BVwG - W108 2263948-1/4E
Latest revision as of 09:59, 3 January 2024
| BVwG - W108 2263948-1/4E | |
|---|---|
| Court: | BVwG (Austria) |
| Jurisdiction: | Austria |
| Relevant Law: | Article 1 GDPR; Article 5 GDPR; Article 12 GDPR; Article 22 GDPR; Article 22(2) GDPR; Article 34 GDPR; § 1 DSG; § 56 DSG |
| Decided: | 18.10.2023 |
| Published: | |
| Parties: | |
| National Case Number/Name: | W108 2263948-1/4E |
| European Case Law Identifier: | |
| Appeal from: | |
| Appeal to: | Not appealed |
| Original Language(s): | German |
| Original Source: | BVwG (in German) |
| Initial Contributor: | Gabriel Frickh |
An Austrian court held that an automatic e-mail account lock set by an algorithm because of suspicious activity is not an automated decision producing legal or similarly significant effects on the data subject within the meaning of Article 22(1) GDPR.
English Summary
Facts
A data subject installed, at the front door of his house, a camera provided by a telecommunications service provider, the controller. After noticing that he no longer received e-mail notifications from the front door camera, he contacted the controller and, on different occasions, received differing and contradictory explanations of the cause of the malfunction. On this basis he suspected that his personal data had been leaked in a ransomware attack and contacted the controller again. The data subject later found out that his account had been blocked automatically, and the controller replied that this had happened because the account had been used improperly.
The data subject was therefore certain that he had suffered a personal data breach, about which the controller should have informed him transparently under Article 12 GDPR. He consequently believed that his rights under several GDPR provisions, including Article 22 GDPR, had been violated and filed a complaint with the Austrian DPA (DSB).
However, because the procedure was delayed, the data subject lodged a default complaint before the Austrian Federal Administrative Court (Bundesverwaltungsgericht, BVwG), claiming that the DSB had failed to take a decision within the prescribed time limit.
Holding
On the basis of the parties' submissions, the BVwG first found that there had been no unauthorised access to the data subject's data and that the controller had credibly demonstrated that no hacker attack had taken place; hence there had been no violation of Article 12, Article 5 or Article 34 GDPR.
The BVwG instead found that the complainant's e-mail account had been blocked by an algorithm, as an anti-spam measure, because of unusually high activity. In fact, the controller had submitted that it noticed a high number of e-mails being sent from the data subject's account within a short period of time and suspected that the account was being misused.
As regards the data subject's submission that this violated his right not to be subject to automated decision-making under Article 22(1) GDPR, the BVwG reasoned as follows. First, an e-mail account lock set by an algorithm because of unusually high activity neither produces legal effects within the meaning of Article 22(1) GDPR nor similarly significantly affects the complainant. The BVwG regarded the lock as a technical and organisational measure put in place by the controller to maintain data security and network integrity, and it was thus permitted under Article 22(2)(a) GDPR as necessary for the performance of the contract between them.
The BVwG therefore concluded that the controller had not violated any GDPR provision and that the initial complaint was unfounded.
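The measure the court describes above, an algorithmic and temporary lock on an account that sends unusually many e-mails in a short period, is illustrated by the following Python example. It is an added illustration, not the controller's system and not code from the decision; the thresholds, the account name and the audit format are assumptions. Every lock carries one stated reason and expires on its own, which is the transparency and "temporary" point the data subject disputed.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional

# Hypothetical policy values (constructed for this example; the decision gives no numbers).
MAX_MESSAGES = 50          # more than this many messages ...
WINDOW_SECONDS = 60        # ... within this many seconds triggers a lock
LOCK_SECONDS = 15 * 60     # the lock lifts on its own (a "temporary" lock)


@dataclass
class LockRecord:
    account: str
    locked_at: float
    expires_at: float
    reason: str            # human-readable reason, reused verbatim in every customer reply
    message_count: int


@dataclass
class SendGuard:
    """Per-account sliding-window counter that issues temporary, self-expiring locks."""
    sent: Dict[str, Deque[float]] = field(default_factory=dict)
    locks: Dict[str, LockRecord] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def is_locked(self, account: str, now: float) -> bool:
        lock = self.locks.get(account)
        if lock is None:
            return False
        if now >= lock.expires_at:
            # Expired locks are lifted automatically, and the lift is logged too.
            del self.locks[account]
            self.audit.append(f"{now:.0f} UNLOCK {account} (lock expired)")
            return False
        return True

    def record_send(self, account: str, now: float) -> Optional[LockRecord]:
        """Register one outgoing message. Returns the LockRecord if a lock is (or stays) in force."""
        if self.is_locked(account, now):
            return self.locks[account]
        window = self.sent.setdefault(account, deque())
        window.append(now)
        # Drop timestamps that have fallen out of the sliding window.
        while window and window[0] <= now - WINDOW_SECONDS:
            window.popleft()
        if len(window) > MAX_MESSAGES:
            lock = LockRecord(
                account=account,
                locked_at=now,
                expires_at=now + LOCK_SECONDS,
                reason=(f"{len(window)} messages sent within {WINDOW_SECONDS}s "
                        f"(limit {MAX_MESSAGES}); temporary anti-spam lock, "
                        f"no unauthorised access detected"),
                message_count=len(window),
            )
            self.locks[account] = lock
            self.audit.append(f"{now:.0f} LOCK {account}: {lock.reason}")
            window.clear()
            return lock
        return None

    def status_message(self, account: str, now: float) -> str:
        """The one text that support staff and the account holder both receive, so all channels agree."""
        if not self.is_locked(account, now):
            return f"Account {account}: no lock in force."
        lock = self.locks[account]
        return (f"Account {account}: temporarily locked since {lock.locked_at:.0f}, "
                f"lifts at {lock.expires_at:.0f}. Reason: {lock.reason}")


def demo() -> SendGuard:
    """Constructed traffic: a door camera notifying normally, then a burst that trips the limit."""
    guard = SendGuard()
    for i in range(10):                      # 10 notifications over ~10 minutes: fine
        guard.record_send("camera@example.invalid", 1000.0 + i * 60)
    for i in range(60):                      # 60 messages in 30 seconds: exceeds the limit
        guard.record_send("camera@example.invalid", 2000.0 + i * 0.5)
    return guard
```

Calling `demo()` locks the account at the 51st message of the burst and the audit list shows both the lock with its reason and, once `is_locked` is consulted after expiry, the automatic unlock.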
Comment
The data protection authority did not make a decision within the statutory period of six months, which is why the complainant lodged a default complaint pursuant to Art. 130 para. 1 no. 3 B-VG. The Federal Administrative Court therefore had to examine whether the data protection complaint was justified and whether the rights of the complainant had been violated.
In addition, the judgment does not clarify how the e-mail notification system tied to the data subject's front door camera could have been used to send spam e-mails from his account.
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Postal address: Erdbergstrasse 192 – 196, 1030 Vienna. Tel: +43 1 601 49 – 0. Fax: +43 1 711 23-889 15 41. E-mail: einlaufstelle@bvwg.gv.at, www.bvwg.gv.at

DECISION DATE: 18.10.2023
CASE NUMBER: W108 2263948-1/4E

IN THE NAME OF THE REPUBLIC!

The Federal Administrative Court, with judge Mag. BRAUCHART as chairman and the expert lay judges Dr. FELLNER-RESCH and Mag. KUNZ as assessors, has ruled on the complaint pursuant to Art. 130 para. 1 no. 3 B-VG (default complaint) by XXXX for violation of the decision-making obligation by the data protection authority regarding the data protection complaint of 9 March 2022 against XXXX:

A) The data protection complaint is dismissed as unfounded.

B) The appeal is not permitted pursuant to Art. 133 para. 4 B-VG.

Reasons for the decision:

I. Proceedings/facts:

1. On 9 March 2022 the complainant filed with the data protection authority (the authority concerned before the Federal Administrative Court) the data protection complaint that forms the subject matter of these proceedings, based on Art. 77 GDPR and § 24 DSG, against XXXX, a telecommunications services company (respondent). In his data protection complaint the complainant submitted (as far as relevant to the proceedings): He has a camera that monitors the private area in front of his front door and sends a notification e-mail to his wife and him when persons enter or leave the house or tamper with the door. On 5 December 2021 he noticed that the notification e-mails from his front door camera had stopped arriving. He then called the respondent's hotline and was ultimately informed that there was a "glitch" that was being worked on. A day or two later the "glitch" appeared to be resolved and the e-mails reached him as usual. About two months later, e-mails from the camera again stopped arriving; this time he contacted the respondent via chatbot. Once again he was informed that a "disruption" existed and that it was not clear how long it would last. On 18 February 2022 he sent a registered letter to the respondent and raised the suspicion that the "disruption" was a (reportable) ransomware attack in which personal data had leaked. After contacting the respondent again via chatbot, he learned for the first time that a security lock had been set. As of 28 February 2022 the camera's e-mails arrived normally again; on 4 March 2022 he received an e-mail from the respondent stating that there was a suspicion that the account had been used improperly. This leads to the conclusion that third parties had access to his data in this incident, but the respondent had not made a proper notification to him under Art. 12 GDPR. In his opinion, his rights under Art. 1 GDPR or § 1 DSG, Art. 5 GDPR or § 37 DSG, Art. 12, 22 and 41 GDPR and Art. 34 GDPR or § 56 DSG had been violated. The complainant requested that the authority determine the violation of his rights.

2. The authority concerned recorded the complaint under business number D124.0400/22 and on 20 June 2022 submitted the data protection complaint to the respondent with a request to comment, naming as the allegedly violated rights the right to confidentiality and the right not to be subject to an automated decision in individual cases, including profiling.

3. In a letter dated 20 June 2022 the authority concerned informed the complainant of the status of the proceedings, namely that his data protection complaint had been sent to the respondent for an opinion, that the opinion would be forwarded to him and that he would then have the opportunity to make a final statement, after which a decision would be issued.

4. On 2 September 2022 the authority concerned found that the request for a statement from the respondent (mentioned under point 2) had not been sent because of a shipping error and that an incorrect status of the proceedings had therefore been communicated to the complainant (see point 3). The authority concerned then, by letter dated 2 September 2022, sent the complainant's data protection complaint to the respondent with an invitation to comment and notified the complainant of the status of the proceedings.

5. On 15 September 2022 the complainant filed a default complaint pursuant to Art. 130 para. 1 no. 3 B-VG for violation of the decision-making obligation of the authority concerned. The complainant stated that the data protection complaint had been sent to the authority concerned on 9 March 2022, that the six-month deadline for the decision had definitely been exceeded and that the authority concerned was therefore in default.

6. On 20 September 2022 the respondent submitted a statement on the data protection complaint and stated: The complainant lists a number of different incidents involving temporary outages of the service due to disruptions, with whose resolution and the associated communication he was apparently not satisfied. An RTR arbitration procedure initiated by the complainant was discontinued in May 2022 without result because the complainant considered the credit offered by the respondent as a gesture of goodwill too small. Throughout the entire arbitration procedure the complainant did not express any concern about possible unauthorised access to his data. There was no violation of the right to secrecy under § 1 DSG, especially since the respondent had at all times ensured the protection of the complainant's personal data. The complaint states that a so-called "ransomware attack is certainly conceivable". In response it is stated that there was no such cyber attack and that such an attack was therefore not the cause of the disruptions described by the complainant. Apart from a number of conjectures, the complainant does not provide a single comprehensible indication of why he assumes unauthorised access to his data (for which the respondent would be responsible). As regards the blocking of the e-mail account, data security and anti-spam measures were the reason, because a very high number of e-mails had been sent in a very short period of time. Such measures are undoubtedly permissible under the TKG, as the RTR also set out in the letter dated 6 July 2017 enclosed by the complainant. On the one hand, this prevents the network from being overloaded; on the other hand, it serves not least to protect the person affected and others from abusive use of e-mail accounts. As stated in the respondent's terms and conditions, the respondent is entitled to temporarily withhold services in order to avoid disruptions to the network and to maintain network integrity. Nor is there any profiling within the meaning of Art. 4 no. 4 GDPR: there was no automated processing of personal data for the purpose of evaluating personal aspects of the complainant. Anti-spam measures are precisely not an evaluation of the person, especially since spam e-mails usually do not come from a natural person (the legitimate user of the account) but are caused abusively and automatically by unauthorised persons. If the respondent's systems determine that spam is being sent via an account, internal processes automatically (temporarily) block the account concerned. Furthermore, the requirements of Art. 22 GDPR are not met either. Even if one were incorrectly to assume profiling, the appropriate technical and organisational measures taken by the respondent for the purpose of maintaining data security produce no legal effect, but merely a factual effect on the complainant. For the sake of completeness it is stated with regard to Art. 22 GDPR that the measures to ensure data security are in compliance with the contract concluded by the complainant. Consequently, even assuming the existence of an automated decision, no prohibited decision is given, because the decision was necessary for the performance of the contract between the respondent and the complainant.

7. Within the framework of the hearing granted, the complainant commented on the respondent's statement in a written statement dated 27 September 2022 (as far as relevant to the proceedings) as follows: The respondent refers to one and the same event both as a disruption and as a lock, although it cannot be both at the same time. The question remains open as to what the problem actually was and how it was solved. Art. 5 GDPR requires the respondent to act transparently and in good faith; Art. 12 GDPR requires transparent information and communication. The respondent, however, makes contradictory statements. His argument is also based on the respondent's own statements that the account had been hacked, which, if true, would have to be interpreted as unauthorised access. With a working e-mail account in his name one could anonymously set up all kinds of accounts (with a little extra effort even a bank account in his name) and blackmail or threaten others. The respondent, however, did not consider it necessary to inform him about this in a GDPR-compliant manner, although such notification was even provided for in the respondent's own guidelines. The loss of security that comes with the cameras being switched off is certainly an impairment within the meaning of Art. 22 GDPR, especially as the lock was not "temporary" but rather due to the poor implementation of such a decision-making algorithm. For the sake of completeness it should be mentioned that the respondent accused him of "criminal spam activities", so that this decision also has a legal component.

8. As a result, the authority concerned, in a letter dated 2 December 2022, submitted the default complaint, including the associated files of the administrative procedure, to the Federal Administrative Court for decision and issued an opinion stating that at the time the default complaint was filed the six-month decision deadline had already expired and the default complaint was therefore justified. When the complaint was sent to the respondent on 9 March 2022 there was a shipping error, which meant that the complaint was not transmitted until 2 September 2022. The authority concerned could not make up for the decision within the period specified in § 16 para. 1 VwGVG because of the shipping error, the resulting short decision period and the complexity of the case, which is why jurisdiction passed ex lege to the Federal Administrative Court.

9. The Federal Administrative Court forwarded the default complaint, including the opinion of the authority concerned submitted with the file, to the respondent for information and comment within the framework of the hearing of the parties.

10. The respondent made no further comment.

II. The Federal Administrative Court considered:

1. Findings: Reference is made to the statements above under point I on the course of the procedure (administrative activities) and the facts of the case. In particular, this makes clear: It cannot be determined that, as a result of a hacker attack on the respondent's systems, there was an outflow of the complainant's personal data or unauthorised interference with or access to his data. Due to unusually high activity in the complainant's e-mail account, a lock was set by an algorithm.

2. Assessment of evidence: These findings arise from the administrative files. The respondent credibly demonstrated in the official proceedings that during the period in question there was no hacker attack on its systems, no outflow of personal data (of the complainant) and no unauthorised access to his data. By contrast, the complainant's submissions in this regard are exhausted in merely general statements and conjectures, which, according to the case law of the Administrative Court, amounts to an inadmissible request for exploratory evidence that the administrative court is not obliged to take (see VwGH 19.07.2021, Ra 2021/14/0231; VwGH 18.03.2021, Ra 2020/20/0451, each with further references). It therefore cannot be determined that an unauthorised intervention or access (covered by the contractual relationship between the complainant and the respondent), for example in the form of inspection and/or disclosure of the complainant's personal data, took place. That the complainant's e-mail account was blocked by an algorithm because of unusually high activity follows from the respondent's statement and from the RTR's letter dated 6 July 2017 on the conclusion of the arbitration procedure. The facts relevant to the decision are therefore established.

3. Legal assessment:

3.1. According to Art. 130 para. 1 no. 3 B-VG, the administrative courts hear complaints for violation of the decision-making obligation by an administrative authority. According to § 6 BVwGG, the Federal Administrative Court decides by a single judge unless federal or state laws provide for a decision by a panel. According to § 27 DSG as amended, the Federal Administrative Court decides in proceedings on complaints against decisions for violation of the obligation to provide information under § 24 para. 7 and for violation of the data protection authority's decision-making obligation through a panel. The panel consists of a chairman and one expert lay judge each from the circle of employers and employees. The procedure of the administrative courts, with the exception of the Federal Finance Court, is governed by the VwGVG, BGBl. I 2013/33 as amended by BGBl. I 2013/122 (§ 1 leg. cit.). According to § 58 para. 2 VwGVG, conflicting provisions that had already been promulgated at the time this federal law entered into force remain in force. According to § 17 VwGVG, unless otherwise provided in this federal law, the provisions of the AVG, with the exception of §§ 1 to 5 and Part IV, the provisions of the Federal Fiscal Code (BAO), BGBl. No. 194/1961, the Agricultural Procedure Act (AgrVG), BGBl. No. 173/1950, and the Service Law Procedure Act 1984 (DVG), BGBl. No. 29/1984, and otherwise those procedural provisions in federal or state laws which the authority applied or would have had to apply in the proceedings preceding the proceedings before the administrative court, apply mutatis mutandis to proceedings on complaints under Art. 130 para. 1 B-VG. According to § 28 para. 1 VwGVG, the administrative court must decide the legal matter by decision unless the complaint is rejected or the proceedings are discontinued.

3.2. On A)

3.2.1. On the admissibility of the complaint for violation of the decision-making obligation (default complaint) and the jurisdiction of the Federal Administrative Court:

§ 24 DSG reads in part:

"Complaint to the data protection authority
§ 24. (1) Every data subject has the right to lodge a complaint with the data protection authority if he or she considers that the processing of personal data concerning him or her violates the GDPR or § 1 or Article 2 Part 1.
(2) The complaint must contain: 1. the designation of the right deemed to have been violated, 2. to the extent reasonable, the designation of the legal entity or body to which the alleged infringement is attributed (respondent), 3. the facts from which the violation of the law is derived, 4. the reasons on which the claim of illegality is based, 5. the request to establish the alleged infringement and 6. the information necessary to assess whether the complaint has been submitted in a timely manner.
(3) A complaint may be accompanied by the application on which it is based and any response from the respondent. The data protection authority shall, at the request of the data subject, provide further support in the event of a complaint.
(4) The right to have a complaint dealt with expires if the person concerned does not lodge it within one year of becoming aware of the adverse event, but no later than three years after the alleged event took place. Late complaints must be rejected.
(5) If a complaint proves to be justified, it must be upheld. If a violation is attributable to a controller in the private sector, the controller shall be ordered to comply with the complainant's requests for information, rectification, erasure, restriction or data portability to the extent necessary to eliminate the identified infringement. Insofar as the complaint proves not to be justified, it must be dismissed.
(6) A respondent may, until the proceedings before the data protection authority have been concluded, subsequently eliminate the alleged legal violation by complying with the complainant's requests. If the complaint thereby appears to the data protection authority to have become irrelevant, it must hear the complainant on this. At the same time, he must be made aware that the data protection authority will terminate the proceedings informally if he does not explain within a reasonable period why he still considers the originally alleged infringement to be at least partially not eliminated. If such a statement by the complainant changes the nature of the matter (§ 13 para. 8 AVG), the original complaint is deemed withdrawn and a new complaint simultaneously filed. In this case too, the original complaint procedure is to be terminated informally and the complainant informed thereof. Late statements are not to be taken into account.
(7) The complainant shall be informed by the data protection authority within three months of the submission of the complaint about the status and outcome of the investigation.
(8) Any data subject may refer the matter to the Federal Administrative Court if the data protection authority does not deal with the complaint or has not informed the data subject within three months about the status or outcome of the complaint raised.
(9) The data protection authority may, if necessary, involve official experts in the proceedings.
(10) The following are not included in the decision deadline under § 73 AVG: 1. the time during which the procedure is suspended until the final decision on a preliminary question; 2. the time during a procedure under Articles 56, 60 and 63 GDPR."

According to § 73 para. 1 AVG, the authorities are obliged, unless the administrative regulations provide otherwise, to issue the decision on applications from parties (§ 8) and appeals without unnecessary delay, but no later than six months after their receipt. According to § 8 para. 1 VwGVG, a default complaint may only be filed if the authority has not decided the matter within six months or, where the law provides for a shorter or longer decision period, within that period. The period begins when the application for a substantive decision has reached the authority designated by law. The complaint must be dismissed if the delay is not attributable to the predominant fault of the authority. Predominant ("objective") fault on the part of the authority can be assumed if it was prevented from making the decision neither by culpable conduct of the party nor by insurmountable obstacles (see VwGH 24.11.2022, Ra 2022/01/0247, with reference to VwGH 19.06.2018, Ra 2018/03/0021, mwN). In the present case, the authority concerned did not decide this administrative matter within the six-month period, and it was not shown that the decision was hindered by culpable conduct of the party or by insurmountable obstacles; on the contrary, the authority stated that the delay was due to a shipping error (caused by the authority concerned). The default complaint filed on 15 September 2022 therefore proves admissible, which is why the Federal Administrative Court was now responsible for deciding on the data protection complaint (see VwGH 19.09.2017, Ro 2017/20/0001, with reference to VwGH 27.05.2015, Ra 2015/19/0075).

3.2.2. On the merits:

3.2.2.1. Legal situation:

3.2.2.1.1. Art. 4 GDPR reads in part:

"Definitions
For the purposes of this Regulation: 1. 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; 2. 'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; 7. 'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; 8. 'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;"

3.2.2.1.2. Art. 5 GDPR reads:

"Principles relating to processing of personal data
(1) Personal data shall be: (a) processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency'); (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes ('purpose limitation'); (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation'); (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ('accuracy'); (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ('storage limitation'); (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').
(2) The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability')."

3.2.2.1.3. Art. 22 GDPR reads:

"Automated individual decision-making, including profiling
(1) The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
(2) Paragraph 1 shall not apply if the decision: (a) is necessary for entering into, or performance of, a contract between the data subject and a data controller; (b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or (c) is based on the data subject's explicit consent.
(3) In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
(4) Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place."

3.2.2.1.4. Art.
34 GDPR reads: “Notification of a personal data breach affected person (1) The personal data breach is likely to be high Risk for the personal rights and freedoms of natural persons the person responsible notifies the person concerned immediately of the violation. (2) The notification to the data subject referred to in paragraph 1 describes more clearly and simple language the nature of the personal data breach and - 12 - contains at least the information referred to in Article 33(3)(b), (c) and (d). and measures. (3) Notification of the data subject in accordance with paragraph 1 is not necessary if one of the following conditions is met: a) the person responsible has appropriate technical and organizational resources Safety precautions have been taken and these precautions have been taken into account by the Personal data affected by the breach are applied, in particular those caused by which the personal data for all persons who do not have access to the personal data is authorized to be made inaccessible, for example by encryption; b) the person responsible has ensured through the following measures that the high Risk to the rights and freedoms of the data subjects referred to in paragraph 1 of all Probably no longer exists; c) notification would involve disproportionate effort. In In this case, a public notice or similar measure shall be made instead to be carried out so that the persons concerned are informed in a comparably effective manner. (4) If the person responsible has not already notified the data subject of the violation has notified the protection of personal data, the supervisory authority can do so at Taking into account the likelihood of a breach of protection personal data leads to a high risk from the person responsible demand that this be done, or it can issue a resolution stating that certain the conditions specified in paragraph 3 are met. 3.2.2.1.5. 
Section 1 Paragraph 1 and 2 DSG read: “(1) Everyone has, especially with regard to respect for their private and Family life, right to confidentiality of personal data concerning him Data to the extent that there is a legitimate interest in it. The existence of such Interest is excluded if data is due to its general availability or because of their lack of traceability to the person affected confidentiality claim are not accessible. (2) To the extent that the use of personal data is not vital The interests of the person concerned or with their consent are restrictions The right to secrecy is only required to protect overriding legitimate interests another is permissible, and in the case of interventions by a state authority only on the basis of Laws arising from the provisions of Article 8 paragraph 2 of the European Convention for the Protection of the Human rights and fundamental freedoms (ECHR), Federal Law Gazette No. 210/1958, mentioned reasons are necessary. Such laws permit the use of data that is, by their nature are particularly worthy of protection, only to protect important public interests and at the same time must provide appropriate guarantees for the protection of the Determine the confidentiality interests of those affected. Even in the case of permissible The interference with fundamental rights may only be limited in the mildest possible way leading type.” 3.2.2.2. Applied to the present case, this means the following: 3.2.2.2.1. Regarding the alleged violation of the right to secrecy in accordance with Section 1 Paragraph 1 DSG: - 13 - The fundamental right to data protection normed in Section 1 Paragraph 1 DSG creates a right to Confidentiality of personal data. Among them is – from those recognized by law Limitations aside – the protection of the person concerned from having their data discovered and the protection against the disclosure of the data collected about him. 
That's it If an intervention becomes a violation of fundamental data protection rights, the intervention must be inadmissible have been. The GDPR and in particular the principles anchored therein are applicable Interpretation of the right to secrecy must in any case be taken into account (Thiele/Wagner, Practical commentary on the Data Protection Act [DSG] § 1 Rz 12, 38f, as of February 1, 2022, rdb.at). First of all, it should be noted that the processing of personal data Complainant generally within the scope of his contractual relationship respondent takes place. Therefore, in accordance with Section 1 Paragraph 2 DSG, the consent of the complainant for processing, a violation of Section 1 DSG in this regard also not asserted by the complainant. In the present case, however, it could not be established that - apart from the Contractual relationship - any unauthorized interference/access to the personal data of the complainant - for example in the form of an investigation and/or transfer - has taken place. Any impossibility that gives rise to the claim To establish facts (positively) (“need of evidence” [VwGH April 20, 1995, 93/09/0408]. At the expense of the applicant, the application must be rejected in this case [idS VwSlg 9721 A/1978; 12,559 A/1987; VwGH November 21, 1991, 89/08/0125 “Burden of proof in the material sense”]; see also VwGH June 23, 1976, 2209/75; also carnival Rz 879f; Rechberger in Rechberger ZPO § 266 Rz 9 ff). This also leaves no room for the determination requested by the complainant Violation of Articles 5, 12 and 34 GDPR. Furthermore, it should be noted that the in Art. 12 GDPR standardizes the transparency principle (only) on the information according to Art. 13 and 14 GDPR as well as the notifications in accordance with Articles 15 to 22 GDPR (cf. Jahnel, Commentary on the General Data Protection Regulation Art. 12 GDPR Rz 1f. 
[Was standing December 1, 2020, rdb.at]), but not to any information and/or notifications to which the respondent has contractually committed. However, even if there is an attack by unknown third parties on the personal email The complainant's mailbox would have come and third parties would have had access to it had received the complainant's personal data, this interference would be The respondent cannot be attributed as the person responsible within the meaning of Art. 4 No. 7 GDPR, especially since - 14 - This only provides the infrastructure, but the personal data of the complainant has neither transmitted to third parties nor made it (publicly) accessible. It has also not emerged that the respondent provided inadequate information Data security measures to protect the personal data of their customers would have set. There is therefore no interference by the respondent with the fundamental right to data protection complainant. The complainant's data protection complaint arises therefore as unfounded in this regard. 3.2.2.2.2. Regarding the alleged violation of the law, not an exclusively automated one To be subject to decision in accordance with Art. 22 GDPR: According to Art. 22 Para. 1 GDPR, the data subject has the right, not one exclusive a decision based on automated processing, including profiling to be subjected to it, which has a legal effect on it or something similar Significantly impaired. 
As examples of legal effect, the Article 29 Working Party provides: their guidelines for automated individual decision-making and profiling for the purposes of Regulation 2016/679 approved by the European Data Protection Board were, such as the termination of a contract, the approval or rejection of Social benefits, such as family or housing allowances, the refusal of the Entry into a country or refusal of naturalization called for a significant Impairment decisions that affect a person's financial situation, for example, their creditworthiness, decisions that affect access to Health services affect decisions that affect access to jobs deny or seriously disadvantage people or decisions that affect the access to education, for example university admissions (WP251rev.01, 23). Against this background, it is clear that the complainant automated decision made (setting of a block by an algorithm due to unusually high activity on his email account) no legal effect in the sense Art. 22 Paragraph 1 GDPR or - comparable to the examples presented above - Represents impairment of the complainant, especially since it is only one Temporary blocking when sending/receiving emails and this after Contact with the respondent's customer support within a relatively short period of time period was also removed again. The (short-term) malfunction of his email - 15 - Accounts may affect the complainant in his sphere, but in any case does not constitute a significant impairment of the complainant's situation. In addition, the automated individual decision is also permitted in accordance with Art. 22 Para. 2 lit. 
a GDPR for the fulfillment of the contract between the complainant and the Respondent necessary, especially since the Respondent according to the Contractual conditions for network stability and network security and related thereto must ensure the protection of (the complainant's) personal data, which guaranteed by automatically setting a block in the event of unusual activities becomes. There would be no other more effective or less effective means of achieving this goal intervention means available, especially since the respondent has an individual assessment and setting a block manually is not possible due to the large number of customer relationships is reasonable and this would probably not be feasible in fact (cf. again WP251rev.01, 25). In the present case, the prohibition of Article 22 Paragraph 1 GDPR does not apply, which is why the data protection complaint is not justified in this respect. 3.2.3. The alleged violation of rights guaranteed by the DSG and the GDPR is therefore not available. The procedure also did not reveal that other, not valid There would be a breach of data protection law for the reasons given. Since the If the data protection complaint proves to be unfounded, it must be dismissed. 3.3. An oral hearing could be held in accordance with Section 24 Paragraphs 1 and 4 VwGVG is no longer applicable. In the present case, there is no request from the party to carry out one oral hearing and allows the oral discussion to provide further clarification Don't expect a legal matter. The need to conduct a negotiation is also not apparent with regard to Article 6 Para. 1 ECHR and Article 47 GRC. The The facts relevant to the decision are clarified here. A solution to legal questions is available in According to the jurisprudence of the ECtHR, an oral hearing is not required. The ECHR and the GRC do not stand in the way of refraining from an oral hearing here. 
To B) According to Section 25a Paragraph 1 VwGG, the administrative court has in its decision or to decide whether the appeal is permissible in accordance with Article 133 Para. 4 B-VG. The The statement must be briefly justified. - 16 - The present decision does not depend on the resolution of a legal question fundamental importance. Neither is there a lack of case law Administrative Court still deviates from the decision in question case law of the Administrative Court; furthermore is the present one The case law of the Administrative Court cannot be judged to be inconsistent. It There are no other indications of the fundamental meaning of the problem to be solved legal questions. The present decision does not depend on the resolution of a legal question fundamental importance. Neither is there a lack of case law Administrative Court still deviates from the decision in question case law of the Administrative Court; furthermore is the present one The case law of the Administrative Court cannot be judged to be inconsistent. It There are no other indications of the fundamental meaning of the problem to be solved legal questions. It was therefore necessary to declare that the revision pursuant to Article 133 Para. 4 B-VG is not permitted.