DSB (Austria) - 2022-0.083.310: Difference between revisions
mNo edit summary |
mNo edit summary |
||
Line 63: | Line 63: | ||
}} | }} | ||
The Austrian DPA found that | The Austrian DPA found that the Minister of Finances implementing instructions from a parliamentary anti-corruption committee falls within the scope of the GDPR. | ||
== English Summary == | == English Summary == |
Revision as of 16:24, 22 March 2023
DSB - 2022-0.083.310 | |
---|---|
Authority: | DSB (Austria) |
Jurisdiction: | Austria |
Relevant Law: | Article 2(2)(a) GDPR Article 58(2)(f) GDPR |
Type: | Other |
Outcome: | n/a |
Started: | |
Decided: | 14.02.2022 |
Published: | |
Fine: | n/a |
Parties: | Austrian Minister of Finances |
National Case Number/Name: | 2022-0.083.310 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | German |
Original Source: | DSB (Austria) (in DE) |
Initial Contributor: | mg |
The Austrian DPA found that the Minister of Finances implementing instructions from a parliamentary anti-corruption committee falls within the scope of the GDPR.
English Summary
Facts
An Austrian parliamentary anti-corruption committee asked the Minister of Finances to disclose information about criminal financial proceedings pending against an ÖVP (Österreichische Volkspartei – Austrian People's Party) politician.
In an attempt to prevent such disclosure from happening, the data subject requested the Austrian DPA to issue a ban on the processing pursuant to Article 58(2)(f) GDPR. According to the data subject, the problem was not the disclosure to the committee per se but rather the fact that personal data are usually leaked to the media. The data subject also claimed that there was no factual element behind the investigation, but only an attempt to damage him politically. Finally, the data subject argued that no legal basis could be found for the intended processing: thus, violations of Articles 5 and 6 GDPR occurred.
The controller in this case was the Minister of Finances, namely an organ of the government. However, the Minister of Finances claimed that it operated on behalf of the parliamentary committee, which is part of the legislative power. Therefore, according to the Minister, the DPA had no competence to deal with the matter since core legislative functions do not fall within the scope of the GDPR (Article 2(2)(a) GDPR). If a legal basis had to be found, however, that would be the parliamentary scrutiny in the interest of democracy. The Minister of Finances also argued, that the fact that members of the anti-corruption committee may later leak the data subject's data was not an issue within the control of the Minister of Finances and hence did not constitute a legal interest against the disclosure to the anti-corruption committee.
Holding
According to the DPA, the Minister of Finances' claim that it just implemented instructions from the parliamentary committee was unconvincing. The Minister is part of the executive power. When it comes to the disclosure of personal data, it is not obliged to provide the requested information in each case. As a consequence, it cannot be seen as acting exclusively on behalf of the Parliament. Therefore, the DPA has a general competence to review the Minister of Finances' actions in light of the GDPR.
However, the DPA also clarified that such competence is limited to ex post reviews: the DPA is not entitled to intervene before the processing occurred. Otherwise it would substitute itself to the Minister of Finances in taking the decision. Therefore, the data subject could not rely on Article 58(2)(f) GDPR, which refers to a processing already in place.
In a long obiter dictum, the DPA also added that, even imagining that the DPA was competent for ex ante reviews of the the Minister of Finances' actions, an injunction pursuant to Article 58(2)(f) GDPR could only be requested in case of an “imminent danger”. In the present situation, such danger would have lied in potential leaks of information to the media. However, the risk was associated with the parliamentary committee or its individual members and not with the Minister of Finances, which was the controller in this proceeding. Therefore, no measure could have been issued.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
text GZ: 2022-0.083.310 from February 14, 2022 (case number: DSB-D124.0128/22) [Editor's note: Names and companies, legal forms and product names, addresses (including URLs, IP and e-mail addresses), file numbers (and the like), etc., as well as their initials and abbreviations may be abbreviated and/or changed for reasons of pseudonymization be. Corrected obvious spelling, grammar, and punctuation errors.] NOTICE SAY The data protection authority decides on the application according to § 22 DSG from Udo A*** (applicant), represented by W*** Rechtsanwälte GmbH, B***straße *4, *** S***, to prohibit the processing of his personal data through the forthcoming transmission of information on financial criminal proceedings against him or against companies that were owned by him or in which he held executive functions, to the committee of inquiry into clarifying corruption allegations against ÖVP government members (ÖVP Corruption Investigation Committee). the Federal Minister of Finance (respondent) as follows: The application is rejected. Legal basis: §§ 22 para. 1 and 4 of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended, Art. 18, 51, 57 and 58 of the General Data Protection Regulation (GDPR) in conjunction with §§ 56, 57 para. 1 and 58 of the General Administrative Procedures Act 1991 (AVG), Federal Law Gazette No. 51/1991 as amended, Art. 52a, 53 and 138b of the Federal Constitutional Law (B-VG), Federal Law Gazette No. 1/1930 as amended, Section 25 of the Rules of Procedure for parliamentary committees of inquiry (VO-UA), Federal Law Gazette I. No. 99/2014 as amended. REASON A. Submissions 1. On January 24, 2022, the applicant submitted an application for the issuance of a mandate decision in accordance with Section 22 (4) DSG in conjunction with Section 57 (1) AVG and Article 58 (2) (f) GDPR. As justification, the applicant essentially argued that the minority of the parliamentary investigative committee called "ÖVP Corruption Investigative Committee" had demanded that the respondent ask whether against him or companies that he owned or in which he held an executive function, financial criminal proceedings had been initiated since 2015 and what the number of these would be. The transmission of the data concerned to the U-Committee would not be a problem in itself. However, the notorious permeability of sub-committees to the media public, which has been well known since the Ibiza sub-committee at the latest, is unbearable. It forces him to take precautionary action against the disclosure of data of any kind to the U-Committee. On the other hand, it is obviously inadmissible exploratory evidence. The planned data processing does not serve to investigate a "certain completed process in the area of federal administration", but rather to find snippets of information that are interesting for the media. He is being brought before a political tribunal on a blanket suspicion that has no basis in substance – with the only recognizable aim of bringing him out in order to exchange political change on his back. The data processing in question - both the evaluation and the transmission - falls within the scope of the GDPR and the DSG. Data processing is therefore only permissible if, on the one hand, it complies with the general basic principles of the processing of personal data (Article 5 GDPR) and, on the other hand, it fulfills a specific legal basis (Article 6 GDPR). The present request pursuant to Section 25 (2) VO-UA has no other purpose than to obtain exploratory evidence and contradicts the specificity requirement stipulated by the legislature. His name was picked out completely arbitrarily from the extensive list of "(potential) donors of the ÖVP" and brought into a deeply reputation-damaging, libelous connection to (purely suspected) financial criminal proceedings and corruption. Since it is not provided under federal constitutional law or ordinary law to meet inadmissible evidence requirements, the data processing (evaluation and transmission) is not necessary to fulfill a legal obligation. There is therefore no legal basis within the meaning of Art. 6 GDPR. The request in question also lacks the restriction required in Art. 53 Para. 3 B-VG, according to which only files and documents "to the extent of the subject of the investigation" may be submitted. With regard to the required data, however, there is not even an abstract relevance for the object of investigation. There is a violation of the principle of lawfulness of processing according to Art. 5 Para. 1 lit. a GDPR. In addition, there is a violation of the principle of data minimization according to Art. 5 Para. 1 lit. c GDPR. The applicant considers a submission to be incompatible with the requirements of the GDPR because it violates the principles of data minimization, legality and purpose limitation due to the lack of abstract relevance to the object of investigation. Likewise, a weighing of interests pursuant to Section 1 (2) DSG must be in favor of the applicant. The main reason why the transmission of personal data to the U-Committee is so problematic is that the confidentiality obligations imposed on the members of the U-Committee and other persons authorized to access the data are simply regarded by them as irrelevant. The VO-UA and the InfoOG provide for a ban on disclosure and publication in several places. In particular, the forwarding of documents from the investigative committee regarding the alleged venality of the turquoise-blue federal government ("Ibiza U-Committee") to the media has shown that the U-Committee has holes like Swiss cheese and that it is practically impossible to Hold those responsible for the data leaks accountable. There is imminent danger with regard to the data processing in question. It can be assumed that the Federal Minister, if he has not already started to do so, will start evaluating/collecting the required data in the next few days and will immediately transmit the evaluated data to the U-Committee. This means that the documents would be sent by the registry of the National Council to all members of the U-committee and numerous other people without prior information and hearing of the person concerned and without closer examination of the content of the documents and the lawfulness of the processing as soon as they were there had arrived. There is a significant and immediate threat to his interests in secrecy, which are worthy of protection. 2. In a submission dated January 31, 2022, the respondent argued that the Parliament's request for a survey ultimately led to the U-Committee of the Federal Minister of Finance using the U-Committee for the purpose of indirect evidence gathering. The respondent was formally assigned to the executive state power. However, insofar as he carries out surveys on behalf of a U-committee, he becomes functionally active for the legislature. Actions by an administrative authority to implement a request from a sub-committee to carry out surveys pursuant to Section 25 (3) VO-UA are to be attributed to the legislative power. The decision on the purposes of the data processing is specified by the investigation order in accordance with Section 25 (2) and (3) VO-UA and the subject of the investigation. The fact that the means of data processing are not specified and that the respondent has some leeway with regard to the technical and organizational use of resources does not change the fact that the purposes of data processing are specified by the subcommittee. It follows that the U-Committee and not the Federal Minister of Finance is to be qualified as responsible. According to the wording of § 18 DSG, the DSB is set up as a national supervisory authority under Art. 51 GDPR. From a constitutional point of view, however, it would not be arguable that the DSB would be called upon to control the legislative body. Any data protection control must be limited to checking whether the relevant data protection provisions have been complied with when handling personal data obtained as part of the subject of the investigation and the decision to take evidence. The present application to the DSB is essentially not directed against the fact that the requirements of the GDPR were not observed when processing personal data, but against the collection order of the U-committee to the respondent. In this respect, the DSB is also not responsible. The DSB, as an administrative authority, is prohibited from examining files that are attributable to legislation without an express constitutional basis. This applies even if one assumes that the respondent does not act as an auxiliary body of legislation within the framework of the collection order, but as an administrative body, since any prohibition notice from the DSB would also materially suspend the collection order of the U-committee. The arguments of the applicant are not suitable to justify a direct threat to secrecy interests worthy of protection in accordance with Sections 22 (4) DSG in conjunction with Section 57 (1) AVG. The respondent, as the body responsible for making submissions to the committee of inquiry, is obliged to fully meet all the evidence requirements within the scope of its competence. In the specific case, the committee of inquiry had clearly defined which files and documents were to be submitted to Parliament by the Federal Minister of Finance in accordance with the supplementary evidence resolution pursuant to Section 25 (2) VO-UA. The threat to his interests in secrecy, which is worthy of protection and which is only alleged by the applicant, arises, if at all, only in the sphere of the investigative committee in Parliament. The VwGH recently dealt in detail with the question of whether the GDPR is also applicable to core activities of legislation and answered this question in the negative because this activity falls under Art. 16 Para. 2 TFEU and is therefore subject to Art. 2 Para. 2 lit. a GDPR is excluded from the material scope of the GDPR (VwGH December 14, 2021, Ro 2021/04/0006). Even if these statements are contained in a preliminary ruling request to the ECJ and a decision by the ECJ is still pending, they are quite convincing and justifiable, so that the DPO does not have the right to examine due to the lack of applicability of the GDPR. The obligation to submit has a sufficient legal basis within the meaning of Section 1 (2) DSG and the weighing of interests provided for there is in any case in favor of the admissibility of the data use due to the importance of parliamentary control for a democratic society. The further processing of the data in the U-Committee, regardless of whether the respondent is responsible for the collection of the data within the framework of an order from the U-Committee or not, is exclusively the responsibility of Parliament and therefore cannot be the basis of a complaint addressed to the Federal Minister be a cease-and-desist order directed towards finances. It is also noted that a body that is required to submit a submission has no authority to subsequently amend a specific and clearly defined additional evidence requirement, as in the present case. The same applies to the assessment of the data protection principles of purpose limitation according to Art. 5 Para. 1 lit. b GDPR and data minimization according to Art. 5 Para. 1 lit -committees would say yes. The (theoretical) possibility of a data protection violation by members of the investigative committee or other persons with access rights to the data in non-compliance with legal obligations of confidentiality and secrecy can under no circumstances justify the non-compliance with an additional requirement for evidence by an organ that is obliged to submit a submission, whose actions according to Art. 18 B-VG can only be based on may be made by laws. There would also be legal protection options in connection with the committee of inquiry, which are open to the person concerned at any time. B. Findings of Facts 1. On October 13, 2021, the request for the establishment of an investigative committee in accordance with § 33 (1) second sentence GOG-NR regarding clarification of corruption allegations against ÖVP government members (ÖVP corruption investigative committee) was introduced in the National Council (4/US 27th GP) and the committee of inquiry concerned was set up on December 9, 2021 as part of the 133rd session of the National Council. 2. On December 16, 2021, some of the members of the committee of inquiry pursuant to Section 25 (2) VO-UA made the following request to the respondent (formatting not reproduced 1:1, markings by the applicant): [Editor's note: the graphic file (request to the respondent by some of the members of the investigative committee) was removed because it cannot be displayed pseudonymised in the RIS. The document contains the request to the Federal Minister of Finance "to find out against which of the following persons or companies, which were owned by these persons or in which they held executive positions, criminal financial proceedings have been initiated since 2015 and the number of these proceedings" . The following list contains the name of the applicant.] Evidence assessment: The findings result from the submissions of the applicant in the complaint brief dated January 24, 2022, the statement by the respondent dated January 31, 2022 and official investigations by the data protection authority (ÖVP - Corruption Investigation Committee). D. In legal terms it follows that: C.1. On the competence of the data protection authority The Respondent essentially argues that he is formally assigned to the executive state power. However, insofar as he carries out surveys on behalf of a U-committee, he is functionally working for the legislature and is therefore not the responsibility of the data protection authority. In this context, the respondent refers to the case law of the Constitutional Court, according to which organs that act on behalf of another state function are attributed to the state function on whose behalf they are acting (VfSlg. 10.290/1984, 11.961/1989 , 13.670/1994 concerning measures taken by administrative authorities following a court order). The data protection authority does not share the legal opinion of the respondent that he, as the referring body, is to be attributed to the legislative power: According to Art. 53 Para. 1 B-VG, the National Council can appoint committees of inquiry by resolution. Committees of inquiry are to be assigned to the legislature, both organizationally and functionally. Art. 53 para. 3 B-VG obliges all the bodies mentioned to support the activities of a committee of inquiry by submitting files and documents and by conducting surveys. Para. 3 leg. cit. establishes a self-information right of the sub-committee to the extent of the subject of investigation (cf. Konrath/Posnik in Kahl/Khakzadeh/Schmid, commentary on the Federal Constitutional Law B-VG and fundamental rights Art. 53 B-VG). According to Section 25 (2) VO-UA, a quarter of the members of the (already set up) investigative committee can request additional evidence (beyond the basic evidence resolution). The constitutional requirements according to Art. 53 Para. 3 and 4 B-VG are decisive. They are intended to ensure that the activities of a committee of inquiry do not endanger sources pursuant to Art. 52a para. 2 B-VG, nor influence a decision-making or decision-making process in a federal executive body, and this also not in any other way is impaired (cf. Paperback Committees of Inquiry Legal Texts and Explanations, 7th edition, page 73). The system of separation of powers and only individual power-binding elements on which the Federal Constitution is based requires an independent area of responsibility for implementation in general, and for the Federal Government and its members in particular. By determining the object of investigation in Art. 53 Para. 2 B-VG, it is generally ruled out that a committee of inquiry is involved with the ongoing activities of the Federal Government or its members and in particular with open decision-making processes (cf. Erl to Federal Law Gazette I No. 101/ 2014, 439 dB XXV.GP) Art. 53 para. 4 B-VG substantiates para. 3 insofar as it clarifies that the information rights of the National Council are not unlimited in the interest of the functioning of the federal government and its members (cf. paperback investigative committees legal texts and explanations, 7th edition, page 14 ff). Overall, these provisions mean that the National Council's right to information can therefore be restricted and the exception serves, among other things, to ensure the functionality and the independent and uninfluenced decision of the Federal Government or a member of the Federal Government in individual cases (cf. Zögernitz, NR-GOG, § 24 VO-UA). Contrary to what the respondent argues, it is not always obliged to submit it to the committee of inquiry, especially not in the cases of Art. 53 (3) last sentence and (4) B-VG, which in any case speaks against the assumption of the respondent that it "as a (mere) collection body" would be functionally assigned to the state function of legislation, because in this case it would not have any independent discretion with regard to the submission of files. The regulation of Art. 138b Para. 1 Z 4 B-VG and the related case law of the Constitutional Court (see in particular VfSlg. 19.973/2015) speak against the acceptance of the respondent. Therefore, the respondent is not deprived of its organizational and functional classification as an administrative organ even in the case of an obligation to submit to a committee of inquiry. In summary, it is therefore possible for an administrative body that is obliged to provide information to submit complaints in connection with a file submission to a committee of inquiry at the data protection authority, which has comprehensive powers of control over - including the highest - administrative bodies (Section 35 (1) and (2) DSG). However, as the Constitutional Court has already stated, the role of the data protection authority is limited to an ex-post control in the event of an obligation to submit to a committee of inquiry (see, for example, the decision of September 25, 2021, UA 6/2021 with further references; see also the - approving - notification of September 8, 2021, GZ: 2021-0.474.768). An ex-ante control, as sought by the applicant, would inevitably result in the data protection authority as an - albeit independent - administrative authority taking the place of the body responsible for submission and thus having to interpret a request in accordance with Section 25 VO-UA. On the one hand, this would result in an examination of the content of the request and thus to the admissibility of the request from the point of view of the GDPR and the DSG. On the other hand, it would then be in the hands of the data protection authority to (partially) prevent the files being submitted to a committee of inquiry and thus restrict its investigative activities, without the committee of inquiry or its members being able to contest this decision due to lack of party status. In Art. 138b B-VG (conclusive), the constitutional legislature has provided for the possibility of binding dispute settlement by the Constitutional Court in connection with committees of inquiry. The fact that Art. 138b B-VG does not provide for a data subject to prevent the submission of a file due to the risk of violating highly personal rights (see again the ruling of September 25, 2021 already cited) may represent a gap in the legal protection system, but it can not lead to establishing a competence of the data protection authority. Finally, it is noted here that the request for a preliminary ruling from the ECJ cited by the respondent pursuant to Art -33/22), which deals with the applicability of the GDPR to the processing of personal data by a committee of inquiry set up by a parliament of a Member State in the exercise of its right to oversee enforcement. In the present case, on the other hand, the subject of the proceedings is data processing which, although connected to the activities of a committee of inquiry, is carried out or should be carried out by an organ referring to the committee of inquiry. In the present case, therefore, nothing can be derived from the reference for a preliminary ruling referred to. The application therefore proves to be inadmissible for the reasons given above. C.2. On the mandate notice in general But even if one wanted to assume that the data protection authority had jurisdiction, the application would not be successful. Mandate notifications typically serve the immediate and ex officio enforcement of measures of an administrative nature that cannot be postponed in a one-party procedure. In this respect, they are of a provisional nature and therefore do not fit into a procedure with several parties involved, in which a (final) decision can be issued which would finally regulate the matter - which is disputed between the parties involved - after the corresponding investigations have been carried out. In this respect, this is an atypical mandate decision of its own kind, but it can be deduced from the clear wording of the law in the sense of the applicant's submission that the legislator wanted to grant the person concerned a subjective right to legal protection by the data protection authority. A merit-based decision must therefore be made on the present application (cf. the notification of October 29, 2015, GZ: DSB-D215.861/0010-DSB/2015). According to § 22 Para. 4 DSG in connection with § 57 Para in default) is present and thus takes into account an increased risk potential in the event of imminent danger (cf. Thiele/Wagner, practical commentary on the Data Protection Act (DSG), § 22 DSG, margin no. 8). Since the issuance of a mandate decision does not have to be preceded by an investigation by the data protection authority, it is up to the applicant to certify the legal requirements for the issuance of the decision together with the application (to make this credible, to provide prima facie evidence; cf. Schmidl in Gantschacher†/Jelinek/Schmidl/Spanberger , Commentary on the DSG, § 22 Note 9). Subsequent retrieval of the certificate or evidence-based proceedings would not be compatible with the character of the decision pursuant to § 22 DSG as an urgent administrative measure (data protection police emergency decree) (cf. the decision of September 24, 2015, GZ: DSB-D215.813/0012 -DSB/2015). The issuing of a mandate decision requires, on the one hand, that the data processing is materially unlawful and that there is already a reasonable suspicion that this is the case. Factual indications must therefore justify the assumption of the probability that provisions of data protection law have been violated and that this can be explained in a rationally comprehensible manner (cf. VwGH March 21, 2012, 2012/16/0005). On the other hand, it is necessary that the operation of this data processing poses a significant direct threat to confidentiality interests of the data subjects that are worthy of protection (i.e. imminent danger) (cf. Thiele/Wagner, practical commentary on the Data Protection Act (DSG), § 22 DSG, margin no. 15). Both criteria must be met in order for a mandate decision to be issued. There is imminent danger if the omission of the official measure would probably result in the data subject having to accept (further) privacy violations or even damage, which can be prevented by issuing the provisional prohibition of data processing. In this respect, Section 22 (4) DSG represents a lex specialis to Section 57 AVG. This means that the otherwise necessary examination of the impossibility of postponing the measure in relation to the necessary duration of the preliminary investigation in the data protection area is omitted (cf. Thiele/Wagner, practical commentary on the data protection law ( DSG), § 22 DSG, margin no. 18). A general concern with regard to future events is not sufficient to meet the criteria of “imminent danger” (cf. DSK 30.3.2012, K121.765/0008-DSK/2012). The existence of imminent danger must be justified with facts that relate to the individual case. Pure speculation, hypothetical considerations or assumptions based on everyday experience that are independent of the case are not sufficient (cf. Thiele/Wagner, practical commentary on the Data Protection Act (DSG), § 22 DSG, margin no. 20). C.3. Regarding the existence of a significant direct threat to the applicant's confidentiality interests worthy of protection through the operation of the data processing in question (imminent danger): First of all, it should be noted that the data protection authority, according to the statements made above, in any case over the application of January 24, 2022 for the issuance of a mandate decision in accordance with Section 22 (4) DSG in conjunction with Section 57 (1) AVG in conjunction with Article 58 (2) lit. f GDPR has to deny merit. As has been established, as part of the additional evidence requirement pursuant to Section 25 (2) VO-UA of December 16, 2021, the respondent was requested to raise whether against the applicant or companies that were owned by or in which he held board functions, since 2015 criminal financial proceedings were initiated and to what number these were led. With regard to the data processing in question, the applicant argues that the evaluation and transmission of the data concerned to the committee of inquiry is not a problem in principle, but that it is about the forwarding of information or documents to the media public by members of the committee of inquiry. With regard to the possible existence of imminent danger, the applicant claims in his submission initiating the proceedings that as a result of the investigative work of the ÖVP corruption investigation committee it can be assumed that the data will be transmitted promptly to this committee of investigation. Essentially, the applicant justifies the existence of a significant threat to his confidentiality interests with the fact that information or documents concerning him were passed on by third parties (members of the investigative committee) and finally published. However, the admissibility of a mandate decision presupposes that a dangerous situation by the respondent and person responsible within the meaning of Art. 4 Z 7 DSGVO is to be feared. However, it is not concretely recognizable and it was also not presented to what extent this dangerous situation would have arisen directly as a result of the objected data processing by the respondent (especially since this is basically covered in Art. 53 Para. 3 B-VG), the application of 24 January 2022 against the (upcoming) evaluation and transmission of documents related to the applicant to the ÖVP corruption investigation committee. At no time did the applicant claim that this personal data (e.g. to the media) was directly disclosed by the respondent. Rather, the applicant expressly stated that the data processing of the respondent did not pose a problem in principle. Thus, the (alleged) direct threat to his interests in secrecy, which is worthy of protection, does not lie in the data processing that is the subject of the proceedings. In addition, only a general concern regarding future events can be derived from the submissions of the applicant, which, however, are not attributable to the sphere of the respondent. From the data protection authority's point of view, the fear that members of the committee of inquiry would - contrary to existing confidentiality obligations - disclose to third parties the information they became aware of in the course of their work for the committee of inquiry is merely hypothetical considerations or assumptions based on everyday experience (by the applicant "the notorious permeability of U-committees" is cited), which are not suitable for being able to certify the existence of a concrete dangerous situation within the meaning of § 22 DSG with regard to the respondent (cf. again Thiele/Wagner, practical commentary on the data protection law (DSG), § 22 DSG, margin no. 20). In summary, it can be stated that the alleged endangerment of the applicant's interests is seen in the activities of members of the committee of inquiry, but not in the data processing by the respondent - which is the subject of the proceedings here. In any case, it is beyond the Respondent's sphere to influence the data processing after the transmission has taken place (apart from the classification according to the InfOG). The application was therefore dismissed accordingly. In the present case, the applicant has submitted an application for the issuance of a mandate decision in accordance with Section 22 (4) DSG in conjunction with Section 57 (1) AVG in conjunction with Article 58 (2) (f) GDPR. For this reason, these legal bases for a mandate decision are also listed in the decision (§ 22 Para. 4 DSG and § 57 AVG). Nevertheless, the refusal does not take the form of a mandate decision, since the characteristic of imminent danger required under Section 57 (1) AVG is in any case missing for the refusal of the application. A mandate decision - and thus a legal protection procedure extended and extended by the possibility of presentation - only makes sense in the case of a positive administrative police intervention in existing rights (arg: "measures that cannot be postponed"), but not in the present case of the rejection of such an application Intervention due to the lack of the legal requirements (see again the above-mentioned decision of September 24, 2015).