be assumed.
and on the other hand to take appropriate measures to improve quality


of the services offered as part of the universal service, namely postal delivery
However, an amendment to an application is said to affect the essence of the matter and therefore continue to be inadmissible in any case if it is not in fact an amendment to the original application but a new, "different project", i.e. if the project acquires a different quality in the light of the applicable substantive laws (see Hengstschläger/Leeb, AVG § 13 Rz 45 (as of 1.1.2014, rdb.at)).


oblige. Likewise, the assessment of the data protection authority is to be followed,
In the case at hand, the original data protection complaint of XXXX 2018, which exclusively referred to the violation of the right to confidentiality by the transmission of the complainant's contact data to XXXX and the use of the same by XXXX for the purpose of a customer satisfaction survey, underwent a substantial amendment in the meaning of section 13(8) AVG by the submission of XXXX 2019, which dealt with the unlawful setting of cookies by the co-participating party. The complainant's supplementary submission concerning cookies in his statement of XXXX 2019 affects the essence of the subject-matter of the proceedings as presented in the complaint of XXXX 2018, insofar as it goes far beyond this and concerns a new, different, supplementary submission and thus a new - different - subject-matter of the complaint.
that the disclosure of the complainant's name and telephone number to the


Processor was required within the meaning of the provision, namely to fulfill her order,
Against this background, the rejection of the data protection complaint regarding the setting of cookies by the data protection authority was correct.


determining customer satisfaction.
Moreover, in light of the fact that further proceedings were opened by the data protection authority with regard to the complainant's supplementary - new - allegations concerning cookies, there is no lack of legal protection with regard to this point of the complaint.


The procedural processing of the personal data of the
2.2 Regarding point 2 of the contested decision: dismissal of the data protection complaint with regard to the asserted violation of the right to confidentiality pursuant to section 1 of the Data Protection Act:


Complainant was therefore lawful, which is why the dismissal of the complaint by the
In the data protection complaint, the complainant alleged that the co-participating party had unlawfully disclosed his name and telephone number to a "third party", the XXXX , and had thus breached confidentiality obligations.


Data Protection Authority in this regard was right.
It is undisputed that a name and a telephone number are personal data of the complainant according to Art. 4(1) of the GDPR, which were also processed (i.e. transmitted, provided) according to Art. 4(2) of the GDPR.


2.3. Regarding point 3 of the contested decision: rejection of the application for
The question therefore arises as to whether the data processing carried out by XXXX for the customer satisfaction survey constitutes processing by third parties.


Imposition of a fine:
In Art. 4(10) of the GDPR, the processor is explicitly excluded from the term "third party". Art. 4 no. 8 DSGVO in turn defines the term "processor". And a controller is characterised by the fact that it alone or jointly with others decides on the purposes and means of the processing of personal data (Art. 4 Z 7 DSGVO).


In the present case, the involved party determines the purposes and means of the processing, as can be seen from the contract it submitted and concluded with XXXX on XXXX .2018.


In his data protection complaint dated XXXX .2018, the complainant stated that §
Article 28 of the GDPR then regulates the specific processing by a processor.
62 Para. 1 Z 2 DSG, thus the regulation on the imposition of administrative penalties,


applicable is what the data protection authority in the contested decision as an application
With regard to the question of privileging the examination of the lawfulness of the processing by the processor compared to other data processing, the following is stated in the literature [cf. on the following paragraphs Bogendorfer in Knyrim, DatKomm Art 28 DSGVO Rz 23 - 28 (as of 1.10.2018, rdb.at)]:
imposed a fine on the party involved. - 25 -


"The GDPR does not contain a comparable distinction in terms of data flows between the different actors of a data processing as in the DSG 2000 and correspondingly clear privileges. It summarises all processing steps across the board and without further distinctions in the definition of "processing" in Article 4(2) and understands it to mean "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction". In the absence of differentiation within the very broad disclosure options mentioned in Art 4(2) (transmission, dissemination or other form of making available) and in the absence of an inclusion of commissioned processing in the canon of lawfulness bases according to Art 6 and 9, the question arises whether the "privileged status" of the data flow between the controller and the processor has ceased to exist and whether there must now be a lawfulness basis for it. The predominant opinion in the literature, however, sees this differently according to different interpretation approaches and still considers a separate justification basis for the data transfer to the processor to be unnecessary:


In line with this, the complainant also referred to the
It is argued that Art 28 can be understood as an independent authorisation norm.


from his point of view, the admissibility of imposing an administrative fine against the
On the other hand, it is critically noted that Art 6 and 9 have a conclusive character and that there are no indications that the canon of lawfulness standardised there can be extended.
related party reference. There is therefore no doubt that the request of


complainant to the imposition of an administrative fine against the co-involved
From a systematic and teleological point of view, [...] the literature rightly notes that the very ratio of Article 28 is geared towards establishing a close relationship between the controller and the processor in the processing operation, for which, as compensation, an "exemption" from the requirement of the existence of a lawful basis is to take place. The disclosure of personal data by means of transfer as defined in Article 4(2) therefore only means the transfer to third parties as defined in Article 4(10) and not to every recipient. The risk of a loss of control by the controller is not given by Art 28 and 29. The objective of facilitating the flow of data, which is also pursued by the GDPR (cf. recital 10), would not be achieved if a basis of lawfulness were required.


party is directed.
For systematic reasons, it is argued that the requirement of a lawful basis for the flow of data between a controller and a processor would put the processor on an equal footing with a controller, whereas Art 28(10), with its allocation of decisions on the purpose and use of resources for data processing (see recitals 6 and 8), speaks against this.


However, as the data protection authority correctly explained in the contested decision, a
The approach that data processing by a processor is permissible on the basis of a balancing of interests according to Art 6 (1) (f) is not convincing as an argument for a "privileged" data flow between the controller and the processor, since here there is already a separate lawfulness check of the data transfer to the processor. From a practical point of view, it will regularly be true for non-sensitive data that the balancing of interests results in the lawfulness of the data flow to the processor. For special personal data according to Art 9, however, there is no possibility of a balancing of interests, which is why in these cases commissioned processing is not possible without a special justification according to Art 9. A linguistic approach that Art 28 can be evaluated as a general balancing of interests also in the case of special personal data is not to be found in the GDPR.


subjective right to initiate administrative penal proceedings against a
Another approach in the literature convincingly derives the "privileging" of commissioned processing from the definitions of data processing (Art 4(2)), controller (Art 4(7)), processor (Art 4(8)), recipient (Art 4(9)) and third party (Art 4(10)). In the case of data transfer to the processor, there is disclosure to a recipient, but no transfer within the meaning of Art 4(2), as this requires the existence of a "third party" pursuant to Art 4(10) and the processor is not such a third party.


Responsible_nneither from Article 77 paragraph 1 GDPR nor from Article 24 paragraph 1 and 5 GDPR.
The "recipient" is defined in Art 4(9) as "a natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether or not it is a third party [...]". [...]
The principle of ex officio according to Section 25 (1) of the VStG applies. So basically


no one has a legal claim that someone for whatever reason in
A third party within the meaning of Article 4(10) is a natural or legal person, public authority, agency or other body, other than the data subject, the controller, the processor and the persons who are authorised to process the personal data under the direct responsibility of the controller or the processor.


prosecution is taken. The authority has both in the initiation and in the
Recipient" can be understood as an umbrella term encompassing all actors other than the data subjects themselves, while the definition of "third party" implies a partial exclusion from the group of recipients by not including, in addition to the data subjects, the (original) controller, the processor and the persons authorised to act under their direct responsibility (e.g. employees or sub-processors) among the group of third parties. Since the processor, by definition, only processes personal data on behalf of the controller and is not a third party within the meaning of Article 4(10), he is notionally an "internal" recipient who has no authority of his own in the use of the transferred data and is bound by instructions. The data processing can therefore be regarded as a single processing operation for which only a single lawfulness check is required. This uniform approach is permissible because the broad definition of the term "processing" in Article 4(2) recognises not only isolated individual operations, but also a series of operations. The justification of the commissioned processing is accessory to the reason for authorisation of the underlying processing at the controller. The processor is merely the "alter ego" of the controller, its "extended arm", due to the close binding of instructions according to Article 29.
Carrying out the administrative penal proceedings ex officio (cf. Fister in


Lewisch/Fister/Weilguni, VStG § 25 Rz 3f (as of May 1st, 2017, rdb.at)).
This argument also finds support in the Article 29 Working Party's opinion on the terms "controller" and "processor". The controller and processor are seen as the "inner circle of data processing" and not as third parties. The lawfulness of the data processing activity of the processor is determined by the mandate given by the controller. The processor is ultimately functionally comparable to an employee of the controller, distinguished from the latter by its organisational autonomy: it is up to the controller to decide whether to carry out a data processing operation within its organisation or to delegate it in whole or in part to external organisations."


Similarly, Bertermann in Ehmann/Selmayr, DS-GVO2, K5 to 7 on Art 28:


Administrative penal proceedings can therefore only be initiated by a person concerned
"Therefore, the only remaining understanding is to understand commissioned processing as a permissible means of processing, which the controller may use under the condition of compliance with the requirements of Art. 28. If the processing itself is lawful according to one of the conditions mentioned in Art. 6(1), the controller may use one or more processors according to his instructions. In this respect, it is significant that the factually identical definition of "processing" in Art. 2d DPA and Art. 4 No. 2 GDPR recognises as processing not only isolated individual operations, but also a series of operations. Therefore, if processing is not considered at the micro level but at the macro level, commissioned processing can certainly be understood as part of processing. However, the prerequisite is always that a transfer only takes place to processors bound by instructions. As soon as a transfer to a third party takes place, the framework of permissible means of processing is breached and a separate legal basis for the transfer is required."
there is no entitlement to initiation.


For the case at hand, against the background that a contract was concluded between the co-operating party and the XXXX in which the mission is clearly defined (customer satisfaction surveys), this means that a contractual relationship exists in any case. The XXXX acted as an "extended arm" and thus as a processor for the co-participating party. The commissioned processing must therefore be seen as part of the processing by the controller itself, and the lawfulness of the same must be examined according to Art. 6 DSGVO.


The rejection by the data protection authority therefore also took place on this point
As the data protection authority correctly states in the contested decision, the party involved can rely on Art. 6(1)(c) of the GDPR, according to which the processing is necessary for compliance with a legal obligation. This arises from sections 32(3) and 6(8) of the PMG, which on the one hand provide for the establishment of a complaints management system and on the other hand oblige the party to take appropriate measures to improve the quality of the services offered in the course of the universal service, namely postal delivery. The assessment of the data protection authority that the disclosure of the name and telephone number of the complainant to the processor was necessary in the sense of the provision, namely in order to be able to fulfil its mandate of determining customer satisfaction, is also to be followed.


Law.
The processing of the complainant's personal data that was the subject of the proceedings was therefore lawful, which is why the data protection authority was right to dismiss the complaint in this regard.


3. Since only legal questions had to be clarified in the procedure, according to § 24 para. 4
2.3 Regarding point 3 of the contested decision: Rejection of the application for the imposition of a fine:


VwGVG to waive the holding of an oral hearing (VwGH,
In his data protection complaint of XXXX 2018, the complainant stated that Section 62 (1) (2) of the Data Protection Act, i.e. the regulation on the imposition of administrative fines, was applicable, which the data protection authority interpreted in the contested decision as an application for the imposition of a fine on the co-participating party.


09/19/2017, Ra 2017/01/0276).
In line with this, the complainant also referred to the admissibility of imposing an administrative fine on the co-participating party in his appeal against the decision. It is therefore beyond doubt that the complainant's request is also directed at the imposition of an administrative penalty on the co-participating party.


Regarding B) Admissibility of the revision:
However, as the data protection authority correctly stated in the contested decision, a subjective right to initiate administrative penal proceedings against a controller can neither be derived from Article 77 (1) of the GDPR nor from Section 24 (1) and (5) of the DPA. The principle of official channels pursuant to Section 25 (1) VStG applies. Accordingly, no one has a legal right to be prosecuted for any reason whatsoever. The authority must proceed ex officio both in initiating and conducting administrative criminal proceedings (cf. Fister in Lewisch/Fister/Weilguni, VStG2 § 25 Rz 3f (as of 1.5.2017, rdb.at)).


Administrative criminal proceedings can therefore only be initiated by an affected person; there is no right to initiation.


According to § 25a Abs. 1 VwGG, the administrative court in the ruling of its knowledge or
The rejection by the data protection authority was therefore also correct on this point.


Pronounce a resolution as to whether the revision is permissible in accordance with Art. 133 Para. 4 B-VG. the
Since only legal questions were to be clarified in the proceedings, the holding of an oral hearing could be waived pursuant to section 24 (4) VwGVG (VwGH, 19.09.2017, Ra 2017/01/0276).
Statement must be briefly justified.


Re B) Admissibility of the appeal:


The revision is permissible according to Art. 133 Para. 4 B-VG because it is at the highest court
Pursuant to section 25a (1) VwGG, the administrative court shall state in the ruling or decision whether the appeal is admissible pursuant to Art. 133 (4) B-VG. The statement shall be briefly substantiated.


Case law, in particular on the qualification of the processor
The appeal is admissible pursuant to Art. 133 para. 4 B-VG because there is a lack of case law of the highest courts, in particular on the qualification of the processor as the "extended arm" of the controller.
Processor as an "extended arm" of the person responsible is missing.


Therefore, the decision had to be made in accordance with the ruling.


It was therefore to be decided accordingly.
</pre>
</pre>

Latest revision as of 17:28, 2 February 2022

BVwG - W211 2231475-1
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 4(2) GDPR
Article 6(1)(c) GDPR
Article 28 GDPR
§ 13(8) AVG
§ 25(1) VStG
Decided: 20.10.2021
Published: 14.01.2022
Parties: anonymous
DSB (Austria)
National Case Number/Name: W211 2231475-1
European Case Law Identifier: ECLI:AT:BVWG:2021:W211.2231475.1.00
Appeal from:
Appeal to:
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (RIS) (in German)
Initial Contributor: Heiko Hanusch

The Federal Administrative Court held that the transmission of personal data from the controller to the processor does not need to be justified under Article 6 GDPR because the processor is to be seen as a mere extension of the controller.

English Summary

Facts

The data subject called the helpline of the Österreichsiche Post AG (Austrian Postal PLC). He gave his phone number to the employee with the request for a callback, thereby stating that he did not want the phone number be given to a third party. Afterwards the data subject was called twice by a market research institute – the processor. The controller and the processor had concluded a processing-contract under Article 28 GDPR.

The data subject filed a complaint with the DSB (Austria) arguing that the transmission of his data (name and phone number) to the processor was illegitimate since he had already denied consent to any form of data sharing with a third party. During these proceedings the data subject amended their submission by also tackling the use of cookies by the controller. The DSB dismissed the complaint.

Holding

The Federal Administrative Court (Bundesverwatungsgericht – BVwG) upheld the decision of the DSB.

The court determined that the processor is to be seen as a dependent extension of the controller (“verlängerter Arm”) (cmp. Article 29 GDPR). If the processing of data is in accordance with Article 6 GDPR, the controller is free to deploy a processor. As a result, the transmission of data from the controller to the processor itself does not need to be justified under Article 6 GDPR.

In the case at hand, the court came to the conclusion that the processing of data by the controller - and therefore also the transmission to the processor - is justified under Article 6(1)(c) GDPR. The controller in this case - the Österreichsiche Post AG - is obliged under national law (§§ 6(8), 32(3) PMG) to provide for a complaint management system to improve their services. According to § 6(8) PMG a postal service must further develop its service in accordance with the needs of users and to contribute to securing the provision of postal services and to the further development of them by means of appropriate measures and proposals. Pursuant to § 32(3) PMG postal service providers must have a complaints management system in place so that users can raise disputes or complaints.

Besides, the court decided the amendment of the data subject’s complaint was inadmissible pursuant to § 13(8) AVG and a data subject has no subjective right to the initiation of administrative fine proceedings under the GDPR and according to § 25(1) VStG.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Saying


W211 2231475-1/9E

IN THE NAME OF THE REPUBLIC!

The Federal Administrative Court, by Judge Barbara SIMMA LL.M. as chairperson and the expert lay judge Margareta MAYER-HAINZ and the expert lay judge Dr. Ulrich E. ZELLENBERG as associate judge, rules on the complaint of XXXX against the decision of the data protection authority of XXXX, Zl. XXXX in closed session:

A)

The complaint is dismissed as unfounded.

B)

The appeal is admissible pursuant to Art. 133 para. 4 B-VG.


Text


Reasons for decision:

I. Course of proceedings:

By data protection complaint of XXXX .2018 (received by the data protection authority on XXXX .2018), the complainant alleged a violation of the right to confidentiality pursuant to section 1 and sections 8 as well as 62 para. 1 line 1 of the Data Protection Act (DSG) by Österreichische Post AG (the co-participating party).

The complainant summarised that although the co-participating party appeared in the form of a "company", it was de facto a state-owned enterprise. On XXXX 2018, the postal customs office received a letter containing goods ordered by the complainant. Due to irregularities in connection with the consignment, the complainant contacted the "hotline" of the involved party on XXXX 2018. He had left his mobile phone number there with the request to call him back, whereby he had expressly requested the involved party not to pass this number on to third parties under any circumstances. This had been expressly assured to him. He was then called back by the other party and was able to resolve the consignment.

On XXXX.2018, he had been called by XXXX. When the complainant specifically asked where the XXXX had obtained his telephone number and name, he was informed by the caller that she had obtained them from the co-operating party for survey purposes. On the same day, he had been contacted by another number, with the caller apparently suppressing the caller ID. After hearing "Do you want to participate in a survey", he immediately hung up.

At no time had he given his consent to the disclosure of his name and telephone number, but had expressly requested that his contact details not be disclosed. There was also no public interest. As he had not been aware of the disclosure of his data, it had not been possible for him to object. The complainant's right under Article 1(1) of the Data Protection Act had therefore been violated. Section 61(1)(2) of the FADP was also applicable in any case.

In its statement of XXXX.2018, the involved party stated in response to this data protection complaint that XXXX was a processor within the meaning of Article 28 of the GDPR. It was therefore not necessary to obtain consent for the data transfer in question. The customer satisfaction survey was not carried out by employees of the involved party, but by an external company. This ensured that the involved party did not receive any personal results of the survey. The data transfer had been carried out in compliance with all provisions of data protection law, in particular Art. 28 ff DSGVO. However, the complaint had been taken as an opportunity to block the complainant from future customer satisfaction surveys.

By letter of XXXX .2018, the data protection authority again invited the involved party to comment. In particular, it was pointed out to the involved party that the mere fact that the company in question was allegedly a processor did not say anything about the lawfulness of the processing.

In its statement of XXXX .2019, the intervening party argued that it was a postal service provider within the meaning of the Postal Market Act (PMG) and also a universal service provider pursuant to Section 12 PMG. In accordance with the obligations assigned to it, it had to establish a complaints management system, publish information on the quality of its services at least once a year (section 32 PMG), present the number of complaints to the regulatory authority (section 6(7) PMG) and further develop the universal service in line with the needs of users and contribute to the further development of the universal service by means of appropriate measures and proposals to ensure the provision of postal services (section 6(8) PMG). In order to adequately fulfil this obligation, the party involved had set up the postal customer service, which had also been used by the complainant.

In order to further develop and publish the quality in accordance with the legal obligation, the survey of users was the most suitable and recognised method. The survey itself was carried out by XXXX as a processor acting within the framework of the agreement according to Article 28 of the GDPR. The purposes and means were specified by the involved party, which meant that XXXX could not be qualified as a third party within the meaning of Article 4(10) of the GDPR. In terms of data minimisation, the third party only receives the telephone number and the name of the person to be interviewed in order to enable a proper approach. The persons to be interviewed would only be contacted once per occasion, and the interview could also be refused at any time. If at all, one could only speak of a barely noticeable impairment.

When customers contacted the postal customer service, they were expressly informed of the information on data protection on the website of the party involved in accordance with Article 13 of the GDPR in the form of a recorded message. This information clearly stated that corresponding surveys could be carried out. Under point 3.2 of the website, market research institutes were listed as possible external service providers. If people contacted the post customer service, it was therefore ensured that they would receive the information pursuant to Article 13 of the GDPR.

There is a certain period of time between contacting the post customer service and being contacted by the XXXX, within which objections can be made. Participation in the survey is therefore voluntary and can be refused at any time. The complainant had only lodged an objection when contacted by XXXX, which was why no survey had taken place.

The establishment of the customer service was based on a legal obligation. A survey had to be carried out to explain the complaints or to check the service. The survey was the most suitable and recognised or only method. The lawfulness of the data processing was therefore based on Article 6(1)(c) of the GDPR.

In addition, the party involved was also acting in the public interest, as it had been entrusted with the basic postal service, including the associated obligation to review/publish/improve quality. Therefore, Article 6(1)(e) of the GDPR was also relevant. In addition, Article 6(1)(f) of the GDPR could also be used as a legal basis. The involved party does not act as an authority in the sense of the ground for exclusion. The interest in the quality review/publication obligation/improvement obligation resulted from the legal requirements of the PMG and was therefore lawful. In this respect, there is a benefit for the party involved as the responsible party, as it can continuously improve its service quality in accordance with the legal requirements, as well as a benefit for the general public, as it receives a better basic service. An interest is considered legitimate, for example, if it is pursued for the purposes of direct advertising or advertising per se or for the processing of market research.

Likewise, the fundamental right of freedom to conduct a business (Art. 16 of the CFR) gives rise to the legitimate interest of the party involved to learn from its customers their assessment of the complaint management in order to subsequently better meet their needs and wishes. Even in the absence of a legal obligation, the processing of personal data in question was therefore lawful. A survey could only be carried out with the contact data used, which meant that the processing was also necessary. The interest of the involved party and the interest of the general public in the data processing outweighed the complainant's interest. Moreover, the contact details were not particularly sensitive data.

A copy of the agreement on commissioned processing pursuant to Article 28 of the GDPR was attached to the submission.

In his letter of XXXX 2019, the complainant made the following comments on the observations of the co-operating party: First of all, he wanted to add that there had been a "blatant" misuse of data by the co-operating party. The co-operating party used inadmissible cookies and "spyware" on its website, as, in particular, an immediate objection was not possible. This was added as a further grievance to the present complaint.

Regarding the statement of the co-participating party, it could be stated that neither § 32 (6) PMG nor § 6 (7) and (8) PMG contained a justification for the transfer of data to third parties. The argument of increasing efficiency would also not justify the transfer of data to third parties. In the course of his request, he had not been provided with any information within the meaning of Article 13 of the GDPR. Whether participation in the survey was voluntary was irrelevant, as the subject of the complaint was the disclosure of data to third parties. At no time had he given his consent, and in particular a call to the "hotline" could not be regarded as such. The market research company was not subject to the supervision of the co-participating party. Moreover, the contract concluded between XXXX and the co-participating party was not applicable in this case, as the co-participating party had explicitly objected to the transfer of data. It would also have to be clarified whether the contract was not per se immoral and unlawful.

In the contested decision of XXXX, the data protection authority rejected the data protection complaint regarding the unlawful setting of cookies (decision point 1). Furthermore, it dismissed the complaint as unfounded (decision point 2.). The complainant's request for the imposition of a fine was rejected (decision point 3).

The data protection authority essentially stated that the complainant's letter of XXXX.2019, based on the complaint of XXXX 2018 initiating the proceedings concerning the unlawful setting of cookies, constituted a substantial amendment of the application within the meaning of section 13(8) AVG, which is why the submission had to be rejected in this respect. However, it had been taken as an opportunity to initiate separate appeal proceedings.

In the present case, the "disclosure" of the complainant's personal data by the involved party to the market research institute had taken place. The subsequent customer satisfaction enquiry by this company had been about the complainant's complaint and had thus been carried out exclusively in the interest of and on behalf of the co-operating party. The pursuit of the market research company's own purposes had not been intended at any time, which meant that the market research company's independent responsibility had to be denied. The "transfer" in question was therefore data processing attributable to the co-participating party.

The complainant's data had not been transferred or disclosed to "third parties", but had been processed by the market research company on behalf of the involved party in accordance with Article 28 of the GDPR. There was no right for data controllers not to use processors. On the basis of the provisions of the PMG, the co-operating party is obliged to set up a complaints management system and to improve the quality of the services offered in the course of the universal service, i.e. postal delivery, by taking appropriate measures, and thus to take certain measures. Even if these provisions do not order the co-operating party to take any specific measures or to process any specific data, it cannot be assumed that the legislator intended to deprive the co-operating party of the possibility to process data, because otherwise the provision would be meaningless.

The handling of a complaint by a client and a customer as well as the quality assurance measures to be carried out were inconceivable without a name and contact address if the data required for this were not allowed to be processed. In the case of name and contact possibility, there was no doubt that the data processing was also necessary to the given minimal extent.

Finally, it was stated that a subjective right to initiate administrative penal proceedings against specific data controllers could not be derived from Art. 77(1) DPA or Art. 24(1) and (5) DPA, and that the principle of official channels pursuant to Art. 25(1) VStG applied. Therefore, administrative criminal proceedings could only be initiated by a data subject; there was no right to initiation.

In his complaint, which was filed in due time, the complainant stated, in so far as it is relevant here, that the data protection complaint concerned the transfer of data to third parties. It was completely irrelevant whether this disclosure was based on contracts under private law or other agreements.

The fundamental right to data protection was a constitutionally protected legal right that could not be overridden by contracts under private law. It was also irrelevant whether the data protection authority wanted to regard a third body as an "extended arm" or not. The complainant had only provided his (then) telephone number in response to a request by the hotline of the other party that it would otherwise not be possible to process the complaint, with the express instruction not to pass it on to third parties. The two companies that had ultimately received these telephone numbers and had contacted the complainant were market research companies whose business purpose was to collect customer requests for advertising purposes. It was not apparent in what way an advertising company could be useful for quality assurance. Sections 6 and 32 of the PMG also did not provide any indication that the co-operating party was thereby authorised to pass on customer data to third parties.

Article 28(2) of the GDPR stipulates that processors may not use other processors without the prior separate or general written consent of the controller. Thus, the transfer of the data to an advertising company had in any case taken place without a basis in data protection law. There was therefore a violation of data protection by the involved party, as it had passed on the complainant's data to a third party company without consent as defined in Article 7 of the GDPR and contrary to an explicit request by the complainant.

In the contested decision, the complaint regarding the inadmissible setting of cookies was also rejected. On the same date, however, the data protection authority had issued an order to remedy the deficiencies, setting a deadline without service, which could therefore not have been complied with, as the matter had been settled immediately. There had therefore already been a violation of the General Administrative Procedures Act insofar as the parties had not been granted a hearing. The use of cookies fell under both the term data processing and the term data transfer. It was therefore incorrect for the data protection authority to assume that the use of cookies by the party involved was not covered by the content of the complaint.

Moreover, the question of an administrative penalty was not pursued further in the contested decision, which again made clear the unwillingness of the data protection authority to deal with certain matters.

II. the Federal Administrative Court considered:

1. findings:

1.1 The complainant contacted the "hotline" of the involved party on XXXX .2018 due to delivery problems in connection with a postal item. There he left his mobile phone number with the request to call him back, whereby he expressly requested the co-participating party not to pass this number on to third parties under any circumstances.

On XXXX .2018, the complainant was called by XXXX. When the complainant specifically asked where the XXXX had obtained his telephone number and name, he was informed by the caller that she had obtained them from the co-operating party for survey purposes. On the same day, the complainant was contacted by another number for survey purposes and the caller had suppressed the caller ID. The complainant ended this call immediately after the other party asked if he wanted to participate in a survey.

1.2 The following contract was concluded between the co-operating party and XXXX on XXXX .2018 (reproduced in extracts):

"AGREEMENT ON A CONTRACT PROCESSING pursuant to Art. 28 of the GDPR.

concluded between

XXXX (hereinafter referred to as the "Controller")

and

XXXX

XXXX (hereinafter "Processor")

1. subject matter of the agreement

a) The scope of duties of the Processor includes the performance of surveys of all kinds and as required, but in particular the performance of the regularly ongoing survey of "Satisfaction with Postal Customer Service".

In the context of this agreement, "personal data" shall be understood to mean those personal data which the controller transfers to the processor in the context of the agreement described in more detail above or the processing of which is instructed to the processor in that agreement.

b) The categories of personal data processed and the categories of data subjects are as follows

persons in accordance with Appendix 1.

2. obligations of the processor

a) The Processor undertakes to process personal data and processing results exclusively within the framework of the written (e-mail sufficient) orders of the Controller. All data processing activities shall take place exclusively in a member state of the European Union.

b) The Processor is not authorised to disclose personal data of the Controller to third parties without the written consent of the Controller. As far as

the Processor is obliged to do so by law, the Processor shall not

the data controller without undue delay in advance.

c) The transfer of personal data to third parties, for which the processor is not legally obliged, requires a written (e-mail sufficient) order from the controller.

d) Personal data may only be processed for the processor's own purposes with the prior written consent of the controller.

e) The Processor undertakes to maintain data secrecy and declares in a legally binding manner that it has obliged all persons entrusted with the data processing to maintain confidentiality prior to commencement of the activity or that they are subject to an appropriate legal obligation of confidentiality. He/she has obliged all persons entrusted with data processing to keep confidential personal data entrusted or accessible to them exclusively on the basis of their professional employment, without prejudice to other statutory confidentiality obligations, insofar as there is no legally permissible reason for transfer/disclosure of the data. In particular, the confidentiality obligation of the persons entrusted with the data processing shall remain in force even after the termination of their employment or their departure from the Processor.

f) The Processor declares in a legally binding manner that it has taken all necessary measures to ensure the security of the Processing pursuant to Art. 32 GDPR. The Processor represents and warrants that it has taken and will continue to take the risk-appropriate technical and organisational measures described and selected in Appendix 2 to protect the Personal Data from accidental or unlawful destruction or loss and to ensure its proper processing and inaccessibility to unauthorised third parties. The Processor undertakes to maintain the technical and organisational measures in the above sense at the state of the art and to update or adapt them in accordance with technical progress or changes in the threat situation.

g) The Processor shall ensure that the Controller is able to fulfil the rights of the data subject pursuant to Chapter III of the GDPR (information, access, correction and deletion, data portability, objection and automated decision-making in individual cases) and taking into account the Austrian Federal Act on the Protection of Individuals with regard to Processing (DSG as amended) within the statutory time limits at any time, shall provide the Controller with all information necessary for this purpose and shall support the Controller in fulfilling the relevant obligations to the best of its ability. If a corresponding request asserting data subject rights is addressed to the processor and if it is evident from the content of the request that the applicant mistakenly believes the processor to be the controller of the processing activity carried out by the processor on behalf of the controller, the processor shall forward the request to the controller without undue delay and inform the applicant thereof, indicating the date of receipt of the request.

h) The Processor shall support the Controller in complying with the obligations set out in Articles 32 to 36 of the GDPR (data security measures, notifications of personal data breaches to the supervisory authority, notification of the person affected by a personal data breach, data protection impact assessment, prior consultation) to the best of its ability. In particular, the Processor undertakes to notify the Controller of any personal data breach without undue delay, but no later than 36 hours after becoming aware of it.

i) The Processor is advised that it must establish a processing directory in accordance with Article 30 (2) of the GDPR.

j)       The Processor undertakes to provide the Controller with the information necessary to monitor compliance with the obligations set out in this Agreement. In particular, the Processor undertakes to provide the Controller with appropriate written evidence of the implementation and effectiveness of the technical and organisational measures described in Annex 2 without undue delay upon the Controller's request. At the request of the controller, the declaration of data secrecy with regard to the person entrusted with the performance of the contract shall also be submitted to the controller in individual cases.

k) With regard to the processing of the personal data provided by the data controller, the data controller shall be granted the right to verify the correctness of the data processing at the data processor's premises by means of qualified employees who are bound to secrecy or by means of a person who is bound to professional secrecy (court-certified expert, etc.). This shall be done during normal office hours and in coordination with the Data Protection Officer of the Processor or another person responsible for data protection.
The data protection officer/person responsible for data protection at the Processor is:
Mr/Mrs

XXXXXXX

l ) The Processor shall be obliged to hand over to the Controller all processing results and documents containing personal data which are the subject matter of the contract after termination of the contract; this shall not affect the storage of the personal data and processing results handed over to the Processor to the extent and for as long as the Processor has to guarantee its performance.

After the expiry of the warranty period, the processor shall delete all personal data which are the subject of the contract or, at the request of the controller, store them securely before the deletion is carried out. This shall apply in particular insofar as the Processor is not obliged to continue to store personal data on the basis of mandatory statutory provisions.

statutory provisions.

Upon request of the controller, the processor shall confirm the deletion of the data in writing.

If the Processor processes the Personal Data in a special technical format, it shall be obliged to release the Personal Data after the termination of the contract either in that format or, at the request of the Controller, in the format in which it received the Personal Data from the Controller or in another commonly used format.

(m) The processor shall inform the controller without undue delay in the event that the processor

(m) The Processor shall inform the Controller without undue delay if the Processor considers that any instruction given by the Controller is in breach of EU or Member State data protection law.

3. sub-processors

a) The Processor shall not be entitled to use a sub-processor without the prior written consent of the Controller.

b) In the event of written consent, the Processor shall conclude the necessary agreements within the meaning of Article 28(4) of the GDPR with the sub-processor. In doing so, it shall be ensured that the sub-processor enters into the same obligations as those incumbent on the processor on the basis of this agreement. The Processor shall provide the Controller with documentary evidence of the transfer of the obligations under this Agreement at any time upon request.

c) If the sub-processor fails to comply with its data protection obligations, the processor shall be liable to the controller for compliance with the obligations of the sub-processor.

d) The Controller gives its consent to the use of the sub-processors named in Annex 3.

4 Duration of the Agreement

The duration of the agreement shall be governed by the contract referred to in point 1a).

x The agreement is concluded for an indefinite period and may be terminated in writing by either party with three months' notice to the end of the month. The possibility of termination without notice for good cause remains unaffected.

Insofar as a service provider agreement under data protection law already exists between the contracting parties with regard to the main service, which is described in more detail in the contract referred to in point 1a), it shall be replaced by the present agreement on commissioned data processing.

5 Other provisions

a) All disputes arising from and in connection with this Agreement shall be subject to the following

Austrian law, excluding the UN Convention on Contracts for the International Sale of Goods and conflict of laws provisions. For all disputes, the competent court for XXXX Vienna shall be agreed.

b) Only what is agreed in writing shall be binding; there shall be no oral collateral agreements. Amendments and supplements to the agreement must be made in writing in order to be valid; this also applies to any waiver of the formal requirement of writing.

c) All rights and obligations arising from this agreement shall pass to any legal successors of both contracting parties.

d) The parties agree to treat the conclusion of this agreement and its contents as confidential. This shall not apply insofar as a party is obliged to disclose this agreement or the contents thereof in accordance with the provisions of this agreement or due to a legal obligation. This shall apply insofar as the present agreement does not contain any provisions to the contrary and no statutory obligations to provide information exist.

e) The Processor undertakes (i) to ensure that its legal representatives, employees and subcontractors used and/or commissioned comply with all applicable statutory provisions in connection with anti-corruption regulations and (ii) to take appropriate measures to ensure compliance with anti-corruption regulations. A breach of anti-corruption regulations entitles the responsible party - without prejudice to other rights of rescission and termination - to terminate the agreement without notice and to assert any claims for damages.

f) Should individual provisions of this agreement be or become invalid or ineffective, the contracting parties shall mutually agree on a valid or effective provision that comes as close as possible to the invalid or ineffective provisions in economic terms.

The invalidity or ineffectiveness of individual provisions shall not affect the validity or effectiveness of the entire contract.

g) This contract shall be drawn up in two originals, one of which shall be given to each contracting party.

h) Annexes 1, 2 and 3 shall be deemed to be integral parts of the contract.

[...]"

In the annex to the present contract, "personal data" (e.g. first and last name) and "contact data" (e.g. telephone number) are mentioned as processed data categories. Employees and customers are named as data subjects. Furthermore, the order processing contract contains technical and organisational measures, including confidentiality and integrity.

1.3 In a letter to the data protection authority dated XXXX.2019, the complainant additionally argued that the involved party was also setting illegal cookies on its website and submitted a data protection complaint to this effect.

2. assessment of evidence:

The findings result from the file in connection with the submissions of the parties, in particular from the submitted contract between the co-participating party and XXXX dated XXXX .2018, and are not disputed.

Legal assessment:

Re A)

1. § 1 of the Federal Act on the Protection of Individuals with regard to the Processing of Personal Data (Data Protection Act - DSG) reads (in excerpts):

(constitutional provision)

Basic right to data protection

§ (1) Everyone has the right to confidentiality of personal data concerning him or her, in particular with regard to respect for his or her private and family life, to the extent that there is an interest worthy of protection. The existence of such an interest shall be excluded if data are not accessible to a claim to secrecy due to their general availability or due to their lack of traceability to the person concerned.

(2) Unless the use of personal data is in the vital interest of the data subject or with his or her consent, restrictions to the right to secrecy shall only be permissible to protect overriding legitimate interests of another, and in the case of interference by a state authority only on the basis of laws which are necessary for the reasons set out in Article 8(2) of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR), Federal Law Gazette No 210/1958. Such laws may only provide for the use of data which, by their nature, are particularly worthy of protection, in order to safeguard important public interests, and must at the same time lay down appropriate safeguards for the protection of the confidentiality interests of the data subjects. Even in the case of permissible restrictions, the encroachment on the fundamental right may only be carried out in the most lenient manner that leads to the objective.

[...]

The relevant provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27.04.2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), read (in extracts):

Article 4 Definitions For the purposes of this Regulation, the term:

1. 'personal data' means any information relating to an identified or identifiable natural person (hereinafter 'data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

(2) 'processing' means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

3. - 6. [...]

(7) 'controller' means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for under Union or Member State law;

(8) 'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

9. [...]

(10) 'third party' means any natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorised to process the personal data;

11. - 26. [...]

Article 6 Lawfulness of processing

(1. Processing shall be lawful only if at least one of the following conditions is met: [...]

(c) processing is necessary for compliance with a legal obligation to which the controller is subject; [...].

Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation in relation to processing to comply with points (c) and (e) of paragraph 1 by specifying more precisely specific requirements for processing as well as other measures to ensure lawful and fair processing, including for other specific processing situations referred to in Chapter IX.

3. The legal basis for the processing operations referred to in points (c) and (e) of paragraph 1 shall be determined by

(a) Union law; or

(b) the law of the Member States to which the controller is subject.

The purpose of the processing shall be specified in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions adapting the application of the provisions of this Regulation, including provisions on the general conditions governing the lawfulness of processing by the controller, the types of data processed, the individuals concerned, the entities to which and the purposes for which the personal data may be disclosed, the purpose limitation, the storage period and the processing operations and procedures that may be applied, including measures to ensure lawful and fair processing, such as those for other specific processing situations in accordance with Chapter IX. Union or Member State law must pursue an objective in the public interest and be proportionate to the legitimate aim pursued. [...]

Article 28 Processors

(Where processing is carried out on behalf of a controller, the controller shall only use processors providing sufficient guarantees that appropriate technical and organisational measures will be implemented in such a way that the processing will comply with the requirements of this Regulation and ensure the protection of the rights of the data subject.

(2. The processor shall not use another processor without the prior specific or general written authorisation of the controller. In the case of a general written authorisation, the processor shall always inform the controller of any intended change to the use or replacement of other processors, giving the controller the opportunity to object to such changes.

(3. Processing by a processor shall be carried out on the basis of a contract or other legal instrument under Union or Member State law binding the processor in relation to the controller and specifying the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects and the obligations and rights of the controller. That contract or other legal instrument shall in particular provide that the processor shall

(a) process the personal data only on the documented instructions of the controller, including in relation to the transfer of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject, in which case the processor shall communicate those legal requirements to the controller prior to the processing, unless the law in question prohibits such communication on grounds of substantial public interest;

(b) ensures that the persons authorised to process the personal data have committed themselves to confidentiality or are subject to an appropriate legal obligation of secrecy;

(c) takes all necessary measures in accordance with Article 32;

(d) complies with the conditions for using the services of another processor referred to in paragraphs 2 and 4;

(e) in view of the nature of the processing, assists the controller, where possible, with appropriate technical and organisational measures, in complying with its obligation to respond to requests for the exercise of the data subject's rights referred to in Chapter III;

(f) taking into account the nature of the processing and the information at its disposal, assists the controller in complying with the obligations referred to in Articles 32 to 36;

(g) upon completion of the provision of the processing services, either erase or return, at the controller's choice, all personal data, unless there is an obligation under Union or Member State law to retain the personal data;

(h) provide the controller with all necessary information to demonstrate compliance with the obligations laid down in this Article and allow and contribute to audits, including inspections, carried out by the controller or another auditor appointed by the controller.

With regard to point (h) of the first subparagraph, the processor shall inform the controller without undue delay if it considers that an instruction infringes this Regulation or other Union or Member State data protection provisions.

(Where the processor uses the services of another processor to carry out certain processing activities on behalf of the controller, the same data protection obligations as those laid down in the contract or other legal instrument between the controller and the processor referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal instrument in accordance with Union or Member State law, in particular providing sufficient guarantees that appropriate technical and organisational measures will be implemented in such a way that the processing will be carried out in accordance with the requirements of this Regulation. Where the other processor fails to comply with its data protection obligations, the first processor shall be liable to the controller for compliance with the obligations of that other processor.

(5) - (6) [...]

The relevant provisions of the Postal Market Act (PMG), read (in extracts):
Universal service

Definition and scope

§ 6. (1) - (7) [...]

(8) The universal service operator shall be obliged to further develop the universal service in accordance with the needs of users and to contribute to securing the provision of postal services and to the further development of the universal service by means of appropriate measures and proposals. In this context, longer opening hours, better accessibility and all possibilities of securing locations, in particular through externally operated post offices, shall be examined in particular.

(9) [...]

Obligations of postal service providers

§ 32. (1) - (2) [...]

(3) Postal service providers shall establish a complaints management system so that users can raise disputes or complaints.

(4) - (5) [...]

(6) Postal service providers shall publish at least annually comparable, adequate and up-to-date information on the quality of their services, in particular the transit times of the mail carried, using the methodology set out in ÖNORM EN 13850, and shall disclose this information to the regulatory authority upon request in paper and electronically processable form prior to publication.

2. application of the legal bases to the complaint in question:

The subject matter of the complaint is the question whether the co-operating party violated the complainant's right to confidentiality by transmitting the complainant's contact details (name and mobile phone number) to XXXX, which subsequently used these data for the purposes of a customer satisfaction survey.

2.1 Regarding point 1 of the contested decision: Rejection of the data protection complaint due to the unlawful setting of cookies:

In the contested decision, the data protection authority stated that the complainant's submission of XXXX.2019 on the basis of the complaint of XXXX.2018, which initiated the proceedings, concerning the unlawful setting of cookies constituted a substantial amendment of the application within the meaning of Section 13 (8) AVG and that the submission had therefore to be rejected in this respect. However, the submission had been taken as an opportunity to initiate a separate data protection complaint procedure.

According to section 13 (8) AVG, an amendment of the application is only admissible if it does not change the substance of the matter, whereby the legislator deliberately accepted the vagueness of this term. However, the AB emphasise that the law is amendment-friendly, so that in case of doubt, an amendment of the application that changes the essence is not to be assumed.

However, an amendment to an application is said to affect the essence of the matter and therefore continue to be inadmissible in any case if it is not in fact an amendment to the original application but a new, "different project", i.e. if the project acquires a different quality in the light of the applicable substantive laws (see Hengstschläger/Leeb, AVG § 13 Rz 45 (as of 1.1.2014, rdb.at)).

In the case at hand, the original data protection complaint of XXXX 2018, which exclusively referred to the violation of the right to confidentiality by the transmission of the complainant's contact data to XXXX and the use of the same by XXXX for the purpose of a customer satisfaction survey, underwent a substantial amendment in the meaning of section 13(8) AVG by the submission of XXXX 2019, which dealt with the unlawful setting of cookies by the co-participating party. The complainant's supplementary submission concerning cookies in his statement of XXXX 2019 affects the essence of the subject-matter of the proceedings as presented in the complaint of XXXX 2018, insofar as it goes far beyond this and concerns a new, different, supplementary submission and thus a new - different - subject-matter of the complaint.

Against this background, the rejection of the data protection complaint regarding the setting of cookies by the data protection authority was correct.

Moreover, in light of the fact that further proceedings were opened by the data protection authority with regard to the complainant's supplementary - new - allegations concerning cookies, there is no lack of legal protection with regard to this point of the complaint.

2.2 Regarding point 2 of the contested decision: dismissal of the data protection complaint with regard to the asserted violation of the right to confidentiality pursuant to section 1 of the Data Protection Act:

In the data protection complaint, the complainant alleged that the co-participating party had unlawfully disclosed his name and telephone number to a "third party", the XXXX , and had thus breached confidentiality obligations.

It is undisputed that a name and a telephone number are personal data of the complainant according to Art. 4(1) of the GDPR, which were also processed (i.e. transmitted, provided) according to Art. 4(2) of the GDPR.

The question therefore arises as to whether the data processing carried out by XXXX for the customer satisfaction survey constitutes processing by third parties.

In Art. 4(10) of the GDPR, the processor is explicitly excluded from the term "third party". Art. 4 no. 8 DSGVO in turn defines the term "processor". And a controller is characterised by the fact that it alone or jointly with others decides on the purposes and means of the processing of personal data (Art. 4 Z 7 DSGVO).

In the present case, the involved party determines the purposes and means of the processing, as can be seen from the contract it submitted and concluded with XXXX on XXXX .2018.

Article 28 of the GDPR then regulates the specific processing by a processor.

With regard to the question of privileging the examination of the lawfulness of the processing by the processor compared to other data processing, the following is stated in the literature [cf. on the following paragraphs Bogendorfer in Knyrim, DatKomm Art 28 DSGVO Rz 23 - 28 (as of 1.10.2018, rdb.at)]:

"The GDPR does not contain a comparable distinction in terms of data flows between the different actors of a data processing as in the DSG 2000 and correspondingly clear privileges. It summarises all processing steps across the board and without further distinctions in the definition of "processing" in Article 4(2) and understands it to mean "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction". In the absence of differentiation within the very broad disclosure options mentioned in Art 4(2) (transmission, dissemination or other form of making available) and in the absence of an inclusion of commissioned processing in the canon of lawfulness bases according to Art 6 and 9, the question arises whether the "privileged status" of the data flow between the controller and the processor has ceased to exist and whether there must now be a lawfulness basis for it. The predominant opinion in the literature, however, sees this differently according to different interpretation approaches and still considers a separate justification basis for the data transfer to the processor to be unnecessary:

It is argued that Art 28 can be understood as an independent authorisation norm.

On the other hand, it is critically noted that Art 6 and 9 have a conclusive character and that there are no indications that the canon of lawfulness standardised there can be extended.

From a systematic and teleological point of view, [...] the literature rightly notes that the very ratio of Article 28 is geared towards establishing a close relationship between the controller and the processor in the processing operation, for which, as compensation, an "exemption" from the requirement of the existence of a lawful basis is to take place. The disclosure of personal data by means of transfer as defined in Article 4(2) therefore only means the transfer to third parties as defined in Article 4(10) and not to every recipient. The risk of a loss of control by the controller is not given by Art 28 and 29. The objective of facilitating the flow of data, which is also pursued by the GDPR (cf. recital 10), would not be achieved if a basis of lawfulness were required.

For systematic reasons, it is argued that the requirement of a lawful basis for the flow of data between a controller and a processor would put the processor on an equal footing with a controller, whereas Art 28(10), with its allocation of decisions on the purpose and use of resources for data processing (see recitals 6 and 8), speaks against this.

The approach that data processing by a processor is permissible on the basis of a balancing of interests according to Art 6 (1) (f) is not convincing as an argument for a "privileged" data flow between the controller and the processor, since here there is already a separate lawfulness check of the data transfer to the processor. From a practical point of view, it will regularly be true for non-sensitive data that the balancing of interests results in the lawfulness of the data flow to the processor. For special personal data according to Art 9, however, there is no possibility of a balancing of interests, which is why in these cases commissioned processing is not possible without a special justification according to Art 9. A linguistic approach that Art 28 can be evaluated as a general balancing of interests also in the case of special personal data is not to be found in the GDPR.

Another approach in the literature convincingly derives the "privileging" of commissioned processing from the definitions of data processing (Art 4(2)), controller (Art 4(7)), processor (Art 4(8)), recipient (Art 4(9)) and third party (Art 4(10)). In the case of data transfer to the processor, there is disclosure to a recipient, but no transfer within the meaning of Art 4(2), as this requires the existence of a "third party" pursuant to Art 4(10) and the processor is not such a third party.

The "recipient" is defined in Art 4(9) as "a natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether or not it is a third party [...]". [...]

A third party within the meaning of Article 4(10) is a natural or legal person, public authority, agency or other body, other than the data subject, the controller, the processor and the persons who are authorised to process the personal data under the direct responsibility of the controller or the processor.

Recipient" can be understood as an umbrella term encompassing all actors other than the data subjects themselves, while the definition of "third party" implies a partial exclusion from the group of recipients by not including, in addition to the data subjects, the (original) controller, the processor and the persons authorised to act under their direct responsibility (e.g. employees or sub-processors) among the group of third parties. Since the processor, by definition, only processes personal data on behalf of the controller and is not a third party within the meaning of Article 4(10), he is notionally an "internal" recipient who has no authority of his own in the use of the transferred data and is bound by instructions. The data processing can therefore be regarded as a single processing operation for which only a single lawfulness check is required. This uniform approach is permissible because the broad definition of the term "processing" in Article 4(2) recognises not only isolated individual operations, but also a series of operations. The justification of the commissioned processing is accessory to the reason for authorisation of the underlying processing at the controller. The processor is merely the "alter ego" of the controller, its "extended arm", due to the close binding of instructions according to Article 29.

This argument also finds support in the Article 29 Working Party's opinion on the terms "controller" and "processor". The controller and processor are seen as the "inner circle of data processing" and not as third parties. The lawfulness of the data processing activity of the processor is determined by the mandate given by the controller. The processor is ultimately functionally comparable to an employee of the controller, distinguished from the latter by its organisational autonomy: it is up to the controller to decide whether to carry out a data processing operation within its organisation or to delegate it in whole or in part to external organisations."

Similarly, Bertermann in Ehmann/Selmayr, DS-GVO2, K5 to 7 on Art 28:

"Therefore, the only remaining understanding is to understand commissioned processing as a permissible means of processing, which the controller may use under the condition of compliance with the requirements of Art. 28. If the processing itself is lawful according to one of the conditions mentioned in Art. 6(1), the controller may use one or more processors according to his instructions. In this respect, it is significant that the factually identical definition of "processing" in Art. 2d DPA and Art. 4 No. 2 GDPR recognises as processing not only isolated individual operations, but also a series of operations. Therefore, if processing is not considered at the micro level but at the macro level, commissioned processing can certainly be understood as part of processing. However, the prerequisite is always that a transfer only takes place to processors bound by instructions. As soon as a transfer to a third party takes place, the framework of permissible means of processing is breached and a separate legal basis for the transfer is required."

For the case at hand, against the background that a contract was concluded between the co-operating party and the XXXX in which the mission is clearly defined (customer satisfaction surveys), this means that a contractual relationship exists in any case. The XXXX acted as an "extended arm" and thus as a processor for the co-participating party. The commissioned processing must therefore be seen as part of the processing by the controller itself, and the lawfulness of the same must be examined according to Art. 6 DSGVO.

As the data protection authority correctly states in the contested decision, the party involved can rely on Art. 6(1)(c) of the GDPR, according to which the processing is necessary for compliance with a legal obligation. This arises from sections 32(3) and 6(8) of the PMG, which on the one hand provide for the establishment of a complaints management system and on the other hand oblige the party to take appropriate measures to improve the quality of the services offered in the course of the universal service, namely postal delivery. The assessment of the data protection authority that the disclosure of the name and telephone number of the complainant to the processor was necessary in the sense of the provision, namely in order to be able to fulfil its mandate of determining customer satisfaction, is also to be followed.

The processing of the complainant's personal data that was the subject of the proceedings was therefore lawful, which is why the data protection authority was right to dismiss the complaint in this regard.

2.3 Regarding point 3 of the contested decision: Rejection of the application for the imposition of a fine:

In his data protection complaint of XXXX 2018, the complainant stated that Section 62 (1) (2) of the Data Protection Act, i.e. the regulation on the imposition of administrative fines, was applicable, which the data protection authority interpreted in the contested decision as an application for the imposition of a fine on the co-participating party.

In line with this, the complainant also referred to the admissibility of imposing an administrative fine on the co-participating party in his appeal against the decision. It is therefore beyond doubt that the complainant's request is also directed at the imposition of an administrative penalty on the co-participating party.

However, as the data protection authority correctly stated in the contested decision, a subjective right to initiate administrative penal proceedings against a controller can neither be derived from Article 77 (1) of the GDPR nor from Section 24 (1) and (5) of the DPA. The principle of official channels pursuant to Section 25 (1) VStG applies. Accordingly, no one has a legal right to be prosecuted for any reason whatsoever. The authority must proceed ex officio both in initiating and conducting administrative criminal proceedings (cf. Fister in Lewisch/Fister/Weilguni, VStG2 § 25 Rz 3f (as of 1.5.2017, rdb.at)).

Administrative criminal proceedings can therefore only be initiated by an affected person; there is no right to initiation.

The rejection by the data protection authority was therefore also correct on this point.

Since only legal questions were to be clarified in the proceedings, the holding of an oral hearing could be waived pursuant to section 24 (4) VwGVG (VwGH, 19.09.2017, Ra 2017/01/0276).

Re B) Admissibility of the appeal:

Pursuant to section 25a (1) VwGG, the administrative court shall state in the ruling or decision whether the appeal is admissible pursuant to Art. 133 (4) B-VG. The statement shall be briefly substantiated.

The appeal is admissible pursuant to Art. 133 para. 4 B-VG because there is a lack of case law of the highest courts, in particular on the qualification of the processor as the "extended arm" of the controller.

Therefore, the decision had to be made in accordance with the ruling.