BVwG - W214 2228346-1: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 82: Line 82:


*an electronic signature under § 4(1) SVG and Article 3(10) eIDAS Regulation can be sufficient to identify a data subject requesting access under Article 15 GDPR,
*an electronic signature under § 4(1) SVG and Article 3(10) eIDAS Regulation can be sufficient to identify a data subject requesting access under Article 15 GDPR,
*the DSB can oder a public entity to comply with a data subject's request. § 24(5) DSG does not apply due to the primacy of application of Article 58(2)(c) GDPR.
*the DSB can oder a public entity to comply with a data subject's request. The restriction of § 24(5) DSG does not apply due to the primacy of application of Article 58(2)(c) GDPR.


==English Summary==
==English Summary==
Line 94: Line 94:


===Dispute===
===Dispute===
Is an electronic signature under § 4(1) SVG and Article 3(10) eIDAS Regulation a sufficient form to identify a data subject regarding an access request?
Is an electronic signature under § 4(1) SVG and Article 3(10) eIDAS Regulation sufficient to identify a data subject regarding an access request?


===Holding===
===Holding===
The BVwG upheld the decision of the DSB. It ruled that the controller had never stated the reasons for its doubts concerning the identity of the data subject. The full name, address and e-mail address of the data subject were known to the controller and also used in the correspondence with the data subject. In addition, the data subject had put a qualified electronic signature on its access request.  
The BVwG upheld the decision of the DSB.  
 
It ruled that the controller had never stated the reasons for its doubts concerning the identity of the data subject. The full name, address and e-mail address of the data subject were known to the controller and also used in the correspondence with the data subject. In addition, the data subject had put a qualified electronic signature on its access request. Hence, it was unclear, why the controller should have any doubts on the data subjects identity.  


Moreover, the BVwG shared the view of the data subject and the DSB that an electronic signature under § 4(1) SVG and Article 3(10) eIDAS Regulation a sufficient form of identification. The provision of an ID card is not the only mean of verifying a data subject's identity.  
Moreover, the BVwG shared the view of the data subject and the DSB that an electronic signature under § 4(1) SVG and Article 3(10) eIDAS Regulation a sufficient form of identification. The provision of an ID card is not the only mean of verifying a data subject's identity.  

Revision as of 14:16, 7 August 2020


BVwG - W214 2228346-1
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 4(1) GDPR
Article 4(2) GDPR
Article 11(2) GDPR
Article 12(6) GDPR
Article 15 GDPR
Article 57 GDPR
Article 58 GDPR
Article 3(10) Regulation (EU) No 910/2014 (eIDAS Regulation)
§ 3(2) Signatur- und Vertrauensdienstegesetz (SVG)
§ 4(1) Signatur- und Vertrauensdienstegesetz (SVG)
§ 8(1) Signatur- und Vertrauensdienstegesetz (SVG)
§ 24(5) Datenschutzgesetz (DSG)
Decided: 27.05.2020
Published: 30.07.2020
Parties: unknown data subject
unknown controller (municipality)
DSB (Austrian Data Protection Authority)
National Case Number/Name: W214 2228346-1
European Case Law Identifier: ECLI:AT:BVWG:2020:W214.2228346.1.00
Appeal from: DSB
DSB-D124.630/0004-DSB/2019
Appeal to: Not appealed
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (in German)
Initial Contributor: Marco Blocher

Austrian Federal Administrative Court holds that

  • an electronic signature under § 4(1) SVG and Article 3(10) eIDAS Regulation can be sufficient to identify a data subject requesting access under Article 15 GDPR,
  • the DSB can oder a public entity to comply with a data subject's request. The restriction of § 24(5) DSG does not apply due to the primacy of application of Article 58(2)(c) GDPR.

English Summary

Facts

On 19.02.2019, the data subject sent an access request under Article 15 GDPR to a controller (an Austrian municipality). The request was signed using an electronic signature. The controller did not consider the electronic signature a sufficient form of identification and required the data subject to produce an ID card under Article 12(6) GDPR. As the data subject did not do so, the controller refused to handle the access request under Article 11(2) GDPR.

The data subject filed a complaint with the DSB, which shared the data subject's view and held that the electronic signature was a sufficient form of identification for an access request.

The controller filed an complaint with the BVwG against the decision of the DSB.

Dispute

Is an electronic signature under § 4(1) SVG and Article 3(10) eIDAS Regulation sufficient to identify a data subject regarding an access request?

Holding

The BVwG upheld the decision of the DSB.

It ruled that the controller had never stated the reasons for its doubts concerning the identity of the data subject. The full name, address and e-mail address of the data subject were known to the controller and also used in the correspondence with the data subject. In addition, the data subject had put a qualified electronic signature on its access request. Hence, it was unclear, why the controller should have any doubts on the data subjects identity.

Moreover, the BVwG shared the view of the data subject and the DSB that an electronic signature under § 4(1) SVG and Article 3(10) eIDAS Regulation a sufficient form of identification. The provision of an ID card is not the only mean of verifying a data subject's identity.

Lastly, the BVWG held that § 24 Abs. 5 DSG which would bar the DSB (and BVwG/VwGH) from ordering a public entity to comply with the data subject's requests does not apply due to the primacy of application of Article 58(2)(c) GDPR. Consequently, the BVwG ordered the controller to comply with the data subject's request under Article 15 GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Court
Federal Administrative Court
Decision date
27.05.2020
Business figures
W214 2228346-1
Saying
W214 2228346-1/16E
IN THE NAME OF THE REPUBLIC!
The Federal Administrative Court, through judge Dr. Eva SOUHRADA-KIRCHMAYER as chairwoman and the expert lay judges Viktoria HAIDINGER, LLM, and Claudia KRAL-BAST as assessors, has rightly recognized the complaint of XXXX against the decision of the data protection authority of 5 December 2019, Zl DSB-D124.630/0004-DSB/2019:
A)
Pursuant to Paragraph 28(2) of the VwGVG, the appeal is dismissed as unfounded and the ruling of the contested decision is upheld on the ground that
- In the award head the respondent is referred to as "City XXXX, represented by the magistrate of City XXXX";
- Point 2 of the contested decision states
"2. the respondent shall be instructed to respond to the complainant's request for information within a period of two weeks".
B)
Pursuant to Art. 133 para. 4 B-VG, the revision is not permitted.
Text
REASONS FOR DECISION:
I. Course of proceedings
1. in his complaint of 13 April 2019 (improved on 19 June 2019) to the data protection authority (DSB, authority prosecuted before the Federal Administrative Court), the co-involved party (original complainant before the authority prosecuted) XXXX claimed an infringement of the right to information. In summary, it was submitted that the co-involved party had submitted a request for information to XXXX on 19 February 2019 pursuant to Art. 15 DSGVO and had digitally signed it with an electronic signature. In a letter dated 22 February 2019, the XXXX City Council then informed the co-participant that his request for information could only be processed further if the co-participant proved his identity by submitting suitable proof of identity. A qualified electronic signature fulfils the legal requirement of written form as defined in § 886 ABGB, but is not sufficient to carry out an identity check. After further correspondence, the City Council of XXXX announced on 3 April 2019 that it would have to refrain from providing information in accordance with Article 11 (2) DSGVO because the party involved had not complied with the request in the sense of Article 12 (6) DSGVO to submit proof of identity within a period of four weeks. In the view of the co-participant, however, there were no grounds for doubting his identity, as his full name in the electronic signature, together with the data stored at XXXX and the information in his request, allowed for a clear identification. Nor had any reasons been given as to why the municipal authorities were not in a position to identify him. The refusal to provide information was therefore incomprehensible.
2) Upon request of the prosecuted authority, the City of XXXX (complainant in the proceedings before the Federal Administrative Court), represented by the magistrate of XXXX, submitted a statement on 12 July 2019 in which it first stated that, according to the business division of XXXX, XXXX was responsible for representing XXXX in matters of data protection, in particular before the prosecuted authority. Furthermore, it was stated (after repetition of the facts of the case) that the electronic signature pursuant to § 4 para. 1 SVG only served to identify the declarant, but did not prove his identity. It was no more than an electronic signature, but proof of identity could only be provided by certain identification documents. Thus, at the time of the contribution, the identity of the co-participant had not been established beyond doubt, which is why, pursuant to Art. 12 para. 6 DPA, additional information had to be requested from the co-participant to confirm the identity. Contrary to the submissions of the co-participant, the mere combination of a name and an address could also not lead to the identification of a person beyond doubt. Moreover, the complainant had given the co-participant several possibilities to prove his identity (personal appearance or transmission of a copy of an identity document), which is why Article 12.2 of the DPA had not been infringed.
3. on 24 July 2019, the authority complained against forwarded the complainant's observations of 12 July 2019 to the co-involved party and gave it the opportunity to submit its observations within the deadline.
4. the co-involved party submitted a statement on 26 August 2019 and argued that proof of identity was by no means mandatory and had to be provided in advance, provided that there was no doubt as to the identity of the contributor. He would have offered the requested copy of the identity document if justified doubts had been stated and justified, but this had not been done. An abuse of the right to information for the purpose of obtaining information by an unauthorised person was not very realistic in view of the data stored with the municipal authorities and XXXX and the communication that had taken place between the co-involved party and the complainant (registered letter, known e-mail address).
5) By the contested decision, the contested authority upheld the complaint of the co-involved party and found that Magistrate XXXX (correctly: XXXX represented by the Magistrate of the City of XXXX) had infringed the co-involved party's right to information by failing to comply with his request for information (ruling point 1). The complainant was instructed to respond to the co-involved party's request for information within a period of two weeks, otherwise the execution would have been carried out (award item 2.).
In its reasoning, the authority complained of first stated that the subject of the complaint was the question whether the complainant had infringed the right to information of the other party by not having complied with the requests for information of 19 February 2019.
Legally, according to Article 15 of the DPA, the data subject has the right to obtain confirmation from the controller as to whether personal data relating to him or her are being processed and, if so, to obtain information on such personal data and to be informed in accordance with letters a to h of the law. cit.
According to Art. 12 DSGVO, the creation of a data protection claim to information presupposes, among other things, that the identity of the person requesting information is established. In the event of justified doubts as to identity, the person responsible may, under Article 12(6) DPA, request additional information necessary to confirm identity, but no routine identity check is possible; a person responsible may not therefore generally require proof of identity.
Art. 12 DSGVO does not provide for a concrete form of identification, recital 64 to the DSGVO states in this context that the person responsible should use all reasonable means to verify the identity of a person seeking information. Proof of identity could, for example, be furnished by means of a passport or identity card, an electronic proof of identity, an identity confirmation service, a qualified electronic signature, another electronic proof of identity procedure or in any other form, provided the identity is sufficiently proven.
In the present case, the request for information by the other party was accompanied by a qualified electronic signature. An essential feature of that signature was that the identity of the natural person was verified by a certification authority in the course of the issuing of the certificate.
In view of the fact that, in addition to the qualified electronic signature, the co-involved party had also given his address, his former address and his e-mail address in his request for information, it would have been possible for the complainant to identify the person requesting information without any doubt. Furthermore, it should be noted that the complainant had not raised any well-founded doubts, but had merely limited herself to the general statement that well-founded doubts would already exist if the authenticity of the entry was not sufficiently assured.
The refusal to comply with the request for information was therefore unjustified and had to be decided in accordance with the case-law. The scope of benefits in point 2 was based on Article 58.2(c) of the DPA in conjunction with § 24.5 of the DPA, whereby the restrictions on persons responsible in the private sector laid down in § 24.5 of the DPA were not to be applied because of the direct primacy of Union law.
6 The complainant lodged an appeal against this decision with the Federal Administrative Court in a written statement dated 7 January 2020.
In it, it was first explained (after the facts of the case had been repeated) that the complainant was a person in charge of the public sector within the meaning of Article 26.1 item 1 of the DSG, which is why the complainant had been granted the status of a public official under Article 26.3 of the DSG. cit. the complainant is entitled to lodge an appeal against a ruling of the data protection authority with the Federal Administrative Court.
It was further argued that the notification of the data protection authority was unlawful in substance. According to § 24.5 of the Data Protection Act, a performance mandate such as that contained in point 2 of the contested ruling can only be issued to persons responsible in the private sector, whereas only a declaratory ruling is permissible to persons responsible in the public sector.
With regard to point 1 of the contested decision, it must be stated that, although it is true that Article 12(6) of the DPA does not permit routine identity checks, doubts as to identity cannot be dispelled by the mere disclosure of an e-mail or postal address, since the problem of unlawful access exists above all in the case of e-mail addresses. Art. 12 para. 6 DSGVO accordingly also allows the person responsible to request copies of identity documents or other identity papers from the person requesting information. The complainant would also not have the legal possibilities to query various registers (ZMR etc.) for the closer verification and comparison of personal data, so that in case of doubt, additional evidence to confirm his identity would have to be requested from the person requesting information. Moreover, Art. 12 para. 6 DPA does not prescribe a limited number of proofs that a responsible person can request from the person requesting information to prove his identity, nor is a specific procedure or sequence specified.
Contrary to the opinion of the authority incriminated, a qualified electronic signature is not to be equated with a passport, identity card or E-ID, since the electronic signature only establishes an attribution connection between the content and the signatory, but this does not say anything about the identity of the signatory himself. In contrast, the situation is different with the E-ID within the meaning of § 4 (1) of the E-GovG, since it serves to prove identity and also fulfils the function of an identity document. However, the co-participant had not used an E-ID, but only an electronic signature, which meant that it was not possible to identify him ex ante, which meant that the co-participant had subsequently been requested to provide proof of identity, as his identity had not been established beyond doubt.
The argumentation put forward by the authority incriminated, that according to § 8 para. 1 SVG a qualified trusted third party service provider or a body acting on its behalf can verify the identity of natural persons present in person to whom a qualified certificate in the sense of § 4 para. 1 of the SVG has been issued, is also incorrect. cit. by means of an official photo ID or other proof of equivalent reliability, the electronic signature is not capable of raising the electronic signature to the rank of an identification document, since even a notarial deed in which the identity of the party has been proven to the notary does not replace an official photo ID. It was therefore not apparent how proof of identity vis-à-vis an electronic trusted service provider, which had no connection whatsoever with the body to which the request for information had been made, was intended to replace proof of identity vis-à-vis the person responsible to whom the request for information was addressed. Nor did the electronic signature fall within the concept of an official photo ID under Paragraph 36b(2), second sentence, No, Paragraph 365p(1)(1)(a) of the GewO1 1994, Paragraph 6(2)(1) of the Financial Market Money Laundering Law, Paragraph 2(2) of the Online Identification Ordinance or Paragraph 23(6) of the Consumer Payment Accounts Law, the latter having been adopted in implementation of European Union law. It could therefore not be assumed, either under national law or under Union law, that an electronic signature constituted proof of identity, which is why the contested decision was also unlawful in terms of content with regard to point 1.
7 In a letter dated 30.01.2020, the authority complained of submitted the complaint together with the administrative act to the Federal Administrative Court and issued a statement. In this opinion, the authority complained of stated, in addition to its statements in the contested decision, that an electronic signature is indeed a suitable means of proving identity and referred to its decision of 31 July 2019, DSB-D123.901/0002-DSB/2019. Furthermore, it should be noted that the request for information also contained the name and the old and current address of the person requesting information or that subsequent correspondence had taken place via the e-mail address and that it could in any event be assumed that these data had been stored in a database by the complainant. It would therefore have been easy for the complainant to identify the person requesting information on the basis of the information provided. With regard to point 2, the authority complained of again stated that § 24.5 of the DPA, which provided for the award of performance contracts only to persons responsible in the private sector, had to remain unapplied with regard to this restriction because of the direct primacy of Union law (Article 58.2 of the DPA Regulation did not provide for such a restriction). However, the complainant was to be granted the right that the phrase "if executed in any other way" could not stand, because an execution against the complainant was not possible.
In addition, the restriction of Sec. 24 (5) of the DPA seems unsystematic, since Sec. 33 (2) item 2 of the DPA, which is located in the third main section of the DPA, which by definition can only apply to those responsible in the public sector, provides for performance contracts by the authority in question.
8 In a letter of 9 April 2020, the complainant commented on the opinion of the authority complained of and claimed that a routine request for proof of identity by Magistrate XXXX was not carried out. Reasonable doubts would exist in particular if the person requesting information only had an e-mail or postal address in addition to his or her name. Only a qualified electronic signature and no E-ID within the meaning of § 4 (1) E-GovG had been used by the co-participant. It was admitted that a qualified electronic signature had a fixed personal link, i.e. a qualified electronic signature was undoubtedly assigned to a clearly identified person. However, not every person can trace the qualified electronic signature back to the uniquely identified person. It was not always possible to draw clear and recognisable conclusions about the identity of a particular person from the indication of an e-mail address and/or a postal address. In the present case, the complainant was also not permitted to carry out a ZMR search because the application of the rights of the persons concerned under the DSGVO was not a task assigned by law, but a legal obligation to which every person responsible within the meaning of the DSGVO was subject.
Furthermore, there was no case for the supremacy of Union law with regard to the award of a performance mandate to the complainant, since this was a special provision of the DPA under procedural law.
9 The co-involved party submitted comments on the complainant's appeal, which was received by the Federal Administrative Court on 29 April 2020. In it, he stated that the facts of the case had been presented in an abridged form. Furthermore, he referred to a link to the website of the Municipality of the City of XXXX, according to which, when asserting the rights of data subjects, the person concerned must prove his identity to the person responsible, for example with a copy of his passport or driving licence.
Furthermore, the co-involved party had not "merely disclosed" his e-mail address, but had used it for active communication by both parties, the content of which referred to a registered letter from XXXX previously sent to the likewise known postal address. Both data had already been stored before the XXXX's request for information and were therefore comparable with the existing data records.
As has already been pointed out, an unauthorised person should therefore also have had access to that registered letter in order to discuss its content via the unauthorised e-mail account. An attacker with these possibilities could easily gain access to a more or less suitable copy of an identity card, the authenticity of which could hardly be checked anyway.
10. the complainant commented on this in an opinion of 19 May 2020. In this statement, she stated that the wording on the homepage of the XXXX did not contradict the legal opinion expressed in the complaint, according to which proof of identity was not required in every case and in a standardised way. With regard to the problem of the verifiability of persons purely by means of a copy of an identity document, it should be noted that in these cases the probability of forgery or identity fraud is considerably reduced in comparison with the mere transmission of a postal address or a signature and represents a comparatively secure form of identity verification. There was nothing to be gained in the present case from the indication of the co-involved party that the communication with him was conducted both via the e-mail address he had given and via the postal address he had given, since this only allowed the conclusion that both parameters were presumably in the hands of one person, but not that this person was also the person about whose data information was sought.
It should be noted that XXXX is an enterprise after XXXX, which as such does not have independent legal capacity (XXXX ), but is part of the magistrate. At the same time, XXXX, as well as the other companies or departments of the City Council, is independently responsible for the data processing carried out by XXXX. Therefore, XXXX does not have the status of a processor according to Art. 28 DSGVO, since XXXX does not carry out data processing on behalf of and on the instructions of XXXX, but rather, according to the division of business for the City of XXXX, XXXX assumes the coordination in the performance of the obligations under data protection law, which are incumbent on the responsible bodies according to the DSGVO, the technical supervision in matters of data protection in the City of XXXX and, in particular, the representation of the City of XXXX in matters of data protection. The action of the XXXX in the present case and the request of the XXXX within the scope of the complainant's original information procedure would result from the aforementioned responsibility of the XXXX for coordinating the data protection obligations of the Responsible Bodies, since this includes in particular the exercise of the rights of the data subjects under the DSGVO.
II. the Federal Administrative Court has considered
1. observations:
The course of the procedure set out in point I. above will be used as a basis for the findings.
On 19.02.2019, the co-participant submitted a request for information to XXXX in which he requested information in accordance with Art. 15 DSGVO on the nature, content, origin, purposes, recipients of transmission and the storage period of the data that would be stored about him. Furthermore, he requested information as to the legal basis for the use of the data and which data would be processed in the course of automated decision-making, including profiling. He also requested (with reference to Art. 4 DSGVO) information on all data that would be stored in other files but could be directly or indirectly linked to his personal data by means of key, search and reference terms. Should the data be processed in accordance with Art. 28 DSGVO, the co-involved party also requested the name and address of the processor.
The co-involved party also justified his request for information by stating that he had reason to believe that the protection of his personal data had been violated, as he had been contacted by market researchers on behalf of XXXX.
Furthermore, the co-respondent requested a copy of the personal data processed. The request for information was provided with a digital signature. To prove his identity, the co-involved party referred to this digital signature of his request for information. The identity of the signatory could be verified at https://www.a-trust.at/de/sicherheit/pdf-verifizieren/. Alternatively, the complainant could have the information sent to him by Rsa or by registered mail, in his own hand with advice of delivery. There could be no doubt as to the identity of the signatory, since data could only be established if the names/addresses were identical.
The complainant subsequently informed the other party by letter of 22 February 2019 that its request for information had been forwarded to the XXXX as the body responsible for coordinating the reply to requests for information under Article 15 of the DSGVO in accordance with the XXXX's business division. The request of the co-participant could only be further processed if the co-participant proved his identity by submitting a suitable proof of identity. A qualified electronic signature met the legal requirement of written form within the meaning of § 886 ABGB, but was not sufficient to carry out an identity check.
The co-involved party did not subsequently submit any (further) proof of identity.
In a letter dated 3 April 2019, the complainant announced that it would refrain from providing information pursuant to Art. 11 (2) DSGVO due to the lack of timely submission of proof of identity, and it also did not comply with the co-involved party's request for information in the further proceedings. Nor did the complainant provide the co-involved party with a copy of the personal data which are the subject of the processing.
The co-operator's e-mail address was used by him and the complainant for active communication, the content of which related to a registered letter from XXXX previously sent to the same known postal address. Both sets of data had already been deposited with XXXX before the request for information was made.
In the contested decision, the contested authority upheld the complaint of the co-involved party and found that "Magistrate XXXX" (correct: City XXXX, represented by the Magistrate of City XXXX, note) had infringed the co-involved party's right to information by failing to comply with his request for information (ruling point 1.). The respondent was ordered to comply with the co-involved party's request for information within a period of two weeks, otherwise the execution would have been carried out (award point 2.).
The city XXXX is a regional authority and therefore a public corporation. Wiener Wohnen is a dependent enterprise of the city XXXX . The City Council (the XXXX) represents the City XXXX in matters of data protection, in particular before the Data Protection Authority.
On the website of the Municipality of XXXX, it can be seen that, when requesting information, the data subject must prove his identity to the person responsible (for example, by providing a copy of a passport or driving licence), in order to ensure that the data are the data subject's.
Second consideration of evidence:
The findings are set out in the administrative act and in the judicial act. The fact that on the website of the XXXX magistrate the proof of identity is required can be seen under the link https://www.wien.gv.at/info/datenschutz/magistrat/ (accessed on 26.05.2020), which was also quoted by the co-involved party (underlined by the Federal Administrative Court):
"Right of access by the data subject
Every data subject has the right to know whether his or her own personal data are being processed by a controller. If large amounts of information about the data subject are processed, the controller may require the applicant to specify to which information or processing operations the application specifically relates (obligation to cooperate).
In addition, the data subject must provide proof of his identity to the person responsible (for example, a copy of a passport or driving licence) in order to ensure that the data are his own.
[...]"
3. legal assessment:
To A)
3.1 Pursuant to Article 130(1)(1) of the Federal Constitution, the administrative courts recognise complaints against the decision of an administrative authority on the grounds of illegality.
According to § 6 of the Federal Administrative Court Act (BVwGG), the Federal Administrative Court decides by single judges, unless federal or state laws provide for decisions to be made by senates. According to § 27 Data Protection Act (DSG) as amended (which essentially corresponds to § 39 DSG 2000, which was in force until 24.05.2018), the Federal Administrative Court decides in proceedings on appeals against notices, on breach of the duty to inform according to § 24 para. 7 and the duty of the data protection authority to decide by senates. The Senate consists of a chairman and one expert lay judge each from the circle of employers and from the circle of employees.
The procedure of the administrative courts with the exception of the Federal Finance Court is regulated by the Administrative Court Procedure Act (VwGVG) (§ 1 leg.cit.). Pursuant to § 58 para. 2 VwGVG, conflicting provisions already announced at the time of the entry into force of this Federal Act remain in force.
Pursuant to § 17 VwGVG, unless otherwise provided for in this Federal Act, the provisions of the AVG, with the exception of §§ 1 to 5 and Part IV, as well as other more detailed laws (not relevant in the present case) and, in addition, those procedural provisions in federal or Land laws which the authority has applied or would have had to apply in the proceedings preceding the proceedings before the Administrative Court shall apply mutatis mutandis to the procedure on complaints pursuant to Article 130(1) B-VG.
Pursuant to Section 28(1) of the VwGVG, the Administrative Court must settle the case by way of a ruling, unless the complaint is to be rejected or the proceedings discontinued. Pursuant to § 31 (1) VwGVG, decisions and orders are made by way of a decision, unless a ruling is required.
Pursuant to § 28, Subsection 2, VwGVG, the Administrative Court must decide on complaints pursuant to Art. 130, Subsection 1, Line 1, B-VG on the merits of the case if the relevant facts have been established or if the establishment of the relevant facts by the Administrative Court itself is in the interest of speed or is associated with a considerable reduction in costs.
3.2 On the process requirements:
The complaint was lodged within the time limit pursuant to Section 7(4) of the VwGVG and the other procedural requirements have also been met.
3.3. to part A):
3.3.1 Legal situation:
The contested authority based its decision on the following legal bases:
Article 12, Article 15, Article 57(1)(f), Article 58(2)(c) and Article 77(1) of the Basic Data Protection Regulation (DSGVO), OJ No L 119 of 4 May 2016 and Article 24(5) of the Data Protection Act (DSG, Federal Law Gazette I No 165/1999 as amended). These provisions shall also be applied in the present appeal proceedings before the Federal Administrative Court. In addition, Article 4 of the Basic Data Protection Regulation (DSGVO), OJ No. L 119 of 4 May 2016, Article 3(10) to (12) and (19) and Article 26 of Regulation (EU) No. 910/2014 of 23 July 2014 on    electronic    identification    and    trust    services for    electronic    transactions    in the    internal market and repealing Directive 1999/93/EC (eIDAS Regulation), and Article 8(1) of the Federal Act on Electronic Signatures and Trust Services for Electronic Transactions (Signatur- und Vertrauensdienstegesetz - SVG) shall also apply. Furthermore, the business classification of the XXXX magistrate is also relevant.
Art. 4 lines 1 and 2 DSGVO read as follows
"Article 4
Definitions
For the purposes of this Regulation
(1) 'personal data' means any information relating to an identified or identifiable natural person (hereinafter referred to as 'data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, a location data, an on-line identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
(2) 'processing' means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, organisation, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, alignment, restriction, erasure or destruction
Art. 12 DSGVO reads as follows:
"Article 12
Transparent information, communication and procedures for the exercise of the rights of the data subject
1. The controller shall take appropriate measures to provide the data subject with all the information referred to in Articles 13 and 14 and all notifications referred to in Articles 15 to 22 and Article 34 relating to the processing in a precise, transparent, comprehensible and easily accessible form, in clear and simple language, in particular information specifically aimed at children. The information shall be provided in writing or in any other form, including, where appropriate, by electronic means. If requested by the data subject, the information may be given orally, provided that the identity of the data subject has been established in some other form.
The controller shall facilitate the exercise of the rights of the data subject pursuant to Articles 15 to 22; in the cases referred to in Article 11(2), the controller may refuse to act on the data subject's request to exercise his rights pursuant to Articles 15 to 22 only if he establishes that he is unable to identify the data subject.
3. The responsible person shall provide the data subject with information on the measures taken upon request pursuant to Articles 15 to 22 without delay and in any event within one month of receipt of the request. This period may be extended by a further two months where this is necessary having regard to the complexity and number of requests. The responsible person shall inform the data subject of any extension of the time limit within one month of receipt of the request, together with the reasons for the delay. If the data subject submits the request electronically, he or she shall be informed by electronic means where possible, unless he or she indicates otherwise.
4. If the responsible person does not take action at the request of the data subject, he/she shall inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons therefor and of the possibility of lodging a complaint or judicial remedy with a supervisory authority.
5. Information in accordance with Articles 13 and 14 and all notifications and measures taken in accordance with Articles 15 to 22 and Article 34 shall be provided free of charge. In the event of manifestly unfounded or, in particular, in the event of frequent repetition, excessive requests by a data subject, the controller may either
(a) charge an appropriate fee, taking into account the administrative costs of providing information or notification or carrying out the requested measure; or
(b) refuse to act on the basis of the application.
The person responsible must provide evidence of the manifestly unfounded or excessive nature of the application.
6. Without prejudice to Article 11, where the responsible person has reasonable doubts as to the identity of the natural person making the request pursuant to Articles 15 to 21, he may request any additional information necessary to confirm the identity of the data subject.
7. The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons to provide a meaningful overview of the intended processing in an easily perceivable, comprehensible and clearly understandable form. If the pictorial symbols are presented in electronic form, they shall be machine-readable.
8. The Commission is hereby empowered to adopt delegated acts in accordance with Article 92 in order to define the information to be presented by pictorial symbols and the procedures for the provision of standardised pictorial symbols.
Art. 15 DSGVO reads as follows:
"Article 15
Right of access of the data subject
1. The data subject shall have the right to obtain confirmation from the controller as to whether personal data relating to him or her are being processed; if this is the case, he or she shall have the right to be informed of such personal data and to receive the following information:
(a) the processing purposes;
(b) the categories of personal data processed
(c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular to recipients in third countries or to international organisations;
(d) if possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration;
(e) the existence of a right of rectification or erasure of personal data relating to him or her or of a right of objection to their processing by the controller;
(f) the existence of a right of appeal to a supervisory authority
(g) if the personal data are not collected from the data subject, all available information on the origin of the data;
(h) the existence of automated decision making, including profiling, as referred to in Article 22(1) and (4) and, at least in those cases, relevant information about the logic involved and the scope and intended impact of such processing on the data subject
2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 in relation to the transfer.
3. The controller shall provide a copy of the personal data which are the subject of the processing operation. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. If the data subject submits the request electronically, the information shall be provided in a standard electronic format, unless the data subject indicates otherwise.
4. The right to receive a copy under paragraph 1b shall not adversely affect the rights and freedoms of other persons.
Art. 57 para. 1 lit. f DSGVO reads
"Article 57
Tasks
1. Without prejudice to other tasks set out in this Regulation, each supervisory authority within its territory shall
(f) deal with complaints from a data subject or complaints from a body, organisation or association referred to in Article 80, investigate the subject matter of the complaint to an appropriate extent and inform the complainant within a reasonable time of the progress and outcome of the investigation, in particular where further investigation or coordination with another supervisory authority is necessary
Art. 58 para. 2 lit. c DSGVO reads
Article 58 Powers
2. Each surveillance authority shall have all the following remedial powers enabling it to take action,
(c) instruct the controller or the processor to act on the data subject's requests to exercise the rights conferred on him/her by this Regulation
Art. 77 para. 1 DSGVO reads as follows:
"Article 77
Right of appeal to a supervisory authority
1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to complain to a supervisory authority, in particular in the Member State in which he/she is resident, works or is suspected of having committed an infringement, if he/she considers that personal data relating to him/her are being processed in breach of this Regulation.
Art. 3 Z 10, 11, 12 and 19 eIDAS-VO read as follows
"Article 3
Definitions
(10) 'electronic signature' means data in electronic form which is attached to or logically associated with other electronic data and which the signatory uses for signing
(11) 'advanced electronic signature' means an electronic signature which meets the requirements laid down in Article 26
(12) 'qualified    electronic    signature'    means    an    advanced    electronic    signature created       by    a    qualified    electronic    signature-creation    device    and based    on    a    qualified    certificate    for    electronic    signatures
(19) 'trust service provider' means a natural or legal person providing one or more trust services, whether or not as a qualified trust service provider
Article 26 of the eIDAS Regulation states
"Article 26
Requirements for advanced electronic signatures
An advanced electronic signature meets all the following requirements:
(a)    it    is    clearly    identified to the    signatory   
(b) it enables the signatory to be identified
(c)    it    shall be    created    using    electronic    signature-creation-data    which    the    signatory    can use with    a    high    degree of confidence under his sole control
(d)    it    shall be linked    to    the       data    so    signed in such    a       way that    any    subsequent    change    to the    data can be    detected.
§ Article 8(1) of the SVG states
"Issuing qualified certificates for a trust service
§ (1) A qualified VDA or a body acting on its behalf must establish the identity of natural persons present in person or representatives of a legal entity to whom a qualified certificate is to be issued by means of an official photo ID or by means of other proof of equivalent reliability, documented or to be documented (Art. 24 Para. 1 lit. a eIDAS-VO). Representatives of legal persons must also submit proof of their power of representation."
3.3.2 In specific terms, this means the following:
The complainant (respondent in the proceedings before the authority complained of):
First of all, with regard to the question of the name of the parties, it should be noted that it follows from the above-mentioned allocation of responsibilities that the Municipal Department XXXX is responsible for the "representation of the City of XXXX in matters of data protection, in particular before the Data Protection Authority". It follows from the statement of the complainant of 19 May 2020 that XXXX is a dependent enterprise.
In this respect, it is therefore certain that the original respondent in the proceedings of the authority and complainant before the Federal Administrative Court is "City XXXX, represented by the Municipality of City XXXX. However, the blurring of the designation of the original respondent is not to be blamed on the co-defendant.
Paragraph 1 of the contested decision: acceptance of the complaint and finding that the right to information was infringed:
The complainant did not comply with the request for information of the co-involved party of 19 February 2019 and justified this with the lack of proof of identity by the co-involved party. A qualified electronic signature does not replace the requirement of proof of identity.
The complainant was not in the right with this approach:
Pursuant to Art. 15 para. 1 of the DPA, a data subject has the right to obtain confirmation from the controller as to whether personal data relating to him or her are being processed and, if so, to obtain information on such personal data and to be informed in accordance with letters a to h of the law. cit.
According to Art. 12 DSGVO, as correctly explained by the authorities, the creation of such a claim for information under data protection law requires, among other things, that the identity of the person requesting information is established. In the event of justified doubts as to the identity, the person responsible may, pursuant to Art. 12 para. 6 DSGVO, request additional information necessary to confirm the identity. However, the complainant expressly concedes in the complaint that this does not enable routine identity checks to be carried out and that a person responsible may therefore not generally demand the submission of proof of identity.
However, the complainant alleges that doubts about identity could not be dispelled by the mere disclosure of an e-mail or postal address.
In its arguments, however, the appellant overlooks the fact that at no time during the proceedings - neither in its communications with the co- party to the proceedings, nor in the proceedings before the authority complained of, nor in its complaint - did it explain why it doubted the identity of the co- party. The co-involved party expressly asked whether such reasonable doubts existed and, if so, what they consisted of, but received no reply in this regard. In his opinion of 12 July 2019 to the authority against which the case was brought, the complainant merely stated (and in contradiction to her letter of 11 March 2019 addressed to the co-involved party, in which she stated that the qualified electronic signature in the PDF document [...] served as a guarantee for the [...] [authenticity] of the document) that the "authenticity" of the co-involved party's input had not been sufficiently ensured (what was evidently meant was the "identity", NB), without, however, indicating this in concrete terms. Rather, it emerges from the observations that the complainant checks the identity of the person requesting information before providing any information, even if this is denied in the opinion of 9 April 2020. This can also be seen from the website of the municipal authority of XXXX https://www.wien.gv.at/info/datenschutz/magistrat/. However, such a procedure, which is equivalent to a routine identity check, contradicts - as explained above - the wording of Art. 12 para. 6 DPA, according to which the additional request for information presupposes reasonable doubt as to the identity of the applicant. If the complainant argues in her opinion of 19 May 2020 that it is not necessarily necessary to produce a copy of an identity document, but that other proof of identity is also possible, this does not alter the fact that proof of identity is always required.
As the authority in question and the co-involved party have correctly pointed out, the complainant is aware of the full name, address and e-mail address of the co-involved party and the co-involved party has also provided its request for information with a qualified electronic signature.
It also follows from recital 64 of the DSGVO that the complainant must use all reasonable means to establish the identity of a data subject seeking information. Therefore, even if it were to be assumed that the co-involved party was completely unknown to XXXX before submitting a request for information, the complainant would, in line with recital 64, have had to inquire, at least at XXXX, whether the name of the co-involved party was linked to the above-mentioned address and e-mail address.
For the Federal Administrative Court, the administrative files submitted, which describe the course of the proceedings and the course of communication between the co-participant and the complainant in sufficient detail, in any case do not provide any reason why the complainant doubted or should have doubted the identity of the co-participant.
Apart from this, the co-participant agrees that experience has shown that it is much easier to obtain a copy of an identity card in an abusive manner than to obtain access data for the electronic signature. If the complainant, in her opinion of 19 May 2020, takes the view that, in the case of the submission of a copy of an identity document, the probability of forgery or identity fraud is substantially reduced in comparison with the mere transmission of a postal address or a signature and represents a comparatively secure form of identity verification, this may perhaps apply to the transmission of a postal address, but not to the case of the use of a qualified electronic signature.
The appeal had to be dismissed on that ground alone as regards point 1 of the contested decision.
In addition, the co-involved party expressly stated in its comments of 22 April 2020 that the e-mail address was not "merely "made known" but was used by both parties for active communication, the content of which had referred to a registered letter from XXXX previously sent to the likewise known postal address. Both data had already been deposited with XXXX before the request for information was made and were therefore comparable with the existing data records. In this connection, the Federal Administrative Court refers to the case-law of the Administrative Court, according to which the identity can also be clear from the situation. This can be the case, for example, if the client (now the person responsible, note) - without doubting the identity of the person concerned - has already agreed to a longer correspondence with the person concerned after an immediately preceding legal dispute (VwGH 04.07.2016, Ra 2016/04/0014; see also OGH of 25.02.1993, 6 Ob 6/93). Thus, to the extent that the complainant had already engaged in correspondence with the co-involved party in the run-up to the request for information without doubting the identity of the latter, no separate proof of identity would be necessary for this reason too.
However, the Federal Administrative Court also shares the view of the authority against which the case was brought that the electronic signature is a suitable means of proving identity in the present case:
Art. 3 Z 10 of the eIDAS-VO (to which § 3 para. 2 SVG refers) defines an electronic signature as "data in electronic form which are attached to or logically connected with other electronic data and which the signatory uses for signing"; an advanced electronic signature according to Z 11 as "an electronic signature which fulfils the requirements of Article 26", i.e. is unambiguously    assigned to the    signatory   , enables the signatory to be identified, is created using    electronic    signature-creation    data    which    the    signatory    can use with    a    high    degree of confidence under his sole control and is linked to    the    data       thus       signed    in such a way that    any    subsequent    change    to the    data can be    detected; and a qualified electronic signature pursuant to Z 12 as "an    advanced    electronic    signature created       by    a    qualified    electronic    signature-creation    device    and    based    on    a    qualified    certificate    for    electronic    signatures.
According to § 8 para. 1 SiG, a VDA (trusted service provider, i.e. a natural or legal person or other legally responsible institution that issues certificates or provides other signature and certification services; cf. § 2 Z 10 SiG) or a body acting on its behalf must establish the identity of persons to whom a qualified certificate is to be issued by means of an official photo ID or by means of other proof of equivalent reliability, documented or to be documented. The VDA must confirm the assignment of certain signature verification data to this person by means of a qualified certificate.
It follows from this that the identity of the co-participant must have been established when the qualified certificate was issued, otherwise such an issue should not have taken place. There are no indications that the qualified certificate was issued to the co-participant without proof of identity and thus illegally, which is why it must in any case be assumed that his identity has been duly verified by a VDA or an agency acting on its behalf.
In the example requested by the complainant in her opinion of 9 April 2020, according to which a signed purchase contract, which is presented when a file on a business installation is inspected, does not prove proof of identity, the complainant overlooks the fact that, in contrast to the procedure for issuing the qualified certificate, the identity is not or not fully established when the purchase contract is signed. was not verified by a qualified trusted service provider, such as A-Trust GmbH, which is entered in the list of the supervisory authority RTR (Rundfunk und Telekom Regulierungs-GmbH) and is subject to regular checks by the latter.
According to the explanations on "Identity for electronic transactions" on the federal government's legal information site (https://www.oesterreich.gv.at/themen/dokumente_und_recht/handy_signatur_und_kartenbasierte_buergerkarte/1/Seite.2821106.html, accessed on 26.05.2020), users of the qualified electronic signature (citizen card/mobile phone signature) can also identify themselves on websites that support the use of such a signature. In addition to the identification function, the citizen card/mobile phone signature also offers the option of signing documents easily and securely electronically.
The "electronic proof of identity (E-ID)" cited by the complainant is an extension of the qualified electronic signature, but - as explained above - the qualified electronic signature can also already have an identification function.
The explanations of the complainant that the qualified electronic signature cannot replace a photo ID are in vain, since - as the authority in question has correctly pointed out - proof of identity can also be furnished in another way than by means of a photo ID, namely by means of an electronic proof of identity, an identity confirmation service, another electronic proof procedure or even by means of a qualified electronic signature (see Greve in Sydow (ed.), Europäische Datenschutzgrundverordnung (Handkommentar) Art. 12 margin no. 19).
In her statement of 9 April 2020, the complainant herself admitted that a qualified electronic signature has a fixed personal connection, i.e. a qualified electronic signature is undoubtedly assigned to a clearly identified person. To the extent that the complainant asserts that it is not possible for every person to trace the qualified electronic signature back to the uniquely identified person, this does not alter the fact that this identity check was carried out by a trustworthy body set up in accordance with the statutory provisions.
The authority against which the complaint was directed was therefore right to find that the complainant had infringed the right to information of the other party.
3.3.2.2 As regards point 2 of the contested decision: order that the appellant's application be complied with within a period of two weeks, failing which the decision will be executed:
In her complaint, the complainant submits that under Section 24.5 of the DSG the award of a performance mandate to public officials is not permissible.
In so doing, it ignores the fact that the authority complained of has already stated in the contested decision that the restriction of Section 24(5) of the DPA to persons responsible in the private sector must remain unapplied because of the priority of application of Article 58(2)(c) of the DPA, which does not provide for such a restriction.
The authority in question is also in the right with this view:
Pursuant to Art. 58 para. 2 lit. c DPA, each supervisory authority has all the remedial powers to instruct the person responsible or the processor to comply with the data subject's requests to exercise the rights conferred on him/her by this Regulation.
Under the second paragraph of Article 288 of the Treaty on the Functioning of the European Union (TFEU), regulations are those acts which have general application, are binding in their entirety and are directly applicable in all Member States.
In the event of a conflict between national law and directly applicable Union law, the ECJ has consistently held that the national provision must not be applied (see judgment of 15 July 1964, C-6/64; VwGH 06 September 2012, 2012/09/0105).
If the complainant alleges that this is a "special procedural rule", it must be argued that this is contrary to Union law, especially since Union law does not leave room for special rules in this respect.
In the scientific literature, too, the view is held that the tasks and powers of the supervisory authorities as set out in the DSGVO also apply to public administration. "Thus, Art. 57 para. 1 lit. a DSGVO provides that the DPO shall monitor and enforce the application of this Regulation' - also vis-à-vis public administration'. In this respect, the DPO also has the broad powers of investigation under Art. 58 para. 1 DSGVO in relation to public administration, but also the so-called "remedial powers" under Art. 58 para. 2 DSGVO. These are orders which can be interpreted as a notice or as an act of direct administrative authority and compulsory power. (see Konrad Lachmayer, Die DSGVO im öffentlichen Bereich, ÖJZ 2018/17, 112 ff, 118). The DSB may therefore also issue a notice of performance to those responsible in the public sector (Thiele/Wagner, Kommentar zum DSG (2020) § 24 Rz 246).
The authority in charge was therefore entitled to instruct the complainant, also as a person responsible for the public sector, to comply with the request for information made by the co-involved party.
Finally, the Federal Administrative Court also fails to see what the complainant's complaint should be about in this respect, since she would in any case be required to establish the situation in accordance with the legal view of the authority against which proceedings have been brought by providing a service, namely the provision of information, if the authority against which proceedings have been brought has established a violation of the right to information. In this context, reference is also to be made to § 40.4 contained in the DPA 2000 up to the DPA Amendment 2014 (Federal Law Gazette I No. 83/2013), which also stipulated that a contracting authority "[...] must immediately establish the situation corresponding to the legal opinion of the (then) data protection commission by the legal means available to it". There is no indication whatsoever that the legislature dropped this provision because it took the view that such an obligation no longer existed, but rather that - in the light of fundamental new regulations - it apparently considered it unnecessary to retain the provision and assumed that legally compliant action by public authorities was self-evident.
The question of enforcement under the VVG must be distinguished from the performance mandate: the provision of information is an unjustifiable act, and fines may in principle be imposed to enforce it. According to § 5 Para. 4 VVG, enforcement by means of fines as a means of coercion is also permissible against legal persons with the exception of public corporations and registered partnerships. As the authority complained of also admitted itself in its opinion of 30 January 2020, an "execution" against the complainant is not possible. Enforcement by the imposition of fines in the sense of the DSGVO against authorities and public bodies under § 30 DSG is also not possible.
It should be noted in this context that this exception cannot be understood as a "carte blanche" for the public administration not to comply with the DSGVO (see Konrad Lachmayer, ibid.). In particular, any possible claims for damages/liability against the complainant remain unaffected and an infringement of the decision of the authority against which prosecution has been brought could also result in disciplinary and/or criminal consequences.
It was therefore to be decided in accordance with the Rules of Procedure and the appeal was to be dismissed on the basis of the omission of the words "at other execution".
To avoid the need for oral proceedings:
Pursuant to Section 24(1) of the VwGVG, the Administrative Court must conduct a public oral hearing upon application or, if it considers it necessary, ex officio.
Pursuant to Section 24 (4) VwGVG, the Administrative Court may - unless otherwise provided by federal or Land law - dispense with a hearing, notwithstanding a request by a party, if the files show that the oral discussion is unlikely to clarify the case further and neither Article 6 (1) ECHR nor Article 47 GRC precludes the omission of the hearing.
In the present case, no oral hearing was requested by the complainant and the facts were clarified from the file. The use of further evidence was not necessary to clarify the facts of the case.
In the present case, the Federal Administrative Court has to rule exclusively on a question of law (see ECHR 20.06.2013, Appl. No. 24510/06, Abdulgadirov/AZE, margin no. 34 et seq.) According to the case-law of the Constitutional Court, an oral hearing may also be omitted if the facts of the case are undisputed and the legal question is not particularly complex (VfSlg. 17.597/2005; VfSlg. 17.855/2006; most recently, for instance, VfGH 18.06.2012, B 155/12).
It was therefore not necessary to hold an oral hearing.
Re B) Inadmissibility of the appeal:
Pursuant to § 25a para. 1 VwGG, the Administrative Court must state in its ruling or order whether the appeal is admissible under Article 133 para. 4 B-VG. The statement must briefly state the reasons for the ruling.
The present decision does not depend on the resolution of a question of law which is of fundamental importance. There is neither a lack of case law of the Administrative Court nor does the present decision deviate from the case law of the Administrative Court; furthermore, the present case law of the Administrative Court is not to be considered inconsistent. There are also no other indications of a fundamental significance of the legal issues to be resolved. The Federal Administrative Court can base all significant legal questions on the established case law of the Administrative Court or on an already clear legal situation. On this basis, a question of law within the meaning of Article 133.4 of the Federal Constitution of fundamental importance cannot be answered in the affirmative in this respect either (see for example VwGH 25.09.2015, Ra 2015/16/0085, mwN). It was therefore to be stated that an appeal under Article 133.4 B-VG is not admissible.
European Case Law Identifier
ECLI:AT:BVWG:2020:W214.2228346.1.00