BVwG - W252 2246581-1/6E

From GDPRhub
Revision as of 09:11, 30 August 2023 by Mg
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 15(1)(h) GDPR
Article 22(1) GDPR
Article 22(4) GDPR
Decided: 29.06.2023
Published: 10.08.2023
Parties:
National Case Number/Name: W252 2246581-1/6E
European Case Law Identifier: ECLI:AT:BVWG:2023:W252.2246581.1.00
Appeal from: DPA
Decision of 05.08.2021 (no link available)
Appeal to: Unknown
Original Language(s): German
Original Source: RIS (in German)
Initial Contributor: nho23

An Austrian court held that, in the case of automated decision-making, the 'meaningful information about the logic involved' mentioned in Article 15(1)(h) GDPR does not require full disclosure of the mathematical formula used by the controller.

English Summary

Facts

The data subject filed a complaint against the controller - a credit ranking agency.

In the original procedure before the Austrian DPA, the data subject claimed that their rights resulting from Article 15(1)(h) GDPR were infringed as the controller did not sufficiently inform them about the logic and algorithm used for the processing of their personal data in the context of an automated decision about the data subject's creditworthiness.

The controller replied that the processing at issue was not 'automated decision-making' pursuant to Article 22 GDPR, but only 'light profiling' under Article 4(4) GDPR. Therefore, the controller claimed that Article 15(1)(h) GDPR did not apply in the first place. Moreover, the controller argued that the algorithm regulating profiling could not be disclosed, being part of business secrets of the company.

The Austrian DPA upheld the complaint and issued a decision against the controller, ordering the latter to provide access to the information requested by the data subject.

The controller appealed the decision with the Austrian Federal Administrative Court (Bundesverwaltungsgericht - BVwG), stating that they provided the data subject with sufficient information.

Holding

The court upheld the controller's appeal.

First, the court noted that, according to Article 15(1)(h) GDPR, in case of automated decision-making the controller shall provide the data subject with an explanation about the logic behind the processing. However, this 'logic' shall not be understood as the algorithm or mathematical formula underlying the automated decision. Rather, the controller shall provide the following pieces of information: a) categories of personal data and why they are relevant to the creation of the profile; b) how the profile is created by automated means, with specific regard to the statistical method used; c) why the profile is relevant for the decision; d) how the profile is actually used in the context of the decision.

In the case at issue, the court held that the information provided by the controller was sufficient, as the controller disclosed all the elements listed above in a comprehensive manner. The data used and their function in the weighting were clearly stated by the controller, along with the meaning of the results (the profile) and the statistical nature of the processing. The data subject could thus understand the processing of their personal data. The court stressed that a more accurate description of how the concrete weighting of the parameters took place would have amounted to the disclosure of the mathematical formula (i.e. the algorithm) governing profiling, which is not covered by the GDPR.


English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

decision date

06/29/2023

standard

B-VG Art133 Para.4
DSGVO Art15 Abs1 lit


saying

W252 2246581-1/6E

IN THE NAME OF THE REPUBLIC!

The Federal Administrative Court, through the judge Mag.a Elisabeth SCHMUT LL.M. as chairperson and the expert lay judges Dr.in Claudia ROSENMAYR-KLEMENZ and Mag.a Adriana MANDL as assessors on the complaint of the XXXX, represented by Putz & Rischka Rechtsanwälte KG, 1030 Vienna, Reisnerstraße 12, (participating party before the administrative court XXXX, represented by Piaty Müller-Mezin Schoeller Rechtsanwälte GmbH & Co KG, 8010 Graz, Glacisstraße 27/2), against points 1, 2.a) and 2.b) of the decision of the data protection authority of August 5th, 2021, GZ XXXX, in a closed session in a data protection matter rightly recognized:

A) The appeal is upheld and the ruling in the contested decision is amended to read as a whole:

"The data protection complaint is dismissed as unfounded.".

B) The revision is allowed.

text

Reasons for decision:

I. Procedure:

1. With a submission dated October 24, 2019, the party involved (hereinafter "MP") lodged a data protection complaint with the relevant authority and summarized that the complainant (hereinafter "BF") had violated their right to information. She had repeatedly requested information under data protection law from the MP, but the MP had not given her sufficient information about the calculation, the logic involved and the calculation instructions (algorithm) to be carried out by the system for the creditworthiness scores assigned to her.

2. The BF commented on the allegations and claimed that it had already adequately fulfilled its obligation to provide information. In addition, on the one hand there is no profiling within the meaning of Art 22 GDPR and on the other hand the algorithm concerns a business/company secret.

3. With a decision dated August 5th, 2021, the relevant authority partially upheld the complaint and found that the BF had violated the MP’s right to information by providing her with incomplete information (point 1). In other cases of execution, it was the duty of the BF to inform the BF about the weighting of the parameters or input variables of various creditworthiness scores (point 2.a)) and to give the MP an explanation as to why they had the respective evaluation results (point 2.b)). Otherwise, she dismissed the complaint (paragraph 3).

The authority concerned explained that the BF had stated that the parameters or input variables were weighted differently, but had not disclosed how the weighting was specifically designed. The algorithm itself cannot be disclosed.

4. The present complaint of the BF of September 9th, 2021 is directed against points 1., 2.a) and 2.b) of the decision. In this, the BF states that they have already provided the MP with additional information on how the score values came about. In this case, there is only "light profiling" within the meaning of Art 4 Para 4 GDPR, which is why there is no obligation to provide information under Art 15 Para 1 lit h GDPR. In addition, the performance mandate of the authority concerned is excessive and concerns business and trade secrets that are worthy of protection.

5. The authority concerned submitted the complaint, following the administrative act, with a brief dated September 17, 2021, received on September 21, 2021, and applied for the complaint to be dismissed - with reference to the reasoning of the decision.

6. With the order of the business allocation committee of October 21, 2021, the procedure was removed from court department W214 and with the order of March 23, 2022, court department W253 and reassigned.

Evidence was collected by inspecting the administrative file and in particular the information contained therein by the BF.

II. The Federal Administrative Court considered:

1. The following facts are established:

1.1. On November 22, 2018, the MP sent a request for information to the BF. The BF provided the MP with information on December 4th, 2018 and supplemented this in several statements.

The supplementary information from July 15, 2020 contains, among other things, numerous data on the MP, such as their name, date of birth, addresses, payment arrears, commercial functions, company holdings, property, etc. (see the supplementary information from the BF from July 15, 2020; OZ 1, S 134 ff).

1.2. For the score calculation in general, the BF presented excerpts:

1.3. The BF provided the following information in excerpts on the profitability index (Wikex) (formatting not 1:1):

1.4. The BF provided excerpts of the following information on the RiskIndicator (formatting not 1:1):

1.5. The BF provided excerpts of the following information (formatting not 1:1) on the “XXXX” or the “XXXX” for the “CompanyScore”, “BasicScore” and “New Founderscore” models:

2. The findings result from the following assessment of evidence:

The findings are based on the unobjectionable administrative file.

The information from the BF on the individual calculation models results from the unobjectionable information from the BF of July 15, 2020 (OZ 1, S 126 ff).

3. Legally it follows:

to A)

The admissible complaint is justified.

3.1. On the subject of the complaint:

The subject matter of a procedure requiring an application is – as in the present case – basically determined by the application (cf. VwGH May 24, 2022, Ro 2022/04/0011). The object of the complaint is therefore the question of whether information is owed pursuant to Art. 15 para. 1 lit. h GDPR and, if so, whether the BF has already provided this information sufficiently.

3.2. Regarding the relevant legal provisions:

The relevant provisions of the GDPR are excerpted as follows:

"Article 15

Right of access of the data subject

(1) The data subject has the right to request confirmation from the person responsible as to whether personal data relating to them are being processed; if this is the case, you have the right to information about this personal data and the following information:

[…]

h) the existence of automated decision-making, including profiling, in accordance with Article 22(1) and (4) and — at least in these cases — meaningful information about the logic involved and the scope and envisaged effects of such processing for the data subject. [...]"

3.3. Regarding the right to information according to Art. 15 Para. 1 lit h GDPR:

In the case of automated decisions in individual cases in accordance with Article 22 (1) and (4) GDPR, the person concerned must be informed of the evaluation results achieved and the decisions made, as well as information on the logic used and the scope and intended effects of such processing (Haidinger in Knyrim, DatKomm Art 15 GDPR margin no. 44).

According to Haidinger, this information is only to be provided in the case of "severe profiling", i.e. if the decision has significant effects (Haidinger in Knyrim, DatKomm Art 15 GDPR margin no. 44). Zavadil disagrees, according to which the processing of credit data is risky and the purpose of the processing is to sell it to anyone. This alone is sufficient to significantly affect the data subject within the meaning of Art 22 (1) GDPR (Haidinger in Knyrim, DatKomm Art 15 GDPR margin no. 44; Zavadil, Dako 2020/33, p. 56).

If there is an automated decision-making process in an individual case in accordance with Article 22 (1) and (4) GDPR, the data subject must also be informed of this when the information is provided. In addition, information about the logic involved and the scope and intended effects of such processing must be provided. When providing information to the data subject, the person responsible must describe the logic used in such a way that they are informed about the parameters included in the evaluation and they can recognize which aspects of their person or their behavior are being used. The algorithm itself cannot be disclosed (Jahnel, comment on the General Data Protection Regulation Art. 15 GDPR).

Logic means the principle on which the calculation is based, but not the concrete calculation formula, including weighting and calculation method (algorithm) (Haidinger in Knyrim, DatKomm Art 15 GDPR margin no. 45).

The Article 29 Working Party recommends that, instead of extensive mathematical explanations of how algorithms or machine learning work, those responsible should, for example, provide the data subject with the following information clearly and concisely:

- the categories of data used or to be used in profiling or automated decision-making;
- why these categories are considered relevant;
- how the profiles used in automated decision-making are created, including statistics used in analysis;
- why this profile is relevant for automated decision-making; and
- how it is used for a decision on the data subject (Article 29 Working Party, Automated decision-making on a case-by-case basis (WP251 rev.01) p. 35).

For the present case this means:

As the authority concerned already explained, the BF has disclosed the parameters or input variables for the calculation of the "Wikex", the "RiskIndicator" and the "XXXX Rating" or the "XXXX Evaluation" in the models "CompanyScore", "BasicScore" and "New Founderscore".

The Respondent has also disclosed how the parameters or input variables came about, as it stated on "Wikex" in its statement of July 15, 2020 that "Wikex" "uses a statistical model to calculate a probability of non-payment in percent that differs from 100% (no abnormality) forecast" (see the last page of the information from July 15, 2020 under point C.9.). Regarding the "RiskIndicator", the Respondent explained that the "Wikex" is included in its calculation and with the "RiskIndicator" a payment conspicuousness "is predicted on the basis of historical empirical values" (see page 6 of the information from July 15, 2020 under point C.9.). Regarding the "XXXX Rating" or the "XXXX Evaluation", the Respondent states that "different statistical models are (are) being used" (see also page 6 of the information from July 15, 2020 under point C.9.).

The Respondent listed those profile categories that are possible for an assignment of the data subject: She specified the profile categories for the "Wikex" under "Evaluation declaration" on the last page of the information from July 15, 2020 (under point C.9.). For the "RiskIndicator" it listed the profile categories under "Assessment Statement" on page 16 of the information dated July 15, 2020 (see point C.9.). For the "XXXX Rating" or the "XXXX Evaluation", the profile categories were listed using the table on the "rating classes" on page 16 of the information from July 15, 2020 (also under point C.9.) (see the legal explanations in the decision of August 5th, 2021, p. 46 f).

In its general statements, the BF stated in detail what the respective assessments should say. Naturally, BF cannot know how the respective contractual partners of BF use this information and therefore cannot provide information. Some companies or clerks will still accept certain evaluation results for the conclusion of a contract or for certain conditions, while others will not. It is not possible for the BF to provide information about this. In this respect, the BF has adequately informed about the scope of the processing.

Contrary to the opinion of the authority concerned and the MP, the information provided by the BF on the influence of the individual variables on the assessment result is sufficient. As can be seen from the findings, the BF explained that, for example, the variable “real property” of the “RiskIndicator” has a positive effect on the valuation result if real property is available, otherwise it has a neutral effect. "Uncollected cases" would have a negative effect, if such entries are not available, this has no influence ("neutral") on the evaluation. Since the MP knows from this information how which variable affects the evaluation result, it is possible - as required in its statement - to "influence" the score value (MP statement of December 3rd, 2020, S 5; OZ 1, p 236).

The MP can thus understand how the individual variables influence the respective assessments. The principle on which the assessment is based has been set out by the BF (see Jahnel, comment on the General Data Protection Regulation Art 15 GDPR margin no. 32). However, the exact weighting with which the respective variables (e.g. "open debt collection cases") are included in the assessment cannot be disclosed (Haidinger in Knyrim, DatKomm Art 15 GDPR margin no. 45).

The BF agrees that disclosure of the concrete weighting of the variables would lead to disclosure of the algorithm. Contrary to the view or request of the MP, the score formulas, the computational algorithm, the statistical/computational procedure and the weighting of the data processed are not covered by the right to information (see the MP's statement of December 3rd, 2020, S 2; OZ 1, S 233; as well as the data protection complaint of October 24, 2019, S 4; OZ 1, S 16). It should be noted in particular that the MP does not have to be able to recalculate their concrete result; the principle of the calculation, on the other hand, was sufficiently explained to her, as stated.

Irrespective of whether automated decision-making including profiling (Art. 22 Para. 1 and 4 GDPR) takes place in the present case and whether the information provided was owed for this, BF provided information corresponding to Art. 15 Para. 1 lit h GDPR and this was complete. Since the respective explanations for the variables and calculations were also understandable, the MP was able to get an idea of the processing, become aware of it and check its legality (see Recital 63 GDPR). A "recalculation" of the individual ratings is not necessary for this (Haidinger in Knyrim, DatKomm Art 15 GDPR margin no. 45).

The individual points of the decision all relate to the right to information according to Art. 15 Para. 1 lit h GDPR and are not separable. The complaint of the BF was therefore to be upheld and the ruling in the notice to be changed accordingly.

3.4. Pursuant to Section 24 (1) VwGVG, the administrative court must hold a public oral hearing upon application or, if it deems it necessary, ex officio.

According to § 24 para. 4 VwGVG - unless otherwise provided by federal or state law - the administrative court can, regardless of a party's application, refrain from a hearing if the files indicate that the oral discussion does not give reason to expect any further clarification of the legal matter, and neither Art. 6 para. 1 ECHR nor Art. 47 CFR stand in the way of the omission of the hearing.

The requested oral hearing could be waived, since the facts that are essential for the legal assessment have already been fully collected by the administrative authority and in a proper investigation and at the time of the decision of the adjudicating court is still up to date and complete as required by law. The complaint also did not allege any facts that contradicted or went beyond the result of the official investigation (VwGH February 24, 2015, Ra 2014/19/0171). Furthermore, the administrative court was able to agree with the assessment of evidence by the authority concerned. The information provided by the BF was fully recorded by the authority concerned in the decision.

The assessment of whether the statements in the information comply with Art 15 Para 1 lit h GDPR is a legal question. The actual content of the information and thus the facts relevant to the decision are undisputed in the present proceedings.

In the present case, the Federal Administrative Court therefore only has to rule on a legal issue (cf. ECtHR June 20, 2013, Appl. No. 24510/06, Abdulgadirov/AZE, margin nos. 34 et seq.). Neither Art. 6 Para. 1 of the ECHR nor Art. 47 of the Charter of Fundamental Rights stand in the way of the omission of the hearing.

3.5. It had to be decided accordingly.

Re B) Admissibility of the revision

Pursuant to § 25a Para. 1 VwGG, the administrative court has to pronounce in its ruling or resolution whether the revision is admissible in accordance with Art. 133 Para. 4 B-VG. The statement must be briefly justified.

The revision is permitted in accordance with Art. 133 Para. 4 B-VG because there has not yet been any case law from the Administrative Court on the basis of which criteria precise, transparent, understandable information formulated in clear and simple language is to be assessed.