BVwG - W256 2240235-1

From GDPRhub
Revision as of 12:10, 11 January 2022 by MB
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 6(1)(e) GDPR
Article 9(2)(f) GDPR
§ 28(3) Administrative Court Procedure Act (Verwaltungsgerichtsverfahrensgesetz – VwGVG)
Decided: 05.11.2021
Published: 05.01.2022
Parties: unknown data subject (complainant before the DSB)
Municipality of Innsbruck (respondent before the DSB)
Austrian Data Protection Authority (Datenschutzbehörde - DSB)
National Case Number/Name: W256 2240235-1
European Case Law Identifier: ECLI:AT:BVWG:2021:W256.2240235.1.00
Appeal from: DSB
unknown
Appeal to: Unknown
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (RIS) (in German)
Initial Contributor: n/a

The Federal Administrative Court (BVwG) remitted a case to the Austrian DPA (DSB) because the DSB had failed to properly establish the facts of the case and merely invited the parties to exchange submissions.

English Summary

Facts

The data subject is a retired employee of the municipality of Innsbruck. According to the data subject, the municipality had unlawfully disclosed the data subject's data in the course of a court procedure, inter alia by sharing them with an attorney who represented the municipality. The data subject lodged a complaint with the Austrian Data Protection Authority (Datenschutzbehörde - DSB).

The municipality argued before the DSB that the disclosure of the data subject's data to the attorney was necessary for the exercise of legal claims of the municipality and therefore for the purposes of the legitimate interests pursued by the municipality under Article 6(1)(f) GDPR. The data subject was heard on this statement and filed a submission, arguing that Article 6(1)(f) GDPR does not apply to the municipality as it qualifies as a public authority. The DSB invited the municipality to submit a statement on this reply. The municipality filed a statement (mostly repeating its arguments), which was in turn provided to the data subject, who issued yet another submission (also mostly repeating their arguments).

In September 2019, the DSB issued its decision, rejecting the complaint. In essence, the DSB (for reasons unknown) did not assess the case under Articles 6 and 9 GDPR but held that the disclosure of data was lawful under § 1 Austrian Data Protection Act (DSG), because Austrian law allowed for parties to be represented by an attorney, which included the sharing of personal data.

The data subject filed an appeal with the Federal Administrative Court (Bundesverwaltungsgericht - BVwG).

Holding

The BVwG did not issue a decision on the merits of the case but remitted it back to the DSB, ordering it to properly establish the facts of the case. It held that the DSB had failed to assess which personal data of the data subject had actually been shared with the attorney. Furthermore, the data subject had also argued that they were not fully aware which data had been shared with the attorney and from where the attorney had received these data. In that respect, the DSB also failed to establish when and how the respective data had been shared with the attorney. In particular, the BVwG criticized that the DSB merely invited the parties to exchange submissions but took no further steps to objectively establish the facts of the case.

Lastly, the BVwG held that the DSB failed to take into account Article 6(1)(e) and Article 9(2)(f) GDPR in their legal assessment but merely held that § 1 DSG had not been violated.

The DSB will now have to follow the BVwG's orders, properly establish the facts of the case and assess it under Article 6 and 9 GDPR.

Comment

The typical complaint procedure before the DSB has so far consisted of several rounds of submissions by both complainant and respondent but no other means of establishing facts (such as interrogations, expert witnesses, investigations in the form of data protection audits etc.). It remains to be seen whether this decision and similar decisions by the BVwG will change the DSB's practice when trying complaint cases under Article 77 GDPR.


English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.



Court: Federal Administrative Court
Decision date: 05/11/2021
Business number: W256 2240235-1

Saying

W256 2240235-1 / 10E

DECISION

The Federal Administrative Court, through the judge Mag. Caroline Kimm as chairman, the expert lay judge Dr. Claudia Rosenmayr-Klemenz and the expert lay judge Mag. Adriana Mandl as assessors, has decided on the complaint of Dr. XXXX against the decision of the data protection authority of January 22, 2021, GZ: DSB-XXXX:
A) The contested decision is repealed in accordance with Section 28 (3) second sentence VwGVG and the matter is referred back to the data protection authority for a new decision to be issued.
B) The revision is not permitted according to Art. 133 Para. 4 B-VG.




text
Reason:
I. Procedure and facts:
In his complaint of September 11, 2019, the complainant alleged a violation of the right to secrecy by the municipality of Innsbruck (hereinafter: participating party). His personal data were not processed lawfully or without sufficient justification according to Art 6 GDPR. The violation occurred on March 28, 2019, and indeed - as can also be seen from the minutes presented in extracts - in the oral hearing before the Regional Administrative Court of Innsbruck regarding the complainant's complaint because of a determination of the ancillary fee values on the part of the party involved, attorney XXXX ( hereinafter: RA) occurred. According to § 18 VwGVG, the party involved is a party to the proceedings as the authority concerned and can be represented in such a procedure by a lawyer who is employed by the party involved. However, the RA is an external lawyer acting on the basis of a work contract. His data (name, address, salary details, etc.) were made available to “this too”. The attorney even handed over internal documents to the responsible judge, which could be submitted later if necessary, and when he intervened before the regional administrative court, he invoked the verbally granted power of attorney. A written power of attorney was not presented. There are now massive concerns about the content and scope of the verbal power of attorney granted to the RA as well as about the transfer of his personal data to the RA by the party involved.
The authority in question then requested the party involved to comment.
In its statement of October 3, 2019, the party involved stated that the processing of the complainant's personal data was carried out on the basis of Article 6 (1) (c) GDPR to fulfill the employer's legal obligation and to safeguard the client's legitimate interests in accordance with Art 6 Paragraph 1 lit f GDPR. As can be seen from the submitted minutes of the negotiation, the regional administrative court, based on the complainant's motion to exclude the RA from the oral hearing, decided on March 28, 2019 that the party involved, as the authority concerned, may use a legal representative, which according to § 9 para 1 AVG is subject to confidentiality. The data is only passed on to the lawyer for the legal defense of legal claims in the legitimate interest of the person responsible.
In addition, the complainant stated in a letter dated October 28, 2019 that he had been in a public-law retirement relationship with the participating party since XXXX. Administrative proceedings were pending in this regard because of the shortening of his entitlement to benefits and pensions. The party involved has official lawyers. The additional involvement of a lawyer in the proceedings before the regional administrative court was not necessary and was always rejected by him. In order for the lawyer to intervene, the complainant's personal data should have been transmitted to him beforehand. The complainant sees this as a violation of his right to secrecy and in this respect he has also addressed a request for information to the party involved. In response, he had received a list of 20 pages in which the use of data, transmission or forwarding of his data was based on § 101 Innsbruck Municipal Officials Act 1970. This (inadequate) information from the party involved is the subject of further proceedings before the authority concerned. Among other things, the complainant submitted the information in question from the party involved.
The party involved stated in its statement of November 27, 2019 that the personal data of the complainant had been passed on to the lawyer in order to assert legal claims.
In a letter dated January 29, 2020, the authority in question requested the party involved to specify in which provision their representation was arranged and whether there was a provision for an "external representation".
The participating party stated in its statement of March 2, 2020 that the representation of the participating party results from § 42 Innsbruck city law. This shows that the mayor represents the city. According to § 18 VwGVG, the city is also a party to the proceedings and can be represented as such. This includes the transmission of data. If data were not allowed to be passed on to a legal representative, this would amount to a ban on representation.
To this end, the complainant was given a hearing.
In his opinion of 11 May 2020, the complainant essentially repeated his previous submissions. In addition, he submitted that the present case was about the complainant's personal data and not about the data of the participating party himself. In this respect, express consent or a legal basis is required for his data to be passed on. The § 101 Innsbrucker Gemeindebeamtengesetz 1970 mentioned by the involved party in their information is not such a suitable legal basis. Article 6 (1) (f) GDPR now mentioned by the party involved is also out of the question. Since the complainant is a “civil servant”, “civil servant law” applies and Art 6 (1) (f) GDPR, which is not applicable to public authorities, is therefore not relevant.
The involved party has already passed on his "civil servant data" several times to the named lawyers. The lawyer in question had also been commissioned several times to represent the party involved against the complainant and, in this respect, should be well informed about his "civil servant data". A representation before an administrative court or the administrative court without knowledge of his salary and pension law data is unthinkable. There is also the question of who passed on his data from the party involved to the lawyer and whether there was a city senate resolution or a municipal council resolution for the authorization of the RA.
The fact that the lawyer in question represented the party involved in numerous proceedings also emerges from several of the above-mentioned findings of the Administrative Court from 2017 and 2020, among others. In view of the multitude of possibilities, he has a legitimate interest in finding out who has accessed his "civil servant data" (specifically: time compensation data, additional fee data such as overtime data, etc., possibly also health data, vacation data) for the purpose of passing on his "civil servant data".
The investigative procedure of the authority concerned should initially concentrate on this. The authority concerned should then check whether the transmission has resulted in a data protection violation. That there was no injury would be surprising. In the absence of his express consent and a legal basis to pass on his "civil servant data" to an external freelancer (e.g. notary, tax advisor, civil engineer, lawyer, etc.), a request will continue to be made that the authority concerned may research the true facts with all its means and identify the violation of the right to secrecy. In particular, the authority concerned should have the internal access data presented and explained by the party involved.
In its statement of July 16, 2020, the party involved essentially repeated its previous submission.
To this end, the complainant was once again given a hearing by the authorities concerned.
In his statement of September 9, 2020, the complainant essentially referred to his statement of May 11, 2020. In addition, the complainant submitted that in the present case it was not a question of whether the party involved could be represented by a lawyer. For the present transmission of the complainant's personal data, what matters is whether consent has been obtained in advance or whether there is a legal basis. A consent to the transfer of his personal data from the personnel file or from the municipal IT system as well as his officially written statements and legal statements in service law matters is not given. He was also not asked about it. Nevertheless, the RA submitted such documents to the judge of the regional administrative court during the negotiations. Where the RA got this data from is not provided by the RA and a separate procedure is also pending. Under one of these, he presented his remuneration statement from May 2008, issued by the party involved, "as a representative" for the remaining monthly remuneration statements. 
In addition to his opinion of 9 September 2020, the complainant stated in his opinion of 25 September 2020 that he had already submitted to the RA as proof that his personal "sensitive" data had been transmitted by the party involved to the RA 20-page list, specifically refer to pages 13, 14 and 15. It shows that in connection with the pension certificate of March 31, 2016, XXXX and the proceedings conducted in this context (page 13), in connection with proceedings before the Constitutional Court re XXXX 8 (page 14), in connection with the declaratory decision on ancillary fee values from September 4, 2018, XXXX and the subsequent proceedings before the regional administrative court (page 15) and in connection with the decision on the determination of the ancillary fee allowance of June 3, 2019, XXXX identification data as well as salary and service-related data have been transmitted to the RA.
In his statement of January 11, 2021, the complainant drew attention to the fact that both the proceedings conducted by the complainant against the party involved because of a violation of the right to information and the proceedings at issue here because of an alleged violation of the right to secrecy did not occur within the had been decided in the AVG.
With the contested decision, the complainant's complaint of September 11, 2019 against the participating party for breach of the right to secrecy was rejected as unfounded. The complainant had been an official of the state capital Innsbruck since XXXX. He has been in retirement since 2016. Because of the shortening of his entitlement to benefits and pensions, administrative proceedings were (were) pending in this regard. On October 8, 2018, the complainant filed a complaint against the decision of the mayor of the state capital Innsbruck of September 4, 2018 regarding the determination of the ancillary fee values. In the oral hearing before the regional administrative court on March 28, 2019, the party involved appeared alongside 2 official party representatives from the RA. The complainant's personal data were given to him. The subject of the complaint was now the question of whether the party involved had violated the complainant's right to secrecy by transmitting personal data to a lawyer. In legal terms, the authority in question stated that the party involved in the present case was an authority under Section 1 of the Data Protection Act. According to § 18 VwGVG, the authority concerned is also party to the proceedings before the administrative courts. As a party to the proceedings, the authority concerned would have the rights of a party under the VwGVG in conjunction with the AVG. The AVG does not know that a lawyer is required, but rather gives those involved the opportunity to be represented. According to § 10 AVG, a power of attorney can also be given orally before the authority; A note on the file is sufficient for their authentication. This authentication can also be done by making a corresponding note in the negotiation protocol. In this respect, the complainant's argument that there was no written power of attorney could be left open. It should therefore be stated in the result that there was a legally valid representation by the RA. 
From the lawyers' rules it emerges that a lawyer has to take care of the business assigned to him with care. In doing so, he is empowered to put forward anything that appears to be useful for representing the party under the law. It should be based on whether a subjective behavior that is covered by client information and deemed necessary for law enforcement and legal defense appears abstractly necessary in order to serve the matter objectively. Against this background, the data transfer that is the subject of the proceedings can be regarded as covered by Section 1 (2) DSG. Otherwise, successful litigation or legal enforcement or legal defense would not be possible and it is in the nature of the matter that data of the opposing party may also be processed for an effective and targeted defense.
The present complaint is directed against this. In it, the complainant submits - insofar as this is essential - that the legal assessment of the authority in question ignores the facts. In the present case, it is not about the transmission of "city-related" data, but rather the transmission of his personal (sensitive) data to a lawyer. The authority concerned equates his personal (sensitive) salary and service data inadmissibly with city-related data. It is undisputed that the party involved can pass on “city-related” data to a lawyer. However, this is disputed in the case of personal (sensitive) data of one of their officials. This requires approval or a legal basis. The subject of the present proceedings was the question of whether the party involved had been allowed to transmit his (sensitive) data to a "non-civil servant" lawyer prior to the hearing. For this, the authority concerned would have had to carry out a proportionality test. The Higher Administrative Court has already determined that salary and payment claims and their granting and rejection are sensitive data. The processing of his personal, service and salary data was clearly carried out by the RA for a purpose other than that for which it was originally collected by the service authority. Incidentally, the party involved has certainly given the RA much more data than his academic title, name and address for processing. Otherwise, proper preparation (without knowledge of the content of several references, pension statements, etc.) would not have been possible. As evidence of this, reference is made to the decision of the Administrative Court of February 19, 2020, Ra 2019/12/0038, with which the appeal of the complainant against the decision of the State Administrative Court of April 29, 2019 was discussed. In this context, reference is also made to the decision of the Constitutional Court of November 24, 2017, A6 / 2017. 
Here, too, it can be seen that the RA acted as a representative of the party involved and that personal data must therefore have been passed on to him. What personal data the RA was aware of could be derived, for example, from his receipts or pension statements, and a "clear" example from 2013 is presented to the Federal Administrative Court. In addition, confidential internal written documents were even presented to the judge of the regional administrative court by the RA. Finally, the authority in question did not deal with the power of attorney granted to the lawyer. If they are of the opinion that an oral power of attorney is sufficient, they fail to recognize that special formal requirements stipulated in the city constitution are also required for an effective power of attorney.
The authority in question submitted the complaint, including the administrative act, to the Federal Administrative Court and filed a reply.
II. Assessment of evidence: The course of the procedure and facts set out above result from the administrative act submitted.
II. The Federal Administrative Court has considered:
Legal assessment:
On A) According to Section 28 (3) second sentence VwGVG, the administrative court can set aside the contested decision with a resolution and refer the matter back to the authority for issue of a new decision if the authority has failed to investigate the matter. According to Section 28 (2) (2), this procedure presupposes that the administrative court's own determination of the relevant facts is neither in the interest of speediness nor associated with considerable cost savings.
In its ruling of June 26, 2014, No. Ro 2014/03/0063, the Administrative Court held that a referral of the matter to the administrative authority for the conduct of necessary investigations according to § 28 Paragraph 3 second sentence VwGVG will come into consideration in particular if the administrative authority has neglected any necessary investigative activity, if it has only taken completely unsuitable investigative steps to determine the relevant facts or has only rudimentarily investigated. The same applies if there are concrete indications that the administrative authority failed to conduct (possibly difficult) investigations so that these can then be carried out by the administrative court (see also the decision of the administrative court of 25 January 2017, No. Ra 2016/12/0109, Rz 18ff.).
According to Section 24 (1) of the Data Protection Act, Federal Law Gazette I No. 165/1999 last amended by Federal Law Gazette I No. 14/2019 (DSG), every person concerned has the right to lodge a complaint with the data protection authority if they are of the opinion that the processing of the personal data concerning them violates the GDPR or § 1 or Article 2 1st main part.
Section 24 (2) DSG generally specifies how a complaint to the authority concerned is prepared in terms of content and which documents (data) must be attached so that the authority can process it at all (see VwGH, January 26, 2012, 2010/07/0087 on § 103 WRG 1959).
In particular, para. 2 no. 3 and no. 6 DSG stipulates that the complaint must contain the facts from which the infringement is derived as well as the information required to assess whether the complaint has been submitted on time.
This can be explained insofar as, without knowledge of the facts triggering the alleged data protection breach, in particular the data in question, it is not possible for the authority concerned to assess a legal infringement. With regard to the statute of limitations stipulated in Section 24 (4) DSG and the admissibility requirements that are differently graded according to data types, the specific naming or knowledge of the data in question and the accompanying circumstances of their alleged processing is essential for the assessment of a data protection breach (see Art 6 and Art 9 GDPR).
In his complaint to the data protection authority, the complainant alleged a violation of his right to secrecy by the party involved. At the oral hearing before the Regional Administrative Court of Innsbruck on March 28, 2019, the party involved had itself represented by the RA and for this purpose provided the RA with his data, such as name, address, "salary details, etc." as well as internal documents which could be submitted later if required. The complainant now has massive reservations not only about the legal validity of the power of attorney granted to the RA, but also about the transmission of his data per se.
More detailed information on the circumstances surrounding the alleged transmission, in particular when, by whom and in what form the party involved, including any "salary details etc." or data relating to him in the internal office documents, should have passed on to the RA, are not found in the complaint.
However, since the facts on which the alleged data protection breach is based do not emerge from the complaint, the authority in question would have been required to work towards clarifying the essential facts of the decision and thus the actual subject matter of the proceedings. The authority concerned would initially have the option of proceeding in accordance with Section 13 (3) AVG.
The authority concerned did not make use of this option. But otherwise it has made no effort to clarify the facts relevant to data protection law and thus to determine the actual subject of the proceedings.
It is true that based on the complainant's complaint, it requested the participating party to comment (several times) and subsequently granted the complainant a hearing. The relevant investigative procedure of the authority concerned was limited to bringing the complaint and subsequently the statements made to the attention of the respective parties and to request a statement.
Efforts in this regard to determine the facts that are still open in view of the complaint and thus the subject matter of the proceedings cannot be inferred from the investigative steps of the authority concerned.
This is all the more surprising since the complainant himself pointed out several times in his further submissions to the clarification of the facts and thus the actual subject matter of the proceedings.
For example, in his statement of May 11, 2020, he stated that in the present case it was not about data of the party involved, but exclusively about data of the complainant himself ("civil servant data") and that in the present case numerous "freelancers" had accessed it. In view of the multitude of possibilities, the authority concerned should determine who has accessed his "official data". The investigative procedure of the authority concerned should therefore initially concentrate on clarifying the facts.
In his statement of September 9, 2020, the complainant again pointed out that the RA had submitted personal data from the personal file or from the city's IT system as well as from his officially written statements and legal statements in employment law matters at the hearing and he did not know where the RA got this data from.
In his statement of September 25, 2020, the complainant again referred to information provided by the party involved, from which it emerged that the party involved had transmitted his personal data to the RA in several proceedings that had already been concluded, including the one at issue here.
A description of which data transfer should actually be the basis of his complaint can therefore not be inferred from all of his submissions. The party involved did not provide any explanations (on its own initiative) either.
Accordingly, it was only stated in general in the contested decision that personal data (not specified) had been passed on to the lawyer and that the subject of the proceedings was the question of whether the party involved had thereby violated the complainant's right to secrecy. More detailed information on which of the complainant's data was transmitted to the lawyer when and in what form cannot be found in the entire decision. The legal statements of the authority concerned are also limited solely to restricting the permissibility of data transfer to a lawyer for the purpose of legal defense to a power of attorney granted to him.
In doing so, however, the authority in question overlooks the fact that this is not at all decisive in the present case.
Rather, Art 9 (2) lit f GDPR expressly stipulates that the processing of personal (sensitive) data for the establishment, exercise or defense of legal claims is only permitted if it is (also) necessary (see Schiff in Ehmann / Selmayr, DS-GVO² Art 9 Rz 47, according to which this provision can also be used for non-sensitive data as a special case of the general authorization of legitimate interest standardized in Art 6 Para 1 lit f DSGVO).
Article 6 (1) (e) GDPR, which is applied in the sovereign area, is also based on such a need for data processing. According to this, the processing is only lawful if it is necessary for the performance of a task that is in the public interest or in the exercise of official authority.
The condition of necessity requires, in accordance with the protective purpose of the GDPR (Art 1 Paragraph 2), to limit the processing of personal data to what is absolutely necessary. The processing must therefore be necessary both for the performance of tasks in the public interest and in the exercise of official authority so that the person responsible can perform this task efficiently. This is to be assessed according to objective criteria, from which there is a connection between the data and the purpose pursued with the processing (see Heberlein in Ehmann / Selmayr, DS-GVO² Art 6 Rz 23; see also § 1 Paragraph 2 last sentence DSG, according to which the encroachment on the fundamental right may only be carried out in the mildest way leading to the goal.).
According to the jurisprudence of the Supreme Court, "necessary" within the meaning of Art 9 Paragraph 2 lit f GDPR means that without the data the assertion of the claim or a defense against it would not be possible or significantly more difficult (OGH, July 24, 2019, 6Ob45/19i).
Such an assessment of the necessity of their processing is not possible without knowledge of the data and the more detailed accompanying circumstances of its data processing.
Because the authority in question denied a violation of the complainant's right to secrecy in the present case, without, however, specifically addressing the data processing in question and its accompanying circumstances in any form, the matter thus remained in need of extensive supplementation in one essential point, which is why, in view of this particularly serious gap in the investigation, a remittal pursuant to Section 28 (3) second sentence VwGVG is necessary and also justified (cf. the decision of the Administrative Court of October 20, 2015, No. Ra 2015/09/0088).
A repetition of the preliminary investigation and thus an initial investigation and assessment of the relevant facts by the Federal Administrative Court cannot be within the meaning of the law. It is not evident that a direct further taking of evidence by the Federal Administrative Court "would be in the interest of speediness or associated with considerable cost savings" - also in view of the increased effort associated with the Federal Administrative Court's complaint procedure as a multi-party procedure.
The requirements of Section 28 (2) VwGVG are therefore not met in the present case of a complaint. As a result, the proceedings had to be referred back to the authority concerned for a new decision.
The authority concerned will therefore have to deal with the alleged data protection breach in the ongoing proceedings and to discuss it.
An oral hearing could be omitted in the present case in accordance with Section 24 (2) no. 1 VwGVG because it was already established on the basis of the file situation that the contested decision was to be "overturned". This fact is also applicable to resolutions to repeal and remittal (cf. for similar earlier legal situation Hengstschläger / Leeb, AVG [2007] § 67d margin no. 22).
On B) Inadmissibility of the revision:
Pursuant to Section 25a (1) VwGG, the administrative court has to pronounce in the verdict of its decision or decision whether the revision is admissible according to Article 133 (4) B-VG. The statement must be briefly justified.
The appeal is inadmissible because no legal question of fundamental importance within the meaning of Art. 133 para. 4 B-VG was to be assessed: that a referral of the matter back to the administrative authority for the necessary investigations to be carried out in accordance with Section 28 para. 3 second sentence VwGVG comes into consideration in particular if the administrative authority has investigated only rudimentarily or insufficiently corresponds to the case law of the Administrative Court cited above.
It was therefore to be decided by the Senate according to the ruling.


European Case Law Identifier
ECLI:AT:BVWG:2021:W256.2240235.1.00