OGH - 6Ob19/23x: Difference between revisions

From GDPRhub
No edit summary
mNo edit summary
 
Line 62: Line 62:
}}
}}


In the follow-up to the CJEU ''Österreichische Post'', the Austrian Supreme Court stated that the controller had an obligation to disclose specific recipients’ identities to the extent that the data subject asked for it and this was technically feasible.
In the follow-up to the [https://curia.europa.eu/juris/document/document.jsf?docid=269146&doclang=en CJEU ''Österreichische Post''], the Austrian Supreme Court stated that the controller had an obligation to disclose specific recipients’ identities to the extent that the data subject asked for it and this was technically feasible.


== English Summary ==
== English Summary ==

Latest revision as of 13:56, 10 May 2023

OGH - 6Ob19/23x
Courts logo1.png
Court: OGH (Austria)
Jurisdiction: Austria
Relevant Law: Article 15(1)(c) GDPR
Decided: 24.03.2023
Published:
Parties: Österreichische Post AG
National Case Number/Name: 6Ob19/23x
European Case Law Identifier: ECLI:AT:OGH0002:2023:0060OB00019.23X.0324.000
Appeal from:
Appeal to: Not appealed
Original Language(s): German
Original Source: OGH (Austria) (in German)
Initial Contributor: mg

In the follow-up to the CJEU Österreichische Post, the Austrian Supreme Court stated that the controller had an obligation to disclose specific recipients’ identities to the extent that the data subject asked for it and this was technically feasible.

English Summary

Facts

The controller was a logistics and postal service provider also active in the fields of direct marketing and address publication. The data subject requested the controller to provide access to personal data concerning them pursuant to Article 15 GDPR. Deeming the controller’s reply insufficient, the data subject went to court to enforce their right to access.

The data subject asked a full disclosure of which data were effectively shared and with whom, as the controller’s reply did not comply with the principles of accuracy and comprehensibility under Article 12(1) GDPR. During the civil proceeding it became clear that the controller processed and shared with third-parties data concerning the data subject’s marketing profile and potential political affinities with third-parties. However, the controller did not disclose the identity of specific recipients in the access request, but only their broad categories (e.g. advertising companies, IT-companies, NGOs).

The controller denied that statistical data about data subjects’ political and philosophical affinities (the so-called marketing profiles) were personal data covered by the GDPR. The controller also replied that it could not disclose recipients’ identity because of several reasons, such as business confidentiality and a disproportionate effort on its side, as it did not keep a record of all the disclosure operations. Also, the controller argued that there is no obligation to disclose the identity of specific recipients under the GDPR, but only the categories of recipients.

The first instance court upheld the controller’s defense.

The court of appeal confirmed this judgement, stating that the GDPR gives the controller a free choice whether to share specific recipients or broad categories of recipients. As the controller disclosed such categories during the first instance proceeding, Article 15 GDPR was not violated.

The Austrian Supreme Court sent a preliminary reference to the CJEU, which decided the case with judgement C-154/21, Österreichische Post. In the CJEU’s view, the controller has an obligation to disclose specific recipients when the data subject so requested.

This judgement is the follow-up of that decision at the national level.

Holding

The Austrian Supreme Court stated that the accuracy of marketing profiling operated by the controller was irrelevant to the question whether the information collected and shared by the controller was personal data under Article 4(1) GDPR. Indeed, the fact that marketing (and political) profiles might have been inaccurate did not put into question their nature of being personal data.

Concerning the controller’s obligation to disclose the specific recipients’ identities, the court referred to Österreichische Post and confirmed that this disclosure was mandatory under Article 15(1)(c) GDPR. The court completely disregarded the claim that business confidentiality could impair the data subject’s right pursuant to Article 15(1)(c) GDPR.

However, the Court sent the case back to the judge of first instance, in order to ascertain whether the disclosure of the recipients was really impossible in practice, as the controller claimed. As a matter of fact, this circumstance was taken for granted by the judge and not factually proved.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Head

The Supreme Court, as a court of appeal, has been appointed by Senate President Hon.-Prof. dr Gitschthaler as chairman and the privy councilors Dr. Nowotny, Dr. Hofer-Zeni-Rennhofer, Dr. Faber and Mag. Pertmayr as additional judges in the case of the plaintiff J* V*, represented by Mag. Robert Haupt, LL.M., lawyer in Vienna, against the defendant Ö* AG, *, represented by Wolf Theiss Rechtsanwälte GmbH & Co KG in Vienna, for providing information in accordance with Art 15 GDPR, on the plaintiff’s appeal against the judgment of the Vienna Higher Regional Court as a court of appeal of January 18, 2021, GZ 11 R 188/20b Co KG in Vienna, for providing an Information in accordance with Article 15, GDPR, about the appeal of the plaintiff against the judgment of the Vienna Higher Regional Court as a court of appeal of January 18, 2021, GZ 11 R 188/20b-21, whereby the judgment of the Vienna Regional Court for civil law matters of October 13, 2020, GZ 60 Cg 14/20z-15, was confirmed in closed session

decision

caught:

saying

I. The proceedings interrupted by the decision of April 15, 2021, AZ 6 Ob 63/21i will be continued.Roman one. The procedure interrupted by the decision of April 15, 2021, AZ 6 Ob 63/21i will be continued.

II. The revision will be followed.roman II. The revision will be followed.

The decisions of the lower courts are reversed. The case is remanded to the trial court for a new hearing and decision.

The costs of the appeal proceedings are further procedural costs.

text

Reason:

[1] Defendant is the nation's leading logistics and postal service provider, whose primary businesses include the transportation of letters, direct mail, print media and packages. In addition, the defendant has a trade license as an "address publisher and direct marketing company" within the meaning of § 151 GewO. The defendant is the country's leading logistics and postal service provider, whose main business areas include the transport of letters, direct mail, print media and packages. In addition, the defendant has a trade license as an "address publisher and direct marketing company" within the meaning of Section 151, GewO. On February 17, 2019, the plaintiff submitted a request for information to the defendant in accordance with Article 15 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of data and to repeal Directive 95/46/EC (General Data Protection Regulation, OJ L 119/1 of May 4th, 2016, S 1; hereinafter "GDPR") on the type and content of the data stored about him, where they came from, what they were used for and to whom they were or will be transmitted.

[2] In its electronically transmitted information, the defendant listed the personal data of the plaintiff that it had processed, their origin and the plaintiff's marketing classifications. She announced that the plaintiff's personal data and marketing classifications would be offered to the defendant's business customers. The defendant received marketing classifications ("Sinus-Geo-Milieus") determined on the basis of a probability calculation from one of its named suppliers, took them over and sold them on unchanged. For the plaintiff, the dominant marketing classification (probability value) was the "Geo Milieu: middle class" with 26.78%. The Conservative probability value accounted for 5.44%. The following description is assigned to the Sinus Milieu “bourgeois middle class”: “The mainstream who is willing to perform and adapt: striving for professional and social establishment, secure and harmonious relationships, support and orientation, peace and deceleration”. The information provided by the defendant also contained a tabular listing of the plaintiff's party affiliation, with the information found at the beginning of the letter that these statistical projections regarding "possible target group for election advertising" would be deleted after the information was issued.

[3] Further information was available by linking to the defendant's website. Among the data protection purposes listed there was in particular the information that the defendant used data for marketing purposes of third parties as part of its work as an address publisher and direct marketing company in order to support advertising companies in active and targeted customer communication. The data used for this is name, gender, title, academic degree, address, date of birth, job, industry or business name and affiliation to the customer and prospect file from which the defendant obtained data. The categories of potential recipients could be accessed via a link to the data protection information. In addition to data exchange within the Post group of companies, transmission to external service providers, namely IT service providers, print service providers, service providers in the context of customer care, contract management, market research institutes, marketing companies and advertising agencies as well as transmission to courts and authorities, there was a list of other recipients such as insurance companies, auditors or NGOs.

[4] It was only in the course of the present legal procedure that the defendant informed the plaintiff in the respondent and (according to the action expansion) in a preparatory brief that the marketing classification "probability value conservative" was processed for marketing purposes as part of the address. "Business customers" (namely advertising companies, e.g. in mail order and stationary trade, financial service providers and insurance companies, IT and telecommunications companies, energy suppliers, address publishers and associations such as charitable organizations, NGOs and political parties). The defendant did not disclose specific recipients of the plaintiff's data. As a recipient of the marketing classification "Possible target group for election advertising", only the Social Democratic Party of Austria could be considered as a potential recipient. Data was last transmitted to them in July 2018, although it was no longer possible to determine whether the plaintiff's data records were also included.

[5] The plaintiff requests the defendant's conviction to him (improved) information in accordance with Art 15 GDPR, contains the information as to whether the plaintiff's personal data on party affinity ("sought the defendant's conviction to him (improved) information Article 15, GDPR, including the information as to whether the plaintiff’s personal data on party affinity (“Possible target group for election advertising [...]”) and on ideology (e.g. “Probability value conservatives”) were (or not) transmitted, and if so, also of the Recipient(s) to whom the personal data of the plaintiff have been disclosed or will be disclosed. The information provided by the defendant does not meet the legal requirements of Art 15 GDPR because it does not indicate whether the defendant has the personal data of the plaintiff to third parties and, if it was actually passed on, who the specific recipients of this data were. The information did not meet either the requirement of accuracy or the requirement of comprehensibility of Art. 12 Para. 1 Sentence 1 DSGVO.") were transmitted (or not), and if so, also of the recipient(s) to whom the personal data of the plaintiff was disclosed have been or will be disclosed. The information provided by the defendant does not meet the legal requirements of Article 15 GDPR because it does not show whether the defendant passed on the personal data of the plaintiff to third parties and, if it was actually passed on, who the specific recipients of this data were. The information did not meet the requirement of accuracy or comprehensibility of Article 12, paragraph 1, sentence 1 GDPR.

[6]                                                                                                                                    ¡ The marketing classifications mentioned are not personal data of the plaintiff. The plaintiff has no right to the disclosure of specific recipients. Such is also not actually possible or could only be reconstructed with a disproportionate amount of effort because the defendant does not keep any records of the specific recipient. Furthermore, a detailed disclosure of the individual recipients would be tantamount to a disclosure of the distribution channels and the individual customer relationships of the defendants and thus interfere with their business secrets and the confidentiality interests of their customers. Therefore, such a comprehensive disclosure is not owed on the basis of Article 15 (4) GDPR. Objected that the information provided to the plaintiff met the requirements of Article 15 GDPR. The marketing classifications mentioned are not personal data of the plaintiff. The plaintiff has no right to the disclosure of specific recipients. Such is also not actually possible or could only be reconstructed with a disproportionate amount of effort because the defendant does not keep any records of the specific recipient. Furthermore, a detailed disclosure of the individual recipients would be tantamount to a disclosure of the distribution channels and the individual customer relationships of the defendants and thus interfere with their business secrets and the confidentiality interests of their customers. Therefore, such a comprehensive disclosure is not owed on the basis of Article 15, paragraph 4, GDPR.

[7] The trial court dismissed the claim. It was undisputed that the defendant did not keep a record of the individual data sets in the data packages sent to its customers and that a retrospective reconstruction of the specific data sets was not possible or only possible with great effort. It can be left open whether the probability values of the marketing classifications are personal data because the defendant fulfilled the request for information at the latest with a brief submitted in the present proceedings. The specification of recipient categories corresponds to the legal requirements; the individual recipients do not have to be named.

[8] The Court of Appeals upheld this decision. It is not undisputed that the defendant does not keep a log of the individual data sets in the data packages sent to its customers and that retrospective reconstruction of the specific data sets is not possible or only possible with great effort. However, the defendant informed the plaintiff at the latest in the course of this process about the transmission of the data specified by the plaintiff. Art 15 para 1 lit c GDPR gives the person responsible the right to choose whether to name specific recipients or categories of recipients to the data subject. The defendant made use of this by informing the plaintiff of the relevant categories of recipients. confirmed this decision. It is not undisputed that the defendant does not keep a log of the individual data sets in the data packages sent to its customers and that retrospective reconstruction of the specific data sets is not possible or only possible with great effort. However, the defendant informed the plaintiff at the latest in the course of this process about the transmission of the data specified by the plaintiff. Article 15, paragraph one, litera c, GDPR gives the person responsible the right to choose whether to name specific recipients or categories of recipients to the data subject. The defendant made use of this by informing the plaintiff of the relevant categories of recipients.

[9]                                                                                         The ordinary Revision to because there is no supreme court ruling on the question of whether Article 15, paragraph one, litera c, GDPR grants the person responsible the right to choose to name the data subject either specific recipients or categories of recipients.

[10] Plaintiff's appeal is allowed for the reason stated by the Court of Appeal; it is also entitled in the sense of the application for annulment made as an alternative.

Legal Assessment

[11] 1.1. Whether actual allegations by a party are to be regarded as admitted on the basis of a conclusive confession within the meaning of Section 267 (1) ZPO is to be assessed by the court, taking careful consideration of the entire content of the opponent's submissions (RS0040091; cf. RS0083785). However, the mere omission of a dispute can only be regarded as a concession if, in the individual case, there are weighty indications for a (conclusive) confession (RS0039955 [T2, T3]; RS0039941 [T3, T4, T5]), for example because the statement made by the opponent Apparently, the assertion had to be easily refutable, but was never specifically commented on (RS0039927 [T1], or because a party only counters individual factual allegations by the opponent with a concrete counter-argument, but does not comment on the content of the others (RS0039927 [T12]). 1.1. The court must assess whether actual allegations by a party based on a conclusive confession within the meaning of Section 267, Paragraph 1, ZPO are to be regarded as admitted, taking careful consideration of the entire content of the opposing arguments (RS0040091; compare RS0083785). The mere omission of the dispute but can only be considered a concession if there are important indications for a (conclusive) confession in the individual case (RS0039955 [T2, T3]; RS0039941 [T3, T4, T5]), for example because the assertion made by the opponent obviously had to be easily refutable, but never specifically commented on it (RS0039927 [T1], or because a party only counters individual factual allegations by the opponent with a concrete counter-argument , but does not comment on the content of the others (RS0039927 [T12]).

[12] 1.2. The court of first instance accepted the defendant's assertion that a retrospective reconstruction of the specific data sets sent to business customers was not possible or only possible with great effort as conclusively undisputed. However, the Court of Appeal correctly pointed out that there were not sufficient indications for this in the present case and the plaintiff's conduct in the process shows that he (also) rejects the defendant's point of view that the requested information is factually not possible due to the recipient's lack of knowledge. The non-contention assumed by the court of first instance would amount to a conclusive admission that the fulfillment of the request for action was impossible, which cannot be assumed of the plaintiff here.

[13] 1.3. Defendant's submissions in this regard are pertinent. In this respect, there is therefore a deficiency in the finding, which the court of first instance will have to rectify in the continued proceedings (on this below point 4.1. f).

[14] 2.1. In the meantime, the Supreme Court has already had to deal with the question of whether the information at issue here about “worldview” or “affinity with parties” constitutes personal data within the meaning of Art 4 No. 1 GDPR in other proceedings also brought against the defendant here (6 Ob 35/21x; 6 Ob 127/20z). Accordingly, the term "personal data" of Art 4 No 1 GDPR is to be understood broadly. Therefore, internal states such as opinions, motives, wishes, beliefs and value judgments as well as statistical probability statements that do not represent mere forecast or planning values, but rather provide subjective and/or objective assessments of an identified or identifiable person, have a personal reference. The information to be assessed here is therefore subject to the regime of the GDPR, as it is directly assigned to the plaintiff and contains statements about his preferences and attitudes; whether the assessments are actually correct is irrelevant. The fact that the data is (only) calculated using statistical probabilities does not change the existence of personal data. The "affinities" contain a probability statement about certain interests and preferences of the plaintiff (6 Ob 35/21x [Recital Gr 1.ff]; 6 Ob 127/20z [Recital Gr 2.ff]).2.1. In the meantime, the Supreme Court has already had to deal with the question of whether the information at issue here about “worldview” or “party affinity” constitutes personal data within the meaning of Article 4, No. 1 GDPR in other proceedings also brought against the defendant here ( 6 Ob 35/21x; 6 Ob 127/20z). According to this, the term "personal data" of Article 4, No. 1 GDPR is to be understood broadly. Therefore, internal states such as opinions, motives, wishes, beliefs and value judgments as well as statistical probability statements that do not represent mere forecast or planning values, but rather provide subjective and/or objective assessments of an identified or identifiable person, have a personal reference. The information to be assessed here is therefore subject to the regime of the GDPR, as it is directly assigned to the plaintiff and contains statements about his preferences and attitudes; whether the assessments are actually correct is irrelevant. The fact that the data is (only) calculated using statistical probabilities does not change the existence of personal data. The "affinities" contain a probability statement about certain interests and preferences of the plaintiff (6 Ob 35/21x [Recital Gr 1.ff]; 6 Ob 127/20z [Recital Gr 2.ff]).

[15] 2.2. That is something to hold onto. In the present case, too, the disputed information about the plaintiff represents personal data within the meaning of Art 4 No. 1 DSGVO. An appeal to the ECJ is due to the unambiguous interpretation of Union law in the sense of the "acte-clair" doctrine (cf. RS0082949 [T18] ) dispensable (6 Ob 35/21x [Rec. Gr 1.5.]). The request for a preliminary ruling suggested in this regard can therefore be dispensed with.2.2. That is something to hold onto. In the present case, too, the disputed information about the plaintiff represents personal data within the meaning of Article 4, No. 1 GDPR. An appeal to the ECJ is necessary because of the unambiguous interpretation of Union law in the sense of the "acte-clair" doctrine, compare RS0082949 [T18] ) dispensable (6 Ob 35/21x [Rec. Gr 1.5.]). The request for a preliminary ruling suggested in this regard can therefore be dispensed with.

[16] 3.1. In Case 6 Ob 159/20f, the Senate submitted the following question for a preliminary ruling to the Court of Justice of the European Union (ECJ) in accordance with Article 267 TFEU by decision of February 18, 2021:

"Article 15(1)(c) of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data, on the free movement of data and on the repeal of Directive 95/46/EC (General Data Protection Regulation, OJ L 119/1 of May 4, 2016, p. 1; hereinafter referred to as "GDPR") is to be interpreted in such a way that the right to information on recipient categories is limited if specific recipients of planned disclosures have not yet been determined However, the right to information must also extend to recipients of these disclosures if data has already been disclosed? Is Article 15, paragraph one, litera c, of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on protection of natural persons in the processing of personal data, on the free movement of data and on the repeal of Directive 95/46/EC (General Data Protection Regulation, OJ L 119/1 of 4 May 2016, S 1; hereinafter "GDPR") to be interpreted in such a way that the right to information is limited to recipient categories if specific recipients have not yet been determined for planned disclosures, but the right to information must also extend to recipients of these disclosures if data has already been disclosed?"

[17]                                                                                                          were

[18] 3.2. In its judgment of January 12, 2023, C-154/21, the ECJ answered this question as follows:

"Art. 15 Para. 1 Letter c of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data, on the free movement of data and on the repeal of Directive 95/46/EC ( Data protectionArticle 15, paragraph one, letter c of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data, on the free movement of data and repealing Directive 95/46/ EG (General Data Protection Regulation) is to be interpreted in such a way that the right of the person concerned provided for in this provision to information about the personal data concerning them requires that the person responsible is obliged, if this data has been disclosed to recipients or is still being disclosed, to inform the data subject of the identity of the recipients, unless it is not possible to identify the recipients or the person responsible can prove that the requests for information from the data subject are manifestly unfounded or excessive within the meaning of Art. 12 para. 5 of Regulation 2016/679; in this case, the person responsible can only inform the data subject of the categories of recipients concerned. Basic Regulation) is to be interpreted in such a way that the right of the data subject provided for in this provision to information about the personal data concerning them requires that the person responsible, if this data have been disclosed or are still being disclosed to recipients, is obliged to inform the data subject of the identity of the recipients, unless it is not possible to identify the recipients or the person responsible can prove that the requests for information from the data subjects person are manifestly unfounded or excessive within the meaning of Article 12, paragraph 5, of Regulation 2016/679; in this case, the person responsible can only inform the data subject of the categories of recipients concerned."

[19] 3.3. From this answer, which contradicts the legal view of the lower courts, it follows that the plaintiff's request for disclosure of the recipients of his personal data (and not just the categories of recipients) is fundamentally justified.

In addition, it should be noted that even a "presumption of law" used by the defendant for the first time in the appeal procedure in accordance with the rules of conduct approved by the Austrian data protection authority in accordance with Article 40 (5) GDPR regarding the exercise of the trade of the address method and direct marketing companies, which are within the borders of the GDPR (Recital Gr 98 of the GDPR; cf. It should also be noted that even a "presumption of legality" used by the defendant for the first time in the appeal proceedings in compliance with the rules of conduct approved by the Austrian data protection authority in accordance with Article 40, paragraph 5, GDPR regarding the exercise of the trade of the address publishers and direct marketing companies, which must remain within the limits of the GDPR (ErwGr 98 of the GDPR; compare Strohmaier in Knyrim, DatKomm62. Lfg Art 40 Rz 39 and Rz 46), which, according to the judgment of the ECJ mentioned, is directly based on Art 15 Para 1 letter c GDPR could undoubtedly not conflict with the plaintiff's existing right to information. Article 40, margin no. 39 and margin no. 46), which, according to the judgment of the ECJ mentioned, could undoubtedly not conflict with the plaintiff’s right to information, which exists directly on the basis of Article 15, paragraph one, litera c, GDPR.

[21] 3.4. The defendant's objection that the plaintiff's request for information conflicted with overriding confidentiality interests of the defendant and its customers, because full disclosure of all specific recipients would simultaneously reveal the defendant's customer base within the framework of the exercise of the trade as an address trading and direct marketing company, does not apply either. Because then Art 15 para 1 lit c GDPR could never lead to the disclosure of individual recipients, because in this case Article 15, paragraph one, litera c, GDPR would never lead to the disclosure of individual recipients, because in this case “business secrets” would always be disclosed. The interpretation of a statute that results in the statute having no scope is prohibited (cf. RS0010053). has no scope is prohibited cf. RS0010053).

[22] This also results from ErwGgr 63 (to Art 15 GDPR), in which it is carried out: This also results from ErwGr 63 (on Article 15, GDPR), in which it is carried out:

“This right should not interfere with the rights and freedoms of others, such as trade secrets or intellectual property rights, and in particular copyright in software. However, this must not result in the data subject being denied any information.” (emphasis added by the Senate)

[23] In its judgment of January 12, 2023, C-154/21 (marginal 38 ff), the ECJ also stated that the right to information about the specific recipient of the personal data is necessary to the practical effectiveness of the Exercise of the rights of the person concerned according to Art 16 to 19, Art 21, 79 and 82 GDPR to ensure the practical effectiveness of the exercise of the rights of the data subject under Articles 16 to 19, Articles 21, 79 and 82 GDPR.

[24] 3.5. However, in order to avoid a surprise decision (cf. also 6 Ob 20/23w), the parties must be given the opportunity before the first court to to make (supplementary) submissions and offer of evidence on the following aspects identified by the ECJ that have not yet been sufficiently discussed:

[25] 3.5.1. In its judgment, the Court mentions the exceptional case that it is not possible for the controller to identify the recipients. The defendant submitted arguments in this direction in the first instance proceedings. However, no determinations have been made in this regard so far. This alone forces the decisions of the lower courts to be overturned. The court of first instance will therefore have to make findings after discussion on the basis of the – possibly supplemented – arguments of the parties.

[26] 3.5.2. On the other hand, the Court considers the case in which the person responsible proves that the requests for information from the data subject are manifestly unfounded or excessive within the meaning of Art 12 Para 5 .2. On the other hand, the Court considers the case where the person responsible proves that the requests for information from the data subject are manifestly unfounded or excessive within the meaning of Article 12, paragraph 5, GDPR 2016/679.

[27] 4. The reservation of costs is based on § 52 ZPO.4. The reservation of costs is based on paragraph 52, ZPO.