DSB (Austria) - 2023-0.592.319

From GDPRhub

Latest revision as of 09:09, 21 May 2024

DSB - 2023-0.592.319
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 6(1)(f) GDPR
Article 6(1)(a) GDPR
Article 7(3) GDPR
Article 17(1)(a) GDPR
Article 17(3) GDPR
Article 25(1) GDPR
Article 58(2)(c) GDPR
Article 83(4) GDPR
Article 83(5) GDPR
Article 83(6) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 04.01.2024
Published: 17.05.2024
Fine: 12,100 EUR
Parties: n/a
National Case Number/Name: 2023-0.592.319
European Case Law Identifier: ECLI:AT:DSB:2024:2023.0.592.319
Appeal: n/a
Original Language(s): German
Original Source: RIS (in DE)
Initial Contributor: ec

The DPA issued a €12,100 fine against a controller that failed to comply with the orders of the DPA and continued the processing of personal data after an erasure request.

English Summary

Facts

The controller organised a football league. On the controller’s website, there were publicly available player profiles of individuals participating at least once in a match in the league. These profiles included a name, photo, nationality, current season’s yellow and red cards of the player and more. The player profile also stated which games a person had participated in.

The data subject took part in matches in the league organised by the controller. He played his last match on 6 October 2019.

On 23 September 2020, the data subject sent an email to the controller requesting erasure of his personal data. The controller replied that it was unable to comply with the request for statistical reasons.

The data subject then submitted a complaint to the Austrian DPA ("Datenschutzbehörde") on 1 October 2020. The data subject argued that they wanted their data, which was processed publicly and could be found by search engines, to be erased because they no longer played football and therefore had no plans to ever again participate as a player in the football league organised by the controller. The processing of their data was therefore no longer necessary.

The DPA upheld the data subject’s complaint and stated that the controller had violated the data subject’s right to erasure by rejecting their request. The DPA ordered the controller to erase the data subject’s data within three weeks and to refrain from disclosing the data to other parties.

After the three weeks, the name and all match statistics were still available on the player profile of the data subject. Instead of the photo, the player profile displayed an icon image labelled "Not publicly visible". The information "Club", "Year of birth", "Status", "In club since", "Nationality" and "Back number" no longer appeared.

After an appeal, the Federal Administrative Court ("Bundesverwaltungsgericht") also upheld the DPA’s decision on 12 April 2023, which confirmed that the controller needed to erase the data of the data subject. The Federal Administrative Court stated in its decision that the controller is required under Article 25 GDPR to take into account the concept of data protection through technical design. The controller’s argument that the data of data subjects are required for new registrations, transfers and for checking multiple registrations with identical names was, according to the Court, irrelevant if the persons concerned have already left the controller’s association or have not been active players for many years. The controller also ignored this decision.

In a letter dated 2 May 2022, the DPA initiated the administrative criminal proceedings (this case) and requested the controller to justify their actions and explain their financial circumstances. The controller did not reply.

Holding

Firstly, taking into account the Federal Administrative Court’s ruling, the DPA held that the controller breached its obligation under Article 25(1) GDPR by failing to take appropriate technical and organisational measures. These measures should ensure that, in the event of a necessary erasure – whether at the request of a data subject or on its own initiative – personal data of players who participated in at least one match in the controller's league are completely erased from the publicly accessible database on its website.

Secondly, the DPA held that the personal data of the data subject were no longer necessary for the purposes for which they were collected or otherwise processed within the meaning of Article 17(1)(a) GDPR. The controller also failed to provide a specific legal basis under Article 6(1) GDPR for continuing the data processing despite multiple requests from the DPA. The DPA noted that any consent previously granted by the data subject was revoked with the request for erasure in accordance with Article 7(3) GDPR. This also meant that any lawfulness of processing based on the data subject’s consent pursuant to Article 6(1)(a) GDPR ceased to apply.

The DPA held that if the controller relied on a legitimate interest under Article 6(1)(f) GDPR, the rights of the data subject prevailed in the proceeding as the data subject had been out of the controller’s football league for years. There was no reason anymore why the data subject’s data would still be needed for the controller. The interest of the public in the data of a footballer who no longer participates in competitive matches was also considered to be low.

Moreover, the controller did not invoke any exception to the erasure of a data subject’s data under Article 17(3) GDPR, and none emerged from the proceedings. The exception for archiving purposes in the public interest under Article 17(3)(d) GDPR also did not apply according to the DPA, as anonymisation would neither make the results of the games impossible to understand nor seriously impair them. The DPA therefore held that the controller violated Article 17 GDPR by not fully complying with a data subject’s request for erasure.

Thirdly, under Article 58(2)(c) GDPR, the DPA is authorised to order the controller or processor to comply with the data subject’s requests to exercise their rights under the GDPR. In this case, the controller only partially complied with the orders of the DPA. Although the player photo of the data subject and the information "year of birth", "status", "nationality", "at the club since" and "shirt number" were deleted, the name and all other information of the data subject were still publicly available on the controller’s website. Thus, the controller failed to comply with the orders of the DPA under Article 58(2)(c) GDPR.

The DPA held that the controller could not have been unaware of the unlawfulness of its processing as there were numerous official decisions issued against the controller. In the absence of cooperation on the controller's side with regard to its financial situation, the DPA had to estimate it. Taking into account that the controller did not submit a written justification and thereby cooperated with the DPA only to a very limited extent, and the fact that there were no previous relevant violations of the GDPR by the controller, the DPA issued a fine of €12,100 in accordance with Article 83(4) GDPR, Article 83(5) GDPR and Article 83(6) GDPR.

Comment

Both the previous DPA decision with the orders for the controller (D124.3076) and the Federal Administrative Court decision (W252 2246403-1/10E) are not (yet) available on the Austrian case law system or anywhere else online.

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Text

GZ: 2023-0.592.319 of January 4, 2024 (case number: DSB-D550.515)

[Editor's note: Names and companies, legal forms and product names, addresses (including URLs, IP and email addresses), file numbers (and the like), etc., as well as their initials and abbreviations may be abbreviated and/or changed for pseudonymization reasons. Obvious spelling, grammatical and punctuation errors have been corrected.]

Criminal conviction

Accused legal entity: N*** - Football Association (ZVR: *6*7**88*)

The accused legal entity with its registered office in **** T***dorf, J***straße *7 (hereinafter: the accused), as the controller within the meaning of Article 4(7) of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: "GDPR"), OJ No. L 119 of 4 May 2016, p. 1 as amended, has carried out the following acts and thereby committed the following administrative offenses:

I. The accused, as the controller, violated its obligation under Art. 25 (1) GDPR within the federal territory of Austria (“crime scene”) during an unspecified period of time, but in any event from 25 May 2018 to date (“offense period 1”), by failing to take appropriate technical and organizational measures to ensure that, in the event of necessary deletion – either at the request of a data subject or on its own initiative – personal data of players who have participated in at least one game in the league organized by the accused are completely deleted from the publicly accessible database on the website https://www.n***.com/.

II. Furthermore, the accused, as the person responsible, violated Art. 17 GDPR in the period from September 23, 2020 to date (“offense period 2”), within the federal territory of Austria (“crime scene”), by not fully complying with Mr. Roberto B***’s request for deletion dated September 23, 2020. According to Art. 17 Para. 1 GDPR, the data subject had the right to have his data deleted and the accused was obliged to delete the data subject’s personal data immediately. None of the exceptions in Art. 17 Para. 3 GDPR applied in this specific case. The accused continues to process personal data of Mr. Roberto B*** by publishing his personal data on her website at the URL https://www.n***.com/?action=showPlayer&id=*4*6.

III. Finally, in the period from May 11, 2021 to date (“Offense Period 3”), within the federal territory of Austria (“Crime Scene”), the accused failed to comply with the performance order in point 2.b. of the legally binding decision of the Data Protection Authority dated May 10, 2021, GZ: D124.3076, 2021-0.096.835, which was demonstrably served on her on May 11, 2021, by neither deleting the personal data of the data subject nor storing it in an area that is not publicly accessible. As a result, the accused failed to comply with an instruction from a supervisory authority within the meaning of Art. 58, Paragraph 2(c) GDPR.

Administrative offenses according to:

Ad I.: Art. 25 Para. 1 in conjunction with Art. 83 Para. 1 and 4 lit. a GDPR, OJ L 2016/119, p. 1, as amended

Ad II.: Art. 17 Para. 1 in conjunction with Art. 83 Para. 1 and 5 lit. b GDPR, OJ L 2016/119, p. 1, as amended

Ad III.: Art. 58 Para. 2 lit. c in conjunction with Art. 83 Para. 1 and 6 GDPR, OJ L 2016/119, p. 1, as amended

The following penalty is imposed for these administrative offences pursuant to Art. 83 GDPR:

Fine of Euro: € 11,000
According to: Art. 83, paragraph 4, letter a, paragraph 5, letter a and paragraph 6 GDPR

You must also pay according to Section 64 of the Administrative Penal Code 1991 - VStG:

1,100 Euro as a contribution to the costs of the criminal proceedings, which is 10% of the fine, but at least 10 euros;

Euro as reimbursement of cash expenses for

The total amount to be paid (fine/costs/cash expenses) is therefore 12,100 Euro

Payment deadline:

If no appeal is lodged, this penal decision is immediately enforceable. In this case, the total amount must be paid into the account [editor's note: abbreviated here] within two weeks of the decision becoming final. The reference number and the date of completion should be stated as the intended purpose.

If no payment is made within this period, the entire amount can be demanded. In this case, a flat-rate contribution to costs of five euros must be paid. If no payment is made, the outstanding amount will be enforced.

Justification:

1. The following facts relevant to the decision have been established on the basis of the evidence taken:

1.1. Regarding the information provided on the accused's website, the affected party's request for deletion and the appeals procedure for case number D124.3076

1.1.1. The accused organizes a **** soccer league. The following information about people who have taken part in a game in the league organized by the accused at least once is publicly available on the accused's website:

Player details
- Name and photo
- Year of birth
- Status (eligible to play or not)
- Team
- In the club since
- Nationality
- Shirt number

Information and statistics
- Goals per game
- On field percentage
- Goals after half-time
- Win/Draw/Loss
- Score percentage
- On fire rate
- Club loyalty

Current season
- Games
- Goals
- Yellow cards
- Yellow/Red cards
- Red cards

All-time statistics
- Games
- Goals
- Yellow cards
- Yellow/red cards
- Red cards

In addition, all games in which a person has participated are listed in the player profile.

Assessment of evidence for 1.1.1.: These findings are based on a query of the accused's website (last accessed on December 19, 2023, for example see: https://www.n***.com/index.php?action=showPlayer&id=2*9*3, screenshots of which are in the electronically maintained procedural file).

1.1.2. Mr. Roberto B*** (hereinafter: the person concerned) took part in games in the league organized by the accused. He played his last game on October 6, 2019.

On September 23, 2020, the person concerned sent an email requesting the deletion of his personal data to the accused, in which he asked to be deleted from the accused's systems.

The accused stated in messages to the person concerned dated September 23, 2020, and September 24, 2020 that she could not comply with his request. In summary, deletion was not possible for statistical reasons.

The person concerned then filed a complaint with the data protection authority on October 1, 2020. The complaint procedure was conducted under case number D124.3076.

The data protection authority upheld the person concerned's complaint in its decision of May 10, 2021 (ref. no.: D124.3076, 2021-0.096.835) and found in point 1 that the accused had violated the person concerned's right to deletion by rejecting his request for deletion of September 23, 2020.

In point 2 of the decision, the accused (note: referred to as the respondent in the appeal proceedings) was given the following instruction (formatting not reproduced 1:1):

1. The respondent is instructed, within three weeks and with regard to the complainant's data that is publicly accessible on the respondent's website (www.n***.com) under ID: *4*6,

a. to refrain from disclosing it by transmitting it and

b. to delete this data or to store it in an area that is not publicly accessible.

This decision subsequently became legally binding.

Evaluation of evidence on 1.1.2.: These findings arise from the file components of the appeal proceedings for D124.3076.

1.1.3. At the time of the decision, the affected person's name and all game statistics are still visible on the player profile.

Instead of the photo, a symbolic image with the inscription "NOT PUBLICLY VISIBLE" is displayed on the player profile. The information "Unaffiliated" appears under the team item. The information year of birth, status, in the club since, nationality, shirt number no longer appears.

The accused also did not fully comply with deletion requests from other affected persons and these persons can still view their names and all game statistics on the accused's website.

The data protection authority ordered the accused in several notices to delete data from affected persons on their website. The accused did not comply with the instructions of the data protection authority.

The Federal Administrative Court also confirmed a notice from the data protection authority with a legally binding ruling dated April 12, 2023, according to which the accused must delete data from an affected person from their website. The accused also ignored this ruling.

Assessment of evidence regarding 1.1.3.: The finding that the above-mentioned data of the person concerned is still publicly accessible results from a call to the URL https://www.n***.com/?action=showPlayer&id=*4*6 (last queried by the data protection authority on December 19, 2023, screenshot in the file). The fact that the accused did not fully comply with requests for deletion from other persons and that the data protection authority ordered her to delete the data in several decisions is evident from several complaint procedures concluded by the data protection authority with a decision (e.g. the complaint procedures for D124.1086, D124.3657, D124.1324/23). The finding that the Federal Administrative Court has confirmed a decision by the data protection authority results from the corresponding decision of April 12, 2023; GZ: W252 2246403-1/10E. The fact that the accused ignored this finding is evident from a query of the player profile at issue in that case (see: https://www.n***.com/?action=showPlayer&id=5*4*, last accessed on December 29, 2023, screenshot in the file).

1.2. On the course of the present administrative penal proceedings

1.2.1. By letter dated May 2, 2022, the data protection authority initiated the present administrative penal proceedings and requested the accused to justify herself and to explain her financial circumstances.

Despite an announcement by telephone on June 13, 2022, the accused did not submit any written justification to the data protection authority and did not comment on her financial circumstances.

1.2.2. By decision of April 27, 2023, the data protection authority suspended the present administrative penal proceedings until the final decision by the Court of Justice of the European Union in Case C-807/21. This suspension decision became final due to the lack of an appeal.

By decision of December 5, 2023, the data protection authority revoked the suspension decision of April 27, 2023 ex officio and continued the administrative penal proceedings - taking into account the judgment of December 5, 2023 of the ECJ in case C-807/21.

Assessment of evidence under 1.2.1. and 1.2.2.: The findings are based on the content of the administrative penal act in question. The course of the telephone call with the then chairman of the accused was recorded in a file note dated June 13, 2022, in which he announced that he would submit a justification.

2. Legally, this means:

2.1. On the jurisdiction of the data protection authority and the scope of the GDPR

According to Article 83, paragraph 4, letter a, fines of up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year can be imposed if the obligations of the controllers and processors under Articles 8, 11, 25 to 39, 42 and 43 are violated.

Article 83, paragraph 5, letter b, GDPR stipulates that infringements of the provisions of Articles 12 to 22 of the GDPR may be subject to fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of its total worldwide annual turnover in the preceding financial year, whichever is higher.

Pursuant to Article 83(6) GDPR, failure to comply with an instruction from the supervisory authority pursuant to Article 58(2) shall be subject to fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher.

According to Section 22 Paragraph 5 of the Data Protection Act, the Data Protection Authority is responsible for imposing fines on natural and legal persons in Austria as the national supervisory authority.

The Data Protection Authority is therefore responsible in this case.

2.2. On the processing of personal data and the status of the accused as the controller

According to Article 2 Paragraph 1 of the GDPR, the regulation applies to the fully or partially automated processing of personal data as well as to the non-automated processing of personal data that are or are to be stored in a filing system.

There are no doubts as to the existence of processing of personal data within the meaning of Art. 4(1) and (2) GDPR, and this has not been disputed by the accused.

By publishing the information mentioned in 1.1.1, the accused is undoubtedly processing personal data.

The accused's role as controller pursuant to Art. 4(7) GDPR was also never disputed, and no evidence emerged during the proceedings to suggest the contrary. As controller, the accused is the addressee of the relevant obligations of the GDPR.

2.3. Regarding the violation according to point I.

Pursuant to Art. 25(1) GDPR, the controller shall, taking into account the state of the art, the costs of implementation and the nature, scope, circumstances and purposes of processing as well as the different likelihood and severity of the risks to the rights and freedoms of natural persons associated with the processing, both at the time of determining the means of processing and at the time of the actual processing, implement appropriate technical and organizational measures - such as pseudonymization - designed to effectively implement data protection principles such as data minimization and to incorporate the necessary guarantees into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects.

Recital 78 GDPR specifies what appropriate technical and organizational measures can be.

It states the following in part: In order to be able to demonstrate compliance with this regulation, the controller should establish internal strategies and take measures that comply in particular with the principles of data protection by design and data protection by default. Such measures could include, among others, minimizing the processing of personal data, pseudonymizing personal data as quickly as possible, creating transparency regarding the functions and processing of personal data, enabling the data subject to monitor the processing of personal data, and enabling the controller to create and improve security features.

The European Data Protection Board (EDPB) has stressed in its guidelines on Art. 25 GDPR that both the appropriate measures and the necessary guarantees should serve the same purpose, namely to protect the rights of the data subjects and to ensure that the protection of their personal data is included in the processing (see Guidelines 4/2019 on Article 25, para. 7).

Those responsible must implement the principles to ensure data protection by design and by default. These principles include transparency, lawfulness, processing in good faith, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability.

In this case, the principle of data minimization pursuant to Article 5(1)(c) of the GDPR should be emphasized. Accordingly, personal data must be adequate, relevant and limited to what is necessary for the purposes of processing.

In the guidelines mentioned, the EDPB gives some examples of key aspects of technology design and default settings with regard to data minimization.

Where it is not necessary for the purposes of processing that the final data set refers to an identified or identifiable individual, but this is the case in the original processing (as in statistics), the controller must erase or anonymise the personal data as soon as identification is no longer required (see the EDPB guidelines mentioned above, paragraphs 75 and 76).

Aspects of accountability can also be found in the principle of “data protection by design” enshrined in Article 25(1) of the GDPR, according to which the means of processing, i.e. products, services and applications, must be chosen both at the time of determining the means of processing and at the time of the actual processing in such a way that the requirements of the GDPR can be met (cf. Baumgartner in Ehmann/Selmayr (eds.), DS-GVO2 [2018] Art. 25, para. 2; see also Hötzendorfer in Gantschacher/Jelinek/Schmidl/Spanberger (eds.), Commentary on the General Data Protection Regulation [2017] Art. 25, Note 3).

The prerequisite for processing personal data in a responsible manner is that the controller has both the knowledge to implement data protection and the skills required to do so. This means that the controller is aware of the data protection obligations arising from the GDPR and that he can comply with these obligations (cf. the aforementioned EDPB guidelines, para. 88).

The accused would have to ensure – for example following a justified request for deletion – that it is no longer possible to identify the data subject from the data published on its website. This could be done, for example, by anonymisation – as expressly stated by the EDPB in its guidelines (cf. the aforementioned EDPB guidelines, paragraph 54; for anonymisation as a means of deletion, see also the DSB decision of 5 December 2018, DSB-D123.270/0009-DSB/2018).

The Federal Administrative Court has also already stated that the accused is required to take the idea of data protection through technology design into account in accordance with Art. 25 GDPR. Accordingly, the argument that the data of those affected is required for new registrations, transfers and to check multiple registrations in the case of identical names is irrelevant if the persons concerned have already left the accused's association or have not been active players for many years (cf. the BVwG decision of April 12, 2023, GZ: W252 2246403-1/10E).

As a result, the accused violated Art. 25 GDPR at least during the period of the offense 1 by not taking appropriate technical and organizational measures so that in the event of a necessary deletion from the accused's public database, no conclusions can be drawn about the persons concerned.

The accused therefore fulfilled the objective aspect of Article 25, paragraph 1, GDPR during the first period of the offense.

2.4. On the violation according to point II.

According to Art. 17 Para. 1 GDPR, a data subject has the right to demand that the controller immediately erase their personal data, and the controller is also obliged to erase personal data immediately if one of the reasons stated in Art. 17 Para. 1 lit. a - lit. f GDPR applies.

In the complaint procedure for D124.3076, the data subject stated that he wanted his data, which was processed publicly and could be found by search engines, to be erased, that he no longer plays football, and that he therefore has no intention of ever again taking part in the football league organized by the accused as a player. The processing of his data is therefore no longer necessary.

As the data protection authority legally established in its decision of May 10, 2023, the accused violated the data subject's right to erasure by rejecting the data subject's request for erasure of September 23, 2020.

The data subject's personal data are no longer necessary within the meaning of Art. 17, Paragraph 1, Letter a, GDPR for the purposes for which they were collected or otherwise processed.

In addition, the data subject's personal data are unlawfully processed within the meaning of Art. 17, Paragraph 1, Letter d, leg. cit.:

The accused has failed - despite requests from the data protection authority in the complaint procedure under D124.3076 and in the present administrative penal proceedings - to name a specific legal basis within the meaning of Article 6, paragraph 1, GDPR for the data processing.

It should be noted that any consent previously given by the data subject was revoked in accordance with Art. 7, paragraph 3, GDPR with the request for deletion dated September 23, 2020. With the effective revocation of the consent of the data subject, any legal basis pursuant to Art. 6 Paragraph 1 Letter a of GDPR (legality of processing based on the consent of the data subject) also ceases to apply.

If the accused relies on a legitimate interest pursuant to Art. 6 Paragraph 1 Letter f of GDPR, it should be noted that the weighting of the original interests has since shifted because the data subject has been eliminated from the accused’s football league for years. He played his last game on October 6, 2019. There is no longer any reason why the data subject’s data would still be needed for the football league organized by the accused. The interest of the public interested in sports competitions in the data of a footballer who no longer participates in competitive matches is also to be assessed as low. Thus, the legitimate interest of the person concerned prevails in the subject matter of the proceedings.

The data protection authority does not ignore the fact that Article 17, Paragraph 3 of the GDPR contains exceptions to Article 17, but the accused did not put forward any such exceptions, and none emerged from the course of the proceedings.

From the point of view of the data protection authority, the only possible exception on which the accused could rely is the archiving purpose in the public interest pursuant to Article 17, Paragraph 3, Letter d in conjunction with Article 89 of the GDPR.

Since anonymization of the data of the person concerned neither makes the game results impossible nor seriously affects them, the exception is not applicable to the present case (for anonymization as a means of deletion, see again the DSB decision of December 5, 2018, DSB-D123.270/0009-DSB/2018).

In particular, taking into account the factors of expediency, relevance and purposefulness, storage in a form that enables the data subject to be identified does not appear to be necessary in the present case (cf. Article 5, Paragraph 1, Letter c, GDPR ("data minimization")). The principle of storage limitation (Article 5, Paragraph 1, Letter e, GDPR) also speaks in favor of this assessment.

The data protection authority also notes again that the Federal Administrative Court came to the same conclusion in a similar case (cf. BVwG W252 2246403-1/10E of April 12, 2023).

As can be seen from the findings, the accused is still processing the data subject’s data on its website and has not yet fully complied with the data subject’s request for deletion – despite the data protection authority’s final decision.

The accused therefore violated the data subject’s right to deletion pursuant to Art. 17 GDPR during the second period of the offense and in this respect the objective elements of the offense are met.

2.5. On the violation pursuant to point III.

The data protection authority has the power within the meaning of Article 58, paragraph 2, letter c, GDPR to instruct the controller or the processor to comply with the data subject's requests to exercise the rights to which he or she is entitled under this regulation.

In the present case, the accused only partially complied with the supervisory authority's instructions.

At an unknown time, the player photo of the person concerned and the information "year of birth", "status", "nationality", "in the club since" and "shirt number" were deleted. However, the name and all other information about the person concerned listed under point 1.1.1. are still publicly visible on the accused's website.

Against the background of the facts established as proven, the accused, as the person responsible pursuant to Article 4(7) of the GDPR, is responsible for the objective aspect of the administrative offence under Article 58, Paragraph 2, Letter c in conjunction with Article 83, Paragraph 6 of the GDPR, because it did not comply with the data protection authority’s instructions to delete the data subject’s data or to store it in an area that is not publicly accessible.

2.6. On the criminal liability of the accused as a legal person

The conditions for the imposition of fines on both natural persons and legal persons are set out in Article 83 of the GDPR. However, the national legislator has set out further "general conditions for the imposition of fines" in Section 30, Paragraph 1 and 2 of the DSG.

Pursuant to Section 30, Paragraph 1, DSG, the Data Protection Authority may impose fines on a legal person if infringements of the provisions of the GDPR have been committed by persons who have acted either alone or as part of a body of the legal person and who hold a management position within the legal person due to (1) the authority to represent the legal person, (2) the authority to take decisions on behalf of the legal person, or (3) a control authority within the legal person.

Legal persons can also be held liable for violations of the provisions of the GDPR in accordance with Section 30, Paragraph 2 of the Data Protection Act in cases where a lack of supervision or control by a person named in Section 30, Paragraph 1 of the Data Protection Act enabled these violations to be committed by a person working for the legal person, provided that the act does not constitute a criminal offence within the jurisdiction of the courts.

In its ruling of May 12, 2020, Ro 2019/04/0229, the Administrative Court dealt for the first time with the applicability of the criminal liability requirements of Section 30 DSG in proceedings under Art. 83 GDPR and found in this context that a legal person cannot act on its own and therefore its criminal liability under Section 30 DSG is a consequence of the criminal, unlawful and culpable conduct of a managerial person within the meaning of Section 30, Paragraph 1 DSG. Accordingly, in order for the prosecution directed against the legal person to be effective, the precise description of the criminal act committed by the natural person (managerial person or so-called “attribution person”) is necessary. The attribution of the criminal act by the managerial person to the legal person must be included in the ruling and the attribution person must also be named as an identified natural person (cf. VwGH May 12, 2020, Ro 2019/04/0229, with further references). In other words: in proceedings pursuant to Art. 83 GDPR, the data protection authority must name in the ruling of the penal decision the natural person whose violation of the GDPR or the DSG is to be attributed to the legal person responsible within the meaning of Art. 4(7) GDPR in order to be able to impose a fine pursuant to Art. 83 GDPR on the responsible person as a legal person.

By order of December 6, 2021, the Berlin Higher Regional Court asked the ECJ for a preliminary ruling under Article 267 TFEU to interpret Article 83 GDPR with regard to the question of whether a company can be directly affected in fine proceedings for a violation of Article 83 GDPR and in this context submitted the following questions:

1. Is Article 83(4) to (6) GDPR to be interpreted as meaning that it incorporates the functional concept of a company and the functionary principle assigned to Articles 101 and 102 TFEU into domestic law with the result that, by extending the legal entity principle underlying Section 30 of the Administrative Offenses Act, fine proceedings can be conducted directly against a company and the fine does not require the determination of an administrative offence committed by a natural and identified person, possibly a fully criminal offence?

2. If the answer to question 1 is in the affirmative: Should Article 83(4) to (6) of the GDPR be interpreted as meaning that the company must have culpably committed the infringement mediated by an employee (cf. Article 23 of Council Regulation (EC) no. 1/2003 of 16 December 2002 on the implementation of the competition rules laid down in Articles 81 and 82 of the Treaty), or is an objective breach of duty attributable to the company in principle sufficient for a fine to be imposed on it (“strict liability”)?

The request for a preliminary ruling from the Berlin Higher Regional Court raised the question of whether the provisions of Section 30(1) and (2) DSG may be applied at all, because they conflict with the directly applicable provisions of the GDPR, and whether the statements made by the VwGH in its above-cited ruling on the criminal liability of legal persons in proceedings under Article 83 GDPR can be upheld. Since the ECJ's decision on these questions had a prejudicial effect on the present proceedings, the administrative penal proceedings were suspended.

Finally, in its judgment of 5 December 2023, the ECJ held that the directly applicable provisions of Article 58(2)(i) and Article 83(1) to (6) GDPR must be interpreted as precluding a national rule according to which a fine for an infringement referred to in Article 83(4) to (6) GDPR can be imposed on a legal person in its capacity as controller only if that infringement was previously attributed to an identified natural person.

The ECJ stated in this context that legal persons are liable not only for infringements committed by their representatives, directors or managing directors, but also for infringements committed by any other person acting in the course of the legal person's business activities and on its behalf. In addition, it must be possible to impose the fines provided for in Article 83 GDPR directly on legal persons (cf. ECJ judgment of 5 December 2023, C-807/21, Deutsche Wohnen SE, para. 44).

The (substantive) conditions for the imposition of fines by supervisory authorities are regulated precisely in Article 83(1) to (6) GDPR, without any discretion for the Member States. The GDPR contains no provision making the imposition of a fine on a legal person as controller dependent on a prior determination that the infringement was committed by an identified natural person. The GDPR merely grants Member States the power to lay down requirements regarding the procedure to be applied by supervisory authorities when imposing a fine; it in no way permits them, by way of such procedural requirements, to establish substantive requirements in addition to those in Article 83(1) to (6) GDPR (cf. ECJ C-807/21, paras 45 et seq.). The requirements for the imposition of a fine under Article 83 GDPR by a supervisory authority therefore arise exclusively from Union law.

The ECJ argued that a national provision which lays down additional requirements for the imposition of fines under Article 83 GDPR infringes Article 83(1) GDPR because it weakens the effectiveness and deterrent effect of fines imposed on legal persons. It must be borne in mind that fines are a key element in enforcing the objectives of the GDPR, in ensuring that the rights of data subjects are safeguarded and in ensuring a high level of protection throughout the Union (cf. ECJ C-807/21, paras 51 and 73). As a result, the ECJ found that the conditions for imposing a fine under Article 83 GDPR are regulated exhaustively in Article 83(1) to (6) GDPR (para. 53).

2.7. On the subjective aspect of the offence

With regard to the second question referred, the ECJ has now explicitly stated, as the data protection authority had already assumed in its previous case law, that only infringements of the GDPR which the controller commits culpably, i.e. intentionally or negligently, can lead to the imposition of a fine (cf. ECJ judgment of 5 December 2023, C-807/21, para. 68).

With regard to the subjective aspect of the offence, it must be borne in mind that the requirement of fault for the imposition of a fine under Article 83 GDPR is to be interpreted autonomously under Union law and, in particular, assessed in the light of the ECJ's case law. With regard to the questions referred concerning fault, the ECJ also found that the Union legislature had granted the Member States no discretion for national rules in this respect, since the substantive requirements are regulated exclusively and exhaustively in Article 83(1) to (6) GDPR (see also ECJ judgment of 5 December 2023, C-683/21, Nacionalinis visuomenės sveikatos centras, paras 64 et seq.).

On the question of whether an infringement was committed intentionally or negligently and can therefore be punished with a fine, the ECJ made clear in the judgment cited above that such fault already exists where the accused could not have been unaware of the unlawfulness of its conduct, regardless of whether it was aware that it was infringing the provisions of the GDPR (cf. ECJ C-807/21, para. 76).

Referring to further case law, the ECJ also expressly clarified that the application of Article 83 GDPR to legal persons requires neither any action nor even knowledge on the part of the management body of that legal person (cf. ECJ judgment of 5 December 2023, C-807/21, para. 77).

The responsibility and liability of a controller extend to any processing of personal data carried out by it or on its behalf. In this context, the controller must not only take appropriate and effective measures, but must also be able to demonstrate that its processing activities comply with the GDPR and that the measures it has taken to ensure this compliance are also effective (cf. ECJ C-807/21, para. 38, with reference to Recital 74).

Applied to the present case, this means the following:

First of all, it should be noted that the investigation produced no evidence that the infringements in question were committed by a person who was not acting in the course of the accused's activities and on its behalf.

Despite numerous official notices issued against it and an administrative court decision, the accused has failed to take appropriate technical and organisational measures to ensure that, where deletion from the public database is required, the data subjects concerned can no longer be identified.

The accused has still not fully complied with the data subject's request for erasure of 23 September 2020 or with the order contained in the decision of the data protection authority of 10 May 2021 (GZ: D124.3076, 2021-0.096.835).

Not only could it not have been unaware of the unlawfulness of its conduct; it was in fact aware that it was infringing the provisions of the GDPR.

The data protection authority assumes that all of the infringements committed by the accused were intentional.

The subjective aspect of the offence is therefore fulfilled.

3. The following must be noted regarding sentencing:

According to Article 83(1) GDPR, the data protection authority must ensure that the imposition of fines for infringements of the provisions of the GDPR subject to sanctions (Article 83(4), (5) and (6) GDPR) is effective, proportionate and dissuasive in each individual case. In more detail, Article 83(2) GDPR stipulates that certain criteria must be taken into account in each individual case when deciding whether to impose a fine and on its amount.

When determining the penalty, the data protection authority applied the EDPB guidelines on the calculation of administrative fines under the GDPR (see EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR, Version 2.1 of 24 May 2023, hereinafter the "Fines Guidelines").

The assessment of the penalty within a statutory penalty range is a discretionary decision that must be made according to the criteria laid down by the legislature in Section 19 VStG (cf. VwGH 5 September 2013, 2013/09/0106).

According to Section 19(1) VStG, the basis for determining the penalty is the importance of the legal interest protected by criminal law and the intensity of its impairment by the act. Furthermore, according to the purpose of the threat of punishment, the aggravating and mitigating circumstances under consideration must be weighed against each other, insofar as they do not already determine the threat of punishment. Particular attention must be paid to the extent of the culpability. Taking into account the specific nature of administrative criminal law, Sections 32 to 35 of the Criminal Code (StGB) are to be applied mutatis mutandis. The accused's income and assets and any care obligations must be taken into account when determining fines (this naturally applies only to natural persons, but is to be applied mutatis mutandis to legal persons); however, only to the extent that the directly applicable provisions of the GDPR do not supersede the provisions of the VStG, and to the extent required by Article 83(8) GDPR and Recital 148 with regard to the procedural guarantees to be ensured.

Article 83(3) GDPR, in derogation from the cumulation principle laid down in Section 22(2) VStG, stipulates that where identical or linked processing operations intentionally or negligently infringe several provisions of the GDPR, the total amount of the fine shall not exceed the amount specified for the gravest infringement. The absorption principle therefore applies within the scope of this provision.

Pursuant to Article 83(5)(a) or (6) GDPR, the infringements referred to therein are, in accordance with paragraph 2, subject to administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher.

Furthermore, within the meaning of Article 83(1) GDPR, it should be noted that when determining the "total amount of the fine" under the absorption principle pursuant to Article 83(3) GDPR, all infringements of the GDPR committed must be taken into account. The wording "amount specified for the gravest infringement" refers to the penalty range, i.e. the statutory maximum amounts (see Article 83(4) to (6) GDPR). The EDPB stated that within the scope of Article 83(3) GDPR the other infringements committed cannot de facto be disregarded, but must be taken into account accordingly when determining the penalty (see Fines Guidelines, Chapter 3, para. 43). Otherwise, controllers and processors who have infringed several provisions of the GDPR within a single established case would be treated more favourably.

Because the accused did not cooperate in determining its financial circumstances, the data protection authority had to make an estimate (cf. VwGH 11 May 1990, 89/18/0179; 22 April 1992, 92/03/0019; 23 February 1996, 95/02/0174). In view of the Fines Guidelines, the accused is classified, in terms of its turnover and with a view to imposing an effective, dissuasive and proportionate fine, in the lowest category ("Undertakings with a turnover up to EUR 2 million"). This classification takes due account of the size of the undertaking, in particular to ensure that the fine is proportionate.

The penalty range in this specific case is up to EUR 20,000,000 (static penalty range) pursuant to Article 83(5) GDPR. The dynamic penalty range (4% of annual turnover) does not apply.

In light of the facts assumed to be proven, and taking into account the nature, gravity and duration of the infringement (Article 83(2)(a) GDPR), the intentional or negligent nature of the infringement (Article 83(2)(b) GDPR) and the categories of personal data affected by the infringement (Article 83(2)(g) GDPR), the data protection authority classifies the seriousness of the infringement as medium.

In relation to the facts of the case at hand, the following aggravating factor was also taken into account when determining the penalty (in addition to the criteria already considered in determining the degree of seriousness in accordance with Article 83(2)(a), (b) and (g) GDPR):

Despite being notified by telephone, the accused did not submit any written justification to the data protection authority and did not comment on its financial situation, and thus cooperated with the data protection authority only to a very limited extent (cf. Article 83(2)(f) GDPR).

In the present case, the following mitigating factor was taken into account when determining the penalty:

The data protection authority is not aware of any previous relevant infringements of the GDPR by the accused (cf. Article 83(2)(e) GDPR).

According to the consistent case law of the VwGH, considerations of special and general prevention may also be taken into account when determining the penalty (cf. VwGH 15 May 1990, 89/02/0093; VwGH 22 April 1997, 96/04/0253; VwGH 29 January 1991, 89/04/0061).

The imposition of the specific fine was in any case necessary for reasons of special prevention, in order to deter the accused from committing further infringements, to make it aware of data protection by design and by default in accordance with Article 25 GDPR, and to make it aware of its obligations in connection with requests for erasure and with compliance with orders of the data protection authority. In any case, it can be assumed that without the imposition of a fine the accused would continue the processing in question, since it has already ignored a legally binding decision of the Federal Administrative Court.

The imposition of the fine was also necessary for reasons of general prevention, in order to make controllers aware of their obligations regarding data processing in comparable publicly accessible databases and regarding the handling of requests for erasure and orders of the data protection authority.

The penalty ultimately imposed, in the amount of EUR 11,000, appears appropriate to the offence and the culpability in view of the wrongfulness of the conduct, measured against the available penalty range (here up to EUR 20,000,000), and lies at the lowest end of that range.