DSB (Austria) - DPA 2021-0.415.529: Difference between revisions

From GDPRhub

Latest revision as of 09:15, 29 May 2024

DSB - DPA 2021-0.415.529
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 5 GDPR
Article 6(1)(f) GDPR
Article 14 GDPR
Article 17 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 06.08.2021
Published: 22.05.2024
Fine: n/a
Parties: n/a
National Case Number/Name: DPA 2021-0.415.529
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): German
Original Source: RIS (in DE)
Initial Contributor: ec

The DPA held that a controller unlawfully processed a data subject’s personal data by failing to inform the data subject of the collection from a job advertisement portal.

English Summary

Facts

The data subject was registered as a jobseeker with the Austrian Public Employment Service. The data subject received unsolicited job offers from a company (“the controller”) by text message, whereby the company had informed the data subject by telephone that it had received the data subject’s contact details from the Austrian Public Employment Service (“AMS”).

The data subject emailed the controller with a request for erasure, but received no response from the controller. The data subject continued to receive further text messages with job offers from the controller.

The data subject then lodged a complaint with the Austrian DPA (“Datenschutzbehörde”).

The controller argued that since the data subject had been registered as a jobseeker with the AMS at the time of the first contact, it was not considered unlawful to send a job offer to the data subject. It therefore had a right to process the data subject’s data for the purposes of its business and thus had legitimate interests under Article 6(1)(f) GDPR. The controller did not address the issue of the data subject's right to erasure in its statement.

The data subject stated that they did not question the legality of the collection of their data as they were aware that the controller collected personal data such as their telephone number from the AMS. The data subject only wanted to enforce their right to erasure. The data subject explained that they had suspended all of their job advertisements via the AMS’s online portal, because they no longer needed support from the AMS. However, the data subject still received text messages from the controller with job offers despite several requests for erasure.

Holding

The DPA held that the controller is required to not only justify the lawfulness of its data processing under Article 6 GDPR, but also to comply with the principles of processing under Article 5 GDPR. Under Article 5(2) GDPR, the controller is not only obligated to comply with these principles, but must also be able to prove compliance. The DPA stated that the controller failed to provide such proof.

According to Article 5(1)(a) GDPR, personal data must be processed lawfully, fairly and in a transparent manner. The DPA explained that from this transparency principle follows Article 14 GDPR, which states that the controller has an information obligation if the data was not collected from the data subject themselves. The DPA stated that the controller took the data subject’s data from a job advertisement created by the data subject themselves in the e-Job-Room of the AMS without the data subject’s participation and thus without the knowledge of the data collection. The exception of the information obligation under Article 14(5)(a) GDPR thus did not apply here. The controller should therefore have provided the data subject with the information under Article 14 GDPR at the latest at the time of the first text message to the data subject. The DPA stated that the controller failed to do so and thus violated the principle of transparency under Article 5(1)(a) GDPR and thus processed the data subject’s data unlawfully.

Regarding the request for erasure, the DPA stated that under Article 17(1)(d) GDPR, the data subject has a right to erasure without undue delay and that the controller shall have the obligation to erase personal data without undue delay where the personal data have been unlawfully processed. The DPA found it unnecessary to go into further detail on other possible grounds for erasure, such as the data subject objecting to the processing under Article 17(1)(c) GDPR.

The DPA therefore held that the controller was obliged to erase the data subject's data immediately after receiving their request for erasure, but at the latest within the one-month period pursuant to Article 12(3) GDPR. By failing to do so, it violated the data subject's right to erasure under Article 17 GDPR.

The DPA thus ordered the controller to comply with the data subject’s request for erasure.

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Text

GZ: 2021-0.415.529 of August 6, 2021 (case number: DSB-D124.3325)

[Editor's note: Names and companies, legal forms and product names, addresses (including URLs, IP and email addresses), file numbers (and the like), statistical information, etc., as well as their initials and abbreviations may be abbreviated and/or changed for pseudonymization reasons. Obvious spelling, grammatical and punctuation errors have been corrected.

The name of the AMS as a public corporation, which was not a party to this matter, has not been pseudonymised, as its legally defined job placement tasks are part of the reasoning, and therefore a meaningful pseudonymisation of the name was not possible in this decision to be published in accordance with Section 23, Paragraph 2 of the DSG.]

DECISION

RULING

The Data Protection Authority decides on the data protection complaint of Dipl. Ing. Richard A*** (complainant) from **** E***berg dated 1 December 2020 against N*** Personalbereitstellung GmbH (respondent) from **** J***stadt (by the Regional Court H**** registered in the commercial register under FN*3*2*0g) for violation of the right to erasure as follows:

1. The complaint is upheld and it is determined that the respondent has violated the complainant's right to erasure by not complying with his request for erasure dated October 3, 2020.

2. The respondent is ordered to delete all of the complainant's data processed by it within a period of 4 weeks, otherwise execution will occur.

Legal basis: Art. 5 (1) (a) and (2), Art. 12 (3), Art. 14 (1), (2) and (3) (b), Art. 17 (1) (d), Art. 24 (1), Art. 51 (1), Art. 57 (1) (f), Art. 58 (2) (c) and Art. 77 (1) of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), OJ L 119 of 4 May 2016, p. 1 as amended; Section 18, paragraph 1, and Section 24, paragraphs 1 and 5 of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999, as amended.

REASONING

A. Arguments of the parties and course of proceedings

1. In his complaint received by the data protection authority on December 1, 2020, the complainant argued that the respondent had not responded to his written (by email) and substantiated request for deletion dated October 3, 2020, nor had it rejected the request. He had received unsolicited job offers from the respondent via SMS, with the respondent having informed him by telephone that it had received his contact details from the Public Employment Service (AMS).

2. The respondent, asked by the data protection authority to comment (procedural order of December 7, 2020, GZ: 2020-0.800.849), did not initially respond.

3. After being asked to comment (procedural order of March 25, 2021, GZ: 2021-0.213.417, verifiably delivered to the respondent as an RSb letter on April 6, 2021), the respondent issued the following statement in a letter dated April 12, 2021: The complainant was registered as a job seeker with the AMS at the time of first contact. Since the data was received "from the AMS as the official job placement platform," it was not considered unlawful to present the complainant with a job offer. The respondent did not address the question of the complainant's right to deletion in its statement.

4. After hearing the parties' views on the outcome of the investigation (procedural order of 15 April 2021, ref. no. 2021-0.267.486), the complainant submitted the following statement on 19 April 2021: He was aware of the respondent's view on the handling of his data from direct contacts. However, he was not concerned with the legality of the investigation of his data, but only with the question of enforcing his right to erasure. He had put all of his job advertisements on hold via the AMS online portal after he no longer received any support from the AMS, but despite multiple requests for deletion, he had received SMS messages with job offers from the respondent, most recently on April 16, 2021.

5. After hearing the parties on the complainant's statement of April 19, 2021 and requesting the respondent to comment again on the complainant's submission, among other things with reference to the accountability requirement under Article 5, paragraph 2, GDPR (procedural order of April 23, 2021, GZ: 2021-0.291.660), the respondent has not made any further comments on the complainant's submissions.

B. Subject matter of the complaint

Based on the parties' submissions, it emerges that the subject matter of the proceedings is the question of whether the respondent violated the complainant's right to deletion by refusing to comply with a request for deletion dated October 3, 2020.

C. Findings of fact

6. The respondent operates the business of hiring out workers (GISA reference number *6*99*4*8).

7. Assessment of evidence: This finding is based on the public business information system Austria (GISA) of the Federal Ministry for Digital and Economic Affairs (query of the respondent's data on August 5, 2021, extract enclosed in the reference number of this decision).

8. The respondent processes the complainant's data (in particular his mobile phone number 06**/*8*4*77*1), which it took from a public online job advertisement of the complainant, who was looking for a job in 2020, in the eJob Room for applicants of the Public Employment Service (AMS) without the complainant's involvement and processed for its own purposes. It subsequently used this data several times to contact the complainant unsolicited by mobile phone text messages (SMS) and to ask him to contact several of its customers by telephone who had "job offers" that matched the complainant's professional profile.

9. Assessment of evidence: These findings are based on the credible and factually undisputed submissions of the complainant in the complaint of 1 December 2020 (enclosed as an introductory document in GZ: 2020-0.800.849) and in the statement of 19 April 2021 (enclosed as an introductory document in GZ: 2021-0.291.660).

10. After previously unsuccessfully contacting the respondent by telephone with the aim of no longer receiving such SMS messages and subsequently deactivating the online job advertisement in the eJob-Room, the complainant sent a letter (email) with the following content to the respondent's general email address (office@n***personal.com) on 3 October 2020:

[Editor's note: The complainant's letter (email), reproduced here in the original of the decision as a graphic file, was converted into a text document using OCR for the purpose of reproduction in the RIS. The layout is only approximately reproduced.]

"Subject:  Request for immediate deletion in accordance with Art. 17 Para. 1 GDPR

From:     Richard A*** <r.a***@x***net.com>

Date   October 3, 2020 5:00 p.m.**

Hello,

I hereby request the immediate deletion of personal data concerning me in accordance with Art. 17 Para. 1 GDPR.

Please delete all personal data concerning me as defined in Art. 4 No. 1 GDPR.

I am of the opinion that the requirements of Art. 17 Para. 1 GDPR are met. You cannot invoke an exception under Article 17, Paragraph 3 of the GDPR, especially since I am not a public figure.

If I have given my consent to the processing of my data (e.g. in accordance with Article 6, Paragraph 1, Letter a or Article 9, Paragraph 2 of the GDPR), I hereby revoke this consent for the entire data processing process.

I also object to the processing of personal data concerning me within the meaning of Article 21 of the GDPR; this also applies to profiling. I request that you restrict the processing of data concerning me in accordance with Article 13, Paragraph 1, Letter d of the GDPR, as long as it has not yet been determined whether your legitimate reasons outweigh mine.

If you have made the data in question public, you are obliged under Article 17, Paragraph 2 of the GDPR to take all appropriate measures to inform other responsible parties, such as search engine operators, who process the personal data listed above, of my request to delete all links, copies or replications. This applies not only to exact copies of the data concerned, but also to those from which information contained in the data concerned can be extracted.

If you have disclosed the personal data concerned to one or more recipients within the meaning of Art. 4 No. 9 of the GDPR, you must also communicate my request to delete the personal data concerned and all references to it to all such recipients in accordance with Art. 19 of the GDPR. Please continue to inform me about these recipients.

If you refuse deletion, you must give me reasons for this.

My request explicitly includes all other offers and companies for which you are responsible within the meaning of Art. 4 No. 7 GDPR.

According to Art. 12 Para. 3 GDPR, you must inform me immediately, but no later than one month after receipt of the request, of the deletions made.

I have enclosed the following data to identify myself:

Dipl. Ing. Richard A***; resident: **** E***berg; born: **.**.1976; Tel.: 06**/*8*4*77*1; r.a***@x***net.com

If you do not comply with my request within the specified period, I reserve the right to take legal action against you and file a complaint with the responsible data protection supervisory authority. Today is October 3, 2020.

Thank you in advance for your effort.

Best regards

Dipl. Ing. Richard A***"

11. This message has been delivered.

12. The respondent has not responded to this message and has not deleted any of the complainant's data. The complainant received further SMS messages with "job offers" of the type described at least on November 20, 2020, December 1, 2020 and April 16, 2021.

13. Assessment of evidence: As last time. See in particular the attachments (graphic files reproducing the request for deletion of October 3, 2020) to the complaint of December 1, 2020.

D. From a legal point of view, this leads to the following:

D.1. Total:

14. The complaint has been proven to be justified because the respondent did not process the complainant's data lawfully from the outset, as it violated the principle of transparency pursuant to Art. 5(1)(a) and Art. 14(1) and (2) GDPR when collecting the data, which is why it is obliged to delete the data in any case pursuant to Art. 17(1)(d) GDPR. Despite being asked to do so by the data protection authority, the respondent has not succeeded in proving the legality of its data processing.

D.2. Objection of the respondent:

15. The respondent only countered the complaint (in the - very brief - statement of April 12, 2021) by arguing that it had received the complainant's data via the AMS as the "official job placement platform". In doing so, it essentially claims that it is permitted to process the complainant's data for the purposes of exercising its business, and thus for overriding legitimate interests in accordance with Article 6, Paragraph 1, Letter f, GDPR.

D.3. Legal basis for data processing, principles and justifications:

16. Considered separately from the complaint, such legitimate interests could be considered as legal bases for processing here.

17. However, the respondent overlooks the fact that, as a data controller, in order to ensure the lawfulness of its data processing, it not only needs a justification in accordance with Art. 6 GDPR, but must also comply with the principles for the processing of personal data in accordance with Art. 5(1) GDPR and must prove compliance with these principles to the data protection authority in the event of a dispute in accordance with paragraph 2 leg. cit. (accountability). The respondent was also expressly informed of the latter in the procedural order of 23 April 2021, GZ: 2021-0.291.660. No such evidence has been provided.

18. Accountability is a central element of the GDPR that has been added with the increased personal responsibility of the controller vis-à-vis the Data Protection Directive. It arises from Article 5, Paragraph 2 and Article 24, Paragraph 1 of the GDPR and states that the controller must not only comply with the provisions of the GDPR, but must also be able to prove this. The controller therefore has the burden of proof of compliance with the GDPR. In particular, this results in a comprehensive documentation obligation (Hötzendorfer/Tschohl/Kastelitz in Knyrim, DatKomm Art 5 GDPR (as of May 7, 2020, rdb.at), Rz 58).

D.4. Principle of transparency and obligation to provide information:

19. According to Art. 5, Paragraph 1, Letter a, GDPR, personal data must be processed lawfully, fairly and in a manner that is understandable to the data subject (“lawfulness, fairness and transparency”).

20. Any processing of personal data should be lawful and fair. For natural persons, there should be transparency as to whether personal data concerning them are collected, used, viewed or otherwise processed and to what extent the personal data are processed and will be processed in the future (GDPR, Recital 39, sentences 1 and 2, emphasis by the data protection authority).

21. The implementation of the principle of transparency is particularly served by the obligation to provide information pursuant to Art. 14 GDPR, which applies when data to be processed is not collected from the data subject himself (i.e. not with his cooperation, in particular by questioning, or by written or online notification by the data subject himself).

22. The respondent did indeed take the complainant’s data from a job advertisement created by the complainant himself in the AMS eJob Room, and therefore viewed and copied it there, but did so without the complainant’s cooperation and thus without the knowledge of the data collection and the information to be made available by the controller for this purpose, which is associated with such cooperation. The exception pursuant to Art. 14(5)(a) GDPR therefore does not apply here.

23. According to Article 14(3)(b) of the GDPR, the respondent should therefore have provided the complainant with the information required under Article 14(1) and (2) of the GDPR at the latest when the first SMS was sent to the complainant.

24. By failing to do so, the respondent violated the principle of transparency pursuant to Article 5(1)(a) of the GDPR and thus processed the complainant’s data unlawfully right from the start.

D.5. This means that the right to erasure is subject to the following:

25. Pursuant to Article 17(1)(d) of the GDPR, the data subject has the right to request the controller to erase personal data concerning him or her without delay, and the controller is obliged to erase personal data without delay if the personal data has been processed unlawfully.

26. It is therefore not necessary to go into further detail on other possible reasons for erasure (in particular a possibly justified objection by the complainant in accordance with Article 17(1)(c) of the GDPR).

D.6. Conclusions:

27. The respondent would therefore have been obliged to delete the complainant's data immediately after receiving his request for deletion on 3 October 2020, but no later than within one month under Article 12(3) GDPR. Since it failed to do so, it violated the complainant's right to deletion under Article 17 GDPR. This was established in accordance with the ruling (point 1).

28. In order to enforce the right to erasure, the respondent was further instructed to comply with the complainant’s request for erasure pursuant to Article 58(2)(c) of the GDPR (ruling point 2).