BVwG - W258 2247028-1: Difference between revisions
From GDPRhub
(→Facts) |
No edit summary |
||
| Line 64: | Line 64: | ||
}} | }} | ||
The Federal Administrative Court of Austria held that the DSB (Austria) has no power to declare processing activities unlawful | The Federal Administrative Court of Austria held that, if administrative proceedings are not initiated by a complaint but by the DSB (Austria) itself, the DSB has no power to (merely) declare processing activities unlawful, because neither Article 58(2) GDPR nor the national law provides for such a power. | ||
== English Summary == | == English Summary == | ||
Revision as of 15:53, 29 June 2022
| BVwG - W258 2247028-1 | |
|---|---|
 | |
| Court: | BVwG (Austria) |
| Jurisdiction: | Austria |
| Relevant Law: | Article 58(2) GDPR § 24 DSG |
| Decided: | 29.04.2022 |
| Published: | 03.06.2022 |
| Parties: | anonymous DSB |
| National Case Number/Name: | W258 2247028-1 |
| European Case Law Identifier: | ECLI:AT:BVWG:2022:W258.2247028.1.00 |
| Appeal from: | |
| Appeal to: | |
| Original Language(s): | German |
| Original Source: | Rechtsinformationssystem des Bundes (RIS) (in German) |
| Initial Contributor: | Heiko Hanusch |
The Federal Administrative Court of Austria held that, if administrative proceedings are not initiated by a complaint but by the DSB (Austria) itself, the DSB has no power to (merely) declare processing activities unlawful, because neither Article 58(2) GDPR nor the national law provides for such a power.
English Summary
Facts
The controller is an employer who allegedly surveilled its employees work phones and work email accounts from January until March 2021. The DSB (Austria) heard of this conduct in media reports and initiated an ex officio investigation into the matter on 31 March 2021. On 29 July 2021 the DSB adopted an administrative act in which operative part it (only) declared the past processing of the controller unlawful.
The controller initiated court proceedings against the act claiming that its conduct was lawful and that the DSB - neither under national law nor under the GDPR - had the power to officially declare the processing unlawful if the administrative proceedings were initiated by the DSB on its own and not by a complaint.
Holding
The Federal Administrative Court (Bundesverwaltungsgericht – BVwG) decided in favour of the controller and set the administrative act aside.
The court held that there is no provision in national law or the GDPR that gave the DSB the power to officially declare the processing unlawful. It found that the DSB has only the power to declare an act of processing unlawful if the administrative court proceedings were initiated by a complaint under § 24 DSG (Austrian Data Protection Act). § 24(2)(Nr. 5) DSG prescribes that a complaint to the DSB must include a request by the complainant to declare the alleged infringement unlawful. Since § 24 DSG is a provision solely referring to a complaint proceeding, it cannot be directly applied to an ex officio proceeding. The court also rejected an analogous application of § 24 DSG, because it concluded that the legislator purposefully regulated complaint and ex officio proceedings differently so that there is no room for an analogous application. It found the reason for this distinction is that in a complaint proceeding there is a data subject who might have a legal interest in the declaration in order to pursue further individual claims against the controller such as a claim for damages; in ex officio proceedings there is no such interest.
Moreover, the court found that there is no legal basis in the GDPR either. There are only the powers under Article 58(2) GDPR, including the power to issue a reprimand or to fine the controller.
Comment
The BVwG mainly based its decision on a decision (Ro 2020/04/0032-8) of the Supreme Administrative Court of Austria (Verwaltungsgerichtshof – VwGH), which was issued during the present court proceedings. However, in my opinion, both Austrian courts were incorrect. German Courts and scholars (see Grittmann in Taeger/Gabel, DSGVO - BDSG – TTDSG, Art. 58 Para 24) are of the opinion that a reprimand under Article 58(2)(b) GDPR constitutes a declaration that the processing was unlawful. According to this view a reprimand consists of two parts: The declaration that an act of processing was unlawful and the warning that the controller should not violate the GDPR again in the future. Therefore, by way of an argumentum a fortiori (a maiore ad minus), it may be concluded that a DPA has the power to declare the processing unlawful.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Postal address:
Erdbergstrasse 192 – 196
1030 Vienna
Phone: +43 1 601 49-0
Fax: + 43 1 711 23-889 15 41
Email: einlaufstelle@bvwg.gv.at
www.bvwg.gv.at
DECISIONS D A T U M
2 9 . 0 4 . 2 0 2 2
BUSINESS NUMBER
W 2 5 8 2 2 4 7 0 2 8 - 1 / 1 1 E
I M N A M E N D E R E P U B L I K !
The Federal Administrative Court has judge Mag. Gerold PAWELKA-SCHMIDT as
Chairman and the expert lay judges Dr. Gerd TRÖTZMÜLLER and Gerhard RAUB
as assessor on the complaint of XXXX, represented by CERHA HEMPEL Rechtsanwälte
GmbH, 1010 Vienna, against the decision of the data protection authority of July 29, 2021, GZ DSB-
D213.1303 2021-0.412.072, in circulation on a data protection matter
rightly recognised:
A) The complaint will be followed and the notice will be removed without replacement.
B) The revision is not permitted according to Art. 133 Para. 4 B-VG.
Reasons for decision:
I. Procedure:
1. Based on media reports that the complainant (in the proceedings before the
Data protection authority "responsible") company mobile phones and company e-mail accounts
some of their employees is said to have been monitored by the relevant authority on March 31, 2021
ex officio investigation proceedings initiated against the complainant and asked her, - 2 -
within three weeks, various questions about the procedure and the extent of the monitoring as well as
to answer about a obtained consent and to present related documents.
2. In a letter dated April 28, 2021, the complainant submitted various documents
Declarations of consent and non-disclosure clauses and answered the questions
summarized as follows: In the course of the sale of a business unit, a
competitive bidding process lasting several months. Just before the end of
Negotiations there was a "leak" in which strictly confidential information of the
bidding process had become public, causing the complainant damage in
millions had been created. The board of the complainant then had a
internal investigation initiated. The purpose of the investigation is to clarify the facts and
the relief of the suspected employees. For this are the
official e-mail accounts - after obtaining the consent of the persons concerned
certain keywords, as well as in the partially anonymous
Individual call records of the employees involved have been inspected. the
Complainant was under company law to an investigation of the facts
been obliged to comply with data protection regulations
have performed.
3. With a decision dated July 29, 2021, the relevant authority stated that "the ex officio
Inspection method was authorized and it is found that processing
personal data of 73 individuals between January and March 2021 for purposes
internal investigations based on the stated justification facts (§1 Abs.2 DSG,
Article 6 paragraph 1 lit. a and alternatively lit. f GDPR) was unlawful.”
As a reason, the relevant authority summarized the consent obtained
was due to the imbalance between the complainant as an employer and
the employees as their employees is not made voluntarily and is therefore invalid. Since the
If the legal basis for the processing cannot be changed later, the
Complainant also does not base the data processing on the permission of the
"legitimate interest" according to Art 6 Para 1 lit f GDPR. The data processing can
but in any case not based on Art. 6 Para. 1 lit f GDPR, because relevant
Legislation should have been complied with, which was not the case. So
is subject to the investigation carried out as a control measure which the
touch human dignity, the consent of the works council, which the complainant
have not caught up., - 3 -
4. The present complaint of August 27, 2021 is directed against this decision
Procedural errors and substantive illegality in which the complainant
requested that the Federal Administrative Court decide in the matter itself and
determine that the processing by the complainant was lawful, in eventu
revoke the contested decision and issue a new decision
referred back to the relevant authority.
In essence, the complainant submitted that the authority concerned had the
Facts insufficiently determined and incorrectly legally assessed, especially in relation
on the voluntariness of the consent obtained from the employees. Also have the
competent authority violated the surprise ban because for the
Complainant had not been foreseeable that the last of 18
questions asked will be particularly relevant to the decision and they also have
the proceedings are expected to be discontinued after the questions have been answered. About that
Furthermore, the verdict of the notice was too vague. Contrary to the view of those concerned
Authority it is also permissible to process data with several permissions
to secure. There was also no company agreement or
The works council's consent is required, which the complainant claims with a
have substantiated legal opinions. Regarding the admissibility of several
Justification reasons, the necessity of a works agreement and the admissibility
of consent to data processing in employment relationships encourage them to do so
to request a preliminary ruling from the ECJ.
5. The data protection authority submitted the complaint to the adjudicating court
Connection of the administrative act with a brief dated October 4th, 2021, received on
05.10.2021, and stated in summary that the complainant had
relevant time of data collection from the staff exclusively on the
Justification of the consent under Art 6 Para 1 lit a GDPR supported. the
Officials could not have expected that the consent would only be "pro forma"
will be obtained and processing, regardless of consent - based on a
legitimate interest according to Art 6 Para 1 lit f GDPR -, nevertheless takes place. It is inadmissible
in the event of problems with the consent, subsequently refer to other justifications
to support. In this respect, the complainant's arguments are justified
Interest according to Art 6 Para 1 lit f GDPR and the explanations of the submitted
legal opinion into emptiness. Furthermore, the Respondent is all
investigation results essential to the decision have been disclosed and they have to do so
be able to comment on why the objection of the ban on surprises is misguided., - 4 -
6. In a brief dated November 18, 2021, the complainant summarized that
not all affected employees would be subject to the ArbVG. The authority concerned
have the decision-relevance of the existence of a works agreement is not sufficient
communicated, as a result of which the complainant had been deprived of the opportunity to
to submit an expert opinion on this subject, which was already available before the decision was issued.
Furthermore, neither the verdict nor the reasoning indicated “which
Processing(s) of which personal data […] with regard to which employees
due to which specific circumstances should have been unlawful”, whereby this
be too vague.
With the consent obtained from the employees, the relevant authority only
selectively and in a generalizing manner, without considering the circumstances of the
to enter into individual cases that would speak in favor of the voluntary nature of the consent.
The complainant does not have the legal basis for the use of the data
later changed, rather all employees are the internal ones
Data protection guidelines known, which inform that the complainant at
Violations of laws or company policies Inspection of documents and
can take correspondence.
7. The authority concerned responded with a brief about hearings from the parties on November 26, 2021
December 20, 2021, essentially as before.
8. Based on the decree of the hg business allocation committee of December 16, 2021
the case was taken from Judicial Division W211 and Judicial Division W258
reassigned as of 01/03/2022.
9. With a hearing of April 11, 2022, the authority concerned was informed of the
decision of the Administrative Court of December 14, 2021, Ro
2020/04/0032, that she did not have any in an officially initiated examination procedure
Competence to determine infringements in a manner capable of having legal force, why
the notice would have to be remedied without replacement.
9. In a brief dated April 25, 2022, the authority concerned submitted that
The finding cited is not applicable to the case in question because the
decision of the data protection authority on an ongoing infringement
reason. In the present case, however, the infringement has already been completed and
thus (also) a violation of § 1 DSG has been agreed. It is not justifiable,, - 5 -
which is why, in the case of identical facts, one in the past and already
Completed violation of rights in the case of an individual complaint according to § 1 in conjunction with § 24 DSG,
cannot, however, be determined in an official examination procedure.
It is typical for violations of the fundamental right to data protection according to § 1 DSG that they already
Are completed. However, the Austrian (constitutional) legislature could not
be assumed to issue a provision that cannot be enforced ex officio,
because Article 58 (2) GDPR does not provide for a corresponding right to remedy the situation. Therefore have the
Decision of the competent authority - in contrast to the decision, which said knowledge
of the Administrative Court is based - also contain only one ruling
and not several. In general, Art 58 GDPR only applies to currently existing or
to interpret possible legal infringements in the future.
Ultimately, a violation of the GDPR should be discussed in the form of a notification, so that
both in official proceedings and in individual proceedings for those subject to the law
the possibility of an appeal in the sense of legal protection is open.
Evidence was collected by inspecting the administrative file.
II. The Federal Administrative Court considered:
1. The following facts are established:
With a decision dated July 29, 2021, the relevant authority spoke in an officially initiated manner
Examination procedure on the admissibility of data use by the complainant
away.
The statement of the notice reads:
"The official examination procedure was justified and it is determined that the
Processing of personal data of 73 individuals between January and March
2021 for the purposes of internal investigations based on the information provided
Justification facts (§ 1 Abs. 2 DSG, Art. 6 Abs. 1 lit. a and alternatively lit. f
GDPR) was unlawful."
2. The findings result from the following assessment of evidence:
The findings are based on the harmless administrative act., - 6 -
3. Legally it follows:
The admissible complaint is justified.
3.1. Regarding the relevant legal provisions:
Article 58 GDPR entitled “Powers” reads:
“[…] (2) Each supervisory authority shall have all of the following remedial powers that
allow her
a) to warn a controller or a processor that
intended processing operations are likely to violate this regulation
violate
b) to warn a controller or a processor if he is using
processing operations has violated this regulation,
c) instruct the controller or the processor to comply with the requests of the
data subject to exercise the rights to which they are entitled under this regulation
correspond to,
d) instruct the controller or the processor to
Processing operations, if necessary, in a specific way and within a
to bring them into line with this regulation within a certain period of time,
e) to instruct the person responsible of a breach of protection
to notify the data subject of personal data accordingly,
f) a temporary or permanent restriction of processing, including
a ban on imposing
g) the correction or deletion of personal data or the
Restriction of processing pursuant to Articles 16, 17 and 18 and the
Informing the recipients to whom these personal data pursuant to Article
17 paragraph 2 and Article 19 were disclosed to order such measures,
h) to revoke a certification or to instruct the certification body to
revoke the certification granted in accordance with Articles 42 and 43, or the
instruct certification bodies not to issue certification if the
Requirements for certification are not or no longer met, - 7 -
i) to impose a fine pursuant to Article 83, in addition to or instead of in
measures referred to in this paragraph, depending on the circumstances of the individual case,
j) the suspension of the transfer of data to a recipient in a third country
or to an international organization. […]
(6) Any Member State may provide by law that its
Supervisory authority in addition to the powers listed in paragraphs 1, 2 and 3
has additional powers. The exercise of these powers shall not be effective
impair the implementation of Chapter VII.”
Section 24 DSG entitled “Complaint to the data protection authority” reads:
"Section 24. (1) Every data subject has the right to lodge a complaint with the
Data Protection Authority when it considers that the processing of you
personal data concerned against the GDPR or against § 1 or article
2 1. Chapter violates.
(2) The complaint must contain:
[…]
5. the desire to determine the alleged infringement [...]
(5) If a complaint proves to be justified, it must be followed. Is a
Injury to be attributed to a person responsible for the private sector, so is this
to comply with the complainant's requests for information, correction,
deletion, restriction or data transfer to the extent
which is required to eliminate the identified infringement. As far as the
If the complaint proves to be unjustified, it must be dismissed."
3.2. Applied to the situation, this means:
The authority concerned has to deal with the challenged decision in an ex officio manner
initiated test procedure agreed that the ex officio test procedure is justified
had been and established that the processing of personal data by 73
Persons between January and March 2021 for the purpose of internal investigations based on various
stated facts of justification was unlawful., - 8 -
However, the authority concerned has no legal basis for a self-employed person
Objection to the possible authorization to carry out a procedure within the meaning of
Art 58 para 2 GDPR or the possible illegality of the respective cause
Processing operation: Art 58 DSGVO contains no express legal basis for
an independent determination of the possible illegality of a data protection law
relevant processing operation in a procedure initiated ex officio by the
Data Protection Authority. § 24 DSG in turn regulates what you think in your opinion
Right to protection of the personal data concerning them
Individual complaint and is thus officially on the of the data protection authority
initiated proceedings not directly applicable. (VwGH 14.12.2021, Ro 2020/04/0032)
Also an analogous application of § 24 DSG, which the data protection authority
Competence grants, in the case of individual complaints, violations of data protection law
legally binding, on examination procedures initiated ex officio, separates
in the absence of an unplanned gap, because the legislature has the powers of
Data protection authority aware of individual complaints and official intervention
has regulated differently (see also VwGH 14.12.2021, Ro 2020/04/0032 mwN).
3.3. The objections of the authority concerned are not convincing.
3.3.1. If the authority concerned believes that the previously cited finding of
Administrative Court of December 14, 2021, AZ Ro 2020/04/0032, on the subject matter
case is not applicable because the Administrative Court in this decision only
has dealt with ongoing violations of the law, which
Infringements of rights in the case in question have already been completed is her
to counter that the Verwaltungsgerichtshofin the above-mentioned decision also
dealt with infringements that had already been completed, namely with
the transfer of personal data to third parties (margin no. 3).
3.3.2. However, the authority concerned must be agreed that the
Administrative Court in this decision only on violations of the GDPR, but not
- as here - referred to a violation of § 1 DSG. But that means nothing to her
win, because the main considerations of the Administrative Court also refer to violations
can be taken over against § 1 DSG:
Regarding the procedural rules and the competence of the data protection authority
the Data Protection Act makes no difference whether a breach of the GDPR or the
§ 1 DSG is objective. With regard to violations of § 1 DSG, there is no - 9 -
express legal basis for the authority concerned, infringements in one
officially initiated procedures in a legally binding manner.
An analogous application of § 24 DSG (only there - apart from the one here not
relevant § 22 para. 6 DSG - a determination competence of the data protection authority standardized)
is excluded in the case of violations of § 1 DSG, because the statements of the VwGH, according to which the
Legislators of the possibility of Art. 58 Para. 6 GDPR, according to which each Member State through
Legislation can provide that its supervisory authority, in addition to the provisions of Art. 58 para
1, 2 and 3 GDPR has additional powers according to the
Materials on § 22 DSG deliberately not used (cf. AB 1761 BlgNR 25. GP, 14),
which is why he extends the powers of the data protection authority to individual complaints and
official intervention deliberately regulated differently, which is why an analogy
due to a lack of gaps contrary to the plan, also apply to procedures that refer to § 1 DSG
support.
With the same justification, the Administrative Court also has that in this decision
- argument now used by the authority concerned that it is not comprehensible
why the authority concerned in proceedings on individual complaints, but not
has a determination authority in procedures initiated ex officio.
If the authority concerned argues that it is typical for violations of § 1 DSG that they
have already been completed and it can be submitted to the Austrian (constitutional) legislature
not be assumed to enact a provision that is not carried out ex officio
can, it starts from the incorrect assumption that data protection law - here this
Fundamental right to data protection according to § 1 DSG - would only be enforceable if
Violations of rights can be determined in a way that is legally binding.
On the contrary, the determination competence of the data protection authority in
Complaints procedure according to §24DSG has not been standardized to a person responsible or
to cause a processor to behave in accordance with the law or to
to help enforce data protection law itself, but to allow those affected to do so
enable illegality in an official procedure that is simple for them
to have a binding determination of data processing in order to inform the data subject
based on this finding to allow further individual claims - about
Claims for damages - to be pursued (VwGH 14.12.2021, Ro 2020/04/0032 Rz 38 f).
Rather, the enforcement of data protection law is carried out by other legal institutions, such as
Remedial powers of the authority, in particular according to Art. 58 GDPR, or fines, - 10 -
ensured
or a restriction of data processing in accordance with Art 58 Para 2 lit f GDPR
comes - the authority concerned has the competence to be responsible according to Art. 58 para. 2 lit b
GDPR to issue a warning or a fine pursuant to Art. 83 GDPR, if necessary
to impose administrative penalties in accordance with § 62 DSG. If profit or damage intent
In addition, a violation of § 1 DSG is even threatened with criminal penalties (§ 63 DSG).
Ultimately, the authority concerned may argue that violations of the GDPR
(probably also meant against § 1 DSG) is to be agreed in the form of a notification in order to
Enabling the addressee of a decision to appeal is a suitable justification
be sure that performance orders have to be issued in the form of a notification, but not that the
DSB has a determination authority.
3.4. The contested decision was therefore issued without a legal basis, which is why the
Complaints directed against him already for this reason and the decision
could be repaired without replacement.
3.4. It was therefore to be decided accordingly.
3.5. According to § 24 para. 2Z 1 2nd case
VwGVG are disregarded.
Regarding point B) Inadmissibility of the revision:
According to § 25a Abs 1 VwGG, the administrative court in its decision or
Pronounce a resolution as to whether the revision is permissible in accordance with Art. 133 Para. 4 B-VG. This
Statement must be briefly justified.
The revision is not admissible because there were no legal issues to be resolved, which were fundamental
importance within the meaning of Art. 133 Para. 4 B-VG. To answer the question of whether the
data protection authority in an ex officio initiated test procedure
is entitled to establish legal violations in a legally binding manner, or about the
To deny the authorization of the official examination procedure, that could be
Administrative Court based on the cited case law of the Administrative Court.
Although the citation cited did not expressly refer to violations of § 1 DSG, his
However, the underlying considerations could undoubtedly be transferred to violations of § 1 DSG
will.
