DSB (Austria) - 2021-0.285.169

From GDPRhub
Revision as of 14:21, 21 July 2021 by 10.90.129.140 (talk)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
DSB (Austria) - 2021-0.285.169
LogoAT.png
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 2(2)(c) GDPR
Article 4(1) GDPR
Article 4(15) GDPR
Article 51(1) EU Charter
Article 8 EU Charter
Article 3(2) Directive 95/46/EC
§ 1 DSG
§ 4(1) DSG
§ 45 DSG 2000
Type: Complaint
Outcome: Rejected
Started:
Decided: 03.05.2021
Published:
Fine: None
Parties: n/a
National Case Number/Name: 2021-0.285.169
European Case Law Identifier: ECLI:AT:DSB:2021:2021.0.285.169
Appeal: n/a
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (RIS) (in DE)
Initial Contributor: n/a

The Austrian data protection authority found that neither the GDPR nor the Austrian law implementing the GDPR will apply to the transfer of health data between two individuals via WhatsApp, as such processing fall's under the GDPR's household exemption.

English Summary

Facts

Mr X and Ms Y have a son and are divorced. Ms Y has sole custody of their son. Reliable care is required for the son due to special needs (e.g. hyperactivity, medication, etc.). The mother of the Mr X often takes care of him.

In a court order, a number of the data subject's health conditions had been identified. The order referred to the data subject only as the "father of the child" or “father”. Among other things, it lists Mr X's depressive currents and rapid mental exhaustion/overstrain, so that Mr X is dependent on a specially created daily structure with many breaks.

Ms Y forwarded this court order to the Mr X's mother via WhatsApp. In an accompanying message, the Ms Y referred to the data subject by his first name and questioned whether he still is an eligible to take care for the son.

Mr X filed a complaint with the Austrian DPA (Datenschutzbehörde, DSB) alleging a violation of the his right to data protection as well as to confidentiality.

Holding

The complaint was dismissed as unfounded. Neither the GDPR nor the Austrian Data Protection Act (DSG) applied due to the exception in Article 2(2)(c) GDPR.

Classification of the Data

The DSB first found that the data transferred was personal data. Furthermore, the information relates to the physical or mental health of the data subject and contains information about the health status of the data subject, i.e. data concerning health within the meaning of Article 4(15) GDPR.

GDPR Does Not Apply Due to Exception of Article 2(2)(c) GDPR

The DSB founds that the GDPR does not apply due to the household exception provided for in Article 2(2)(c) GDPR.

Pursuant to Article 2(2)(c) GDPR, the GDPR does not apply to the processing of personal data by natural persons in the course of purely personal or household activities. As a restriction of the fundamental right under Article 8 EU Charter, this provision was to be interpreted restrictively in accordance with Article 52(1) EU Charter. The criterion of delimitation is the absence of any reference to a professional or economic activity. This means that the central criterion for the applicability of the exception - and thus for the non-applicability of the GDPR - is the imputability of the data processing to the private sphere. It was noted that the terms "personal" and "household" refer to the activity of the person processing personal data and not to the person whose data are being processed.

The GDPR itself mentions in this respect, for example, the conduct of correspondence or social networking and online activities in the context of a personal or household activity (cf. recital 18 GDPR). However, this only applies to the extent that data is exchanged in closed groups that have no relation to the professional or economic activities of the users. The exclusively private use of services such as WhatsApp is covered by the scope of the exception, provided that it is not accompanied by an unrestricted publication of personal data on the internet.

Furthermore, the term "household" is not to be interpreted strictly in terms of family law [please note that the German version of the GDPR is using the terms “personal” and “family”], but also includes other relationships that are described as "family" by the public perception, irrespective of marriage and filiation. In this respect, it is irrelevant whether there is a formal bond or whether personal relationships exist on a purely informal basis.

In the specific case, the WhatsApp message in question was sent to an individually determined recipient (and not to an undetermined or unlimited public group of addressees) on the occasion of a personal and at least indirectly family-related correspondence between the controller and her former mother-in-law, who often looks after the son who is in the sole custody of the respondent.

Relationship Between the GDPR and the DSG: DSG Does Not Apply Either

The DSP then examined whether the DSG applied beyond the scope of the GDPR and, in this respect, whether there was a breach of the right to confidentiality under § 1(1) DSG. However, the applicability was denied.

This followed from the legislative competence of the EU according to Article 16(2) TFEU for regulations on the protection of individuals with regard to the processing of personal data. It follows that if the facts of the case fall within the scope of Article 8 EU Charter, those provisions of the member state (§ 1 DSG) which offer the same guarantee must be disregarded. To the extent of this conformity, the national provisions remain "dormant in force" and the assessment is based exclusively on Union law.

In the DSB's view, § 1 DSG does not go beyond Article 8 EU Charter. In this respect, the DSG does not apply due to the exception of Article 2(2)(c) GDPR.

In Eventu: Processing Not Covered in any Case due to the Exception of Article 2(2)(c) GDPR

The DPA lastly found that even if recourse to § 1 DSG was possible, processing activities in the personal and household sphere are not covered because of § 4(1) DSG in conjunction with Article 2(2)(c) GDPR. § 4(1) DSG provides that the GDPR applies in addition to the DSG. The DSB concludes that this also applies to the exemptions of the GDPR, so that processing operations excluded from the scope of the GDPR are also not covered by the GDPR due to Article 2(2)(c) GDPR.

In addition, the DSB stated that it is possible in principle to have a data protection right in a member state that covers cases that go beyond the GDPR. This is specifically justified with the corresponding old case law of the ECJ on household exceptions under the GDPR (Article 3(2) Directive 95/46/EC), which corresponds to Article 2(2)(c) GDPR. While the Austrian legislator had made use of this possibility with § 45 DSG 2000, a provision similar to § 45 DSG 2000 no longer exists since the introduction of the GDPR. This leads to the conclusion that the Austrian legislator did not want to extend the DSH to matters that exclusively concern the personal or family sphere.

Comment

With regard to Article 16(2) TFEU and the legal nature of the GDPR as a regulation and not a directive, it is highly questionable if the member states are allowed to regulate data protection cases that are excluded from the scope of the GDPR unless there is a respective opening clause. In this respect, the remarks made by the DSB on § 4(1) DSG are also very doubtful in terms of European law.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.



Decisive authority
Data protection authority


Decision date
05/03/2021


Business number
2021-0.285.169


Appeal at the BVwG / VwGH / VfGH
This decision is final.




text
GZ: 2021-0.285.169 from May 3, 2021 (case number: DSB-D124.3448)
[Note processor: Names and companies, legal forms and product names, addresses (incl. URLs, IP and e-mail addresses), file numbers (and the like), etc., as well as their initials and abbreviations can be abbreviated and / or changed for reasons of pseudonymisation be. Obvious spelling, grammar, and punctuation errors have been corrected.]

NOTIFICATION
Proverb
The data protection authority decides on the data protection complaint by Markus A *** (complainant) of December 29, 2020, received on January 7, 2021, against Claudia N *** (respondent) for breach of the right to secrecy as follows:
-      The complaint is dismissed as unsubstantiated.
Legal basis: Art. 2 para. 2 lit. c, Art. 4 Z 1, Z 2 and 15, Art. 51 para. 1, Art. 57 para. 1 lit. f and Art. 77 para. 1 of the Regulation ( EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), OJ No. L 119 of 4.5.2016 p. 1; Section 1 (1), Section 4 (1), Section 18 (1) and Section 24 (1) and (5) of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended; Art. 8 and Art. 52 Paragraph 1 of the Charter of Fundamental Rights of the European Union (EU-GRC), OJ No. C 202 of 7.6.2016, p. 389.

REASON
A. Arguments of the parties and course of the procedure
1. With an initial submission, the complainant alleged a violation of the right to secrecy by the respondent and alleged, in summary, that the respondent had sent a court order on December 16, 2020 with sensitive health data concerning the complainant via WhatsApp to a third person, namely Erika A ** *, passed on.
2. In her submission of January 26, 2021, the respondent replied that she and the complainant had been divorced since December 2015. She has sole custody for their son Andreas. Erika A *** is the biological mother of the complainant and the former mother-in-law of the respondent.
Since the disputed divorce in 2015, the Respondent has at times had telephone contact with her former mother-in-law. They would often take care of Andreas on the visiting weekends actually assigned to their ex-husband (the complainant), who would spend whole weekends as well as the winter or summer week with his grandparents. As far as the Respondent is aware, the Complainant maintains good and regular contact with his parents, which is why the Respondent assumes that they are informed about his state of health.
The transmission of the message in question to Erika A *** in connection with the inquiry regarding the complainant's resilience arises solely from concern for their son Andreas, since the respondent is not sure whether the complainant's health situation, which sounds dramatic to her as a layman, is a problem reliable support for Andreas, which is necessary due to his special needs (e.g. hyperactivity, medication, etc.). Since a solid basis for discussion was as good as non-existent between the respondent and the complainant, it was far from the respondent to confront the complainant with the diagnosis recorded in the court order. In order to protect the health and the physical and mental integrity of Andreas, the Respondent wanted to obtain certainty from her former mother-in-law by asking her former mother-in-law whether the complainant was still able to look after their son.
The respondent also pointed out that the screenshot of the transmitted message provided by the complainant only referred to the "child's father" and that neither the complainant's name nor any other personal data could be found there.
3. The complainant made no further submissions within the scope of the hearing of the parties.
B. Subject matter of the complaint
Based on the complainant's submissions, the subject of the complaint arises as to whether the respondent violated the complainant's right to secrecy by transmitting a court order with the complainant's health data to a third person, namely Erika A ***, via WhatsApp.
C. Factual Findings
The parties to the proceedings have been divorced since December 2015. The Respondent has sole custody of their son Andreas. Erika A *** is the biological mother of the complainant, grandmother of Andreas and the former mother-in-law of the respondent and often looks after the common son of the parties to the proceedings.
Assessment of evidence: The findings on family relationships and the care situation with regard to the joint son of the parties to the proceedings result from the indisputable information provided by the respondent.
The Respondent sent the following message to Erika A *** via WhatsApp in December 2020 (formatting not reproduced 1: 1):
[Editor's note: the documents inserted here in the form of graphic files (screenshots) cannot be pseudonymized with reasonable effort. They are reproduced here as a text document with an approximate reproduction of the formatting.]

[Screenshot from court order]

Due to the decision of the District Court *** of 04.07.2018 13 PU ****, the father is currently obliged to a monthly maintenance payment of EUR 3 **, 00 for my year old Andreas.

The minor is in the care and upbringing of the mother and, according to the files, has no income or assets.

The child's father suffered a leisure accident on July 2nd, 2013. Until 2014 he worked as a ****. The employment relationship was terminated during the sick leave (duration 1 year).
The child's father receives emergency assistance in the amount of EUR 4 *, 67 daily and is also marginally employed with an income of EUR * 34.00 including special payments at the facility ****. The income of the child's father is thus around EUR 1.00 per month.

The following clinical pictures were last diagnosed on June 5th, 2019:

 chronic depressive disorder
 Narcissistic or fearful avoidant personality structure
[Screenshot WhatsApp message]
Dear Erika, I had no idea how bad it was for Mark !! That explains a lot ... but unfortunately also raises the question of how much Andreas can rely on him or how much can Mark take care of him? 12:56

[Screenshot from court order]

 hypercholesterolemia
 Rapid mental exhaustion / excessive demands, so that the father is on a
specially created daily structure with many breaks.

He is also 60% disabled and an activity as a **** is no longer reasonable for him. According to the salary compass, the gross income as **** is between EUR 1. ***. 00 and EUR 2. ***. 00.
The child's father is constantly receiving psychiatric treatment.
The child's father is also legally responsible for Andreas N ***, born 1 * .0 * .1995, who is now studying at the FH in ******.

Evidence assessment:

The income of the child's father results from the submitted salary documents.
The clinical pictures of the child's father could be found in the patient's letter dated May 13, 2019. The neurologist's report dated March 6, 2015, included in the file, showed that a chronic course must be assumed and no improvement in health can be expected. It also emerges from this report that he can no longer practice the occupation as a **** at that time. The court also considers it credible and understandable if the child's father states in his interrogation that he is not able to work full-time and can only pursue marginal employment (rapid mental exhaustion / fatigue). The 60% disability of the father could be proven by the presented ID. The fact that the father is in psychiatric treatment could be credibly demonstrated by the father and was not denied by the district administration ***. The average earnings of a **** could be taken from the AMS salary compass. The fact that the child’s father is now legally responsible for his son Andreas again could be proven by means of a confirmation of enrollment.

Assessment of evidence: The findings on the content and the dispatch of the WhatsApp message at issue result from the insofar undisputed submission of the complainant in his submission that initiated the proceedings.
D. From a legal point of view, it follows:
D.1. For personal reference and the processing of data
In his submission that initiated the proceedings, the complainant complained about the disclosure of his health data by the respondent to a third person. The Respondent submits in this context that the screenshot provided by the complainant only speaks of the "child's father" and that neither the name nor any other personal data of the complainant are evident. At the outset, therefore, the question to be clarified is whether there is any processing of the complainant's personal data by the respondent.
According to Art. 4 No. 1 GDPR, "personal data" is all information that relates to an identified or identifiable natural person ("data subject"); A natural person is regarded as identifiable who, directly or indirectly, in particular by means of assignment to an identifier such as a name, to an identification number, to location data, to an online identifier or to one or more special characteristics that express the physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person can be identified.
The European Court of Justice (ECJ) has already stated with regard to Article 2 (a) of Directive 95/46 / EC that the term “personal data” is based on a broad understanding. Accordingly, the term is not limited to sensitive or private information, but potentially includes all types of information, both objective and subjective, in the form of opinions or assessments, provided that it is information “about” the person in question . "(See the judgment of the ECJ of December 20, 2017, C-434/16 [Nowak]).
These considerations can be applied to the current legal situation according to the GDPR, since the definition of "personal data" according to Article 2 (a) of Directive 95/46 / EC has been adopted in Article 4 (1) GDPR.
A person is clearly identified if the identity of the person is immediately apparent from the information itself (cf. in this regard the judgment of the ECJ of October 19, 2016, C-582/14 [Breyer], margin no. 38). On the other hand, a person can be identified if the information in itself is not sufficient to assign it to a person, but this succeeds as soon as the information is linked with further information. In other words: if the person concerned is not named, for example, but can still be determined with the help of reference data, personal data should be used (cf. Ernst in Paal / Pauly [ed.], General Data Protection Regulation. Comment, Art. 4, margin no. 8). In order to determine whether a natural person can be identified, all means must also be taken into account that are likely to be used by the person responsible or another person according to general discretion to identify the natural person directly or indirectly (see Recital 26 GDPR).
Applied to the present case, the complainant's personal data is in any case available, as although the document attached to the WhatsApp message in question only speaks of the "father" or "child's father", the text message that was also transmitted expressly refers to " Mark “- meaning the complainant Markus A *** - takes. In this context, the Respondent herself states that, by means of the message at issue, she wanted to inquire from her former mother-in-law Erika A *** whether her son (the complainant), on the basis of the state of health attested to him, fulfilled his duties of care with regard to Andreas (their son of the parties to the proceedings). As a result, for both the respondent and the recipient of the WhatsApp message, Erika A ***, there was no question to whom the information or diagnoses contained in the attached document relate and the complainant was clearly identifiable for them as a result.
Since the WhatsApp message, which is the subject of the proceedings, also clearly shows information relating to the complainant's physical or mental health and from which information about the complainant's state of health emerges, there is also health data within the meaning of Art. 4 Z 15 GDPR.
The transmission of the WhatsApp message in question, i.e. the message to individually determined addressees (cf. Reimer in Sydow [Hrsg.], European General Data Protection Regulation. Handkommentar, Art. 4, Rz. 69) also clearly constitutes processing within the meaning of Art. 4 Z 2 GDPR.
D.2. General information on the fundamental right to secrecy
The fundamental right to secrecy enshrined in § 1 DSG, according to the first paragraph of which everyone, in particular with regard to respect for their private and family life, has the right to secrecy of the personal data concerning them, insofar as there is a legitimate interest in this, includes the protection of data subject before their data is determined and the data obtained about them are passed on. However, the basic right to secrecy is not absolute, but may be restricted by certain permissible interventions.
It should be noted that in the present case a violation of the right to secrecy according to § 1 Paragraph 1 DSG is to be examined and limitations of this claim from Paragraph 2 leg.cit., But not from Art. 6 Paragraph 1 (or Art . 9 para. 2) GDPR result.
Pursuant to Section 1 (2) DSG, restrictions on the right to confidentiality are only permitted to safeguard the overriding legitimate interests of another, insofar as the use of personal data is not in the vital interest of the person concerned or with his consent, whereby, in the event of intervention by a state authority, this only may take place on the basis of laws that are necessary for the reasons stated in Art. 8 Para. 2 ECHR.
However, the GDPR and in particular the basic principles anchored in it must be taken into account when interpreting the right to secrecy (see the decision of July 4, 2019, GZ DSB-D123.652 / 0001-DSB / 2019).
As a preliminary step, it must therefore first be checked whether the facts at hand are actually covered by the material scope of application of the GDPR (and subsequently the GDPR).
D.3. On the (non-) applicability of the GDPR and on the so-called "household exception"
According to Article 2 (2) (c), the GDPR does not apply to the processing of personal data by natural persons for the exercise of exclusively personal or family activities (colloquially also referred to as "household exception").
The standardization of the "budget exception" represents a balancing decision of the Union legislature with regard to the primary law stipulated in Art. 8 EU-GRC right to the protection of personal data. According to Art. 52 (1) EU-GRC, restrictions on the rights and freedoms guaranteed by them must be must therefore be provided for by law and respect the essence of these rights and freedoms.
According to the prevailing opinion, this exception must therefore be interpreted restrictively (cf. for the largely identical provision of Article 3 (2), second indent of Directive 95/46 / EC, the judgment of the ECJ of November 6, 2003, C-101/01 [Lindqvist] ).
The delimitation criterion is the absence of any reference to a professional or economic activity. That is, the central criterion for the applicability of the "household exception" - and thus for the inapplicability of the GDPR - is the attribution of the data processing to the private sector (cf. Heissl in Knyrim [ed.], DatKomm Art. 2 GDPR, margin no. 70).
It should be noted that the terms “personal” and “familiar” refer to the activity of the person who processes personal data and not to the person whose data is being processed. (See the judgment of the ECJ of July 10, 2018, C-25/17 [Jehovan todistajat], margin no. 41 with further references.).
The GDPR itself mentions the conduct of correspondence or the use of social networks and online activities in the context of personal or family activities (see recital 18 GDPR). However, this only applies to the extent that data is exchanged in closed groups that are not related to the professional or economic activities of the users (cf. Ennöckl in Sydow [Hrsg.], European General Data Protection Regulation. Handkommentar, Art. 2, Rz. 13; cf. . also the previously cited judgment of the European Court of Justice of July 10, 2018, C-25/17, margin no. 42 with further references, according to which an activity “cannot be regarded as exclusively personal or familial within the meaning of this provision if it is The object is to make personal data accessible to an unlimited number of people, or if it extends even partially to the public space and is therefore directed to an area outside the private sphere of the person who processes the data ”). The exclusively private use of services such as WhatsApp is included in the scope of the "household exception" (cf. Bergauer in Jahnel [Hrsg.], GDPR. Comment, Art. 2, margin no. 27), provided that this is not accompanied by unrestricted publication of personal data on the Internet ).
The term “family” is not to be interpreted strictly according to family law, but also includes other relationships that are referred to as “family” by the general public, regardless of marriage and childhood. In this respect, it is irrelevant whether there is a formal relationship or whether personal relationships exist on a purely informal basis (cf. Ernst in Paal / Pauly [ed.], General Data Protection Regulation. Comment, Art. 2, margin no. 18).
On the basis of these considerations, it should be stated in an intermediate step that in the present case the exception provision of Art. 2 Para. 2 lit c GDPR is applicable, since the transmission of the WhatsApp message in question to an individually determined recipient (and not to an indefinite or . Unlimited public addressees) on the occasion of a personal and at least indirectly familial correspondence between the Respondent and her former mother-in-law, who often looks after the respondent's son who is in the sole custody of the Respondent.
In the next step, the relationship between the GDPR and the GDPR with regard to the exceptions mentioned in Art. 2 Para. 2 GDPR must be dealt with.
According to Article 16 (2) TFEU, there is Union competence to enact provisions on the protection of natural persons in the processing of personal data by the Member States in the context of the exercise of activities that fall within the scope of Union law.
To the extent that a matter falls within the scope of Art. 8 EU-GRC, any constitutional provisions that offer the same guarantee have to remain "dormant in force" within the scope of this agreement and the assessment is based exclusively on the provision of Union law (cf. recently the decision of the German Federal Constitutional Court of November 6, 2019, GZ 1 BvR 276/17, Rz 47 ff; cf. also VfSlg. 19.632 / 2012, where the Constitutional Court has already ruled that it will guarantee constitutional law in the event of compliance Rights with the EU-GRC using the latter as a control standard).
In the present case, it cannot be said that the scope of protection of § 1 DSG goes beyond that of Art. 8 EU-GRC, so that § 1 DSG does not apply at all.
But even if one were to see an application of § 1 DSG, the complaint would not be successful:
The (simple legal) provision of § 4 Paragraph 1 DSG declares, in addition to the DSG, the DSGVO for the fully or partially automated processing of personal data as well as for the non-automated processing of personal data that is or is stored in a file system as applicable, without specific to refer to the exceptions in Art. 2 Para. 2 GDPR.
In this regard, however, the provisions of the GDPR at the national level have a fundamentally unrestricted subject area of application (see Kunnert in Bresich / Dopplinger / Dörnhöfer / Kunnert / Riedl, DSG § 4, note 3), so that based on Art. 2 Para C GDPR, processing operations that are excluded from the scope of the GDPR are also not covered by the GDPR (see ErlAB, 1761 BlgNR. XXV GP, p. 4).
The data protection authority does not overlook the fact that the "budget exception" standardized in Art. 2 Para. 2 lit. c GDPR is essentially identical in content to the previous provision of Art. 3 Para. 2 second indent of Directive 95/46 / EC (DS-RL) and according to the relevant case of the European Court of Justice, the member states were not prevented from extending the scope of national legal provisions, which were enacted in implementation of the DS-RL, to areas not covered by the scope of the DS-RL, provided that no other provision of Community law opposed this (cf. Judgment of the ECJ of November 6, 2003, C-101/01, margin number 98). The Austrian legislature had made use of this possibility - created under the DS-RL - and laid down specific data protection regulations for processing activities for private or family purposes in the earlier provision of § 45 DSG 2000 (see master version of Federal Law Gazette I No. 165 / 1999). The provision just cited did not provide for a general exception to the fundamental right to data protection, which would not have been possible due to its simple legal nature (cf. Jahnel, Handbuch Datenschutzrecht, p. 433 ff).
With regard to the current legal situation, it should be emphasized that the GDPR itself - due to the essentially identical word for the definition of the "household exception" - does not fall behind the scope of protection of the DS-RL, but a provision by the Austrian legislature in the DSG that is similar to Section 45 DSG 2000 was not (no longer) provided in the following.
From this it can be concluded that the Austrian legislature did not want to extend the scope of protection of the DSG to facts that exclusively concern the personal or family area.
D.4. Result
On the basis of the above considerations, the provision of Art. 2 Paragraph 2 lit. c GDPR is also applicable in connection with an alleged violation of Section 1 Paragraph 1 GDPR and consequently the scope of application of the GDPR or the DSG is not opened up. As a result, the right to lodge a complaint in accordance with Section 24 (1) DSG is not available for the communication via WhatsApp in the context of personal and family activities.
It was therefore to be decided according to the ruling.


European Case Law Identifier
ECLI: AT: DSB: 2021: 2021.0.285.169