BVwG - W101 2218962-1: Difference between revisions

From GDPRhub
mNo edit summary
m (two typos in holding)
 
Line 88: Line 88:


=== Holding ===
=== Holding ===
The BVwG dismissed the appeal an upheld the DSB's decision (with some minor edits). It held that the professional secrecy obligation under § 80 WTBG 2017 does not provide a general exception to the right of access. The controller could only invoke § 80 WTBG 2017, if secrecy was necessary for the protection of the principal (i.e. the data subject's wide) or the rights and freedoms of others. The controller had failed to explain in what way complying with the data subject's access request would actually violate the controller's secrecy obligation.
The BVwG dismissed the appeal and upheld the DSB's decision (with some minor edits). It held that the professional secrecy obligation under § 80 WTBG 2017 does not provide a general exception to the right of access. The controller could only invoke § 80 WTBG 2017, if secrecy was necessary for the protection of the principal (i.e. the data subject's wife) or the rights and freedoms of others. The controller had failed to explain in what way complying with the data subject's access request would actually violate the controller's secrecy obligation.


== Comment ==
== Comment ==

Latest revision as of 09:33, 17 September 2022

BVwG - W101 2218962-1
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 4(1) GDPR
Article 12 GDPR
Article 15(4) GDPR
§ 80 WTBG 2017 (Wirtschaftstreuhandberufsgesetz 2017)
Decided: 28.07.2022
Published: 26.08.2022
Parties: unknown data subject (complainant before the DSB)
unknown controller (respondent before the DSB)
Austrian Data Protection Authority (Datenschutzbehörde - DSB)
National Case Number/Name: W101 2218962-1
European Case Law Identifier: ECLI:AT:BVWG:2022:W101.2218962.1.00
Appeal from: DSB (Austria)
DSB-D123.357/0001-DSB/2019
Appeal to: Unknown
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (RIS) (in German)
Initial Contributor: n/a

The Austrian Federal Administrative Court held that an accountant's statutory confidentiality obligation does not generally exclude the right to access under Article 15(4) GDPR but must be assessed on a case-by-case basis.

English Summary

Facts

The data subject and his wife were in divorce proceedings. The wife mandated a chartered accountant (controller) to calculate her (future) alimony claims against the data subject. According to the data subject, the controller's report on the alimony claims was partially based on data that was not publicly available, especially data on the financial situation of a private foundation that was one of the data subject's sources of income.

The data subject accused the controller of having obtained this data unlawfully. In July 2018, the data subject requested access under Article 15 GDPR from the controller, especially asking for information on the source of the data and a data copy. As the controller did not reply to the access request, the data subject lodged a complaint with the Austrian Data Protection Authority (Datenschutzbehörde - DSB) in August 2018.

Before the DSB, the controller argued that the report on the alimony claims was based on documents provided by the data subjects wife. The data subject contested to have ever handed any information concerning the private foundation to his wife. The controller did not provide access to the data subject in the course of the procedure before the DSB.

In April 2019, the DSB issued a decision and held that the controller had failed to comply with the data subject's access request and ordered the controller to comply or to inform the data subject of the reasons for not doing so under Article 12(4) GDPR.

The controller appealed the decision, arguing that it could not comply with the data subject's access request because that would violate its statutory professional secrecy obligation under § 80 WTBG 2017 (Wirtschaftstreuhandberufsgesetz 2017) in connection with Article 15(4) GDPR, as the data subject's wife had not waived this secrecy obligation.

Holding

The BVwG dismissed the appeal and upheld the DSB's decision (with some minor edits). It held that the professional secrecy obligation under § 80 WTBG 2017 does not provide a general exception to the right of access. The controller could only invoke § 80 WTBG 2017, if secrecy was necessary for the protection of the principal (i.e. the data subject's wife) or the rights and freedoms of others. The controller had failed to explain in what way complying with the data subject's access request would actually violate the controller's secrecy obligation.

Comment

The case is connected to BVwG - W101 2218962-2, where the BVwG ruled on the controller's violation of § 1 Austrian Data Protection Act (Datenschutzgesetz - DSG).

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

decision date

07/28/2022

standard

B-VG Art133 Para.4
DSG §24 paragraph 1
DSG §24 paragraph 5
GDPR Art12
GDPR Art15
GDPR Art4
VwGVG §28 paragraph 2
WTBG 2017 §80

saying

W101 2218962-1/10E

IN THE NAME OF THE REPUBLIC!

The Federal Administrative Court, through the judge Dr. Christine AMANN as chairwoman and the expert lay judge Mag. Viktoria HAIDINGER as assessor and the expert lay judge Mag. Thomas GSCHAAR as assessor on the complaint of XXXX as managing director of XXXX GmbH, represented by: NEUMAYER, WALTER & HASLINGER RAe, against the second part of the ruling. and 3. the decision of the data protection authority of April 10, 2019, GZ. DSB-D123.357/0001-DSB/2019, rightly recognised:

a)

The complaint is dismissed as unfounded in accordance with Section 28 (2) VwGVG in conjunction with Section 24 (1) and (5) DSG as amended, with the proviso that the ruling in part 2 of the above decision, after the words “thereby violated the right to information ,” to be amended as follows:

"that the request for information of July 30, 2018 was not complied with in accordance with Art. 15 GDPR."

b)

The revision is not permitted according to Art. 133 Para. 4 B-VG.

text

Reasons for decision:

I. Procedure:

On August 22nd, 2018, improved with a letter dated September 25th, 2018 due to a defect rectification order from the data protection authority, Mr. XXXX (= involved party before the Federal Administrative Court and applicant before the data protection authority) brought a data protection complaint against Mr. XXXX as managing director of XXXX GmbH (= complainant before the Federal Administrative Court and respondent before the data protection authority) because his right to information had been violated. He justified his data protection complaint essentially as follows:

The party involved is currently in divorce proceedings and her (still) wife commissioned the complainant to prepare a corresponding expert opinion in order to calculate the alimony. In this report, he stated, among other things, that his calculations were based on a large amount of publicly available information. However, this statement is objectively incorrect, since the data used by the complainant relates, for example, to the annual results of foundations or book values that are not shown or read from any public information source. Therefore, it is obvious that he obtained, researched and/or processed this data in an unlawful way. The complainant informed a third person of the financial figures of the XXXX private foundation and the income accruing to the party involved. Therefore, the party involved asked the complainant in a letter dated July 30, 2018 to provide information about the origin of the data and to transmit a copy of this data. However, this letter remained unanswered, which meant that the party involved had violated its right to information under Art. 15 GDPR.

In a statement dated November 5, 2018, the complainant essentially stated the following regarding the data protection complaint of the party involved:

Since the (still) wife and children of the party involved are beneficiaries of the foundation, he considers the data protection complaint within the meaning of Art. 6 (1) lit. a, b, c and f GDPR and a request for deletion to be misguided and not very effective. The statement was accompanied by a letter from the complainant's legal representative to the data protection authority dated August 28, 2017, which stated that the report in question was based on documents that the (still) wife of the party involved had received from the party involved had been.

In a statement dated March 7th, 2019, the party involved denied ever having given her (still) wife any documents relating to the foundation.

With ruling part 2 of the notice of April 10, 2019, GZ. DSB-D123.357/0001-DSB/2019, the data protection authority partially granted the data protection complaint of August 22, 2018 (regarding the violation of the right to information) and found that the complainant had thereby violated the party involved’s right to information, by not responding to her request for information dated July 30, 2018, which the complainant was in any case sent to the complainant by letter from the data protection authority dated October 4, 2018, and by not providing any (subsequent) information until the end of the procedure before the data protection authority. Furthermore, the complainant was instructed in part 3 of the decision to comply with the request of the involved party for information within a period of two weeks, otherwise execution, or to inform them of the non-action in accordance with Art. 12 (4) GDPR.

With regard to parts 2 and 3 of the above decision, the data protection authority essentially made the following findings of fact:

The party involved is in divorce proceedings with her wife. The wife had commissioned the complainant to prepare an expert opinion on her maintenance and the post-marital division of assets.

The complainant is an auditor and a generally sworn and court-certified expert as well as the managing director of XXXX GmbH.

The party involved submitted a request for information to the complainant in a letter dated July 30, 2018. The party involved sent this letter to the complainant by e-mail to the e-mail address XXXX.

It cannot be determined whether the complainant received the email with the request for information dated July 30, 2018. At the latest with the letter from the data protection authority dated October 4th, 2018, the complainant became aware of the request for information from the party involved. The complainant did not respond to the party involved's request for information until the conclusion of the proceedings before the data protection authority.

On the basis of these factual findings, the data protection authority essentially concluded the following in legal terms:

Regarding part 2:

In a letter dated July 30, 2018, the party involved requested information about the data processed by the complainant about them. In particular, pursuant to Article 15(1)(g) GDPR, the involved party requested information about the origin of "all available information" that the complainant had used in the report on post-marital maintenance and the post-marital division of assets relating to the wife of the party involved. Furthermore, the involved party requested a copy of the data processed by the complainant on the involved party and its electronic transmission in accordance with Art. 15 (3) GDPR.

Although it was not possible to determine whether the complainant had received the e-mail with the request for information of July 30, 2018, he undoubtedly became aware of this request for information in the proceedings before the data protection authority.

Despite two notices from the data protection authority that the complainant pursuant to Section 24 (6) DSG can subsequently remedy the alleged violation of rights until the conclusion of the proceedings before the data protection authority by responding to the request of the party involved pursuant to Art. ) and such information of the complainant would have to be given directly to the interested party, the complainant did not reply to the interested party.

Regarding part 3:

The deadline of two weeks set by the data protection authority for responding to the request for information appears to be reasonable in view of the fact that the complainant has known about it since the data protection authority's letter of October 4th, 2018 was served.

In the complaint against parts 2 and 3 of this decision, which was filed in a timely manner, the complainant essentially argued:

The requested provision of information relates exclusively to data from the XXXX private foundation and its countless subsidiaries. The requested provision of information in ruling part 3. of the above-mentioned decision forces the complainant to violate his legally recognized and not derogated by the DSGVO confidentiality obligations according to § 80 Wirtschaftstreuhandberufsgesetz 2017 (WTBG) regarding entrusted documents and client information and to commit a criminal offence. The view of the authority concerned that the information addressed to it, which it had sent to the party involved, would not be an disclosure of information, subject the GDPR to a formalism that cannot be inferred from it, since the information about the contact with the authority as information of the complainant in is to be regarded as information in the same way and the VO cannot be assumed to standardize the double information about those who have already submitted the request for information, i.e. to inform them about facts that they already know. The legal view is also based on Art. 14 (5) lit by the authority to the party involved is to be regarded as a circumstance that has informed the applicant and is contrary to a repeated obligation to provide information under Article 14 (5) (a) GDPR.

In addition, the complainant may only be required to disclose the data and to make copies of the documents entrusted to him if it is established that these are not subject to his duty of confidentiality.

Since the complainant obviously did not collect the data himself, the provision of information is subject to the obligation of secrecy under Section 80 WTBG in accordance with Article 14 (5) (d) GDPR, which the authority concerned did not even address in the justification.

The complainant thus submitted the applications that the Federal Administrative Court should

1. conduct an oral hearing;

2. rectify parts 2 and 3 of the contested decision; and

3. If necessary, amend part 2 of the contested decision in such a way that a determination of a violation of the right to information of the party involved is only determined to the extent that the information does not violate the confidentiality obligation according to § 80 WTBG or the confidentiality interests of the XXXX private foundation.

In a letter dated May 6th, 2019 to the party involved, the complainant essentially stated the following: The provision of information from the delivery of copies constituted a violation of the rights of third parties (Article 15 (4) GDPR) and a breach of professional duties in the sense of the confidentiality obligation of the chartered accountant according to Section 80 WTBG in conjunction with Art. 14 Para. 5 lit. d GDPR. The data and documents would represent a legal restriction of the fundamental right to data protection within the meaning of Section 1 Para the statements already made to the data protection authority, did not allow any release from the duty of confidentiality. In addition, the information infringes the rights of the XXXX private foundation, which is exclusively concerned with its documents and its subsidiaries. The complainant had not been authorized by his client to provide any further information. Section 80 WTBG expressly opposes the provision of information within the meaning of Article 14 (5) (d) GDPR as a recognized statutory duty of confidentiality (Section 1 (2) DSG), “which the GDPR has not repealed”.

In a letter dated May 6, 2019, the complainant of the party involved "notwithstanding the complaint to the Federal Administrative Court" issued a notification of the information that had not been provided and essentially repeated the reasons given in the complaint.

With a letter from the data protection authority dated May 15, 2019, the complaint against parts 2 and 3 of the above decision, including the administrative act, was sent to the Federal Administrative Court.

On April 27th, 2022, an oral hearing took place before the Federal Administrative Court, in which all parties involved in the complaints procedure took part and in which the (still) wife of those involved took part Party had been questioned as a witness.

II. The Federal Administrative Court considered:

1. Findings:

The subject of the administrative proceedings is the question of whether the complainant violated the party involved's right to information by not complying with their request for data information of July 30, 2018.

The complainant is a chartered accountant and prepared an expert opinion dated May 16, 2018 for the (still) wife of the involved party about any maintenance claims she had against the involved party. In this report, the party involved processed personal data of the party involved, which was publicly accessible to a small extent, but was largely transmitted by the (still) wife.

With reference to this report, the party involved requested information from the complainant on July 30, 2018 about all available information about the origin of their data, in particular the annual results of XXXX or book values, etc., and the transmission of a copy of this data.

The information requested by the involved party relates to their personal data, which were processed by the complainant in the report of May 16, 2018, in particular all those that were not publicly accessible to the complainant.

The complainant's request for information dated July 30, 2018 remained unanswered throughout the administrative procedure before the data protection authority. Only after the above-mentioned decision was issued did the complainant refer to his professional confidentiality obligation to the party involved in a reply dated May 6, 2019.

With regard to sentence 1 of the above-mentioned decision, it was determined as decisive that the complainant, as the (sole) responsible party, violated its right to secrecy through the processing of its (not publicly accessible) personal data worthy of protection in the expert opinion of May 16, 2018.

Since the secrecy interests of the party involved were violated during processing in the report, the complainant was fundamentally unable to invoke his professional duty of confidentiality and, as the provider of information, was obliged to provide the information requested by the party involved.

It is therefore decisive that the complainant, as the (sole) person responsible, did not comply with the request for information from the involved party regarding their personal data processed by him and thereby violated the involved party's right to information.

2. Evidence assessment:

The findings on the relevant facts result from the administrative act, the complaint and the court files on Zlen. W101 2218962-1 and -2.

It is undisputed that the complainant did not comply with the request for information from the party involved dated July 30, 2018 during the entire administrative procedure before the data protection authority and that he only referred to his professional confidentiality obligation towards the party involved in the reply letter dated May 6, 2019.

The complainant only disputes whether he, as a chartered accountant, was able to invoke his professional confidentiality obligation in the given case constellation, so that he did not violate the confidentiality interests of the party involved in the processing in the expert opinion of May 16, 2018, and therefore the refusal of the requested information was lawful.

The above statements regarding the 1st part of the ruling, which are equally important here, result from the finding of June 27th, 2022, Zl. W101 2218962-2/19E.

3. Legal assessment:

3.1. According to Art. 130 Para. 1 Z 1 B-VG, the administrative courts decide on complaints against the decision of an administrative authority due to illegality.

According to § 6 BVwGG, the Federal Administrative Court decides through a single judge, unless federal or state laws provide for the decision to be made by senates.

Pursuant to Section 27 (1) DSG, the Federal Administrative Court decides through the Senate on complaints against decisions due to violation of the duty to inform pursuant to Section 24 (7) leg. cit. and the duty of the data protection authority to make a decision. In accordance with Section 27 (2) first sentence DSG, the Senate consists of a chairman and one expert lay judge each from the circle of employers and from the circle of employees.

In this case, the Senate is responsible.

The procedure of the administrative courts, with the exception of the Federal Finance Court, is regulated by the VwGVG, Federal Law Gazette I 2013/33 as amended by Federal Law Gazette I 2013/122 (§ 1 leg.cit.). Pursuant to Section 58 (2) VwGVG, conflicting provisions that were already promulgated at the time this federal law came into force remain in force.

According to § 17 VwGVG, unless otherwise specified in this federal law, the provisions of the AVG with the exception of §§ 1 to 5 and Part IV, the provisions, apply to the procedure for complaints pursuant to Art. 130 Para. 1 B-VG the Federal Fiscal Code - BAO, Federal Law Gazette No. 194/1961, the Agricultural Procedures Act - AgrVG, Federal Law Gazette No. 173/1950, and the Service Law Procedures Act 1984 - DVG, Federal Law Gazette No. 29/1984, and otherwise those procedural provisions in federal or state laws that the authority applied or should have applied in the proceedings preceding the proceedings before the administrative court.

3.2. Pursuant to § 31 Para. 1 VwGVG, the decisions and orders are made by way of a resolution, unless a finding is to be made.

Pursuant to Section 28 (1) VwGVG, the administrative court has to settle the legal matter by finding it unless the complaint is to be rejected or the proceedings are to be discontinued.

According to § 28 para. 2 VwGVG, the administrative court has to decide on the matter itself if the relevant facts are established or the determination of the relevant facts by the administrative court itself is in the interest of speed or is associated with significant cost savings.

3.3. to A)

3.3.1. Applicable Law

3.3.1.1. The relevant provisions of the GDPR

Article 4

definitions

For the purposes of this Regulation, the term means:

1. "Personal data" means any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more special features that express the physical , physiological, genetic, mental, economic, cultural or social identity of that natural person;

2. "Processing" means any process carried out with or without the help of automated processes or any such series of processes in connection with personal data, such as collection, recording, organisation, ordering, storage, adaptation or modification, reading out, querying, use, disclosure by transmission, distribution or any other form of making available, matching or linking, restriction, deletion or destruction;

3rd - 6th (…)

7. "Responsible person" means the natural or legal person, public authority, agency or other body that alone or jointly with others decides on the purposes and means of processing personal data; if the purposes and means of this processing are specified by Union law or the law of the Member States, the person responsible or the specific criteria for his naming can be provided for by Union law or the law of the Member States;

8-26 (...)

Article 12

Transparent information, communication and modalities for exercising the rights of the data subject

1. The controller shall take appropriate measures to provide the data subject with any information referred to in Articles 13 and 14 and any communication referred to in Articles 15 to 22 and Article 34 relating to the processing in a concise, transparent, understandable and easily accessible manner submit the form in clear and plain language; this applies in particular to information that is specifically aimed at children. The information is transmitted in writing or in another form, possibly also electronically. If requested by the data subject, the information may be provided orally, provided that the data subject's identity has been proven in some other way.

2. The controller shall facilitate the exercise of the data subject's rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller may refuse only on the basis of the data subject's request to exercise their rights under Articles 15 to 22 to take action if he can show that he is unable to identify the person concerned.

(3) - (5) (…)

6. Without prejudice to Article 11, if the controller has reasonable doubts as to the identity of the natural person making the request pursuant to Articles 15 to 21, he may request additional information necessary to confirm the identity of the data subject.

(7) (…).

Article 15

Right of access of the data subject

(1) The data subject has the right to request confirmation from the person responsible as to whether personal data relating to them are being processed; if this is the case, you have the right to information about this personal data and the following information:

a) the processing purposes;

b) the categories of personal data being processed;

c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;

d) if possible, the envisaged period for which the personal data will be stored or, if this is not possible, the criteria used to determine that period;

e) the existence of a right to correction or deletion of the personal data concerning you or to restriction of processing by the person responsible or a right to object to this processing;

f) the existence of a right of appeal to a supervisory authority;

g) if the personal data are not collected from the data subject, all available information about the origin of the data;

h) the existence of automated decision-making, including profiling, in accordance with Article 22(1) and (4) and — at least in these cases — meaningful information about the logic involved and the scope and envisaged effects of such processing for the data subject.

(2) (…)

(3) The person responsible provides a copy of the personal data that are the subject of the processing. For any additional copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. If the data subject submits the request electronically, the information must be made available in a common electronic format, unless otherwise specified.

(4) (…).

3.3.1.2. The relevant provisions of the DSG

Complaint to the data protection authority

Section 24. (1) Every data subject has the right to lodge a complaint with the data protection authority if they believe that the processing of their personal data violates the GDPR or Section 1 or Article 2, Part 1.

(2) The complaint must contain:

1. the designation of the right deemed to have been infringed,

2. as far as this is reasonable, the designation of the legal entity or body to which the alleged infringement is attributed (respondent party),

3. the facts from which the infringement is derived,

4. the grounds on which the allegation of illegality is based,

5. the desire to determine the alleged infringement and

6. the information required to assess whether the complaint was filed in a timely manner.

(3) A complaint may be accompanied by the application on which it is based and any response by the respondent. The data protection authority shall provide further assistance in the event of a complaint at the request of the data subject.

(4) The right to have a complaint dealt with shall lapse if the intervener does not file it within one year of becoming aware of the event giving rise to the complaint, but at the latest within three years after the event allegedly took place. Late complaints are to be rejected.

(5) If a complaint proves to be justified, it must be followed. If an infringement is attributable to a person responsible for the private sphere, the person responsible must be instructed to comply with the complainant's requests for information, correction, deletion, restriction or data transfer to the extent necessary to eliminate the identified infringement. If the complaint proves to be unjustified, it must be dismissed.

(6) Until the proceedings before the data protection authority have been concluded, a respondent may subsequently remedy the alleged infringement by complying with the complainant's requests. If the data protection authority considers the complaint to be unfounded, it must hear the complainant. At the same time, he should be made aware that the data protection authority will informally discontinue the procedure if he does not explain within a reasonable period of time why he still considers the originally alleged infringement to be at least partially not remedied. If the essence of the matter is changed by such a statement by the complainant (Section 13(8) AVG), it is to be assumed that the original complaint will be withdrawn and a new complaint will be filed at the same time. In this case, too, the original complaint procedure is to be discontinued informally and the complainant to be informed. Late statements are not to be considered.

(7) The complainant will be informed by the data protection authority about the status and the result of the investigation within three months of filing the complaint.

(8) Any data subject may appeal to the Federal Administrative Court if the data protection authority does not deal with the complaint or has not informed the data subject of the status or the outcome of the complaint within three months.

(9) The data protection authority can - if necessary - involve official experts in the procedure.

(10) The decision period according to § 73 AVG does not include:

1. the time during which the proceedings are suspended until the final decision on a preliminary question;

2. the time during a procedure according to Art. 56, 60 and 63 DSGVO.

3.3.1.3. The relevant provisions of the Federal Law on the Public Accounting Professions, Federal Law Gazette I No. 137/2017 (Wirtschaftstreuhandberufsgesetz 2017 – WTBG 2017)

duty of confidentiality

Section 80. (1) Persons entitled to exercise the profession are obliged to maintain secrecy about the matters entrusted to them. For this duty of confidentiality it is irrelevant whether the knowledge of these circumstances and facts is also accessible to other persons or not.

(2) The professional secrecy obligation also extends to personal circumstances and company or business secrets that have become known to them when carrying out orders or in the course of an official, non-public procedure in the exercise of their profession.

(3) To what extent a person entitled to exercise the profession is exempt from the obligation to submit a certificate, to allow inspection of business papers or to provide information in administrative, tax, civil and criminal proceedings, with regard to what has become known to him in the exercise of his profession, determine the administrative and tax procedure laws as well as the code of civil and criminal procedure, but with the proviso that in tax proceedings before the tax authorities, a person entitled to exercise the profession has the same rights as a lawyer.

(3a) Insofar as the right of the professional to secrecy requires this to ensure the protection of the client or the rights and freedoms of other persons or the enforcement of civil law claims, the person concerned (Art. 4 Z 1 DSGVO) cannot rely on the rights of Art 12 to 22 and Art 119 of May 4th, 2016 p. 1 (hereinafter: GDPR), as well as § 1 Para. 3 DSG.

(4) The confidentiality obligation does not apply if and insofar

1. Reporting and information obligations within the framework of the provisions of Directive (EU) 2015/849 to prevent the use of the financial system for the purpose of money laundering and terrorist financing; amending Regulation (EU) No. 648/2012 and repealing Directive 2005/60/EC and Directive 2006/70/EC as amended by Directive (EU) 2018/843 OJ No. L 156 of 19.06. 2018 p. 43 (hereinafter: Money Laundering Directive), and the implementation measures issued in connection therewith or

2. the client has expressly released the professional from this obligation or

3rd-4th (...)

(5) (…)

3.3.2. According to Art. 15 Para. 1 GDPR, the data subject (the party involved) has the right to request confirmation from the person responsible as to whether personal data relating to them are being processed; if this is the case, she has a right to information about this personal data and to information according to lit. a) to h).

The complainant, as the sole person responsible within the meaning of Art. 4 Z 7 GDPR, prepared a (private) report for his client – the (still) wife of the involved party – on May 16, 2018 in order to document their possible future maintenance claims against the involved party.

During the entire administrative procedure before the data protection authority, the complainant did not comply with the request for information from the party involved dated July 30, 2018, and he only referred to his professional confidentiality obligation towards the party involved in a reply dated May 6, 2019.

In the complaint, the complainant stated more specifically that the provision of information and the handing over of copies constituted a violation of the rights of third parties (Article 15 (4) GDPR) and a breach of professional duties within the meaning of the professional secrecy obligation of the chartered accountant under Section 80 WTBG in conjunction with Article 14 (5) lit d GDPR. The data and documents would be subject to a legal restriction of the fundamental right to data protection within the meaning of Section 1 (2) DSG through Section 80 WTBG and the duty of confidentiality towards the complainant's client, the (still) wife of the party involved, who did not allow any release from the duty of confidentiality .

The complainant's argument cannot be accepted for the following reasons:

The right to information is regulated in Art. 15 GDPR. In terms of content, the right to information grants the data subject the right to request confirmation from the person responsible as to whether their personal data has been processed. If there is one or more such processing operations, the data subject has a right to information about the personal data and other information specified in Article 15 (1) lit. a to h leg. cit. defined information. This information must be provided so that the purpose of this right of the data subject can be fulfilled, namely to enable the data subject to gain an insight into the "whether and how" of the processing of their personal data (Jahnel, commentary on the General Data Protection Regulation Art. 15 DSGVO [as of 01.12 .2020, rdb.at] margin no. 2). To a certain extent, the claim ranges from the "whether" of the data processing (Art. 15 para. 1 half-sentence 1 DSGVO) to the "how" (Art. 15 para. 1 half-sentence 2 lit. a-h, para. 2 DSGVO) to the "what" ( Art. 15 para. 1 clause 2, para. 3 GDPR).

If the person responsible processes the data of the person concerned, he must provide information about the specific characteristics including the additional information and hand over a copy of the data himself (Art. 15 para. 1 lit. a to h, para. 2, 3 and 4; Haidinger in Knyrim, DatKomm Art. 15 GDPR [as of December 1, 2021, rdb.at] margin no. 27; Jahnel, Commentary on the General Data Protection Regulation Art. 15 GDPR [as of December 1, 2020, rdb.at] margin no. 2, 14 ff).

A principle for the processing of personal data according to Article 5 Paragraph 1 lit good faith, transparency").

Recital (39) to this provision states:

“Any processing of personal data should be lawful and fair. There should be transparency for natural persons as to whether personal data relating to them is being collected, used, viewed or otherwise processed and to what extent the personal data is being processed and will be processed in the future. The principle of transparency requires that all information and communications relating to the processing of that personal data are easily accessible and understandable and that they are expressed in clear and plain language. This principle concerns in particular the information on the identity of the person responsible and the purposes of the processing and other information that ensure fair and transparent processing with regard to the data subjects, as well as their right to obtain confirmation and information about which ones concern them personal data are processed. (...)" (cf. also Jahnel, commentary on the General Data Protection Regulation Art. 5 GDPR, margin nos. 8 to 15 [status 1.12.2020, rdb.at]; Hötzendorfer/ Tschohl/Kastelitz in Knyrim, DatKomm Art. 5 GDPR, Margin nos. 11 to 19 [as of May 7, 2020, rdb.at]).

Pursuant to Section 80 WTBG, the person concerned can only invoke the rights of Articles 12 to 22 and Article 34 GDPR and Article 1 DSG to the extent that the chartered accountant’s right to secrecy to ensure the protection of the client or the rights and freedoms other people required. However, this does not mean that the chartered accountant does not have to disclose anything to the opponent of his client's interests even if he is a data subject in accordance with Art. 15 GDPR, but rather that the chartered accountant's appeal to confidentiality is only selective and under clearly defined conditions can be done. In the present case, the complainant has not specifically explained to what extent disclosure of the data in question to the party involved, which was transmitted by his client, would violate his professional secrecy. In this context, it is particularly important to consider that the (still) wife, as the client, sent all non-public data of the party involved to the complainant, which was then processed by the complainant in the expert opinion of May 16, 2018.

Since the party involved was violated by the complainant as the (sole) responsible person through the processing of their (not publicly accessible) personal data worthy of protection in the report of May 16, 2018, the complainant did not have to rely on his professional confidentiality according to § 80 WTBG. It is therefore not sufficient to make a general reference to the duty of confidentiality in the course of a request for information pursuant to Art. 15 GDPR.

In addition, the provision of Art. 15 Para. 3 GDPR (which is to be applied to all information subject to the obligation to provide information; see Haidinger in Knyrim, DatKomm Art. 15 GDPR Rz 34 [status 1.10.2018, rdb.at]) provides that the The data subject must be provided with the data in a common electronic format if the application was submitted electronically, unless otherwise stated. In the present case, the application was also submitted electronically, so that the information must be transmitted electronically.

For the reasons set out, the responsible Senate consequently came to the conclusion that the complainant violated the right to information of the party involved by not providing the requested information on their personal data processed in the expert opinion of May 16, 2018. This is the same conclusion that the DPA came to, but on a different basis.

Since, for these reasons, the contested parts 2 and 3 of the above-mentioned decision are not unlawful within the meaning of Art. 130 Para. 1 Z 1 B-VG, the complaint raised against them was pursuant to § 28 Para and Para. 5 DSG as amended with a change to the provisions of the first instance ruling.

It was therefore to be decided accordingly.

3.3.4. Pursuant to Section 24 (1) VwGVG, the administrative court must hold a public oral hearing upon application or, if it deems it necessary, ex officio.

Although the complainant has submitted an application for a public hearing, in the present case the omission of an oral hearing can be based on the fact that the facts were clarified from the file situation file situation in connection with the hearing carried out on Zl. W101 2218962-2. The Federal Administrative Court only had to rule on a legal issue (cf. ECtHR June 20, 2013, Appl. No. 24510/06, Abdulgadirov/AZE, margin nos. 34ff). According to the case law of the Constitutional Court, an oral hearing can be omitted if the facts are undisputed and the legal question is not particularly complex (VfSlg. 17.597/2005; VfSlg. 17.855/2006; most recently VfGH 18.06.2012, B 155/12).

Consequently, pursuant to § 24 para. 1 and para. 4 VwGVG, an oral hearing was not to be held.

3.4. Re B) Inadmissibility of the revision:

Pursuant to § 25a Para. 1 VwGG, the administrative court has to pronounce in its ruling or decision whether the revision is admissible according to Art. 133 Para. 4 B-VG. The statement must be briefly justified.

According to Art. 133 Para. 4 B-VG, the revision is not permissible because the decision does not depend on the solution of a legal question that is of fundamental importance. The present decision neither deviates from the previous case law of the Administrative Court, nor is there any case law; Furthermore, the case law of the Administrative Court is not to be judged as inconsistent. There are also no other indications of a fundamental importance of the legal question to be solved.