BVwG - W214 2219800-3: Difference between revisions

From GDPRhub
No edit summary
Line 107: Line 107:


<pre>
<pre>
Court


Federal Administrative Court
Decision date
26.04.2021
Business number
W214 2219800-3
Saying
W214 2219800-3/20E
IN THE NAME OF THE REPUBLIC!
The Federal Administrative Court, by Judge Eva SOUHRADA-KIRCHMAYER as chairperson and the expert lay judges Huberta MAITZ-STRASSNIG and Claudia KRAL-BAST as associate judges, found in favour of XXXX on his appeal against the decision of the data protection authority of 14 May 2019, Zl DSB-D123.770/0009-DSB/2019:
A)
A1) The complaint is partially upheld pursuant to section 28(2) of the Administrative Court Procedure Act, Federal Law Gazette I No. 33/2013 as amended (VwGVG) and it is established that XXXX has violated the complainant's right to confidentiality by storing the complainant's photograph on identity card no. XXXX in the central and local identity document registers beyond 24 September 2018.
A2) The XXXX is ordered to delete or arrange for the deletion of the complainant's photograph on identity card no. XXXX from both the central identity document register and the local application within a period of two weeks.
A3) For the rest, the appeal is dismissed as unfounded pursuant to § 28 (2) VwGVG.
B)
The appeal is not admissible pursuant to Art. 133 para. 4 B-VG.
Text
Reasons for decision:
I. Course of proceedings
In his complaint of 10 November 2018 (improved by submissions of 14 November 2018 and 29 November 2018) to the data protection authority (DPA, the authority before the Federal Administrative Court), the complainant, XXXX, alleged a violation of the right to confidentiality. In summary, it was argued that the permanent storage of his biometric data on identity card no. XXXX as well as his photographs on identity cards no. XXXX and no. XXXX by XXXX as passport authority and data controller pursuant to Article 4(7) of the GDPR in the Identity Document Register (IDR) of XXXX was disproportionate and (had been) inadmissible (due to non-compliance with deletion deadlines). He therefore requested deletion.
At the request of the authority concerned, the XXXX (original respondent in the proceedings before the authority concerned, party to the proceedings before the Federal Administrative Court) submitted a statement on 8 January 2019, in which it was initially stated that the XXXX was responsible for representing the XXXX in matters of data protection, in particular before the authority concerned, according to the division of business of the XXXX. As regards the content of the complainant's data protection complaint, it was stated that in the area of local applications, the storage of photographs was permissible even beyond the creation of the passport or identity card, since Section 22a (5) of the Passport Act 1992, which regulates the deletion of data processed therein, did not refer to photographs, but only to other procedural data, which was also not disputed by the complainant himself. As regards the complainant's identity card no. XXXX, it was stated that it had been valid until 23 November 2014 and had been reported as lost by the complainant on 7 September 2015. In this case, the processing within the framework of the central registry could therefore be based on section 22b (2) (1) of the Passport Act 1992, which would have had the consequence that the personal data processed within the framework of this procedure would have had to be blocked for information one year after the expiry of the validity period, which would have been 23 November 2015, and deleted after the expiry of two further years, which would again have been 23 November 2017. However, it had to be taken into account that, apart from the provisions of passport law, there was a further requirement for the processing of this data, as the law enforcement authorities would in any case need access to the relevant personal data, including the photograph, in order to prevent any misuse of the public document in question (cf. sections 223 et seq. of the Criminal Code in the area of forgery of documents), in order to be able to carry out any comparisons with possible forgeries made from this identity card. In addition, it had to be taken into consideration that the mayors, as authorities responsible for lost property in the sense of section 4 subsection 3 of the Police Police Act, Federal Law Gazette No. 566/1991, had to be able to process all personal data relevant to the recovery of the property, which would undoubtedly also include the photograph itself, in accordance with section 53b of the Police Act. Accordingly, there were legal obligations of law enforcement or the lost property authorities, which, in the sense of Article 17(3) of the GDPR, would preclude the deletion of the photograph in the central registry pursuant to Article 22b of the Passport Act 1992 and - since the GDPR was a regulation and thus directly applicable - Article 22c of the Passport Act 1992 and its deletion deadlines had to remain inapplicable due to the primacy of Union law. With regard to the identity cards with the numbers XXXX and XXXX, it had to be stated that, according to the extract from the Local Identity Register submitted by the complainant, the identity card no. XXXX had been set to invalid after a complaint by the complainant on 24 September 2015 and the identity card had remained with XXXX. In this case, only the processing of personal data in the context of a procedure under § 22b (1) of the Passport Act 1992, namely in the course of the procedure for issuing identity card no. XXXX, had come into consideration. For this case of processing of personal data, § 22c para. 1 leg. cit. provides for the blocking of information on these data for one year after the invalidation of the passport or identity card. Since the invalidation had taken place on 24 September 2015, this would be 24 September 2016. However, since a new identity card with the number XXXX had been issued immediately after the invalidation (according to the extract from the local identity document register provided by the complainant, the application date for the new identity card was 24 September 2015), it had to be assumed that, in the course of the creation of this identity card, the same photograph had been used as for the previous invalidated identity card. This would now mean that, since the invalidation date of the latter was not until 2025, no blocking of information or deletion of the photographs for the identity cards of no. XXXX and no. XXXX had to be carried out according to § 22c Passport Act 1992.
The complainant submitted a reply to the opinion of the other party on 19 March 2019, stating that if - as claimed by the other party - photographs were not procedural data within the meaning of Section 22a of the Passport Act 1992 and therefore no deletion period ex lege existed for them, this was an unintended loophole. Since both (biometric) photographs and fingerprints are biometric data within the meaning of Article 4(14) of the GDPR, the very short deletion period for fingerprints could and should therefore also lead to a similar period for photographs. Furthermore, the party involved interpreted EU law in an impracticable manner; section 22c of the Passport Act 1992 could only be waived in favour of an even shorter deletion period. The repeal of a deletion period, such as § 22c of the Passport Act 1992 (lex specialis), on the basis of the GDPR in favour of permanent storage was therefore an impracticable way of interpreting the law. With regard to the assertion of the other party that photographs are part of the data used to notify an authority of the issuance of a travel document, the other party should explain in which cases the photograph currently stored in the IDR is used to enforce a passport refusal or to search for stolen travel documents and why the storage of photographs of all issued travel documents is absolutely necessary and proportionate for this purpose. The document data would be sufficient for this purpose. The enforcement of the lost property system also did not provide sufficient justification for the processing of photographs in the IDR, as there was no photograph in the IDR for foreign identity documents and only a check could be carried out on the basis of the photograph on the identity document. The argument that centrally stored photographs would serve to prevent counterfeiting also made the storage of the photograph of all holders of travel documents appear disproportionate, as there were a number of lesser means of minimising the risk, which in combination would almost neutralise the risk. Processing merely on the basis of abstract dangers or needs that may arise in the future does not justify indiscriminate storage in every case, and a balancing exercise must be carried out in each individual case. Therefore, the minimum possible storage period and the minimum possible data set for the respective purpose and occasion must be chosen. Simply storing all available data in an undifferentiated manner because it could possibly be used for something at some point contradicts the principles and the current state of knowledge in data protection law. Section 22c (3) of the Passport Act 1992, which refers to lost documents via Section 22b (1), also opens up the possibility of deleting data even before the expiry of the maximum retention periods if the purpose of processing has ceased to exist, which in turn, in conjunction with the principles of purpose limitation (Article 5 (1) (b) of the Data Protection Regulation), data minimisation (Article 5 (1) (c) of the Data Protection Regulation) and storage limitation (Article 5 (1) (e) of the Data Protection Regulation), should lead to a short retention period. If Section 22c (3) of the Passport Act 1992 opens up this possibility for lost documents, this should also apply to documents still in the holder's possession. The permanent storage of photographs in the IDR for lost travel documents beyond the deletion periods was already inadmissible due to the unambiguous legal situation of § 22c para. 2 Passport Act 1992. The permanent storage of photographs in the IDR as a form of data retention or as evidence for identification services for mostly blameless citizens, which could be used for all "eventualities", was also disproportionate.
4 On 19.06.2019, the authority concerned invited the co-participating party to submit additional comments.
In its statement of 9 July 2019, the involved party first stated that it had never received the complainant's reply and explained (as far as relevant for the present appeal proceedings) that all applications for travel documents, including one passport photo each of the complainant, had been stored in the passport EDP programme Identity Document Register (IDR) of XXXX on the basis of his written, signed application. These passport photos stored in the IDR had been transmitted to XXXX as the service provider commissioned by XXXX for the production of travel documents. The production of Austrian biometric passports with data carriers and Austrian identity cards as well as the delivery of the newly produced travel documents by post necessarily required the storage and transmission of a passport photo to XXXX. The complainant's personal and document data had not been transmitted to other recipients. Since 2004, a total of two biometric passports with data carriers (one reported lost, one valid) and three identity cards (one reported lost, one invalid, one valid) had been issued to the complainant in this way. No other processing activities had been carried out by XXXX in the IDR in relation to the photographs in question.
The statement was accompanied by an excerpt from the ZMR and the Central and Local Identity Document Registers concerning the complainant.
6. On 10.07.2019, the respondent authority submitted the complainant's replication to the co-respondent and gave the complainant an opportunity to supplement its submission of 09.07.2019.
On 18 July 2019, the involved party submitted a supplementary statement in which it explained (as far as relevant for the present appeal proceedings) that in the case of identity cards no. XXXX and no. XXXX, the processing activity was not based on Section 22b (2), but on Section 22b (1). The consequence of this was that a blocking of information concerning the personal data processed in the context of the procedure pursuant to § 22b para. 1 leg. cit. is based on § 22c para. 1.
The authority concerned sent the complainant the comments of the co-involved party by letter dated 26.07.2019 and also gave him the opportunity to submit a statement.
However, the complainant did not subsequently submit any further comments.
In the contested decision, the authority partially upheld the complainant's complaint and found that the co-participating party had violated the complainant's right to confidentiality by storing the complainant's personal data (section 22b (2) of the Passport Act 1992) relating to identity card no. XXXX in the central identity document register beyond 23 November 2017 (decision point 1). The co-participating party was ordered to delete the data pursuant to paragraph 1 within a period of two weeks (paragraph 2.). In all other respects, the complaint was dismissed on the grounds of violation of the right to secrecy (decision point 3.).
By way of justification, the authority first stated (after repeating the arguments of the parties and the course of the proceedings) that the subject of the complaint was the question of whether the co-participating party had violated the complainant's right to secrecy by storing biometric data or the entire data set on identity card no. XXXX beyond the time of application, but in any case longer than until 24 November 2009. the entire data set of identity card no. XXXX had been stored beyond the date of the application, but in any event longer than until 24 November 2009, as well as by storing the photographs of identity cards no. XXXX , no. XXXX and no. XXXX beyond the date of production.
Legally, it had to be stated that when processing personal data in local applications pursuant to § 22a para. 1 Passport Act 1992, the passport authorities, i.e. pursuant to § 16 para. 1 leg. cit., the district administrative authorities, for the area of the Federal Province of Vienna according to Art. 109 B-VG the XXXX , are authorised, when applying for the issuance of a passport or identity card, to process several data of the applicant, among them according to § 22a para. 1 lit. leg. cit. also the photograph, for the purpose of inserting these data into the passport or identity card and to transmit these data for this purpose to the processor within the meaning of § 3 para. 6 leg. cit. for this purpose. Pursuant to section 22a(2) of the Passport Act 1992, the locally competent passport authority is authorised to determine further personal data (procedural data) required for the issuing procedure and other procedures pursuant to this Federal Act and to process them together with the related data pursuant to subsection 1 and the further data pursuant to section 22b(1) of the Federal Act. cit. shall be processed automatically. Pursuant to section 22a subsection 5 of the Passport Act 1992, the procedural data pursuant to subsection 2 leg. cit. had to be deleted as soon as they were no longer needed, but no later than ten years after the decision had become final or after the passport had been issued. These deletion provisions would refer to "further procedural data" according to para. 2 leg. cit. It resulted from this that the Passport Act 1992 did not provide for an explicit deletion period in local applications for the procedural data mentioned in para. 1 and thus also for photographs. Photographs were therefore procedural data which were not subject to any legally standardised deletion from local records. With regard to the processing of personal data within the framework of the central registry, section 22b(1) of the Passport Act 1992 stipulates that passport authorities, as joint controllers under Article 4(7) in conjunction with Article 26(1) of the GDPR, are authorised to process the personal data required for the performance of the tasks assigned to them under this federal law in accordance with section 22a(1), thus including photographs. 1, i.e. also photographs, with the exception of lit. k, as well as additional data from the time of issuance, in such a way that each data controller also has access to the data provided by the other data controllers. The purpose of this processing was to inform an authority pursuant to para. 4 about the issuance of a passport or identity card or about a procedure pursuant to this Federal Act. The passport authorities are also allowed to determine the name, sex, academic degree, date of birth, place of birth, nationality, place of residence or contact point, photograph, area-specific personal identification number, names of a person's parents and alias data of a person and to process them within the framework of a central record together with the decisive reason for the storage as well as the issuing authority, the date of issue, the passport number and the period of validity of the passport or passport replacement if a passport or passport replacement of the person concerned is reported as lost or mislaid (section 22b para. 2 Passport Act 1992). Section 18 leg. cit. stipulates that a substitute passport is to be understood as an identity card. In the case of identity card no. XXXX, personal data processed in accordance with section 22b(2) of the Passport Act 1992, if it concerned a passport replacement of the person concerned that had been reported as lost or alienated, had to be blocked for information one year after the expiry of its validity, in accordance with section 22c(2) of the Passport Act 1992. Pursuant to paragraph 4, the personal data blocked for information were to be deleted after a further two years. The identity card no. XXXX had been valid until 23 November 2014. On 23 November 2015, the personal data would have had to be blocked for information and deleted on expiry of two further years, on 23 November 2017. The arguments put forward by the other party that the deletion of the data would be contrary to, among other things, the provisions on the enforcement of the lost property law and criminal prosecution, could not be accepted. Following the case law of the Constitutional Court, the authority in question had already stated that the mere possibility of proceedings, without concrete indications, did not justify the continued storage of personal data, which is why there was no justification for the data processing in question under Article 1(2) of the Data Protection Act. With regard to the identity cards no. XXXX and no. XXXX, it had to be explained that personal data had to be blocked for information one year after the invalidation of the passport or identity card, in the case of passports, however, no later than six years after the expiry of the last period of validity, pursuant to section 22b para. 1 of the Passports Act 1992. The personal data blocked for information must also be physically deleted after a further two years (section 22c(4) of the Passports Act 1992). On 24 September 2015, the identity card with the number XXXX had been declared invalid. On 24 September 2016, the personal data would have had to be blocked for information and also deleted after two years. However, as an application for a new identity card had been submitted on 24 September 2015, it had to be assumed that the same photograph had been used in the course of creating the identity card. This meant that a block on information or deletion did not yet apply to these identity cards. For the sake of completeness, it was pointed out that according to Article 89 of the Federal Constitution, the courts were not entitled to review the validity of duly promulgated ordinances, notices on the re-publication of a law (treaty), laws and treaties. This applies all the more to administrative authorities.
The complainant filed an appeal against this decision with the Federal Administrative Court in a written statement dated 24 August 2019. In his appeal, the complainant stated with regard to points 1 and 2 of the contested decision that the authority only requested the deletion from the central registry. However, it was not clear from the decision whether this also applied to the local record. It was therefore requested that points 1 and 2 be extended to the effect that all data relating to ID card no. XXXX were to be deleted, which would also include the local record. Regarding paragraph 3, it was stated that the use of the same photograph for identity cards no. XXXX and XXXX did not constitute a justification for continuing to process this date, because even in the case of identical data, the provision of section 22c (2) of the Passport Act 1992 would apply. As passport no. XXXX had been withdrawn and declared invalid, all data relating to this passport would have had to be blocked for information as of 24 September 2016 and deleted as of 24 September 2018. The authority in question mentioned Article 89 of the Federal Constitution and argued that courts (excluding the Constitutional Court) and administrative authorities were not entitled to review laws. It should be countered that it had already been shown how the enforcement of the Passport Act 1992 could be brought in line with the framework conditions of data protection law and why - at the latest since the concretisation of data protection law by the GDPR - it must be an unplanned loophole if no deletion period existed or no minimum retention periods or storage periods were specified. Therefore, a repeal of an applicable law had never been requested, but rather its possible enforcement in accordance with the framework legislation. The authority, like the other party involved, only referred to national provisions, namely the Passport Act 1992, and did not examine the framework conditions and basic principles of data protection law, which were superordinate to it and which would have a direct effect especially in the absence of national provisions or in the absence of specific provisions (lack of deletion periods with regard to the "local record" in section 22a of the Passport Act 1992). In the absence of an ex lege deletion period, the retention period was therefore to be derived from the intended or ex lege processing purpose. The last sentence of section 22a(1) of the Passport Act 1992 and section 22b(1) of the Passport Act 1992 enumerate the processing purposes and after the production and dispatch of the ID card and, if applicable, the expiry of an appropriate complaint period with regard to the photograph, they had in any case been achieved, whereby further processing would no longer correspond to the intended purpose. Alternatively, there is also a possible analogy to fingerprints as biometric data, for which a relatively short deletion period exists ex lege. Furthermore, national provisions that would contradict the EU framework legislation (GDPR) were not applicable. Therefore, a lack of a deletion period does not entitle the data to be kept indefinitely or to limit deletion to the central record, as claimed by the authority, since the principles of Article 5 of the GDPR would contradict this. It is therefore requested that point 3 be amended to the effect that the photographs of ID cards no. XXXX and no. XXXX are to be deleted from the local and central records. Furthermore, the request was made to submit to the ECJ the question of interpretation pursuant to Art. 267 TFEU as to whether processing purposes mentioned in national standards in conjunction with Art. 5 GDPR would imply the existence of deletion periods, as well as whether there could be an unlimited storage of data without explicit standardisation.
On 3 September 2019, the involved party sent the authority the confirmation of XXXX that the identity card data of the Eastern identity card no. XXXX had been deleted from the central IDR in accordance with decision item 1 of the decision. The deletion order of the prosecuting authority had thus been complied with within the period stipulated in paragraph 2 of the decision.
The authority informed the complainant by letter of 12 September 2019 that it had been confirmed that the identity card data of the Austrian identity card no. XXXX had been deleted from the central IDR in accordance with point 1 of the decision.
By letter dated 18 September 2019, the authority concerned submitted the complaint together with the administrative act to the Federal Administrative Court for a decision.
On the basis of the order of the Division Committee of 17.07.2020, the case in question was assigned to the now competent court division W214, where it was received on 24.07.2020.
15 On 17.12.2020, the complainant submitted a "suggestion of a submission to the Constitutional Court" to the Federal Administrative Court, stating that he was requesting the submission of §§ 22a, b of the Passport Act 1992 to the Constitutional Court for a review of their constitutionality due to the violation of the requirement of determinacy (Art. 18 B-VG), the GDPR framework legislation (Art. 5, 6, 9, 12 and 23 GDPR), the constitutional provision of § 1 para. 2 GDPR, Art. 7 and 8 CFR, Art. 16 TFEU, Art. 8 ECHR, as well as the danger to fundamental rights and freedoms due to ongoing access expansions to inventory data, lack of a judge's prerogative and effective downstream legal protection. The current provisions of sections 22a and b of the Passports Act 1992 do not specify exact storage periods (maximum or minimum), processing purposes or transfer authorisations for certain categories of data, and no distinction is made between the individual categories of data, which would, however, be necessary to ensure transparent and lawful processing that is comprehensible to the data subject.
16 On 04.02.2021, the Federal Administrative Court sent the complainant's complaint and the statement of 17.12.2020 to the co-involved party for information and gave it the opportunity to submit a statement.
(17) In its opinion of 23 February 2021, the involved party stated that Article 5 (1) (e) of the GDPR referred to by the complainant stipulated that personal data had to be stored in a form that allowed the identification of the data subject only for as long as necessary for the purposes for which they were processed. This storage limitation referred to by the complainant was comprehensibly regulated in § 22c (1), (2) (1) and (2) and (4) of the Passport Act 1992 by blocking periods and deletion periods with regard to personal data and document data. These retention periods for personal data in the register (identity document register), which are based on the period of validity of Austrian travel documents, are important because otherwise it would no longer be possible to clarify personal data and the dates of issue of the travel document in the event of any problems with Austrian passports and identity cards in connection with a border control, for example if there is a suspicion of falsification. Furthermore, in the case of theft or loss of the Austrian passport or Austrian identity card, it would no longer be possible to report the loss or loss of the passport or identity card to the police (nationally according to § 22b para. 2 subpara. 1 Passport Act 1992 and internationally according to the provisions of the Schengen Agreement), especially since the travel document number, the issuing authority, the exact date of issue, the validity date, etc. would no longer be ascertainable. In addition, in the event of any doubts as to the authenticity of the travel document presented when it is used as a travel document or as an official photo ID in identity checks, it would be necessary to request, on a case-by-case basis, the authorities mentioned in § 22b para. 4 and para. 4a of the Passport Act 1992, a comparison of the issued Austrian travel document with the travel document data requested by the travel document applicant is no longer possible until the expiry of the validity period of the travel document by the passport authority without the record data (in particular name, date of birth, proof of citizenship, passport photo, signature, issuing authority, travel document number, date of issue, date of validity) processed in the course of applying for and issuing travel documents. It should be noted that § 22c Passport Act 1992 refers to personal data in each case and not to different systems. The reference to § 22b of the Passport Act 1992, which in turn referred to § 22a of the Passport Act 1992, only specified the personal data in more detail. Accordingly, the corresponding statutory deletion periods existed. The obligation to delete the identity card with the number XXXX had been fulfilled; on the basis of points 1. and 2. of the contested decision of the authority concerned, the deletion of the data on the Austrian identity card no. XXXX in the central identity document register and in the local identity document register at XXXX, which is technically inseparable from the central identity document register, had been initiated by e-mail on 30 August 2019. The identity card no. XXXX no longer appeared in the identity document register (neither centrally nor locally). It was therefore noted that, as regards the personal data of the identity card bearing the number XXXX, there was no longer any complaint, as the complainant's request had been granted. As regards the identity card bearing the number XXXX, there was no obligation to delete it, since it was valid until 6 September 2025. The complainant's argumentation regarding § 22a (1) and § 22b (1) of the Passport Act 1992 concerning the lack of an ex-lege deletion period in the records for valid Austrian travel documents was not comprehensible, as § 22c of the Passport Act 1992 in any case regulated the retention period for personal travel document data, which was based on the period of validity of the Austrian travel document. Section 22c of the Passport Act 1992 referred - as mentioned - to specifically mentioned data and not systems. On the other hand, the argumentation was also not comprehensible, since §§ 22a para. 1 and 22b para. 1 of the Passport Act 1992 authorised the passport authorities to store the types of data of the applicant (such as name, date of birth, photograph, signature, etc.) and the dates of issue of the Austrian passport or Austrian identity card, which were enumerated in the application.) and the issuing data of the Austrian travel document (such as issuing authority, date of issue, validity date, passport or identity card number, etc.) in the central and local records (in the central and local identity document register of XXXX), i.e. in particular to store them. There was thus an authorisation to process. Even assuming the absence of a legal obligation to delete data, Article 5(1)(e) of the GDPR would not apply during the current period of validity of the ID card, since the personal data would continue to be needed in personal form for the reasons mentioned above, in any case during the period of validity and even afterwards. Sections 22a (1) and 22b (1) of the Passport Act 1992 do not provide for a deletion period for the duration of the validity of the issued travel documents, and such a period would also be counterproductive during the validity of the travel documents. There was also no obligation to cancel the identity card with the number XXXX; the complainant had complained about the identity card no. XXXX and it had been set to "invalid" in the Identity Documents Register on 24 September 2015, and on the same day the production order for the free replacement identity card for the complainant had been placed with XXXX via the Identity Documents Register on the basis of the identity card application record of 7 September 2015 and with the photo submitted to the passport authority at that time. The "replacement" identity card No. XXXX with the original dates of issue and validity (7 September 2015 to 6 September 2025) and the same photograph had demonstrably been issued to the complainant on 14 October 2015. Both identity cards formed a legal unit with regard to the application, which could be justified in particular by referring to the same basis for the application. A deletion of the IDR data of the identity card no. XXXX complained of in the identity document register would have the consequence that the processing (storage) of the complainant's personal data pursuant to §§ 22a (1) and 22b (1) of the Passport Act 1992 for the "replacement" identity card no. XXXX, which would be valid until 6 September 2025, would be deprived of its basis. The blocking of the data of identity card no. XXXX for information in the central and local records (identity document register) as of 24 September 2016 and the deletion of these identity card data as of 24 September 2018 pursuant to § 22c para. 2 and para. 4 Passport Act 1992, as requested by the complainant, could therefore not come into effect. The argument that the photographs in the identity document register are biometric data within the meaning of Article 4(14) of the GDPR is strongly opposed, as they are not stored on the data carrier of the biometric passport ("chip").
The Federal Administrative Court transmitted the opinion of the co-participating party to the complainant and the authority concerned on 07.04.2021 within the framework of the hearing of the parties.
In his statement of 15 April 2021, the complainant explained - by attaching documents - that the photographs used for passports and identity cards were biometric data. Furthermore, the complainant reiterated that the storage of his photograph was not necessary. Even if an identity card was necessary in everyday life, one could usually prove one's identity with any official photo ID (student ID, gun permit, driving licence...). At most, a purely local storage of the scanned application form including photo in an archive of the passport authority without automated retrieval options would be compatible with the purpose of the procedural documentation.
20 The Federal Administrative Court asked the co-participating party to clarify whether the photograph stored on the occasion of the issuance of the identity card that was later declared invalid is stored separately both under the no. of the invalid identity card and under the no. of the subsequently issued valid identity card.
In this regard, the involved party informed the complainant in a letter of 22 April 2021 that the federal application Identity Document Register (IDR) was set up in such a way that each passport or identity card application was recorded separately together with the respective photograph submitted. In the present case, a new free identity card with the number XXXX had been issued to the complainant by the MBA 4/5 on 24 September 2015 on the basis of his complaint about an alleged production error in the identity card (plastic card) with the number XXXX that he had applied for on 7 September 2015. Here, too, the relevant application for reissue free of charge, together with the photograph, had been recorded and stored separately in the IDR. According to passport law, the same photograph could be used for the fee-free reissue, provided that there were no more than six months between the two dates of issue. However, this did not change the fact that in the present case, the photograph used had also been stored separately in the IDR with the application for the free reissue of the identity card.
II. the Federal Administrative Court considered:
1. findings:
The findings are based on the course of proceedings mentioned under point I.
In his data protection complaint of 10 November 2018 (improved with submissions of 14 November 2018 and 29 November 2018), the complainant alleged a violation of the right to confidentiality and claimed that a permanent storage of his biometric data on identity card no. XXXX as well as his photographs on identity cards no. XXXX and no. XXXX by the XXXX as passport authority and responsible person pursuant to Art. 4 line 7 of the GDPR in the Identity Document Register (IDR) of the XXXX was disproportionate and (had been) inadmissible (due to the non-observance of deletion deadlines). The complainant therefore requested the deletion of the personal data relating to identity card no. XXXX as well as the photographs relating to identity cards no. XXXX and no. XXXX .
In its decision of 14 May 2019, Zl DSB-D123.770/0000-DSB/2019, the authority partially upheld the complainant's complaint and found that the co-participating party had violated the complainant's right to confidentiality by storing the complainant's personal data (§ 22b para. 2 Passport Act 1992) on identity card no. XXXX in the central identity document register beyond 23 November 2017 (decision point 1). The co-participating party was ordered to delete the data pursuant to paragraph 1 within a period of two weeks (paragraph 2.). In all other respects, the complaint was dismissed on the grounds of violation of the right to secrecy (decision point 3.).
The complainant filed an appeal against this decision with the Federal Administrative Court in a written submission dated 24 August 2019.
The complainant's data on identity card no. XXXX were deleted from the central and local identity document registers, which are technically inseparable, no later than 03.09.2019.
The complainant's photograph, which was processed on the occasion of the application for identity card no. XXXX, is still processed by the co-participating party in the data set of this identity card, which was declared invalid on 24.09.2015.
This photograph is also processed by the co-operating party in the data set on the complainant's identity card no. XXXX.
2. assessment of evidence:
The findings result from the administrative act and from the court record and are undisputed.
3. legal assessment:
Re A)
3.1 Pursuant to Art. 130 para. 1 subpara. 1 B-VG, the administrative courts shall rule on complaints against the decision of an administrative authority on grounds of illegality.
Pursuant to section 6 of the Federal Administrative Court Act (BVwGG), the Federal Administrative Court decides by single judges, unless federal or provincial laws provide for decisions by senates. Pursuant to section 27 of the Data Protection Act (DSG) as amended (which essentially corresponds to section 39 DSG 2000, which was in force until 24 May 2018), the Federal Administrative Court decides in proceedings on appeals against decisions, on the grounds of violation of the duty to inform pursuant to section 24(7) and the duty of the data protection authority to decide by a senate. The senate consists of a chairperson and one expert lay judge each from the circle of employers and employees.
The procedure of the administrative courts, with the exception of the Federal Finance Court, is regulated by the Administrative Court Procedure Act (VwGVG) (§ 1 leg.cit.). Pursuant to § 58 para 2 VwGVG, conflicting provisions that have already been promulgated at the time of the entry into force of this Federal Act shall remain in force.
Pursuant to § 17 VwGVG, unless otherwise provided for in this Federal Act, the provisions of the AVG, with the exception of §§ 1 to 5 as well as Part IV, as well as other more specifically mentioned laws (not relevant in the present case) and, moreover, those procedural provisions in federal or provincial laws which the authority applied or should have applied in the proceedings before the administrative court shall apply mutatis mutandis to the proceedings on appeals pursuant to Art. 130 para 1 B-VG.
Pursuant to section 28 (1) VwGVG, the administrative court shall dispose of the case by way of a decision, unless the complaint is to be dismissed or the proceedings are to be discontinued. Pursuant to section 31 (1) VwGVG, decisions and orders shall be made by decision, unless a finding is to be made.
Pursuant to § 28 para 2 VwGVG, the administrative court shall decide on the merits of appeals pursuant to Art. 130 para 1 subpara 1 B-VG if the relevant facts have been established or if the determination of the relevant facts by the administrative court itself is in the interest of speed or entails a considerable saving of costs.
3.2 On the process requirements:
The appeal was filed within the time limit pursuant to section 7 (4) VwGVG and the other procedural requirements were also met.
3.3 Re award part A):
3.3.1 Legal situation:
The authority concerned based its decision on the following legal bases:
Art. 58 para. 2 lit. d and Art. 77 of the General Data Protection Regulation (GDPR), OJ No. L 119 of 04.05.2016; Sections 1, 24 para. 1 and 5 of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended as well as Sections 22a, 22b, 22c of the Passport Act 1992, Federal Law Gazette No. 839/1992 as amended. No. 839/1992 as amended. These provisions are also to be applied in the present appeal proceedings before the Federal Administrative Court; furthermore, Art. 5 para. 1 lit. c of the GDPR is relevant.
Art. 4 Z 14 DSGVO reads:
„14.
"biometric data" means personal data, obtained by means of specific technical procedures, relating to the physical, physiological or behavioural characteristics of a natural person, which enable or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;".
Art. 5 para. 1 lit. c and e DSGVO read:
"Art. 5 GDPR Principles for the processing of personal data
(1) Personal data must
(c) adequate and relevant to the purpose and limited to what is necessary for the purposes of the processing ('data minimisation');'.
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed; personal data may be kept for longer periods insofar as the personal data are processed solely for archiving purposes in the public interest or for scientific and historical research purposes, or for statistical purposes as referred to in Article 89(1), subject to the implementation of appropriate technical and organisational measures required by this Regulation to protect the rights and freedoms of the data subject ('storage limitation');'.
Article 58(2)(d) of the GDPR reads:
"Article 58 Powers
(2) Each supervisory authority shall have all of the following remedial powers that permit it,
(d) instruct the controller or processor, as appropriate, to bring processing operations into compliance with this Regulation in a specified manner and within a specified period of time;'.
Article 77 of the GDPR reads:
"Article 77
Right to complain to a supervisory authority
1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her residence, place of work or the place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
2. The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78.".
Section 1 and Section 24 (1) and (5) of the FADP read:
"Article 1
(Constitutional provision)
Fundamental right to data protection
(1) Everyone has the right to confidentiality of personal data relating to him or her, in particular with regard to respect for his or her private and family life, insofar as there is an interest worthy of protection. The existence of such an interest shall be excluded if data is not accessible to a claim to secrecy due to its general availability or due to its lack of traceability to the person concerned.
(2) Unless the use of personal data is in the vital interest of the data subject or with his or her consent, restrictions on the right to confidentiality shall only be permissible to safeguard overriding legitimate interests of another, and, in the case of interference by a public authority, only on the basis of laws which are necessary for the reasons set out in Article 8(2) of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR), Federal Law Gazette No. 210/1958. Such laws may only provide for the use of data which, by their nature, are particularly worthy of protection, in order to safeguard important public interests, and must at the same time lay down appropriate safeguards for the protection of the confidentiality interests of the data subjects. Even in the case of permissible restrictions, the encroachment on the fundamental right may only be carried out in the most lenient manner that leads to the objective.
(3) Insofar as personal data concerning him or her are intended for computer-assisted processing or for processing in files kept manually, i.e. without computer assistance, everyone shall have the right, in accordance with statutory provisions
1.the right to be informed about who processes which data concerning him/her, where the data originate from and for what purpose they are used, in particular also to whom they are transmitted;
2.The right to rectification of inaccurate data and the right to erasure of inadmissibly processed data.
(4) Restrictions of the rights under subsection (3) shall only be permissible under the conditions set out in subsection (2).
(1) Every data subject shall have the right to lodge a complaint with the data protection authority if he or she considers that the processing of personal data relating to him or her infringes the GDPR or Section 1 or Article 2, Chapter 1.
(5) If a complaint proves to be justified, it shall be followed up. If an infringement is attributable to a private sector controller, the latter shall be ordered to comply with the complainant's requests for information, rectification, erasure, restriction or data transfer to the extent necessary to remedy the identified infringement. If the complaint proves to be unjustified, it shall be dismissed.
Section 22a of the Passports Act 1992, including the heading, reads:
"Processing of personal data on the occasion of the application and in local applications
§ 22a. (1) The passport authorities shall be empowered, when an application is made for the issue of a passport or identity card, to
a) Names,
b) Gender,
(c) academic degree,
d) Date of birth,
e) Place of birth,
f) Citizenship,
g) Residences or contact point (Section 19a MeldeG),
h) Size,
(i) special characteristics in verbal description,
j) photograph,
(k) the papillary line impressions of two fingers,
(l) signature; and
m) the area-specific personal identifier (bPK) pursuant to § 9 of the E-Government Act - E-GovG, Federal Law Gazette I No. 10/2004, and
(n) names, sex and dates of birth of co-registered children
of the applicant for the purpose of inserting these data into the passport or identity card and to transmit these data for this purpose to the processor pursuant to § 3 para. 6.
(2) The locally competent passport authority shall be authorised to determine further personal data (procedural data) required for the issuing procedure and other procedures pursuant to this Federal Act and to process such data together with the related data pursuant to subsection 1 as well as the further data pursuant to section 22b subsection 1 in an automated manner.
(3) Only names, dates of birth, passport or identity card number, a procedure number or the area-specific personal identifier (bPK, Section 9 of the E-Government Act) may be processed as selection criteria for determining data pursuant to para. 2. Information on the photograph and the signature image is only permissible if this is a necessary prerequisite for the fulfilment of an official task. Papillary line prints processed pursuant to para. 1 lit. k may only be processed for the identification of the passport holder and the verification of the authenticity of the document in execution of this Act.
(4) Data processed pursuant to para 2 may only be processed for the enforcement of this Federal Act, unless there is a separate explicit legal authorisation. However, procedural data may only be processed by the respective competent local passport authority.
(5) The procedural data pursuant to para 2 shall be deleted as soon as they are no longer required, but no later than ten years after the decision has become final or after the passport has been issued. Data on documents to be presented as evidence in proceedings under this Federal Act and data on official decisions to be taken into account in such proceedings shall be deleted one year after the passport or identity card has been cancelled, in the case of passports at the latest six years after the expiry of the period of validity.
(5a) The data pursuant to para 1 lit. k shall be deleted no later than two months after the document has been sent (section 3 para 6), and no later than four months after the document has been sent with the involvement of the Federal Ministry for European and International Affairs, otherwise upon effective withdrawal or legally binding rejection or dismissal of the application.
(6) Log data on processing operations actually carried out, such as in particular changes, queries and transfers, shall be kept for three years."
Section 22b of the Passports Act 1992, including the heading, reads:
"Processing of personal data in the framework of central evidence
§ 22b. (1) The passport authorities, as joint controllers pursuant to Art. 4(7) in conjunction with Art. 26(1) of the GDPR, shall be authorised to process the personal data required for the performance of the tasks assigned to them under this Federal Act pursuant to § 22a(1), with the exception of lit. k, and, from the time of issuance
(a) the issuing authority,
(b) the date of issue,
(c) the passport or identity card number,
(d) the period of validity,
(e) the scope of application,
f) the area-specific personal identifier (bPK, Section 9 of the E-Government Act),
(g) specific information necessary for the issuing procedure; and
h) a note on any ongoing proceedings under this federal act
jointly in such a way that each data controller also has access to those data in the data processing which have been made available to him/her by the other data controllers. The purpose of this processing is to inform an authority pursuant to para. 4 about the issuance of a passport or identity card or about a procedure pursuant to this federal law.
(1a) The fulfilment of information, access, rectification, erasure and other obligations under the provisions of the GDPR vis-à-vis the data subject shall be incumbent on each controller with regard to those data processed in connection with the procedures it conducts or the measures it takes. If a data subject exercises a right under the GDPR against a controller who is not competent pursuant to the first sentence and provides proof of his or her identity, the data subject shall be referred to the competent controller.
(1b) The Federal Minister of the Interior shall exercise the function of a data processor pursuant to Art. 4(8) in conjunction with Art. 28(1) of the GDPR. In this function, he or she is obliged to fulfil the data protection obligations pursuant to Art. 28(3)(a) to (h) of the GDPR. In this function, he must implement data quality assurance measures, such as in particular providing information on the possible identity of two similar data records or the spelling of addresses. In addition, he is entitled to use other processors.
(2) The passport authorities may also determine the name, sex, academic degree, date of birth, place of birth, nationality, place of residence or contact point (section 15a MeldeG), photograph, the area-specific personal identifier (bPK, section 9 E-Government Act), names of a person's parents and alias data of a person and process them within the framework of a central record together with the reason for storage as well as the issuing authority, the date of issue, the passport number and the period of validity of the passport or passport replacement if
1. a passport or passport replacement of the person concerned is reported lost or alienated,
2. a passport or passport replacement has been refused or withdrawn from the person concerned pursuant to sections 14 or 15; or
3. the passport authority is informed about the order to take a travel document pursuant to section 107 of the Federal Act on Judicial Proceedings in Non-Contentious Matters (Außerstreitgesetz - AußStrG), Federal Law Gazette I No. 111/2003, or the revocation of such a measure.
The purpose of this processing is to establish the identity of persons and to prevent improper processing of travel documents as well as to inform the authorities about existing grounds for refusal and revocation. Section 22a (3) last sentence shall apply mutatis mutandis to the use of photo data.
(3) The passport authorities shall be empowered,
1. the personal data stored by them in the central registry on the occasion of a specific procedure for the purposes pursuant to para. 1 last sentence and para. 2 penultimate sentence as well as
2. the personal data stored in the central registry for the purposes of proceedings under this federal act
to process. A retrieval of personal data is only permissible on the basis of the search criteria specified in § 22a par. 3. With the exception of information retrieval, the use of a photograph stored pursuant to para 2 is only permitted within six months after the photograph has been processed in the central registry for the first time.
(4) Upon request in individual cases, data of certain persons processed pursuant to paras 1 and 2 may be transmitted to the passport authorities for the purpose of procedures under this Federal Act, to the master number register authority for the purpose of electronic data verification pursuant to section 18 para 1 E-GovG, to the security authorities, ordinary courts and public prosecution authorities for their activities in the service of criminal justice. In the case of granting the possibility of automated retrieval of personal data, such retrieval shall only be permitted on the basis of the search criteria specified in section 22a (3). Otherwise, transfers are only permissible if there is an explicit legal authorisation for this.
(4a) Upon request in individual cases, the names, dates of birth, photograph and passport or identity card number of certain persons may be transmitted to authorities if they have to establish the identity of a person within the scope of a legally assigned task and if this is not possible otherwise or not within the time required by the circumstances. Paragraph 4, second sentence, shall apply.
(5) The logging regulations of § 22a par. 6 shall also apply to the central evidence pursuant to par. 1 and 2 of this provision.
(6) With regard to the processing of personal data under this Federal Act, there shall be no right to object pursuant to Art. 21 of the GDPR and no right to restrict processing pursuant to Art. 18 of the GDPR. The data subjects shall be informed of this in an appropriate manner.
(7) The Federal Minister of the Interior shall, upon request of the person concerned using the electronic proof of identity (E-ID) function, process a note in the central record that the person concerned will be informed in due time about the expiry of the validity of his/her travel document and notify the person concerned in due time before the expiry of the validity of his/her travel document. No notification shall be made and the relevant note shall be deleted if the person concerned so requests. The Federal Minister of the Interior is authorised to determine by decree a later point in time from which data subjects may be notified of the expiry of the validity of their travel documents.
(8) The citizenship authority shall be authorised and, upon request, obliged to provide the Authority with data lawfully held by it and required for proceedings or for the initiation of proceedings under this Federal Act. A refusal to provide information is not permissible. The data shall be deleted immediately if they are no longer required for the fulfilment of the specific purpose."
Section 22c of the Passports Act 1992, including the heading, reads:
"Central record; blocking of information and deletion
§ 22c. (1) Personal data processed pursuant to section 22b sub-section 1 when an application is filed shall be deleted upon effective withdrawal or legally binding rejection of the application, the note on an ongoing procedure pursuant to this Federal Act shall be deleted upon legally binding conclusion of the procedure. Apart from that, the personal data pursuant to section 22b para 1 shall be blocked for information one year after the passport or identity card has been cancelled, in the case of passports, however, no later than six years after the expiry of the last period of validity.
(2) Personal data processed in accordance with section 22b(2) are
1. in the cases of Z 1 and, in the cases of Z 2, in the case of travel documents in circulation, six years after the expiry of the last period of validity in the case of passports, and one year after the expiry of the period of validity in the case of a passport replacement,
2. otherwise, in the cases of para 2, to block information for ten years after the decision has become final.
(3) If the reason for storing the data ceases to apply prior to the expiry of the full stops referred to in subsection 2, the personal data shall be blocked for information one year after the reason ceases to apply.
(4) The personal data blocked for information shall also be physically deleted after the expiry of two further years."
3.3.2 Applied to the specific case, this means the following:
On the qualification of photographs as biometric data:
The complainant assumes that the data used for passports and identity cards are biometric data within the meaning of Art. 4(14) of the GDPR. The other party disputes this. It should be noted that the scientific literature by Jahnel states that facial images fulfil all elements of the definition. The phrase "enabling or confirming the unique identification of that natural person" refers to "personal data" and not to the specific technical means of processing. "For the concept of biometric data, it is therefore important that data are obtained by specific technical means and that these data allow the unambiguous identification of the person. [...] Therefore, facial images are always biometric data. [...] In order for facial data to also fall under the concept of special categories of personal data, however, an additional factual element must be fulfilled according to the definition of Art. 9(1), namely the processing 'for the purpose of uniquely identifying a natural person'" (Jahnel, Kommentar zur DSGVO, Art. 4 Rz 8 und 9). Hödl in Knyrim, DatKomm Art 4 DSGVO (as of 1.12.2018, rdb.at), explains in a more differentiated manner: "Simple photographs of persons do not constitute biometric material. Only the further technical processing of the image data should lead to the existence of biometric data." In this respect, this would correspond to the complainant's view that the image data will qualify as biometric data at the latest when processed by the authority.
The photographs used for passports and identity cards serve the purpose of uniquely identifying the person to whom the identity document was issued, even if queries from the identity document register have to be carried out according to other criteria.
Ultimately, the question of whether the photographs used are biometric data can be left open for the following reasons: even if they were biometric data, the processing of these data is provided for at the level of the law (Passport Act 1992) for reasons of substantial public interest (Art. 9(2)(g) GDPR), although the respective deletion periods and, even if no deletion periods are provided for, the provisions of Art. 5 GDPR in particular also come into play.
With regard to points 1 and 2 of the contested decision:
In decision point 1 of the contested decision, the authority ruled that the complaint was partially upheld and that the co-participating party had violated the complainant's right to confidentiality by storing the complainant's personal data (§ 22b para. 2 of the Passport Act 1992) on identity card no. XXXX were stored in the central identity document register, and that in point 2 of the contested decision the co-participating party be ordered to delete the data pursuant to point 1 within a period of two weeks.
The co-operating party complied with this order and, on 30.08.2019, arranged for the deletion of the data relating to the complainant's identity card no. XXXX at the XXXX. The deletion of this data was confirmed by XXXX on 03.09.2019.
The complainant challenges paragraph 1 of the contested decision insofar as he states that the authority only requires the deletion from the central register. However, it was not clear from the decision whether this also applied to the local record. He therefore requested that points 1 and 2 be extended to the effect that all data on the XXXX ID card were to be deleted, which would also include the local record.
However, as the involved party explained in its statement of 23.02.2021, the central and local identity document registers are technically inseparable and the identity card no. XXXX does not appear in the identity document register either centrally or locally after the deletion has been carried out.
As a result, it follows that points 1 and 2 of the contested decision do not need to be corrected due to the technical inseparability of the central and the local identity document registers, and the complaint is therefore to be dismissed in this respect.
With regard to point 3 of the contested decision:
The complainant further requested the deletion of the photographs stored in the identity document register for the identity cards no. XXXX and XXXX.
The authority dismissed the complainant's data protection complaint in this regard in point 3 of the contested decision.
For identity card no. XXXX :
The identity card No. XXXX , in the name of the complainant, is valid from 07.09.2015 to 06.09.2025.
The complainant considers that his right to confidentiality has been violated and requests the deletion of his photo for identity card no. XXXX, arguing that § 22a and § 22b of the Passport Act 1992 do not stipulate a deletion period, which is why the maximum processing period or storage period must be derived from the purpose of the processing. These processing purposes were listed in the last sentence of section 22a(1) and the last sentence of section 22b(1). It follows from this that after the production and dispatch of the ID card and waiting for an appropriate complaint period, the purpose of the processing with regard to the photograph had been achieved in any case.
The intervening party argues that the standardisation of a deletion period in §22a and §22b of the Passport Act 1992 would be counterproductive for the duration of validity, as the data would still be needed.
It is correct that with regard to the data mentioned in § 22a para. 1 and § 22b para. 1 Passport Act 1992, no statutory deletion periods are provided for - among others - photographs in valid travel documents. As far as the purposes stated in the Act are concerned, the last sentence of section 22b(1), for example, refers to subsection (4). According to section 22b (4) of the Passport Act 1992, data of certain persons processed upon request in individual cases pursuant to subsections (1) and (2) may be transmitted to the passport authorities for the purpose of proceedings under this Federal Act, to the master number register authority for the purpose of electronic data verification pursuant to section 18 (1) of the E-GovG, to the security authorities, ordinary courts and public prosecution authorities for their activities in the service of criminal justice. This provision seems to assume a storage of personal data beyond the production and sending of the ID card.
Nevertheless, in this case - if interpreted in conformity with Union and constitutional law - it cannot be assumed that there is an entitlement to unlimited storage "in stock", but rather, when assessing the lawfulness of the processing, Art. 5 GDPR must be consulted, according to which personal data must be adequate and relevant to the purpose and limited to what is necessary for the purposes of the processing ("data minimisation") and stored in a form that permits identification of data subjects only for as long as is necessary for the purposes for which the data are processed ("storage limitation"). According to the explanations in Government Bill 65 of the Supplements XXVI GP, "for an orderly enforcement of the passport system, the processing of personal data of applicants for a travel document is indispensable to the extent provided for by law and in this sense there is always an overriding public interest in data processing that is worthy of protection", which is why there is also no right of objection or right to restriction of processing. According to the Federal Administrative Court, this must in any case apply to valid travel documents. As the party involved correctly points out, if the personal data were deleted immediately after the production and dispatch of the identity document (and waiting for an appropriate complaint period), it would no longer be possible to clarify the personal data and the dates of issue of the travel document in the event of any problems with Austrian passports and identity cards in connection with a border control, for example if there were suspicions of forgery. In addition, as stated above, in the event of any doubts about the authenticity of the travel document presented when it is used as a travel document or as an official photo ID, in the event of identity clarifications upon request in the individual case of the authorities named in § 22b para. 4 and para. 4a Passport Act 1992, a verification of the issued Austrian travel document in comparison with the travel document data requested by the travel document applicant until the expiry of the validity period of the travel document by the passport authority is no longer possible without the record data (in particular name, date of birth, proof of citizenship, passport photo, signature, issuing authority, travel document number, date of issue, date of validity) processed in the course of the application for and issuance of travel documents. Contrary to the complainant's view, the pure document data without a photograph are not sufficient for the above-mentioned purposes, especially since photographs are usually absolutely necessary for the clarification of identity, since, for example, in the case of falsifications of the ID card, a possible exchange of the photograph would not be recognisable if the data were otherwise left unchanged. The complainant argues that there are "a number of lesser means" and that there are hardly any known cases of "perfect" forgeries, but especially when there are no document verification devices/technical aids available, forgeries cannot always be recognised at first glance, which is why it is necessary to be able to compare the data and the photograph in the IDR. In the present case, there are no obvious alternative means, especially since the ID card does not have a chip that could be read. It follows from the above that the processing of the personal data for the duration of the validity of the identity card is, pursuant to Article 5 of the GDPR, adequate and relevant to the purpose and limited to what is necessary for the purposes of the processing, since the processing of the complainant's personal data in the identity card no. XXXX is necessary for the above-mentioned reasons at any rate until the expiry of the validity of the identity card. Thereafter, the deletion periods of Section 22c of the Passport Act 1992 apply, which, as a result of the technical inseparability of the central and local identity document registers, in effect apply to the central and local applications.
The complaint was therefore to be dismissed in this respect.
The Federal Administrative Court is therefore unable to identify any unconstitutionality of the provisions of § 22a and § 22b of the Passport Act 1992, which is why a referral to the Constitutional Court pursuant to Art. 140 (1) 1 could be dispensed with. The complainant's suggestion to submit the question to the ECJ for a preliminary ruling pursuant to Art. 267 TFEU "whether processing purposes mentioned in national standards in conjunction with Art. 5 GDPR imply the existence of deletion periods, as well as whether there can be an unlimited storage of data without explicit standardisation" was not to be followed due to the above, especially since a court that is not the court of last instance - such as the Federal Administrative Court (cf. VfGH 26.02.2018, E 4325/2017) - is only obliged to make a submission if it doubts the validity of Union law (Kolonovits/Muzak/Stöger, Verwaltungsverfahrensrecht11, Rz 313/1). However, in the opinion of the Federal Administrative Court, such doubts do not exist and were not alleged in the appeal.
For identity card no. XXXX :
Identity card No. XXXX , in the name of the complainant, was issued on 07.09.2015 and set to invalid on 24.09.2015 in the Identity Document Register.
The complainant considers that his fundamental right to data protection has been violated and requests the deletion of his photo on identity card no. XXXX .
In the contested decision, the authority concerned stated that pursuant to section 22c (1) of the Passport Act 1992, the personal data pursuant to section 22b (1) had to be blocked for information for one year after the passport or identity card [...] had been cancelled. Pursuant to para 4, the personal data blocked for information must also be physically deleted after a further two years. Therefore, the personal data had to be blocked for information as of 24 September 2016 and also deleted after two years. However, as an application for a new identity card had been submitted on 24 September 2015, it had to be assumed that the same photograph had been used in the course of creating the identity card. This meant that the blocking or deletion of information for these ID cards did not yet apply.
The co-respondent argued that deleting the IDR data of the claimed identity card no. XXXX from the Identity Documents Register would have the effect of removing the basis for processing (storing) the complainant's personal data pursuant to §§ 22a para. 1 and 22b para. 1 Passport Act 1992 for the "replacement" identity card no. XXXX, which would be valid until 6 September 2025.
However, this cannot be followed:
Even if the creation of identity card no. XXXX is based on the same application and the same photograph as the invalidated identity card no. XXXX, it is not clear to what extent the personal data or the photograph of the complainant on the invalid identity card no. XXXX form the basis for the processing (storage) of the personal data or the photograph of the complainant on the identity card no. XXXX at the present time. The basis for the issuing of the valid identity card no. XXXX as well as the storage of the personal data is the complainant's application for the issuing of the identity card of 7 September 2015 and the complaint about the (now invalid) identity card no. XXXX by the complainant of 24 September 2015. However, this basis is not lost by the deletion of the photograph of the invalid identity card no. XXXX. Moreover, as can be seen from the extract from the Central Identity Document Register concerning the complainant, the complainant's personal data or photograph are stored twice, once in relation to the invalid identity card no. XXXX and once in relation to the valid identity card no. XXXX . Therefore, if one were to delete the complainant's personal data or photograph from the invalid identity card no. XXXX, the personal data or photograph of the complainant would still be present in the data record of the identity card no. XXXX, especially since the data record of the valid identity card no. XXXX does not contain a reference to the data record of the invalid identity card no. XXXX, but - as already explained - the data are listed independently. The argumentation of the other party that both identity cards form a legal unit can therefore not be accepted. The personal data or (as requested by the complainant) the photograph would therefore have had to be blocked for information as of 24 September 2016 and deleted after two years. Moreover, the above considerations regarding the necessity of storing the data in the IDR do not apply to invalid or expired ID cards, as invalid or expired ID cards per se no longer have an ID function. The complaint was therefore to be upheld and the other party was to be ordered to have the complainant's photo of identity card no. XXXX deleted from the identity document register (both the central identity document register and the local application) within a period of two weeks.
On the omission of an oral hearing:
Pursuant to section 24 (1) VwGVG, the administrative court shall hold a public hearing upon request or, if it deems it necessary, ex officio.
Pursuant to section 24 (4) VwGVG, the administrative court may - unless otherwise provided by federal or provincial law - dispense with a hearing notwithstanding a party application if the files show that the oral discussion is unlikely to result in further clarification of the case and neither Art. 6 (1) ECHR nor Art. 47 CFR preclude the dispensing with the hearing.
In the case at hand, the complainant did not request an oral hearing and the facts of the case were clarified by the files. The use of further evidence was not necessary to clarify the facts.
In the present case, the Federal Administrative Court has to rule exclusively on a question of law (cf. ECHR 20.06.2013, Appl. no. 24510/06, Abdulgadirov v. AZE, para. 34 et seq.). According to the case law of the Constitutional Court, an oral hearing can also be omitted if the facts of the case are undisputed and the legal question is not of any particular complexity (VfSlg. 17.597/2005; VfSlg. 17.855/2006; most recently, for example, VfGH 18.06.2012, B 155/12).
It was therefore not necessary to hold an oral hearing.
Re B) Inadmissibility of the appeal:
Pursuant to § 25a para 1 VwGG, the administrative court shall state in the ruling of its decision or order whether the appeal is admissible pursuant to Art. 133 para 4 B-VG. The decision shall be briefly substantiated.
The present decision does not depend on the solution of a legal question of fundamental importance. There is neither a lack of case law of the Administrative Court nor does the present decision deviate from the case law of the Administrative Court; furthermore, the present case law of the Administrative Court is not to be judged as inconsistent. There are also no other indications of fundamental importance of the legal questions to be resolved. The Federal Administrative Court can base all significant legal questions on the established case law of the Administrative Court or on a legal situation that is clear anyway. On this basis, a legal question of fundamental importance within the meaning of Art. 133 para. 4 B-VG cannot be affirmed (cf. e.g. VwGH 25.09.2015, Ra 2015/16/0085, mwN). Therefore, it had to be stated that the appeal was not admissible pursuant to Art. 133 (4) B-VG.
European Case Law Identifier
ECLI:AT:BVWG:2021:W214.2219800.3.00
</pre>
</pre>

Revision as of 13:10, 7 July 2021

BVwG - W214 2219800-3
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 5(1)(c) GDPR
Article 5(1)(e) GDPR
Article 58(2)(d) GDPR
Article 77 GDPR
§ 22a PassG 1992
§ 22b PassG 1992
§ 22c PassG 1992
Decided: 26.04.2021
Published:
Parties:
National Case Number/Name: W214 2219800-3
European Case Law Identifier: ECLI:AT:BVWG:2021:W214.2219800.3.00
Appeal from: DSB
DSB-D123.770/0009-DSB/2019
Appeal to:
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (RIS) (in German)
Initial Contributor: n/a

The Austrian Federal Administrative Court ruled that the storage of personal data on an identity document is justified for the entire duration of its validity, in particular to detect forgeries. In contrast, personal data from an old identity document must be deleted even if the data is the same as that of a new identity document.

English Summary

Facts

The controller issues identity cards and passports. The data transmitted for this purpose are in any case stored for the duration of the validity of the identity documents.

The data subject reported losing an identity card ("old ID"), which was subsequently blocked. He then applied for a new identity card ("new ID") using the same photograph, which was still valid at the time of the decision. The photograph relating to the new ID was still stored at the time of the decision. The same photograph was also stored in the data set of the old ID, even though it had been blocked for more than three years.

In a complaint to the Austrian DPA (DSB), the data subject requested, among other things, the deletion of these photographs. The DSB did not follow the data subject in this respect.

The data subject filed an appeal against this with the Austrian Federal Administrative Court (BVwG).

Holding

The BVwG ruled, among other things, that the controller is obliged to delete the photograph relating to the old ID. However, during the period of validity of an identity document, photographs may be stored.

Photographs as biometric data

The court first dealt with the question of whether photographs are biometric data within the meaning of Article 4(14) GDPR. In this regard, it stated that photographs serve to uniquely identify the person to whom the identity document is issued. This does not change if queries from the identity document register are carried out according to other criteria. In the end, however, the court leaves the qualification as biometric data open, since their processing would in any case be lawful under Article 9(2)(g) GDPR. The processing of biometric data was provided for at the statutory level by the Austrian Passport Act 1992 (PassG) for reasons of substantial public interest.

No obligation to delete data concerning a valid identity document

The court stated that there was no obligation to delete the data concerning the new identity card. Such obligation cannot exist during the period of validity of the identity card. After the expiry of the validity, § 22c PassG provides for a deletion obligation. First of all, the opinion of the data subject is rejected, according to which the photographs are to be deleted after production and issuing of the ID card and waiting for an appropriate complaint period. The data subject was of the opinion that "production and issuance" were the decisive purposes of the data processing and that those implied a corresponding deletion period. The court based its decision on the fact that § 22a(1) and § 22b(1) PassG, which regulate data processing from the time of application for the issuance of an identity document, do not provide for any deletion periods with regard to photographs. In addition, according to § 22b(4)(1) PassG, processed data of certain persons may be transmitted to specifically defined authorities for specifically defined purposes upon request in individual cases. In this respect, this provision seems to assume a storage of personal data beyond the production and issuance of the ID card.

The court then states that there is nevertheless also no authorisation for unlimited storage "in advance". Rather, the principles of data minimisation and storage limitation laid down in Article 5 GDPR set the relevant limits. However, processing for the duration of validity is justified in any case.

First of all, reference is made to the explanations in a government bill. According to these, "the processing of personal data of applicants for a travel document to the extent provided for by law is indispensable for an orderly enforcement of the passport system and, in this sense, there is always an overriding public interest in the processing of data that is worthy of protection". Therefore, no right of objection or right to erasure of processing had been introduced. According to the BVwG, this applies in any case to valid travel documents.

Otherwise, confirmation of the personal data and the dates of issue of the travel document would no longer be possible in the event of any problems with passports and identity cards in connection with a border control (e.g. if forgery is suspected). Also, identity checks for other authorities according to the above-mentioned § 22b (4) PassG or according to § 22b (4a) PassG, which also provides for such a check, would no longer be possible in case of doubts about the authenticity. In the court's view, photographs in particular were also necessary for these verifications, since especially in the case of falsifications of the ID card, a possible exchange of the photograph would not be recognisable if the data were otherwise left unchanged.

Finally, the court briefly states that it has no doubts about the constitutionality and EU lawfulness of § 22a and § 22b PassG. It therefore refrained from referring the case to the Austrian Constitutional Court or the ECJ. The data subject had proposed to ask the ECJ "whether processing purposes mentioned in national norms imply the existence of deletion periods in interaction with Article 5 GDPR, as well as whether there can be an unlimited storage of data without explicit provisions".

Obligation to delete data regarding an expired identity document

The court ruled that the photograph stored in the data record of the old ID must be deleted, even if it is identical to the photograph on the new ID. § 22c (1) PassG provides that one year after the identity card has been cancelled, personal data and in particular photographs are to be blocked for information requests (by authorities). According to § 22c (4) PassG, the personal data blocked for information must be physically deleted after a further two years.

These conditions were met here, so the court ruled that the right to deletion had been violated.

According to the BVwG, this decision is not changed by the fact that an application for a new ID using the same photo was submitted before the expiry of the deletion period. The data for the old ID do not constitute a basis for the new ID. Rather, it can only be based on the new data. The photo was stored twice. Deleting the old photo would not lead to a gap in the data record for the new ID card.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Court

Federal Administrative Court
Decision date

26.04.2021
Business number

W214 2219800-3
Saying


W214 2219800-3/20E

IN THE NAME OF THE REPUBLIC!

The Federal Administrative Court, by Judge Eva SOUHRADA-KIRCHMAYER as chairperson and the expert lay judges Huberta MAITZ-STRASSNIG and Claudia KRAL-BAST as associate judges, found in favour of XXXX on his appeal against the decision of the data protection authority of 14 May 2019, Zl DSB-D123.770/0009-DSB/2019:

A)

A1) The complaint is partially upheld pursuant to section 28(2) of the Administrative Court Procedure Act, Federal Law Gazette I No. 33/2013 as amended (VwGVG) and it is established that XXXX has violated the complainant's right to confidentiality by storing the complainant's photograph on identity card no. XXXX in the central and local identity document registers beyond 24 September 2018.

A2) The XXXX is ordered to delete or arrange for the deletion of the complainant's photograph on identity card no. XXXX from both the central identity document register and the local application within a period of two weeks.

A3) For the rest, the appeal is dismissed as unfounded pursuant to § 28 (2) VwGVG.

B)

The appeal is not admissible pursuant to Art. 133 para. 4 B-VG.
Text


Reasons for decision:

I. Course of proceedings

In his complaint of 10 November 2018 (improved by submissions of 14 November 2018 and 29 November 2018) to the data protection authority (DPA, the authority before the Federal Administrative Court), the complainant, XXXX, alleged a violation of the right to confidentiality. In summary, it was argued that the permanent storage of his biometric data on identity card no. XXXX as well as his photographs on identity cards no. XXXX and no. XXXX by XXXX as passport authority and data controller pursuant to Article 4(7) of the GDPR in the Identity Document Register (IDR) of XXXX was disproportionate and (had been) inadmissible (due to non-compliance with deletion deadlines). He therefore requested deletion.

At the request of the authority concerned, the XXXX (original respondent in the proceedings before the authority concerned, party to the proceedings before the Federal Administrative Court) submitted a statement on 8 January 2019, in which it was initially stated that the XXXX was responsible for representing the XXXX in matters of data protection, in particular before the authority concerned, according to the division of business of the XXXX. As regards the content of the complainant's data protection complaint, it was stated that in the area of local applications, the storage of photographs was permissible even beyond the creation of the passport or identity card, since Section 22a (5) of the Passport Act 1992, which regulates the deletion of data processed therein, did not refer to photographs, but only to other procedural data, which was also not disputed by the complainant himself. As regards the complainant's identity card no. XXXX, it was stated that it had been valid until 23 November 2014 and had been reported as lost by the complainant on 7 September 2015. In this case, the processing within the framework of the central registry could therefore be based on section 22b (2) (1) of the Passport Act 1992, which would have had the consequence that the personal data processed within the framework of this procedure would have had to be blocked for information one year after the expiry of the validity period, which would have been 23 November 2015, and deleted after the expiry of two further years, which would again have been 23 November 2017. However, it had to be taken into account that, apart from the provisions of passport law, there was a further requirement for the processing of this data, as the law enforcement authorities would in any case need access to the relevant personal data, including the photograph, in order to prevent any misuse of the public document in question (cf. sections 223 et seq. of the Criminal Code in the area of forgery of documents), in order to be able to carry out any comparisons with possible forgeries made from this identity card. In addition, it had to be taken into consideration that the mayors, as authorities responsible for lost property in the sense of section 4 subsection 3 of the Police Police Act, Federal Law Gazette No. 566/1991, had to be able to process all personal data relevant to the recovery of the property, which would undoubtedly also include the photograph itself, in accordance with section 53b of the Police Act. Accordingly, there were legal obligations of law enforcement or the lost property authorities, which, in the sense of Article 17(3) of the GDPR, would preclude the deletion of the photograph in the central registry pursuant to Article 22b of the Passport Act 1992 and - since the GDPR was a regulation and thus directly applicable - Article 22c of the Passport Act 1992 and its deletion deadlines had to remain inapplicable due to the primacy of Union law. With regard to the identity cards with the numbers XXXX and XXXX, it had to be stated that, according to the extract from the Local Identity Register submitted by the complainant, the identity card no. XXXX had been set to invalid after a complaint by the complainant on 24 September 2015 and the identity card had remained with XXXX. In this case, only the processing of personal data in the context of a procedure under § 22b (1) of the Passport Act 1992, namely in the course of the procedure for issuing identity card no. XXXX, had come into consideration. For this case of processing of personal data, § 22c para. 1 leg. cit. provides for the blocking of information on these data for one year after the invalidation of the passport or identity card. Since the invalidation had taken place on 24 September 2015, this would be 24 September 2016. However, since a new identity card with the number XXXX had been issued immediately after the invalidation (according to the extract from the local identity document register provided by the complainant, the application date for the new identity card was 24 September 2015), it had to be assumed that, in the course of the creation of this identity card, the same photograph had been used as for the previous invalidated identity card. This would now mean that, since the invalidation date of the latter was not until 2025, no blocking of information or deletion of the photographs for the identity cards of no. XXXX and no. XXXX had to be carried out according to § 22c Passport Act 1992.

The complainant submitted a reply to the opinion of the other party on 19 March 2019, stating that if - as claimed by the other party - photographs were not procedural data within the meaning of Section 22a of the Passport Act 1992 and therefore no deletion period ex lege existed for them, this was an unintended loophole. Since both (biometric) photographs and fingerprints are biometric data within the meaning of Article 4(14) of the GDPR, the very short deletion period for fingerprints could and should therefore also lead to a similar period for photographs. Furthermore, the party involved interpreted EU law in an impracticable manner; section 22c of the Passport Act 1992 could only be waived in favour of an even shorter deletion period. The repeal of a deletion period, such as § 22c of the Passport Act 1992 (lex specialis), on the basis of the GDPR in favour of permanent storage was therefore an impracticable way of interpreting the law. With regard to the assertion of the other party that photographs are part of the data used to notify an authority of the issuance of a travel document, the other party should explain in which cases the photograph currently stored in the IDR is used to enforce a passport refusal or to search for stolen travel documents and why the storage of photographs of all issued travel documents is absolutely necessary and proportionate for this purpose. The document data would be sufficient for this purpose. The enforcement of the lost property system also did not provide sufficient justification for the processing of photographs in the IDR, as there was no photograph in the IDR for foreign identity documents and only a check could be carried out on the basis of the photograph on the identity document. The argument that centrally stored photographs would serve to prevent counterfeiting also made the storage of the photograph of all holders of travel documents appear disproportionate, as there were a number of lesser means of minimising the risk, which in combination would almost neutralise the risk. Processing merely on the basis of abstract dangers or needs that may arise in the future does not justify indiscriminate storage in every case, and a balancing exercise must be carried out in each individual case. Therefore, the minimum possible storage period and the minimum possible data set for the respective purpose and occasion must be chosen. Simply storing all available data in an undifferentiated manner because it could possibly be used for something at some point contradicts the principles and the current state of knowledge in data protection law. Section 22c (3) of the Passport Act 1992, which refers to lost documents via Section 22b (1), also opens up the possibility of deleting data even before the expiry of the maximum retention periods if the purpose of processing has ceased to exist, which in turn, in conjunction with the principles of purpose limitation (Article 5 (1) (b) of the Data Protection Regulation), data minimisation (Article 5 (1) (c) of the Data Protection Regulation) and storage limitation (Article 5 (1) (e) of the Data Protection Regulation), should lead to a short retention period. If Section 22c (3) of the Passport Act 1992 opens up this possibility for lost documents, this should also apply to documents still in the holder's possession. The permanent storage of photographs in the IDR for lost travel documents beyond the deletion periods was already inadmissible due to the unambiguous legal situation of § 22c para. 2 Passport Act 1992. The permanent storage of photographs in the IDR as a form of data retention or as evidence for identification services for mostly blameless citizens, which could be used for all "eventualities", was also disproportionate.

4 On 19.06.2019, the authority concerned invited the co-participating party to submit additional comments.

In its statement of 9 July 2019, the involved party first stated that it had never received the complainant's reply and explained (as far as relevant for the present appeal proceedings) that all applications for travel documents, including one passport photo each of the complainant, had been stored in the passport EDP programme Identity Document Register (IDR) of XXXX on the basis of his written, signed application. These passport photos stored in the IDR had been transmitted to XXXX as the service provider commissioned by XXXX for the production of travel documents. The production of Austrian biometric passports with data carriers and Austrian identity cards as well as the delivery of the newly produced travel documents by post necessarily required the storage and transmission of a passport photo to XXXX. The complainant's personal and document data had not been transmitted to other recipients. Since 2004, a total of two biometric passports with data carriers (one reported lost, one valid) and three identity cards (one reported lost, one invalid, one valid) had been issued to the complainant in this way. No other processing activities had been carried out by XXXX in the IDR in relation to the photographs in question.

The statement was accompanied by an excerpt from the ZMR and the Central and Local Identity Document Registers concerning the complainant.

6. On 10.07.2019, the respondent authority submitted the complainant's replication to the co-respondent and gave the complainant an opportunity to supplement its submission of 09.07.2019.

On 18 July 2019, the involved party submitted a supplementary statement in which it explained (as far as relevant for the present appeal proceedings) that in the case of identity cards no. XXXX and no. XXXX, the processing activity was not based on Section 22b (2), but on Section 22b (1). The consequence of this was that a blocking of information concerning the personal data processed in the context of the procedure pursuant to § 22b para. 1 leg. cit. is based on § 22c para. 1.

The authority concerned sent the complainant the comments of the co-involved party by letter dated 26.07.2019 and also gave him the opportunity to submit a statement.

However, the complainant did not subsequently submit any further comments.

In the contested decision, the authority partially upheld the complainant's complaint and found that the co-participating party had violated the complainant's right to confidentiality by storing the complainant's personal data (section 22b (2) of the Passport Act 1992) relating to identity card no. XXXX in the central identity document register beyond 23 November 2017 (decision point 1). The co-participating party was ordered to delete the data pursuant to paragraph 1 within a period of two weeks (paragraph 2.). In all other respects, the complaint was dismissed on the grounds of violation of the right to secrecy (decision point 3.).

By way of justification, the authority first stated (after repeating the arguments of the parties and the course of the proceedings) that the subject of the complaint was the question of whether the co-participating party had violated the complainant's right to secrecy by storing biometric data or the entire data set on identity card no. XXXX beyond the time of application, but in any case longer than until 24 November 2009. the entire data set of identity card no. XXXX had been stored beyond the date of the application, but in any event longer than until 24 November 2009, as well as by storing the photographs of identity cards no. XXXX , no. XXXX and no. XXXX beyond the date of production.

Legally, it had to be stated that when processing personal data in local applications pursuant to § 22a para. 1 Passport Act 1992, the passport authorities, i.e. pursuant to § 16 para. 1 leg. cit., the district administrative authorities, for the area of the Federal Province of Vienna according to Art. 109 B-VG the XXXX , are authorised, when applying for the issuance of a passport or identity card, to process several data of the applicant, among them according to § 22a para. 1 lit. leg. cit. also the photograph, for the purpose of inserting these data into the passport or identity card and to transmit these data for this purpose to the processor within the meaning of § 3 para. 6 leg. cit. for this purpose. Pursuant to section 22a(2) of the Passport Act 1992, the locally competent passport authority is authorised to determine further personal data (procedural data) required for the issuing procedure and other procedures pursuant to this Federal Act and to process them together with the related data pursuant to subsection 1 and the further data pursuant to section 22b(1) of the Federal Act. cit. shall be processed automatically. Pursuant to section 22a subsection 5 of the Passport Act 1992, the procedural data pursuant to subsection 2 leg. cit. had to be deleted as soon as they were no longer needed, but no later than ten years after the decision had become final or after the passport had been issued. These deletion provisions would refer to "further procedural data" according to para. 2 leg. cit. It resulted from this that the Passport Act 1992 did not provide for an explicit deletion period in local applications for the procedural data mentioned in para. 1 and thus also for photographs. Photographs were therefore procedural data which were not subject to any legally standardised deletion from local records. With regard to the processing of personal data within the framework of the central registry, section 22b(1) of the Passport Act 1992 stipulates that passport authorities, as joint controllers under Article 4(7) in conjunction with Article 26(1) of the GDPR, are authorised to process the personal data required for the performance of the tasks assigned to them under this federal law in accordance with section 22a(1), thus including photographs. 1, i.e. also photographs, with the exception of lit. k, as well as additional data from the time of issuance, in such a way that each data controller also has access to the data provided by the other data controllers. The purpose of this processing was to inform an authority pursuant to para. 4 about the issuance of a passport or identity card or about a procedure pursuant to this Federal Act. The passport authorities are also allowed to determine the name, sex, academic degree, date of birth, place of birth, nationality, place of residence or contact point, photograph, area-specific personal identification number, names of a person's parents and alias data of a person and to process them within the framework of a central record together with the decisive reason for the storage as well as the issuing authority, the date of issue, the passport number and the period of validity of the passport or passport replacement if a passport or passport replacement of the person concerned is reported as lost or mislaid (section 22b para. 2 Passport Act 1992). Section 18 leg. cit. stipulates that a substitute passport is to be understood as an identity card. In the case of identity card no. XXXX, personal data processed in accordance with section 22b(2) of the Passport Act 1992, if it concerned a passport replacement of the person concerned that had been reported as lost or alienated, had to be blocked for information one year after the expiry of its validity, in accordance with section 22c(2) of the Passport Act 1992. Pursuant to paragraph 4, the personal data blocked for information were to be deleted after a further two years. The identity card no. XXXX had been valid until 23 November 2014. On 23 November 2015, the personal data would have had to be blocked for information and deleted on expiry of two further years, on 23 November 2017. The arguments put forward by the other party that the deletion of the data would be contrary to, among other things, the provisions on the enforcement of the lost property law and criminal prosecution, could not be accepted. Following the case law of the Constitutional Court, the authority in question had already stated that the mere possibility of proceedings, without concrete indications, did not justify the continued storage of personal data, which is why there was no justification for the data processing in question under Article 1(2) of the Data Protection Act. With regard to the identity cards no. XXXX and no. XXXX, it had to be explained that personal data had to be blocked for information one year after the invalidation of the passport or identity card, in the case of passports, however, no later than six years after the expiry of the last period of validity, pursuant to section 22b para. 1 of the Passports Act 1992. The personal data blocked for information must also be physically deleted after a further two years (section 22c(4) of the Passports Act 1992). On 24 September 2015, the identity card with the number XXXX had been declared invalid. On 24 September 2016, the personal data would have had to be blocked for information and also deleted after two years. However, as an application for a new identity card had been submitted on 24 September 2015, it had to be assumed that the same photograph had been used in the course of creating the identity card. This meant that a block on information or deletion did not yet apply to these identity cards. For the sake of completeness, it was pointed out that according to Article 89 of the Federal Constitution, the courts were not entitled to review the validity of duly promulgated ordinances, notices on the re-publication of a law (treaty), laws and treaties. This applies all the more to administrative authorities.

The complainant filed an appeal against this decision with the Federal Administrative Court in a written statement dated 24 August 2019. In his appeal, the complainant stated with regard to points 1 and 2 of the contested decision that the authority only requested the deletion from the central registry. However, it was not clear from the decision whether this also applied to the local record. It was therefore requested that points 1 and 2 be extended to the effect that all data relating to ID card no. XXXX were to be deleted, which would also include the local record. Regarding paragraph 3, it was stated that the use of the same photograph for identity cards no. XXXX and XXXX did not constitute a justification for continuing to process this date, because even in the case of identical data, the provision of section 22c (2) of the Passport Act 1992 would apply. As passport no. XXXX had been withdrawn and declared invalid, all data relating to this passport would have had to be blocked for information as of 24 September 2016 and deleted as of 24 September 2018. The authority in question mentioned Article 89 of the Federal Constitution and argued that courts (excluding the Constitutional Court) and administrative authorities were not entitled to review laws. It should be countered that it had already been shown how the enforcement of the Passport Act 1992 could be brought in line with the framework conditions of data protection law and why - at the latest since the concretisation of data protection law by the GDPR - it must be an unplanned loophole if no deletion period existed or no minimum retention periods or storage periods were specified. Therefore, a repeal of an applicable law had never been requested, but rather its possible enforcement in accordance with the framework legislation. The authority, like the other party involved, only referred to national provisions, namely the Passport Act 1992, and did not examine the framework conditions and basic principles of data protection law, which were superordinate to it and which would have a direct effect especially in the absence of national provisions or in the absence of specific provisions (lack of deletion periods with regard to the "local record" in section 22a of the Passport Act 1992). In the absence of an ex lege deletion period, the retention period was therefore to be derived from the intended or ex lege processing purpose. The last sentence of section 22a(1) of the Passport Act 1992 and section 22b(1) of the Passport Act 1992 enumerate the processing purposes and after the production and dispatch of the ID card and, if applicable, the expiry of an appropriate complaint period with regard to the photograph, they had in any case been achieved, whereby further processing would no longer correspond to the intended purpose. Alternatively, there is also a possible analogy to fingerprints as biometric data, for which a relatively short deletion period exists ex lege. Furthermore, national provisions that would contradict the EU framework legislation (GDPR) were not applicable. Therefore, a lack of a deletion period does not entitle the data to be kept indefinitely or to limit deletion to the central record, as claimed by the authority, since the principles of Article 5 of the GDPR would contradict this. It is therefore requested that point 3 be amended to the effect that the photographs of ID cards no. XXXX and no. XXXX are to be deleted from the local and central records. Furthermore, the request was made to submit to the ECJ the question of interpretation pursuant to Art. 267 TFEU as to whether processing purposes mentioned in national standards in conjunction with Art. 5 GDPR would imply the existence of deletion periods, as well as whether there could be an unlimited storage of data without explicit standardisation.

On 3 September 2019, the involved party sent the authority the confirmation of XXXX that the identity card data of the Eastern identity card no. XXXX had been deleted from the central IDR in accordance with decision item 1 of the decision. The deletion order of the prosecuting authority had thus been complied with within the period stipulated in paragraph 2 of the decision.

The authority informed the complainant by letter of 12 September 2019 that it had been confirmed that the identity card data of the Austrian identity card no. XXXX had been deleted from the central IDR in accordance with point 1 of the decision.

By letter dated 18 September 2019, the authority concerned submitted the complaint together with the administrative act to the Federal Administrative Court for a decision.

On the basis of the order of the Division Committee of 17.07.2020, the case in question was assigned to the now competent court division W214, where it was received on 24.07.2020.

15 On 17.12.2020, the complainant submitted a "suggestion of a submission to the Constitutional Court" to the Federal Administrative Court, stating that he was requesting the submission of §§ 22a, b of the Passport Act 1992 to the Constitutional Court for a review of their constitutionality due to the violation of the requirement of determinacy (Art. 18 B-VG), the GDPR framework legislation (Art. 5, 6, 9, 12 and 23 GDPR), the constitutional provision of § 1 para. 2 GDPR, Art. 7 and 8 CFR, Art. 16 TFEU, Art. 8 ECHR, as well as the danger to fundamental rights and freedoms due to ongoing access expansions to inventory data, lack of a judge's prerogative and effective downstream legal protection. The current provisions of sections 22a and b of the Passports Act 1992 do not specify exact storage periods (maximum or minimum), processing purposes or transfer authorisations for certain categories of data, and no distinction is made between the individual categories of data, which would, however, be necessary to ensure transparent and lawful processing that is comprehensible to the data subject.

16 On 04.02.2021, the Federal Administrative Court sent the complainant's complaint and the statement of 17.12.2020 to the co-involved party for information and gave it the opportunity to submit a statement.

(17) In its opinion of 23 February 2021, the involved party stated that Article 5 (1) (e) of the GDPR referred to by the complainant stipulated that personal data had to be stored in a form that allowed the identification of the data subject only for as long as necessary for the purposes for which they were processed. This storage limitation referred to by the complainant was comprehensibly regulated in § 22c (1), (2) (1) and (2) and (4) of the Passport Act 1992 by blocking periods and deletion periods with regard to personal data and document data. These retention periods for personal data in the register (identity document register), which are based on the period of validity of Austrian travel documents, are important because otherwise it would no longer be possible to clarify personal data and the dates of issue of the travel document in the event of any problems with Austrian passports and identity cards in connection with a border control, for example if there is a suspicion of falsification. Furthermore, in the case of theft or loss of the Austrian passport or Austrian identity card, it would no longer be possible to report the loss or loss of the passport or identity card to the police (nationally according to § 22b para. 2 subpara. 1 Passport Act 1992 and internationally according to the provisions of the Schengen Agreement), especially since the travel document number, the issuing authority, the exact date of issue, the validity date, etc. would no longer be ascertainable. In addition, in the event of any doubts as to the authenticity of the travel document presented when it is used as a travel document or as an official photo ID in identity checks, it would be necessary to request, on a case-by-case basis, the authorities mentioned in § 22b para. 4 and para. 4a of the Passport Act 1992, a comparison of the issued Austrian travel document with the travel document data requested by the travel document applicant is no longer possible until the expiry of the validity period of the travel document by the passport authority without the record data (in particular name, date of birth, proof of citizenship, passport photo, signature, issuing authority, travel document number, date of issue, date of validity) processed in the course of applying for and issuing travel documents. It should be noted that § 22c Passport Act 1992 refers to personal data in each case and not to different systems. The reference to § 22b of the Passport Act 1992, which in turn referred to § 22a of the Passport Act 1992, only specified the personal data in more detail. Accordingly, the corresponding statutory deletion periods existed. The obligation to delete the identity card with the number XXXX had been fulfilled; on the basis of points 1. and 2. of the contested decision of the authority concerned, the deletion of the data on the Austrian identity card no. XXXX in the central identity document register and in the local identity document register at XXXX, which is technically inseparable from the central identity document register, had been initiated by e-mail on 30 August 2019. The identity card no. XXXX no longer appeared in the identity document register (neither centrally nor locally). It was therefore noted that, as regards the personal data of the identity card bearing the number XXXX, there was no longer any complaint, as the complainant's request had been granted. As regards the identity card bearing the number XXXX, there was no obligation to delete it, since it was valid until 6 September 2025. The complainant's argumentation regarding § 22a (1) and § 22b (1) of the Passport Act 1992 concerning the lack of an ex-lege deletion period in the records for valid Austrian travel documents was not comprehensible, as § 22c of the Passport Act 1992 in any case regulated the retention period for personal travel document data, which was based on the period of validity of the Austrian travel document. Section 22c of the Passport Act 1992 referred - as mentioned - to specifically mentioned data and not systems. On the other hand, the argumentation was also not comprehensible, since §§ 22a para. 1 and 22b para. 1 of the Passport Act 1992 authorised the passport authorities to store the types of data of the applicant (such as name, date of birth, photograph, signature, etc.) and the dates of issue of the Austrian passport or Austrian identity card, which were enumerated in the application.) and the issuing data of the Austrian travel document (such as issuing authority, date of issue, validity date, passport or identity card number, etc.) in the central and local records (in the central and local identity document register of XXXX), i.e. in particular to store them. There was thus an authorisation to process. Even assuming the absence of a legal obligation to delete data, Article 5(1)(e) of the GDPR would not apply during the current period of validity of the ID card, since the personal data would continue to be needed in personal form for the reasons mentioned above, in any case during the period of validity and even afterwards. Sections 22a (1) and 22b (1) of the Passport Act 1992 do not provide for a deletion period for the duration of the validity of the issued travel documents, and such a period would also be counterproductive during the validity of the travel documents. There was also no obligation to cancel the identity card with the number XXXX; the complainant had complained about the identity card no. XXXX and it had been set to "invalid" in the Identity Documents Register on 24 September 2015, and on the same day the production order for the free replacement identity card for the complainant had been placed with XXXX via the Identity Documents Register on the basis of the identity card application record of 7 September 2015 and with the photo submitted to the passport authority at that time. The "replacement" identity card No. XXXX with the original dates of issue and validity (7 September 2015 to 6 September 2025) and the same photograph had demonstrably been issued to the complainant on 14 October 2015. Both identity cards formed a legal unit with regard to the application, which could be justified in particular by referring to the same basis for the application. A deletion of the IDR data of the identity card no. XXXX complained of in the identity document register would have the consequence that the processing (storage) of the complainant's personal data pursuant to §§ 22a (1) and 22b (1) of the Passport Act 1992 for the "replacement" identity card no. XXXX, which would be valid until 6 September 2025, would be deprived of its basis. The blocking of the data of identity card no. XXXX for information in the central and local records (identity document register) as of 24 September 2016 and the deletion of these identity card data as of 24 September 2018 pursuant to § 22c para. 2 and para. 4 Passport Act 1992, as requested by the complainant, could therefore not come into effect. The argument that the photographs in the identity document register are biometric data within the meaning of Article 4(14) of the GDPR is strongly opposed, as they are not stored on the data carrier of the biometric passport ("chip").

The Federal Administrative Court transmitted the opinion of the co-participating party to the complainant and the authority concerned on 07.04.2021 within the framework of the hearing of the parties.

In his statement of 15 April 2021, the complainant explained - by attaching documents - that the photographs used for passports and identity cards were biometric data. Furthermore, the complainant reiterated that the storage of his photograph was not necessary. Even if an identity card was necessary in everyday life, one could usually prove one's identity with any official photo ID (student ID, gun permit, driving licence...). At most, a purely local storage of the scanned application form including photo in an archive of the passport authority without automated retrieval options would be compatible with the purpose of the procedural documentation.

20 The Federal Administrative Court asked the co-participating party to clarify whether the photograph stored on the occasion of the issuance of the identity card that was later declared invalid is stored separately both under the no. of the invalid identity card and under the no. of the subsequently issued valid identity card.

In this regard, the involved party informed the complainant in a letter of 22 April 2021 that the federal application Identity Document Register (IDR) was set up in such a way that each passport or identity card application was recorded separately together with the respective photograph submitted. In the present case, a new free identity card with the number XXXX had been issued to the complainant by the MBA 4/5 on 24 September 2015 on the basis of his complaint about an alleged production error in the identity card (plastic card) with the number XXXX that he had applied for on 7 September 2015. Here, too, the relevant application for reissue free of charge, together with the photograph, had been recorded and stored separately in the IDR. According to passport law, the same photograph could be used for the fee-free reissue, provided that there were no more than six months between the two dates of issue. However, this did not change the fact that in the present case, the photograph used had also been stored separately in the IDR with the application for the free reissue of the identity card.

II. the Federal Administrative Court considered:

1. findings:

The findings are based on the course of proceedings mentioned under point I.

In his data protection complaint of 10 November 2018 (improved with submissions of 14 November 2018 and 29 November 2018), the complainant alleged a violation of the right to confidentiality and claimed that a permanent storage of his biometric data on identity card no. XXXX as well as his photographs on identity cards no. XXXX and no. XXXX by the XXXX as passport authority and responsible person pursuant to Art. 4 line 7 of the GDPR in the Identity Document Register (IDR) of the XXXX was disproportionate and (had been) inadmissible (due to the non-observance of deletion deadlines). The complainant therefore requested the deletion of the personal data relating to identity card no. XXXX as well as the photographs relating to identity cards no. XXXX and no. XXXX .

In its decision of 14 May 2019, Zl DSB-D123.770/0000-DSB/2019, the authority partially upheld the complainant's complaint and found that the co-participating party had violated the complainant's right to confidentiality by storing the complainant's personal data (§ 22b para. 2 Passport Act 1992) on identity card no. XXXX in the central identity document register beyond 23 November 2017 (decision point 1). The co-participating party was ordered to delete the data pursuant to paragraph 1 within a period of two weeks (paragraph 2.). In all other respects, the complaint was dismissed on the grounds of violation of the right to secrecy (decision point 3.).

The complainant filed an appeal against this decision with the Federal Administrative Court in a written submission dated 24 August 2019.

The complainant's data on identity card no. XXXX were deleted from the central and local identity document registers, which are technically inseparable, no later than 03.09.2019.

The complainant's photograph, which was processed on the occasion of the application for identity card no. XXXX, is still processed by the co-participating party in the data set of this identity card, which was declared invalid on 24.09.2015.

This photograph is also processed by the co-operating party in the data set on the complainant's identity card no. XXXX.

2. assessment of evidence:

The findings result from the administrative act and from the court record and are undisputed.

3. legal assessment:

Re A)

3.1 Pursuant to Art. 130 para. 1 subpara. 1 B-VG, the administrative courts shall rule on complaints against the decision of an administrative authority on grounds of illegality.

Pursuant to section 6 of the Federal Administrative Court Act (BVwGG), the Federal Administrative Court decides by single judges, unless federal or provincial laws provide for decisions by senates. Pursuant to section 27 of the Data Protection Act (DSG) as amended (which essentially corresponds to section 39 DSG 2000, which was in force until 24 May 2018), the Federal Administrative Court decides in proceedings on appeals against decisions, on the grounds of violation of the duty to inform pursuant to section 24(7) and the duty of the data protection authority to decide by a senate. The senate consists of a chairperson and one expert lay judge each from the circle of employers and employees.

The procedure of the administrative courts, with the exception of the Federal Finance Court, is regulated by the Administrative Court Procedure Act (VwGVG) (§ 1 leg.cit.). Pursuant to § 58 para 2 VwGVG, conflicting provisions that have already been promulgated at the time of the entry into force of this Federal Act shall remain in force.

Pursuant to § 17 VwGVG, unless otherwise provided for in this Federal Act, the provisions of the AVG, with the exception of §§ 1 to 5 as well as Part IV, as well as other more specifically mentioned laws (not relevant in the present case) and, moreover, those procedural provisions in federal or provincial laws which the authority applied or should have applied in the proceedings before the administrative court shall apply mutatis mutandis to the proceedings on appeals pursuant to Art. 130 para 1 B-VG.

Pursuant to section 28 (1) VwGVG, the administrative court shall dispose of the case by way of a decision, unless the complaint is to be dismissed or the proceedings are to be discontinued. Pursuant to section 31 (1) VwGVG, decisions and orders shall be made by decision, unless a finding is to be made.

Pursuant to § 28 para 2 VwGVG, the administrative court shall decide on the merits of appeals pursuant to Art. 130 para 1 subpara 1 B-VG if the relevant facts have been established or if the determination of the relevant facts by the administrative court itself is in the interest of speed or entails a considerable saving of costs.

3.2 On the process requirements:

The appeal was filed within the time limit pursuant to section 7 (4) VwGVG and the other procedural requirements were also met.

3.3 Re award part A):

3.3.1 Legal situation:

The authority concerned based its decision on the following legal bases:

Art. 58 para. 2 lit. d and Art. 77 of the General Data Protection Regulation (GDPR), OJ No. L 119 of 04.05.2016; Sections 1, 24 para. 1 and 5 of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended as well as Sections 22a, 22b, 22c of the Passport Act 1992, Federal Law Gazette No. 839/1992 as amended. No. 839/1992 as amended. These provisions are also to be applied in the present appeal proceedings before the Federal Administrative Court; furthermore, Art. 5 para. 1 lit. c of the GDPR is relevant.

Art. 4 Z 14 DSGVO reads:

„14.
	

"biometric data" means personal data, obtained by means of specific technical procedures, relating to the physical, physiological or behavioural characteristics of a natural person, which enable or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;".
	

Art. 5 para. 1 lit. c and e DSGVO read:

"Art. 5 GDPR Principles for the processing of personal data

(1) Personal data must

(c) adequate and relevant to the purpose and limited to what is necessary for the purposes of the processing ('data minimisation');'.

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed; personal data may be kept for longer periods insofar as the personal data are processed solely for archiving purposes in the public interest or for scientific and historical research purposes, or for statistical purposes as referred to in Article 89(1), subject to the implementation of appropriate technical and organisational measures required by this Regulation to protect the rights and freedoms of the data subject ('storage limitation');'.

Article 58(2)(d) of the GDPR reads:

"Article 58 Powers

(2) Each supervisory authority shall have all of the following remedial powers that permit it,

(d) instruct the controller or processor, as appropriate, to bring processing operations into compliance with this Regulation in a specified manner and within a specified period of time;'.

Article 77 of the GDPR reads:

"Article 77

Right to complain to a supervisory authority

1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her residence, place of work or the place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

2. The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78.".

Section 1 and Section 24 (1) and (5) of the FADP read:

"Article 1

(Constitutional provision)

Fundamental right to data protection

(1) Everyone has the right to confidentiality of personal data relating to him or her, in particular with regard to respect for his or her private and family life, insofar as there is an interest worthy of protection. The existence of such an interest shall be excluded if data is not accessible to a claim to secrecy due to its general availability or due to its lack of traceability to the person concerned.

(2) Unless the use of personal data is in the vital interest of the data subject or with his or her consent, restrictions on the right to confidentiality shall only be permissible to safeguard overriding legitimate interests of another, and, in the case of interference by a public authority, only on the basis of laws which are necessary for the reasons set out in Article 8(2) of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR), Federal Law Gazette No. 210/1958. Such laws may only provide for the use of data which, by their nature, are particularly worthy of protection, in order to safeguard important public interests, and must at the same time lay down appropriate safeguards for the protection of the confidentiality interests of the data subjects. Even in the case of permissible restrictions, the encroachment on the fundamental right may only be carried out in the most lenient manner that leads to the objective.

(3) Insofar as personal data concerning him or her are intended for computer-assisted processing or for processing in files kept manually, i.e. without computer assistance, everyone shall have the right, in accordance with statutory provisions
1.the right to be informed about who processes which data concerning him/her, where the data originate from and for what purpose they are used, in particular also to whom they are transmitted;
2.The right to rectification of inaccurate data and the right to erasure of inadmissibly processed data.

(4) Restrictions of the rights under subsection (3) shall only be permissible under the conditions set out in subsection (2).

(1) Every data subject shall have the right to lodge a complaint with the data protection authority if he or she considers that the processing of personal data relating to him or her infringes the GDPR or Section 1 or Article 2, Chapter 1.

(5) If a complaint proves to be justified, it shall be followed up. If an infringement is attributable to a private sector controller, the latter shall be ordered to comply with the complainant's requests for information, rectification, erasure, restriction or data transfer to the extent necessary to remedy the identified infringement. If the complaint proves to be unjustified, it shall be dismissed.

Section 22a of the Passports Act 1992, including the heading, reads:

"Processing of personal data on the occasion of the application and in local applications

§ 22a. (1) The passport authorities shall be empowered, when an application is made for the issue of a passport or identity card, to

a) Names,

b) Gender,

(c) academic degree,

d) Date of birth,

e) Place of birth,

f) Citizenship,

g) Residences or contact point (Section 19a MeldeG),

h) Size,

(i) special characteristics in verbal description,

j) photograph,

(k) the papillary line impressions of two fingers,

(l) signature; and

m) the area-specific personal identifier (bPK) pursuant to § 9 of the E-Government Act - E-GovG, Federal Law Gazette I No. 10/2004, and

(n) names, sex and dates of birth of co-registered children

of the applicant for the purpose of inserting these data into the passport or identity card and to transmit these data for this purpose to the processor pursuant to § 3 para. 6.

(2) The locally competent passport authority shall be authorised to determine further personal data (procedural data) required for the issuing procedure and other procedures pursuant to this Federal Act and to process such data together with the related data pursuant to subsection 1 as well as the further data pursuant to section 22b subsection 1 in an automated manner.

(3) Only names, dates of birth, passport or identity card number, a procedure number or the area-specific personal identifier (bPK, Section 9 of the E-Government Act) may be processed as selection criteria for determining data pursuant to para. 2. Information on the photograph and the signature image is only permissible if this is a necessary prerequisite for the fulfilment of an official task. Papillary line prints processed pursuant to para. 1 lit. k may only be processed for the identification of the passport holder and the verification of the authenticity of the document in execution of this Act.

(4) Data processed pursuant to para 2 may only be processed for the enforcement of this Federal Act, unless there is a separate explicit legal authorisation. However, procedural data may only be processed by the respective competent local passport authority.

(5) The procedural data pursuant to para 2 shall be deleted as soon as they are no longer required, but no later than ten years after the decision has become final or after the passport has been issued. Data on documents to be presented as evidence in proceedings under this Federal Act and data on official decisions to be taken into account in such proceedings shall be deleted one year after the passport or identity card has been cancelled, in the case of passports at the latest six years after the expiry of the period of validity.

(5a) The data pursuant to para 1 lit. k shall be deleted no later than two months after the document has been sent (section 3 para 6), and no later than four months after the document has been sent with the involvement of the Federal Ministry for European and International Affairs, otherwise upon effective withdrawal or legally binding rejection or dismissal of the application.

(6) Log data on processing operations actually carried out, such as in particular changes, queries and transfers, shall be kept for three years."

Section 22b of the Passports Act 1992, including the heading, reads:

"Processing of personal data in the framework of central evidence

§ 22b. (1) The passport authorities, as joint controllers pursuant to Art. 4(7) in conjunction with Art. 26(1) of the GDPR, shall be authorised to process the personal data required for the performance of the tasks assigned to them under this Federal Act pursuant to § 22a(1), with the exception of lit. k, and, from the time of issuance

(a) the issuing authority,

(b) the date of issue,

(c) the passport or identity card number,

(d) the period of validity,

(e) the scope of application,

f) the area-specific personal identifier (bPK, Section 9 of the E-Government Act),

(g) specific information necessary for the issuing procedure; and

h) a note on any ongoing proceedings under this federal act

jointly in such a way that each data controller also has access to those data in the data processing which have been made available to him/her by the other data controllers. The purpose of this processing is to inform an authority pursuant to para. 4 about the issuance of a passport or identity card or about a procedure pursuant to this federal law.

(1a) The fulfilment of information, access, rectification, erasure and other obligations under the provisions of the GDPR vis-à-vis the data subject shall be incumbent on each controller with regard to those data processed in connection with the procedures it conducts or the measures it takes. If a data subject exercises a right under the GDPR against a controller who is not competent pursuant to the first sentence and provides proof of his or her identity, the data subject shall be referred to the competent controller.

(1b) The Federal Minister of the Interior shall exercise the function of a data processor pursuant to Art. 4(8) in conjunction with Art. 28(1) of the GDPR. In this function, he or she is obliged to fulfil the data protection obligations pursuant to Art. 28(3)(a) to (h) of the GDPR. In this function, he must implement data quality assurance measures, such as in particular providing information on the possible identity of two similar data records or the spelling of addresses. In addition, he is entitled to use other processors.

(2) The passport authorities may also determine the name, sex, academic degree, date of birth, place of birth, nationality, place of residence or contact point (section 15a MeldeG), photograph, the area-specific personal identifier (bPK, section 9 E-Government Act), names of a person's parents and alias data of a person and process them within the framework of a central record together with the reason for storage as well as the issuing authority, the date of issue, the passport number and the period of validity of the passport or passport replacement if

1. a passport or passport replacement of the person concerned is reported lost or alienated,

2. a passport or passport replacement has been refused or withdrawn from the person concerned pursuant to sections 14 or 15; or

3. the passport authority is informed about the order to take a travel document pursuant to section 107 of the Federal Act on Judicial Proceedings in Non-Contentious Matters (Außerstreitgesetz - AußStrG), Federal Law Gazette I No. 111/2003, or the revocation of such a measure.

The purpose of this processing is to establish the identity of persons and to prevent improper processing of travel documents as well as to inform the authorities about existing grounds for refusal and revocation. Section 22a (3) last sentence shall apply mutatis mutandis to the use of photo data.

(3) The passport authorities shall be empowered,

1. the personal data stored by them in the central registry on the occasion of a specific procedure for the purposes pursuant to para. 1 last sentence and para. 2 penultimate sentence as well as

2. the personal data stored in the central registry for the purposes of proceedings under this federal act

to process. A retrieval of personal data is only permissible on the basis of the search criteria specified in § 22a par. 3. With the exception of information retrieval, the use of a photograph stored pursuant to para 2 is only permitted within six months after the photograph has been processed in the central registry for the first time.

(4) Upon request in individual cases, data of certain persons processed pursuant to paras 1 and 2 may be transmitted to the passport authorities for the purpose of procedures under this Federal Act, to the master number register authority for the purpose of electronic data verification pursuant to section 18 para 1 E-GovG, to the security authorities, ordinary courts and public prosecution authorities for their activities in the service of criminal justice. In the case of granting the possibility of automated retrieval of personal data, such retrieval shall only be permitted on the basis of the search criteria specified in section 22a (3). Otherwise, transfers are only permissible if there is an explicit legal authorisation for this.

(4a) Upon request in individual cases, the names, dates of birth, photograph and passport or identity card number of certain persons may be transmitted to authorities if they have to establish the identity of a person within the scope of a legally assigned task and if this is not possible otherwise or not within the time required by the circumstances. Paragraph 4, second sentence, shall apply.

(5) The logging regulations of § 22a par. 6 shall also apply to the central evidence pursuant to par. 1 and 2 of this provision.

(6) With regard to the processing of personal data under this Federal Act, there shall be no right to object pursuant to Art. 21 of the GDPR and no right to restrict processing pursuant to Art. 18 of the GDPR. The data subjects shall be informed of this in an appropriate manner.

(7) The Federal Minister of the Interior shall, upon request of the person concerned using the electronic proof of identity (E-ID) function, process a note in the central record that the person concerned will be informed in due time about the expiry of the validity of his/her travel document and notify the person concerned in due time before the expiry of the validity of his/her travel document. No notification shall be made and the relevant note shall be deleted if the person concerned so requests. The Federal Minister of the Interior is authorised to determine by decree a later point in time from which data subjects may be notified of the expiry of the validity of their travel documents.

(8) The citizenship authority shall be authorised and, upon request, obliged to provide the Authority with data lawfully held by it and required for proceedings or for the initiation of proceedings under this Federal Act. A refusal to provide information is not permissible. The data shall be deleted immediately if they are no longer required for the fulfilment of the specific purpose."

Section 22c of the Passports Act 1992, including the heading, reads:

"Central record; blocking of information and deletion

§ 22c. (1) Personal data processed pursuant to section 22b sub-section 1 when an application is filed shall be deleted upon effective withdrawal or legally binding rejection of the application, the note on an ongoing procedure pursuant to this Federal Act shall be deleted upon legally binding conclusion of the procedure. Apart from that, the personal data pursuant to section 22b para 1 shall be blocked for information one year after the passport or identity card has been cancelled, in the case of passports, however, no later than six years after the expiry of the last period of validity.

(2) Personal data processed in accordance with section 22b(2) are

1. in the cases of Z 1 and, in the cases of Z 2, in the case of travel documents in circulation, six years after the expiry of the last period of validity in the case of passports, and one year after the expiry of the period of validity in the case of a passport replacement,

2. otherwise, in the cases of para 2, to block information for ten years after the decision has become final.

(3) If the reason for storing the data ceases to apply prior to the expiry of the full stops referred to in subsection 2, the personal data shall be blocked for information one year after the reason ceases to apply.

(4) The personal data blocked for information shall also be physically deleted after the expiry of two further years."

3.3.2 Applied to the specific case, this means the following:

On the qualification of photographs as biometric data:

The complainant assumes that the data used for passports and identity cards are biometric data within the meaning of Art. 4(14) of the GDPR. The other party disputes this. It should be noted that the scientific literature by Jahnel states that facial images fulfil all elements of the definition. The phrase "enabling or confirming the unique identification of that natural person" refers to "personal data" and not to the specific technical means of processing. "For the concept of biometric data, it is therefore important that data are obtained by specific technical means and that these data allow the unambiguous identification of the person. [...] Therefore, facial images are always biometric data. [...] In order for facial data to also fall under the concept of special categories of personal data, however, an additional factual element must be fulfilled according to the definition of Art. 9(1), namely the processing 'for the purpose of uniquely identifying a natural person'" (Jahnel, Kommentar zur DSGVO, Art. 4 Rz 8 und 9). Hödl in Knyrim, DatKomm Art 4 DSGVO (as of 1.12.2018, rdb.at), explains in a more differentiated manner: "Simple photographs of persons do not constitute biometric material. Only the further technical processing of the image data should lead to the existence of biometric data." In this respect, this would correspond to the complainant's view that the image data will qualify as biometric data at the latest when processed by the authority.

The photographs used for passports and identity cards serve the purpose of uniquely identifying the person to whom the identity document was issued, even if queries from the identity document register have to be carried out according to other criteria.

Ultimately, the question of whether the photographs used are biometric data can be left open for the following reasons: even if they were biometric data, the processing of these data is provided for at the level of the law (Passport Act 1992) for reasons of substantial public interest (Art. 9(2)(g) GDPR), although the respective deletion periods and, even if no deletion periods are provided for, the provisions of Art. 5 GDPR in particular also come into play.

With regard to points 1 and 2 of the contested decision:

In decision point 1 of the contested decision, the authority ruled that the complaint was partially upheld and that the co-participating party had violated the complainant's right to confidentiality by storing the complainant's personal data (§ 22b para. 2 of the Passport Act 1992) on identity card no. XXXX were stored in the central identity document register, and that in point 2 of the contested decision the co-participating party be ordered to delete the data pursuant to point 1 within a period of two weeks.

The co-operating party complied with this order and, on 30.08.2019, arranged for the deletion of the data relating to the complainant's identity card no. XXXX at the XXXX. The deletion of this data was confirmed by XXXX on 03.09.2019.

The complainant challenges paragraph 1 of the contested decision insofar as he states that the authority only requires the deletion from the central register. However, it was not clear from the decision whether this also applied to the local record. He therefore requested that points 1 and 2 be extended to the effect that all data on the XXXX ID card were to be deleted, which would also include the local record.

However, as the involved party explained in its statement of 23.02.2021, the central and local identity document registers are technically inseparable and the identity card no. XXXX does not appear in the identity document register either centrally or locally after the deletion has been carried out.

As a result, it follows that points 1 and 2 of the contested decision do not need to be corrected due to the technical inseparability of the central and the local identity document registers, and the complaint is therefore to be dismissed in this respect.

With regard to point 3 of the contested decision:

The complainant further requested the deletion of the photographs stored in the identity document register for the identity cards no. XXXX and XXXX.

The authority dismissed the complainant's data protection complaint in this regard in point 3 of the contested decision.

For identity card no. XXXX :

The identity card No. XXXX , in the name of the complainant, is valid from 07.09.2015 to 06.09.2025.

The complainant considers that his right to confidentiality has been violated and requests the deletion of his photo for identity card no. XXXX, arguing that § 22a and § 22b of the Passport Act 1992 do not stipulate a deletion period, which is why the maximum processing period or storage period must be derived from the purpose of the processing. These processing purposes were listed in the last sentence of section 22a(1) and the last sentence of section 22b(1). It follows from this that after the production and dispatch of the ID card and waiting for an appropriate complaint period, the purpose of the processing with regard to the photograph had been achieved in any case.

The intervening party argues that the standardisation of a deletion period in §22a and §22b of the Passport Act 1992 would be counterproductive for the duration of validity, as the data would still be needed.

It is correct that with regard to the data mentioned in § 22a para. 1 and § 22b para. 1 Passport Act 1992, no statutory deletion periods are provided for - among others - photographs in valid travel documents. As far as the purposes stated in the Act are concerned, the last sentence of section 22b(1), for example, refers to subsection (4). According to section 22b (4) of the Passport Act 1992, data of certain persons processed upon request in individual cases pursuant to subsections (1) and (2) may be transmitted to the passport authorities for the purpose of proceedings under this Federal Act, to the master number register authority for the purpose of electronic data verification pursuant to section 18 (1) of the E-GovG, to the security authorities, ordinary courts and public prosecution authorities for their activities in the service of criminal justice. This provision seems to assume a storage of personal data beyond the production and sending of the ID card.

Nevertheless, in this case - if interpreted in conformity with Union and constitutional law - it cannot be assumed that there is an entitlement to unlimited storage "in stock", but rather, when assessing the lawfulness of the processing, Art. 5 GDPR must be consulted, according to which personal data must be adequate and relevant to the purpose and limited to what is necessary for the purposes of the processing ("data minimisation") and stored in a form that permits identification of data subjects only for as long as is necessary for the purposes for which the data are processed ("storage limitation"). According to the explanations in Government Bill 65 of the Supplements XXVI GP, "for an orderly enforcement of the passport system, the processing of personal data of applicants for a travel document is indispensable to the extent provided for by law and in this sense there is always an overriding public interest in data processing that is worthy of protection", which is why there is also no right of objection or right to restriction of processing. According to the Federal Administrative Court, this must in any case apply to valid travel documents. As the party involved correctly points out, if the personal data were deleted immediately after the production and dispatch of the identity document (and waiting for an appropriate complaint period), it would no longer be possible to clarify the personal data and the dates of issue of the travel document in the event of any problems with Austrian passports and identity cards in connection with a border control, for example if there were suspicions of forgery. In addition, as stated above, in the event of any doubts about the authenticity of the travel document presented when it is used as a travel document or as an official photo ID, in the event of identity clarifications upon request in the individual case of the authorities named in § 22b para. 4 and para. 4a Passport Act 1992, a verification of the issued Austrian travel document in comparison with the travel document data requested by the travel document applicant until the expiry of the validity period of the travel document by the passport authority is no longer possible without the record data (in particular name, date of birth, proof of citizenship, passport photo, signature, issuing authority, travel document number, date of issue, date of validity) processed in the course of the application for and issuance of travel documents. Contrary to the complainant's view, the pure document data without a photograph are not sufficient for the above-mentioned purposes, especially since photographs are usually absolutely necessary for the clarification of identity, since, for example, in the case of falsifications of the ID card, a possible exchange of the photograph would not be recognisable if the data were otherwise left unchanged. The complainant argues that there are "a number of lesser means" and that there are hardly any known cases of "perfect" forgeries, but especially when there are no document verification devices/technical aids available, forgeries cannot always be recognised at first glance, which is why it is necessary to be able to compare the data and the photograph in the IDR. In the present case, there are no obvious alternative means, especially since the ID card does not have a chip that could be read. It follows from the above that the processing of the personal data for the duration of the validity of the identity card is, pursuant to Article 5 of the GDPR, adequate and relevant to the purpose and limited to what is necessary for the purposes of the processing, since the processing of the complainant's personal data in the identity card no. XXXX is necessary for the above-mentioned reasons at any rate until the expiry of the validity of the identity card. Thereafter, the deletion periods of Section 22c of the Passport Act 1992 apply, which, as a result of the technical inseparability of the central and local identity document registers, in effect apply to the central and local applications.

The complaint was therefore to be dismissed in this respect.

The Federal Administrative Court is therefore unable to identify any unconstitutionality of the provisions of § 22a and § 22b of the Passport Act 1992, which is why a referral to the Constitutional Court pursuant to Art. 140 (1) 1 could be dispensed with. The complainant's suggestion to submit the question to the ECJ for a preliminary ruling pursuant to Art. 267 TFEU "whether processing purposes mentioned in national standards in conjunction with Art. 5 GDPR imply the existence of deletion periods, as well as whether there can be an unlimited storage of data without explicit standardisation" was not to be followed due to the above, especially since a court that is not the court of last instance - such as the Federal Administrative Court (cf. VfGH 26.02.2018, E 4325/2017) - is only obliged to make a submission if it doubts the validity of Union law (Kolonovits/Muzak/Stöger, Verwaltungsverfahrensrecht11, Rz 313/1). However, in the opinion of the Federal Administrative Court, such doubts do not exist and were not alleged in the appeal.

For identity card no. XXXX :

Identity card No. XXXX , in the name of the complainant, was issued on 07.09.2015 and set to invalid on 24.09.2015 in the Identity Document Register.

The complainant considers that his fundamental right to data protection has been violated and requests the deletion of his photo on identity card no. XXXX .

In the contested decision, the authority concerned stated that pursuant to section 22c (1) of the Passport Act 1992, the personal data pursuant to section 22b (1) had to be blocked for information for one year after the passport or identity card [...] had been cancelled. Pursuant to para 4, the personal data blocked for information must also be physically deleted after a further two years. Therefore, the personal data had to be blocked for information as of 24 September 2016 and also deleted after two years. However, as an application for a new identity card had been submitted on 24 September 2015, it had to be assumed that the same photograph had been used in the course of creating the identity card. This meant that the blocking or deletion of information for these ID cards did not yet apply.

The co-respondent argued that deleting the IDR data of the claimed identity card no. XXXX from the Identity Documents Register would have the effect of removing the basis for processing (storing) the complainant's personal data pursuant to §§ 22a para. 1 and 22b para. 1 Passport Act 1992 for the "replacement" identity card no. XXXX, which would be valid until 6 September 2025.

However, this cannot be followed:

Even if the creation of identity card no. XXXX is based on the same application and the same photograph as the invalidated identity card no. XXXX, it is not clear to what extent the personal data or the photograph of the complainant on the invalid identity card no. XXXX form the basis for the processing (storage) of the personal data or the photograph of the complainant on the identity card no. XXXX at the present time. The basis for the issuing of the valid identity card no. XXXX as well as the storage of the personal data is the complainant's application for the issuing of the identity card of 7 September 2015 and the complaint about the (now invalid) identity card no. XXXX by the complainant of 24 September 2015. However, this basis is not lost by the deletion of the photograph of the invalid identity card no. XXXX. Moreover, as can be seen from the extract from the Central Identity Document Register concerning the complainant, the complainant's personal data or photograph are stored twice, once in relation to the invalid identity card no. XXXX and once in relation to the valid identity card no. XXXX . Therefore, if one were to delete the complainant's personal data or photograph from the invalid identity card no. XXXX, the personal data or photograph of the complainant would still be present in the data record of the identity card no. XXXX, especially since the data record of the valid identity card no. XXXX does not contain a reference to the data record of the invalid identity card no. XXXX, but - as already explained - the data are listed independently. The argumentation of the other party that both identity cards form a legal unit can therefore not be accepted. The personal data or (as requested by the complainant) the photograph would therefore have had to be blocked for information as of 24 September 2016 and deleted after two years. Moreover, the above considerations regarding the necessity of storing the data in the IDR do not apply to invalid or expired ID cards, as invalid or expired ID cards per se no longer have an ID function. The complaint was therefore to be upheld and the other party was to be ordered to have the complainant's photo of identity card no. XXXX deleted from the identity document register (both the central identity document register and the local application) within a period of two weeks.

On the omission of an oral hearing:

Pursuant to section 24 (1) VwGVG, the administrative court shall hold a public hearing upon request or, if it deems it necessary, ex officio.

Pursuant to section 24 (4) VwGVG, the administrative court may - unless otherwise provided by federal or provincial law - dispense with a hearing notwithstanding a party application if the files show that the oral discussion is unlikely to result in further clarification of the case and neither Art. 6 (1) ECHR nor Art. 47 CFR preclude the dispensing with the hearing.

In the case at hand, the complainant did not request an oral hearing and the facts of the case were clarified by the files. The use of further evidence was not necessary to clarify the facts.

In the present case, the Federal Administrative Court has to rule exclusively on a question of law (cf. ECHR 20.06.2013, Appl. no. 24510/06, Abdulgadirov v. AZE, para. 34 et seq.). According to the case law of the Constitutional Court, an oral hearing can also be omitted if the facts of the case are undisputed and the legal question is not of any particular complexity (VfSlg. 17.597/2005; VfSlg. 17.855/2006; most recently, for example, VfGH 18.06.2012, B 155/12).

It was therefore not necessary to hold an oral hearing.

Re B) Inadmissibility of the appeal:

Pursuant to § 25a para 1 VwGG, the administrative court shall state in the ruling of its decision or order whether the appeal is admissible pursuant to Art. 133 para 4 B-VG. The decision shall be briefly substantiated.

The present decision does not depend on the solution of a legal question of fundamental importance. There is neither a lack of case law of the Administrative Court nor does the present decision deviate from the case law of the Administrative Court; furthermore, the present case law of the Administrative Court is not to be judged as inconsistent. There are also no other indications of fundamental importance of the legal questions to be resolved. The Federal Administrative Court can base all significant legal questions on the established case law of the Administrative Court or on a legal situation that is clear anyway. On this basis, a legal question of fundamental importance within the meaning of Art. 133 para. 4 B-VG cannot be affirmed (cf. e.g. VwGH 25.09.2015, Ra 2015/16/0085, mwN). Therefore, it had to be stated that the appeal was not admissible pursuant to Art. 133 (4) B-VG.
European Case Law Identifier

ECLI:AT:BVWG:2021:W214.2219800.3.00