BVwG - W108 2263948-1/4E: Difference between revisions

BVwG - W108 2263948-1/4E
Court:	BVwG (Austria)
Jurisdiction:	Austria
Relevant Law:	Article 1 GDPR Article 5 GDPR Article 12 GDPR Article 22 GDPR Article 22(2) GDPR Article 34 GDPR § 1 DSG § 56 DSG
Decided:	18.10.2023
Published:
Parties:
National Case Number/Name:	W108 2263948-1/4E
European Case Law Identifier:
Appeal from:
Appeal to:	Not appealed
Original Language(s):	German
Original Source:	BVwG (in German)
Initial Contributor:	Gabriel Frickh

An Austrian Court held that an automatic e-mail account lock by an algorithm due to suspect activity cannot be considered an automated decision producing legal or similarly significant effects on the data subject within the meaning of Article 22(1) GDPR.

English Summary

Facts

A data subject installed at the front door of his house a camera provided by a telecommunications service provider, the controller. After noticing that he no longer received e-mail notifications from the front door camera he contacted the controller and received different and contradictory information about the causes of system's malfunctioning in different occasions. On this basis, he suspected that his personal data had been leaked due to a ransomware attack and again contacted the controller about this. The data subject later found out that his account had been automatically blocked and the controller replied that this occurred because the account had been improperly used.

The data subject was thus certain that he had been subject to a personal data breach, which the controller should have informed him about under Article 12 GDPR in a transparent manner. As a consequence, he believed that this violated his rights under several GDPR provisions, including Article 22 GDPR and filed a complaint with the Austrian DPA (DSB).

However, due to a delay in the procedure, the data subject filed an appeal before the Austrian Federal Administrative Court (Bundesverwaltungsgericht - BVwG) as he claimed that the DSB failed to take a decision within the prescribed time limit.

Holding

On the basis of the submissions of the parties, the BVwG first of all ascertained that there had been no unauthorised access to the data subject's data and that the controller had credibly demonstrated that there had been no hacker attack, hence there had been no violation of Article 12 GDPR, Article 5 GDPR and Article 34 GDPR.

The BVwG instead determined that the blocking of the complainant's email account was set by an algorithm due to unusually high activity as an anti-spam measure. Effectively, the controller had submitted that it noticed a high number of e-mails were being sent from the data subject's account within a short period of time, and suspected a misuse of his account.

As regards the submission of the data subject, that this resulted in a violation of his right not to be subject to automated decision making under Article 22(1) GDPR, the BVwG made the following considerations. First, it held that an e-mail account lock by an algorithm due to unusually high activity neither produced legal effects within the meaning of Article 22(1) GDPR nor did it significantly affect the complainant. As a matter of fact, the BVwG considered this to be a technical and organisational measure to maintain data security and network integrity put in place by the controller and was thus permitted under Article 22(2)(a) GDPR, as necessary for the performance of the contract between them.

The BVwG thus concluded that the controller did not violate any GDPR provisions and the initial complaint was thus unfounded.

Comment

The data protection authority did not make a decision within the statutory period of six months, which is why the complainant lodged a default complaint pursuant to Art. 130 para. 1 no. 3 B-VG. The Federal Administrative Court therefore had to examine whether the data protection complaint was justified and whether the rights of the complainant had been violated.

In addition to this, the judgment does not clarify how the e-mail notification system tied to the front door camera of the data subject can be used to send spam e-mails from his account.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Postal address:
                                                                   Erdbergstrasse 192 – 196
                                                                              1030 Vienna
                                                                       Tel: +43 1 601 49 – 0
                                                                Fax: + 43 1 711 23-889 15 41

                                                             Email: einlaufstelle@bvwg.gv.at
                                                                          www.bvwg.gv.at

                     DECISION DATE

                                 1 8 . 1 0 . 2 0 2 3                            

CASE NUMBER





                                  W108 2263948-1/4E

                IN THE NAME OF THE REPUBLIC!


The Federal Administrative Court has judge Mag. BRAUCHART as chairman
as well as the expert lay judge Dr. FELLNER-RESCH and the expert lay judge

Mag. KUNZ as assessor on the complaint in accordance with Art. 130 Para. 1 Z 3 B-VG

(default complaint) from XXXX due to violation of the decision-making obligation by the
Data protection authority regarding the data protection complaint of March 9, 2022 against the

XXXX rightly recognized:


A)


The data protection complaint is dismissed as unfounded.

B)


The appeal is not permitted in accordance with Article 133 Para. 4 B-VG.









                            Reasons for the decision:


I. Proceedings/facts:

1. On March 9, 2022, the complainant filed a complaint with the data protection authority (appealed

Authority before the Federal Administrative Court) the subject matter of the proceedings, based on Art. 77 - 2 -


General Data Protection Regulation (GDPR) or Section 24 Data Protection Act (DSG),
Data protection complaint against XXXX, a telecommunications services company

(Respondent).


In his data protection complaint, the complainant (so far
relevant to the proceedings):


He has a camera that monitors the private area in front of his front door and a

Send a notification email to his wife and him if people enter the house,
would leave or tamper with the door. On December 5th, 2021 he noticed

that the notification emails from his front gate camera had stopped arriving. He

I then called the respondent's hotline and it was ultimately him
been informed that there was a “glitch” that was being worked on. A day or two

The “glitch” later appeared to be resolved and the emails reached him as usual. About two

Months later, no emails from the camera had arrived again, this time he had them
Respondent contacted via chatbot. Once again he was informed

that a “disruption” existed and it was not clear how long this would last. At the

On February 18, 2022, he sent a registered letter to the respondent and raised suspicions
stated that the “disturbance” was a (reportable) ransomware attack, whereby it was

There was an outflow of personal data. After contacting again
He learned for the first time from the respondent via chatbot that there was a security lock

had been set. As of February 28, 2022, the camera's emails arrived normally again,

On March 4th, 2022 he received an email from the respondent in which
there was a suspicion that the account had been used improperly.

This leads to the conclusion that third parties would have access to his data in this incident

had, but the respondent had not made a proper report
Art. 12 GDPR is made to him. In his opinion, he is within his rights under Article 1 GDPR

or § 1 DSG, Art. 5 DSGVO or § 37 DSG, Art. 12, 22 and 41 DSGVO and Art. 34 DSGVO

or § 56 DSG has been violated. The complainant requested that the
authority determines the violation of his rights.


2. The authority concerned recorded the complaint under the business number

D124.0400/22 and submitted the data protection complaint to on June 20, 2022
Respondent with the request to comment, citing them as violated rights

the right to confidentiality and an automated decision in individual cases
including profiling. - 3 -


3. In a letter dated June 20, 2022, the authority concerned informed the complainant
The status of the proceedings was that his data protection complaint was submitted to the respondent

Opinion has been sent, it will be sent to the complainant and

he would then have the opportunity to make a final statement. After that be it
Notice is provided.


4. On September 2, 2022, the authority concerned found that the (above under point

2. mentioned) request for a statement from the respondent due to a
was not sent due to a shipping error and was sent to the complainant in error

incorrect status of the proceedings had been communicated (see point 3 above).


The relevant authority then sent a letter dated September 2nd, 2022
Data protection complaint from the complainant of the respondent with the

Invitation to comment and further notification to the complainant

to the status of the proceedings.

5. On September 15, 2022, the complainant filed a default complaint in accordance with Article 130

Paragraph 1 Z 3 B-VG due to violation of the decision-making obligation of the authority concerned. The

The complainant stated that the data protection complaint was sent to the on March 9, 2022
the relevant authority was sent, the deadline of six months for the decision

has definitely been exceeded and the authority concerned is therefore in default.

6. The respondent submitted a statement on September 20, 2022

data protection complaint and stated:


The complainant listed a number of different incidents that occurred
temporary outages of the service due to disruptions and in which he

Apparently not with problem solving and the associated communication

was satisfied. An RTR initiated by the complainant
Arbitration proceedings were discontinued in May 2022 without result because

Complainant the one offered by the respondent as a gesture of goodwill

Credit was too small. Concerns about possible unauthorized access
His data was not accessed by the complainant throughout the entire arbitration process

been expressed. There is no violation of the right to secrecy in accordance with Section 1 DSG

given, especially since the respondent wanted to protect the complainant
relevant personal data was always ensured. In the complaint

It is stated that a so-called “ransomware attack is certainly conceivable”. In addition
It is stated that there was no such cyber attack and therefore not - 4 -


was the cause of the disturbances described by the complainant. The
Apart from a number of conjectures, the complainant does not provide any information

only comprehensible indication as to why he was from one (from the

the respondent is responsible for) unauthorized access to his data. What
The blocking of the email account concerns data security and anti-spam measures.

Measures were the reason for this because a very high number of them occurred in a very short period of time

Emails have been sent. Such measures are undoubtedly permissible under the TKG,
as did the RTR in the letter dated July 6, 2017 enclosed by the complainant

execute. On the one hand, this prevents the network from being overloaded, but on the other hand it helps

last but not least, to protect the person affected and other people from abusive behavior
Use of email accounts. As stated in the respondent's terms and conditions

They are used to avoid disruptions to the network and to maintain the integrity of the network

Network is entitled to temporarily not provide services.

There is also no profiling within the meaning of Art. 4 Z 4 GDPR. None were achieved

automated processing of personal data for the purpose of evaluation

personal aspects of the complainant. Anti-spam measures are currently going well
not an evaluation of the person, especially since spam emails usually do not come from one

natural person (the legitimate user of the account), but abusive and
would be caused automatically by unauthorized persons. If through the systems of the

Respondent found that spam was being sent via an account,

internal processes would automatically block the relevant person (temporarily).
Accounts grab. Furthermore, the requirements of Article 22 are also not met

GDPR complied with. Even if one were to incorrectly assume profiling, they still unfold

appropriate technical and organizational measures taken by the respondent
Measures for the purpose of maintaining data security are not legal

effect, but merely a factual effect on the complainant.

For the sake of completeness, it is stated with regard to Art. 22 GDPR that the
Measures to ensure data security in compliance with the

of the contract concluded by the complainant. This has the consequence that even

However, assuming the existence of an automated decision, such a decision is made
is not given because the decision for the fulfillment of the contract is between the

was necessary for the respondent and the complainant.

7. The complainant expressed his views within the framework of the granted hearing

Written statement dated September 27, 2022 on the respondent's statement (so far

relevant to the proceedings) as follows: - 5 -


The respondent refers to one and the same event as a disturbance and as a disturbance
Barrier, although it cannot be both at the same time. The question remains open as to what

because the problem actually was and how it was solved. Art. 5 GDPR requires

requires the respondent to act transparently and in good faith, Article 12
GDPR requires transparent information and communication. The respondent

However, I make contradictory statements. His argument is also based on the

Statements by the respondent herself that the account had been hacked, what if
this is true - would be interpreted as unauthorized access. With a working one

You can access all of your email accounts completely anonymously in your name

set up possible accounts (with a little extra effort, even a bank account in his
create names), blackmail or threaten others. The respondent has it

However, it was not deemed necessary to inform him about this in a GDPR-compliant manner, although

This notification was even provided for in accordance with the respondent's guidelines
would have been. The loss of security that comes with turning off the cameras

is certainly an impairment within the meaning of Art. 22 GDPR, especially if the block is not blocked

is “temporary”, but rather due to the poor implementation of such a thing
decision-making algorithm. For the sake of completeness, it should be mentioned that the

The respondent accused him of “criminal spam activities”, with which this
Decision-making also has a legal component.


8. As a result, the authority concerned submitted in a letter dated December 2nd, 2022

Default complaint including the associated files of the administrative procedure
Federal Administrative Court made a decision and issued an opinion on the matter

from the fact that at the time the default complaint is filed, the decision deadline is

six months had already expired and the default complaint was therefore justified
be. When the complaint was sent to the respondent on March 9, 2022

There was a shipping error, which meant that the complaint was not filed until September 2nd, 2022

had been transmitted. The authority concerned must make the decision within the time specified in Section 16 Para.
1 VwGVG due to the shipping error that occurred as a result

cannot catch up due to the short decision-making period and the complexity of the case,

which is why jurisdiction was transferred ex lege to the Federal Administrative Court.

9. The Federal Administrative Court submitted the default complaint including the notice from the

The statement made by the authority concerned when the file was submitted within the framework of the
Party hearing from the respondent for information and comments.


10. However, the respondent made no further comment. - 6 -


II. The Federal Administrative Court considered:

1. Findings:


It depends on the statements above under point I. about the course of the procedure

(administrative activities) and the facts of the case.

This makes it clear in particular:


It cannot be determined that this is due to a hacker attack on the systems

the respondent – to an outflow of personal data
complainant or to unauthorized interference/access to their data

has come.


Due to unusually high activity in the complainant's email account
a lock is set by an algorithm.


2. Assessment of evidence:


These findings arise from the administrative files.

The respondent credibly demonstrated in the official proceedings that:

There was no hacker attack on their systems during the period in question
Outflow of personal data (of the complainant) or none

unauthorized access to their data has occurred. In comparison, this is exhausting

the complainant's submissions in this regard in merely general statements and
Conjectures about what, according to the case law of the Administrative Court, it comes down to one

amounts to inadmissible exploratory evidence, which the administrative court must record

is not obliged (see VwGH July 19, 2021, Ra 2021/14/0231, VwGH March 18, 2021, Ra
2020/20/0451, each with further references). It cannot therefore be determined that one (of the

contractual relationships between the complainant and the respondent

covered) unauthorized intervention/access - for example in the form of an investigation and/or
Disclosure of the complainant's personal data - took place.


That due to an unusually high level of activity on the email account

The complainant was blocked by an algorithm, as can be seen from the
The respondent's statement and the RTR's letter dated July 6, 2017

the conclusion of the arbitration procedure.


The facts relevant to the decision are therefore established. - 7 -


3. Legal assessment:

3.1. According to Art. 130 Para. 1 Z 3 B-VG, the administrative courts hear complaints

due to violation of the decision-making obligation by an administrative authority.


According to Section 6 BVwGG, the Federal Administrative Court decides by a single judge, if
Federal or state laws do not provide for the decision by the Senate. According to

§ 27 Data Protection Act (DSG) as amended, the Federal Administrative Court decides in proceedings

about complaints against decisions due to violation of the obligation to provide information in accordance with §
24 Paragraph 7 and the data protection authority's decision-making obligation by the Senate. The Senate

consists of a chairman and an expert lay judge from among the

Employers and employees.

The procedure of the administrative courts, with the exception of the Federal Finance Court, is over

the VwGVG, BGBl. I 2013/33 as amended by BGBl. I 2013/122, is regulated (§ 1 leg.cit.). According to Section 58 Paragraph 2

VwGVG, conflicting provisions remain in force at the time of entry into force
of this federal law have already been announced, come into force.


According to § 17 VwGVG, unless otherwise specified in this federal law, this applies

Procedure for complaints in accordance with Art. 130 Para. 1 B-VG with the provisions of the AVG
Exception of §§ 1 to 5 and Part IV, the provisions of

Federal Tax Code - BAO, Federal Law Gazette No. 194/1961, the Agricultural Procedure Act - AgrVG,
Federal Law Gazette No. 173/1950, and the Service Law Procedure Act 1984 - DVG, Federal Law Gazette No. 29/1984,

and otherwise those procedural provisions in federal or state laws

apply analogously, which the authority in the procedure before
Administrative court applied or had to apply previous proceedings

would have.


According to Section 28 Paragraph 1 VwGVG, the administrative court has decided on the legal matter
provided that the complaint is not rejected or the proceedings are discontinued.


3.2. To A)


3.2.1. On the admissibility of the complaint due to violation of the obligation to make a decision
(default complaint) or jurisdiction of the Federal Administrative Court:


Section 24 DSG reads in part: - 8 -


                         “Complaint to the data protection authority
    § 24. (1) Every affected person has the right to lodge a complaint with the
Data protection authority if it considers that the processing of the data concerning it
personal data against the GDPR or against § 1 or Article 2 1st part

violates.
(2) The complaint must contain:
       1. the name of the right deemed to have been violated,
       2. to the extent this is reasonable, the name of the legal entity or body,

       to whom the alleged infringement is attributed (respondent),
       3. the facts from which the violation of the law is derived,
       4. the reasons on which the claim of illegality is based,
       5. the request to establish the alleged infringement and
       6. the information necessary to assess whether the complaint

       is submitted in a timely manner.
    (3) A complaint may include the application on which it is based and a
any response from the respondent. The data protection authority has...
In the event of a complaint, further support will be provided at the request of the person concerned

afford.
    (4) The right to have a complaint dealt with expires if the person who intervenes
not within one year of becoming aware of the adverse event
but no later than three years after the alleged event occurred
took place. Late complaints must be rejected.

    (5) If a complaint proves to be justified, it must be followed. Is a
If the violation is attributable to a person responsible for the private sector, this is the case
to respond to the complainant's requests for information, correction, deletion,
Restriction or data transfer to the extent necessary

in order to eliminate the identified infringement. As far as the complaint turns out not to be
proves justified, it must be rejected.
    (6) A respondent can lodge a complaint before the court until the proceedings have been completed
The data protection authority can subsequently eliminate the alleged legal violation by
corresponds to the complainant's requests. Appears to the data protection authority

If the complaint is found to be irrelevant, it must hear the complainant about it.
At the same time, he should be made aware that the data protection authority
Proceedings will be terminated informally if he does not do so within a reasonable period of time
explains why he at least partially committed the originally alleged infringement
still not considered eliminated. Is such a statement by the

The complainant has changed the nature of the matter (Section 13 Para. 8 AVG), so it is of the
Withdrawal of the original complaint and the simultaneous filing of one
to issue a new complaint. In this case too, the original complaint procedure applies
to stop it informally and to inform the complainant of this. Late

Statements are not to be taken into account.
    (7) The complainant will be contacted by the data protection authority within three
Months from the submission of the complaint about the status and outcome of the investigation
informed.
    (8) Any affected person may refer the matter to the Federal Administrative Court if:

The data protection authority does not deal with the complaint or the person concerned does not
within three months about the status or outcome of the complaint raised
has taken notice. - 9 -


    (9) The data protection authority can - if necessary - appoint official experts
Include procedures.
(10) The following are not included in the decision deadline in accordance with Section 73 AVG:
       1. the time during which the procedure takes place until the final decision is made

       is subject to a preliminary question;
       2. the time during a procedure according to Articles 56, 60 and 63 GDPR.”

According to Section 73 Paragraph 1 AVG, the authorities are obliged if in the

Administrative regulations do not provide otherwise regarding applications from parties (§ 8) and
Appeals without unnecessary delay, but no later than six months after they are received

to issue the notice.


According to Section 8 Paragraph 1 VwGVG, a default complaint can only be made if the
Authority does not resolve the matter within six months, if a shorter or shorter period is required by law

If a longer decision-making period is provided, the decision has not been made within this period. The deadline

begins at the time when the application for a substantive decision is submitted to the statutory authority
has arrived at the designated location. The complaint must be dismissed if the delay

cannot be attributed to the authority's primary fault.


Predominant (“objective”) negligence on the part of the authority can be assumed if:
This is not due to culpable behavior on the part of the party or due to insurmountable obstacles

was prevented from making the decision (see VwGH November 24, 2022, Ra 2022/01/0247, with reference

on VwGH June 19, 2018, Ra 2018/03/0021, mwN).

In the present case, the authority concerned did not respond within six months

The decision on this administrative matter was decided within the deadline and it was not shown that
caused by culpable behavior on the part of the party or by insurmountable obstacles

Decision was hindered, but stated to the contrary that the delay was due to one

is due to shipping errors (caused by the authority concerned).

The late complaint filed on September 15, 2022 therefore turns out to be admissible, which is why

The Federal Administrative Court was now responsible for hearing the data protection complaint

decide (see VwGH September 19, 2017, Ro 2017/20/0001 with reference to VwGH May 27, 2015, Ra
2015/19/0075).


3.2.2. In the matter:


3.2.2.1. Legal situation:

3.2.2.1.1. Art. 4 GDPR reads in part: - 10 -


                                 “Definitions
For the purposes of this Regulation, the term means:
1."personal data" means any information relating to an identified or
  relate to an identifiable natural person (hereinafter “data subject”); as

  A natural person is considered identifiable who, directly or indirectly,
  in particular by assigning it to an identifier such as a name
  identification number, location data, an online identifier or one or more
  special characteristics that express the physical, physiological, genetic,

  psychological, economic, cultural or social identity of that natural person
  are, can be identified;
2. “Processing” means any operation carried out with or without the aid of automated procedures
  or any such series of operations related to personal data such as
  Collecting, recording, organizing, arranging, storing, adapting or

  Change, reading, querying, use, disclosure
  Transmission, distribution or other form of provision, comparison or
  linking, restricting, deleting or destroying;
7. “Responsible person” means the natural or legal person, authority, institution or

  other body which, alone or jointly with others, determines the purposes and means of the
  processing of personal data decides; are the ends and means
  this processing is governed by Union or Member State law
  specified, the responsible person or the specific ones can
  Criteria for its designation according to Union law or the law of the Member States

  be provided;
8. “Processor” means a natural or legal person, authority, institution or
  other body that processes personal data on behalf of the controller;”

3.2.2.1.2. Art. 5 GDPR reads:


                “Principles for the processing of personal data
(1) Personal data must
a) lawfully, in good faith and in a manner favorable to the data subject

  processed in a comprehensible manner (“legality, processing faithfully
  and faith, transparency”);
b) collected for specified, explicit and legitimate purposes and may not be collected in a
  be further processed in a manner that is incompatible with these purposes; one
  Further processing for archiving purposes in the public interest

  scientific or historical research purposes or for statistical purposes
  not deemed incompatible with the original purposes in accordance with Article 89(1).
  (“earmarking”);
c) appropriate and relevant to the purpose and relevant to the purposes of processing

  be limited to the necessary extent (“data minimization”);
d) be factually correct and, where necessary, up to date; it's all of them
  to take appropriate measures to ensure that personal data is stored in relation to
  are incorrect in relation to the purposes of their processing, will be deleted or corrected immediately
  become (“accuracy”);

e) be stored in a form that only allows the identification of the data subjects
  for as long as is necessary for the purposes for which they are processed;
  Personal data may be stored for longer, provided that - 11 -


  personal data subject to the implementation of appropriate technical and
  organizational measures required by this regulation to protect the rights and
  Freedoms of the person concerned are required only for public purposes
  Interested archival purposes or for scientific and historical purposes

  Processed for research purposes or for statistical purposes in accordance with Article 89(1).
  (“storage limit”);
f) processed in a way that ensures appropriate security
  personal data is guaranteed, including protection against unauthorized or

  unlawful processing and accidental loss
  Destruction or accidental damage through appropriate technical and
  organizational measures (“integrity and confidentiality”);
(2) The person responsible is responsible for compliance with paragraph 1 and must
can demonstrate compliance with it (“accountability”).”


3.2.2.1.3. Art. 22 GDPR reads:

            “Automated decisions in individual cases including profiling

(1) The data subject has the right not to rely exclusively on an automated process
to be subject to processing - including profiling - based decision,
which has legal effect on it or which affects it in a similar way
impaired.
(2) Paragraph 1 does not apply if the decision

a) for the conclusion or performance of a contract between the data subject and
it is necessary for the person responsible
b) under Union or Member State law to which the
The person responsible is subject to permissible and appropriate legal provisions
Measures to safeguard the rights and freedoms as well as the legitimate interests of the

contain the data subject or
c) takes place with the express consent of the data subject.
(3) In the cases mentioned in paragraph 2 letters a and c, the person responsible is responsible
appropriate measures to protect the rights and freedoms and legitimate interests

of the person concerned, including at least the right to obtain the
intervention of a person on the part of the person responsible, upon presentation of their own
position and to challenge the decision.
(4) Decisions under paragraph 2 may not be based on special categories
personal data pursuant to Article 9 paragraph 1, unless Article 9 paragraph 2

Letter a or g applies and appropriate measures to protect the rights and
freedoms and the legitimate interests of the data subject.

3.2.2.1.4. Art. 34 GDPR reads:


    “Notification of a personal data breach
                                    affected person
(1) The personal data breach is likely to be high
Risk for the personal rights and freedoms of natural persons

the person responsible notifies the person concerned immediately of the violation.
(2) The notification to the data subject referred to in paragraph 1 describes more clearly
and simple language the nature of the personal data breach and - 12 -


contains at least the information referred to in Article 33(3)(b), (c) and (d).
and measures.
(3) Notification of the data subject in accordance with paragraph 1 is not necessary if
one of the following conditions is met:

a) the person responsible has appropriate technical and organizational resources
Safety precautions have been taken and these precautions have been taken into account by the
Personal data affected by the breach are applied, in particular those caused by
which the personal data for all persons who do not have access to the

personal data is authorized to be made inaccessible, for example by
encryption;
b) the person responsible has ensured through the following measures that the high
Risk to the rights and freedoms of the data subjects referred to in paragraph 1 of all
Probably no longer exists;

c) notification would involve disproportionate effort. In
In this case, a public notice or similar measure shall be made instead
to be carried out so that the persons concerned are informed in a comparably effective manner.
(4) If the person responsible has not already notified the data subject of the violation

has notified the protection of personal data, the supervisory authority can do so at
Taking into account the likelihood of a breach of protection
personal data leads to a high risk from the person responsible
demand that this be done, or it can issue a resolution stating that certain
the conditions specified in paragraph 3 are met.


3.2.2.1.5. Section 1 Paragraph 1 and 2 DSG read:

“(1) Everyone has, especially with regard to respect for their private and
Family life, right to confidentiality of personal data concerning him

Data to the extent that there is a legitimate interest in it. The existence of such
Interest is excluded if data is due to its general availability or
because of their lack of traceability to the person affected
confidentiality claim are not accessible.

(2) To the extent that the use of personal data is not vital
The interests of the person concerned or with their consent are restrictions
The right to secrecy is only required to protect overriding legitimate interests
another is permissible, and in the case of interventions by a state authority only on the basis of
Laws arising from the provisions of Article 8 paragraph 2 of the European Convention for the Protection of the

Human rights and fundamental freedoms (ECHR), Federal Law Gazette No. 210/1958, mentioned reasons
are necessary. Such laws permit the use of data that is, by their nature
are particularly worthy of protection, only to protect important public interests
and at the same time must provide appropriate guarantees for the protection of the

Determine the confidentiality interests of those affected. Even in the case of permissible
The interference with fundamental rights may only be limited in the mildest possible way
leading type.”

3.2.2.2. Applied to the present case, this means the following:

3.2.2.2.1. Regarding the alleged violation of the right to secrecy in accordance with Section 1 Paragraph 1 DSG: - 13 -


The fundamental right to data protection normed in Section 1 Paragraph 1 DSG creates a right to
Confidentiality of personal data. Among them is – from those recognized by law

Limitations aside – the protection of the person concerned from having their data discovered and

the protection against the disclosure of the data collected about him. That's it
If an intervention becomes a violation of fundamental data protection rights, the intervention must be inadmissible

have been. The GDPR and in particular the principles anchored therein are applicable

Interpretation of the right to secrecy must in any case be taken into account (Thiele/Wagner,
Practical commentary on the Data Protection Act [DSG] § 1 Rz 12, 38f, as of February 1, 2022, rdb.at).


First of all, it should be noted that the processing of personal data

Complainant generally within the scope of his contractual relationship
respondent takes place. Therefore, in accordance with Section 1 Paragraph 2 DSG, the consent of the

complainant for processing, a violation of Section 1 DSG in this regard

also not asserted by the complainant.

In the present case, however, it could not be established that - apart from the

Contractual relationship - any unauthorized interference/access to the

personal data of the complainant - for example in the form of an investigation
and/or transfer - has taken place. Any impossibility that gives rise to the claim

To establish facts (positively) (“need of evidence” [VwGH April 20, 1995, 93/09/0408].
At the expense of the applicant, the application must be rejected in this case [idS VwSlg 9721 A/1978;

12,559 A/1987; VwGH November 21, 1991, 89/08/0125 “Burden of proof in the material sense”]; see also

VwGH June 23, 1976, 2209/75; also carnival Rz 879f; Rechberger in Rechberger ZPO § 266 Rz
9 ff).


This also leaves no room for the determination requested by the complainant

Violation of Articles 5, 12 and 34 GDPR. Furthermore, it should be noted that the in
Art. 12 GDPR standardizes the transparency principle (only) on the information according to Art.

13 and 14 GDPR as well as the notifications in accordance with Articles 15 to 22 GDPR (cf.

Jahnel, Commentary on the General Data Protection Regulation Art. 12 GDPR Rz 1f. [Was standing
December 1, 2020, rdb.at]), but not to any information and/or notifications

to which the respondent has contractually committed.


However, even if there is an attack by unknown third parties on the personal email
The complainant's mailbox would have come and third parties would have had access to it

had received the complainant's personal data, this interference would be
The respondent cannot be attributed as the person responsible within the meaning of Art. 4 No. 7 GDPR, especially since - 14 -


This only provides the infrastructure, but the personal data
of the complainant has neither transmitted to third parties nor made it (publicly) accessible.

It has also not emerged that the respondent provided inadequate information

Data security measures to protect the personal data of their customers
would have set.


There is therefore no interference by the respondent with the fundamental right to data protection

complainant. The complainant's data protection complaint arises
therefore as unfounded in this regard.


3.2.2.2.2. Regarding the alleged violation of the law, not an exclusively automated one

To be subject to decision in accordance with Art. 22 GDPR:

According to Art. 22 Para. 1 GDPR, the data subject has the right, not one exclusive

a decision based on automated processing, including profiling

to be subjected to it, which has a legal effect on it or something similar
Significantly impaired.


As examples of legal effect, the Article 29 Working Party provides:

their guidelines for automated individual decision-making and profiling
for the purposes of Regulation 2016/679 approved by the European Data Protection Board

were, such as the termination of a contract, the approval or rejection of
Social benefits, such as family or housing allowances, the refusal of the

Entry into a country or refusal of naturalization called for a significant

Impairment decisions that affect a person's financial situation,
for example, their creditworthiness, decisions that affect access to

Health services affect decisions that affect access to jobs

deny or seriously disadvantage people or decisions that affect the
access to education, for example university admissions (WP251rev.01, 23).


Against this background, it is clear that the complainant

automated decision made (setting of a block by an algorithm
due to unusually high activity on his email account) no legal effect in the sense

Art. 22 Paragraph 1 GDPR or - comparable to the examples presented above

- Represents impairment of the complainant, especially since it is only one
Temporary blocking when sending/receiving emails and this after

Contact with the respondent's customer support within a relatively short period of time
period was also removed again. The (short-term) malfunction of his email - 15 -


Accounts may affect the complainant in his sphere, but in any case
does not constitute a significant impairment of the complainant's situation.


In addition, the automated individual decision is also permitted in accordance with Art. 22 Para. 2 lit. a

GDPR for the fulfillment of the contract between the complainant and the
Respondent necessary, especially since the Respondent according to the

Contractual conditions for network stability and network security and related thereto

must ensure the protection of (the complainant's) personal data, which
guaranteed by automatically setting a block in the event of unusual activities

becomes. There would be no other more effective or less effective means of achieving this goal

intervention means available, especially since the respondent has an individual assessment
and setting a block manually is not possible due to the large number of customer relationships

is reasonable and this would probably not be feasible in fact (cf. again

WP251rev.01, 25).

In the present case, the prohibition of Article 22 Paragraph 1 GDPR does not apply,

which is why the data protection complaint is not justified in this respect.


3.2.3. The alleged violation of rights guaranteed by the DSG and the GDPR
is therefore not available. The procedure also did not reveal that other, not valid

There would be a breach of data protection law for the reasons given. Since the
If the data protection complaint proves to be unfounded, it must be dismissed.


3.3. An oral hearing could be held in accordance with Section 24 Paragraphs 1 and 4

VwGVG is no longer applicable. In the present case, there is no request from the party to carry out one
oral hearing and allows the oral discussion to provide further clarification

Don't expect a legal matter. The need to conduct a negotiation is

also not apparent with regard to Article 6 Para. 1 ECHR and Article 47 GRC. The
The facts relevant to the decision are clarified here. A solution to legal questions is available in

According to the jurisprudence of the ECtHR, an oral hearing is not required. The ECHR and the

GRC do not stand in the way of refraining from an oral hearing here.

To B)


According to Section 25a Paragraph 1 VwGG, the administrative court has in its decision or

to decide whether the appeal is permissible in accordance with Article 133 Para. 4 B-VG. The
The statement must be briefly justified. - 16 -


The present decision does not depend on the resolution of a legal question
fundamental importance. Neither is there a lack of case law

Administrative Court still deviates from the decision in question

case law of the Administrative Court; furthermore is the present one
The case law of the Administrative Court cannot be judged to be inconsistent. It

There are no other indications of the fundamental meaning of the problem to be solved

legal questions.

The present decision does not depend on the resolution of a legal question

fundamental importance. Neither is there a lack of case law

Administrative Court still deviates from the decision in question
case law of the Administrative Court; furthermore is the present one

The case law of the Administrative Court cannot be judged to be inconsistent. It

There are no other indications of the fundamental meaning of the problem to be solved
legal questions. It was therefore necessary to declare that the revision pursuant to Article 133 Para. 4 B-VG

is not permitted.