BVwG - W274 2214412-1

From GDPRhub
Revision as of 09:28, 22 February 2021 by Fabian (talk | contribs) (Created page with "{{COURTdecisionBOX |Jurisdiction=Austria |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=BVwG |Court_With_Country=BVwG (Austria) |Case_Number_Name=W274 22144...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
BVwG - W274 2214412-1
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 5(1)(d) GDPR
Article 15 GDPR
Article 18 GDPR
Article 21 GDPR
Article 77 GDPR
Article 79 GDPR
§§ 1, 24 Austrian Data Protection Act (Datenschutzgesetz - DSG)
Article 133 (4) Austrian Constitution (B-VG)
Decided: 04.12.2020
Published: 12.02.2021
Parties: doctor
Doctor Search Portal
National Case Number/Name: W274 2214412-1
European Case Law Identifier: ECLI:AT:BVWG:2020:W274.2214412.1.00
Appeal from: DPA (Datenschutzbehörde - DSB)
Appeal to: Not appealed
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (RIS) (in German)
Initial Contributor: Fabian Schuster

The Austrian Federal Administrative Court held that the parallelism of legal protection options is permissible under the GDPR, which is directly applicable in Austria. Furthermore, (formal) change in the legal framework does not interrupt preclusion periods, where the material formulation of these preclusion periods has not changed.

English Summary

Facts

The complainant lodged a complaint pursuant to Article 77 of the GDPR on the grounds of infringement of the right to erasure of data pursuant to Article 17 of the GDPR and the right to object to data processing pursuant to Article 21 of the GDPR against one of Austria's leading doctor search platforms.

This platform is intended to enable patients and doctors to find each other. For this purpose, it listed doctors on its website - including the complainant- with their title, name, address, speciality, telephone number and surgery hours. Directly below the presentation of this data, the MB allows anonymous third parties to rate the respective doctors according to a school grading system in various categories as well as to write a "field report" in free text. In order to be able to submit such an evaluation, it was necessary to register on the website with a freely selected user name and to provide an e-mail address and date of birth. The entry of further data was not required.

The complainant claimed that the allegations in some evaluations were untrue and likely to damage his reputation and standing.

The Data Protection Authority rejected the complaint on the grounds of inadmissibility. In its opinion, the recourse to the data protection authority was inadmissible because an ordinary court was already dealing with the same matter.

Dispute

Does the online platform violate the rights of the data subject under the GDPR and is there an obligation for the platform to delete all data which use does not comply with the provisions of the GDPR, in particular the complainant's entire doctor profile including all evaluations, and to refrain from any further processing of the data.

Holding

In its decision the Administrative Court agrees with the reasoning of the Supreme Court, according to which the parallelism of legal protection options is permissible under the GDPR, which is directly applicable in Austria, and the circumstance of parallel recourse to administrative jurisdiction under subsequent judicial review does not affect an indispensable core of Austrian constitutional law. The dismissal by the data protection authority (DPA) for the reasons of the exclusion of parallel legal enforcement is, therefore out of question, without having to address that the subject matter of the dispute or complaint is not identical (in this case, legal recourse to the DPA would also be open).

However, the court held that preclusive or limitation periods serve to ensure that proceedings are conducted within a reasonable period of time, so that in particular difficulties with evidence are to be avoided. The (formal) change in the legal framework does not interrupt the aforementioned preclusion periods, where the material formulation of these preclusion periods has not changed in any case. The fact that the position asserted by the complainant in pre-trial correspondence was rejected and then continued to be asserted in an insignificantly modified form does not change the preclusion period of § 24 (4) Data Protection Act (DSG) as long as the "knowledge of the event giving rise to the complaint" is not affected.

Therefore, the late filing of the complaint within the meaning of § 24 (4) DSG leads to its dismissal. The authority concerned was right in dismissing the complaint - albeit for a different reason - so that the complaint - again as a result - was unsuccessful.


Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

IN THE NAME OF THE REPUBLIC!

The Federal Administrative Court, by Judge LUGHOFER as Chairman and the experts Prof. KommR POLLIRER and Dr. GOGOLA as Associate Judges, rules on the appeal of XXXX , ophthalmology specialist, XXXX , represented by Dr. Susanne BINDER-NOVAK, lawyer, Riemerplatz 1, 3100 St. Pölten, against the decision of the data protection authority of 4 January 2019, GZ. Pölten, against the decision of the data protection authority of 04.01.2019, GZ: DSB-D123.264/0007-DSB/2018, co-participants XXXX , XXXX , represented by Mag. Stefan KORAB, lawyer, Schwindgasse 6, 1040 Vienna, on the grounds of infringement of the right to erasure and objection, in closed session:

A)

The appeal is not upheld.

B)

The appeal is not admissible pursuant to Art. 133 para. 4 B-VG.



Reasons for decision:

By complaint pursuant to Articles 15 to 18 and 21 of the GDPR" of 24.07.2018, received by the data protection authority (hereinafter: the authority concerned) on 26.07.2018, XXXX (hereinafter: complainant, BF) requested that the authority concerned determines the violation of the BF's rights and obliges XXXX (hereinafter: co-participant, MB) by means of a decision to delete all data whose use does not comply with the provisions of the GDPR and the DPA, in particular the BF's entire doctor profile including all evaluations on the XXXX platform, and to refrain from any further processing of the data. 

In this regard, the BF - represented by a lawyer - stated in summary: She lodged a complaint pursuant to Article 77 of the GDPR on the grounds of infringement of the right to erasure of data pursuant to Article 17 of the GDPR and the right to object to data processing pursuant to Article 21 of the GDPR. According to her own information, the MB had established itself as the leading doctor search portal in Austria with the widest reach of any website in the country. The MB had been repeatedly requested to refrain from processing BF's data and to delete her data. Both on 03.07.2017 (letter of request with objection) and on 22.06.2018 (request for deletion), letters in this regard had been successfully sent to the MB. With regard to the letter of 03.07.2017, the MB had informed the designated legal representative by email on 10.07.2017 that it would not comply with the request. The cancellation request dated 22.06.2018 had been rejected by email dated 06.07.2018. The MB justified its refusal by stating that the data published on the XXXX platform was published, generally accessible data. This reasoning was flawed and did not justify the refusal to delete the data. The MB was the operator of the XXXX website. This is a doctor search portal which is intended to enable patients and doctors to find each other. For this purpose, the MB listed doctors on its website - including BF - with their title, name, address, speciality, telephone number and surgery hours. Directly below the presentation of this data, the MB allows anonymous third parties to rate the respective doctors according to a school grading system in various categories as well as to write a "field report" in free text. In order to be able to submit such an evaluation, it was necessary to register on the website with a freely selected user name and to provide an e-mail address and date of birth. The entry of further data was not required. The case law of the Supreme Court (6 Ob 48/16a), according to which the mere reproduction of permissibly published data does not constitute a violation of the fundamental right to data protection, is outdated and not applicable to the case at hand. 
Only the new legal situation will be discussed here: According to Section 7 of the Data Protection Act, the processing of publicly accessible data is now only permissible if it is carried out for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes that do not aim at personal results. The operation and provision of an evaluation platform that served the economic interests of the operator was not an archival purpose in the public interest. The evaluation platform went far beyond the mere reproduction of generally accessible data. The MB provided the possibility to rate the doctors listed and to write a report on their experience. By linking the reproduced data, new data was created. This newly created data was neither subject to the privilege under the old legal situation section 8(2) of the Data Protection Act 2000 nor to the exemption provision under section 7 of the Data Protection Act. The BA had neither consented to the use of its data nor was there any other justification. The BF's rights were massively impaired by the publication of her data and in particular by the linking by means of untrue statements and misuse of her data as an advertising platform for other "premium doctors", whereas the premium doctors were not confronted with such advertising. 

Re a):
The untrue allegations in some evaluations that the BF keeps its patients waiting for several hours without justification, prescribes the wrong medication and does not take time for the patients' concerns are likely to damage the reputation and standing of the BF. Obviously, the allegations that the BF prescribed the wrong medication and did not take the patients' concerns seriously could in any case have serious consequences for the BF's reputation. The BF also has a considerable effort to constantly check the publications on the website or to react quickly, as it is not informed as a non-premium member. Even if it did react, it had repeatedly happened that the user's details were not disclosed to it, so that the BF could not directly claim injunctive relief and revocation from the user. Deregistration from the system was possible with other portals such as Herold, which had a rating system on its homepage, as well as with the rating system of the Medical Association, but not with the MB.

Re b):
The BF's data was also used for unlawful advertising: XXXX advertised to paying members that the premium entries would be placed on entries of non-premium customers in the vicinity, while conversely the paying premium customer was free from such advertising by other doctors on his portal. Moreover, according to section 2(3)(3) of the Ordinance of the Austrian Medical Association on the Type and Form of Permissible Medical Information in Public, self-promotion of one's own person or services by means of intrusive and/or market-soliciting presentation was impermissible. The advertising banner with the publication of the representations of premium customers on the internet was therefore inadmissible. 
The processing of the data by the MB was therefore unlawful. 

In a lawyer's statement dated 31 August 2018, the MB requested that the appeal would rejected or, in the alternative, that it be dismissed.

She requested their rejection on the grounds of pendency and delay, arguing that in the action of 27 November 2017 brought before the Vienna Regional Court, the BA demanded the deletion of her data from the MC on the basis of her objection and the alleged violation of her data protection rights. The proceedings were pending at first instance at the Vienna Court of Appeal under 39 Cg 60/17d. The same case could not be the subject of two proceedings before different authorities at the same time.
Furthermore, according to the BF's own submission, she had objected to the processing of her data in a letter to the MB dated 03.07.2017 and requested that it be deleted. On 10 July 2017, the MB announced that it would not comply with this request. The BF filed the complaint in question with the data protection authority on 26 July 2018, i.e. more than a year after the MB's refusal. The complaint was therefore late pursuant to section 24(4) of the DPA and had to be rejected. 

Moreover, the complaint was not justified in terms of content:
The MB then commented in detail under point 3 on why the complaint was not justified in terms of content. In particular, the data of the BA, name, practice address, telephone number, practice hours and health insurance funds were permissibly published data, as the BA published them itself on its homepage. Moreover, this data was public due to an explicit legal order under section 27(1) of the Medical Practitioners Act. There was no interest in secrecy in this data and it was generally available under section 1(1) of the Data Protection Act. Furthermore, the BF used an inadmissible justification for its request in section 7 of the Data Protection Act. The basis for the processing was Article 6(1)(f) of the GDPR. The processing of the doctors' data and the publication of the same on the XXXX was also permissible without consent. 
The testimonials did not affect the reputation and standing of BF. The question of the possible untruthfulness of claims made by users was a question of civil law and not a question of data protection. The GTC already regulated the principles of writing testimonials. Furthermore, there were filters and the possibility to submit a report of abuse for each testimonial. The MB investigates each report of abuse individually. Each report of abuse by the BF was also investigated individually and in some cases measures (including deletion) were taken. Doctors also had the possibility to publish their own comments on experience reports. The BF had made use of this possibility. The MB offered all doctors and customers the possibility of being automatically informed about every evaluation on the XXXX. 
The MB did not engage in unlawful advertising for other doctors. Moreover, this was not a question of data protection law. The Supreme Court had already dealt with the XXXX and deemed it permissible (6 Ob 48/16a). The MB had also not violated the medical code of conduct. 
Moreover, the processing of the BF's data by the MB fell under the media privilege of Section 9 of the DPA, which is why Art. 21 and Art. 17 of the GDPR were not applicable. Moreover, the MB was a media auxiliary service. There was a high public interest in a public exchange of opinions on health issues. Even if Art. 17 and 21 of the GDPR were applicable, a balancing of interests would be in favour of the MB, so that there would be no claim for deletion. 
Upon request, BF made the following comments on 18.09.2018: 
Regarding the assertion that the case was pending before the courts, the BA stated that the court proceedings were primarily based on violations of unfair competition and the Unfair Competition Act (UWG). The request for cancellation on the basis of a violation of the Data Protection Act was sought on the basis of the amendment to the GDPR. 
With regard to the alleged delay, the BA stated that the authority responsible for complaints was now the authority in question. In its letter of 24 May 2018, the MB had taken the view that consent to the processing of this data by the BA was not required, "thus the necessary review facts had been established in the letter of 24 May 2018 on the basis of the new Data Protection Act". In a letter dated 22 June 2018, the deletion was requested on the basis of the new legal situation, so that the competence of the data protection authority pursuant to section 32 of the Data Protection Act was given for the proceedings in question. 
The BF contested the MB's arguments that the data protection complaint was substantively unjustified. 
In its statement of 24 October 2018, the MC essentially reiterated its previous position, expressly supplemented it with regard to the statement of 18 September 2018 and argued that it was incorrect for the BA to claim that it was primarily asserting claims for infringement of unfair competition or the UWG in the proceedings before the Commercial Court. It asserted both competition law and data protection law claims before the Vienna Commercial Court. The case was therefore the same as in the present appeal proceedings. With regard to lateness, it was not possible for the BF to extend the deadline under Article 24(4) of the Data Protection Act (previously Article 34(1) of the Data Protection Act 2000) at will by sending a later letter of request with the same content. 
In the contested decision, the authority dismissed the complaint and made the following findings (the names of the parties were adapted): 
"1. the MB operates an online doctor search portal with the possibility to rate doctors. The applicant is listed as a specialist in ophthalmology on the MB. BF already requested the deletion of her doctor's profile and all associated evaluations on the MB in a letter of request dated 03.07.2017. As the MB did not comply with the BF's request, the BF filed a lawsuit with the Commercial Court of Vienna on 27 November 2017 (GZ 39 Cg 60/17d). In the context of this action, the BF argues, inter alia, that the MB has violated its right to data protection pursuant to section 1(1) of the Austrian Data Protection Act 2000 (DSG 2000) and requests that its published data and the associated ratings and reviews be deleted from the XXXX website or other similar websites operated by the MB and that the BF's data not be included and processed again in the future. 
In a letter dated 22 June 2018, BF again requested the deletion of her data from the MB website, or at least the deletion of her data from the rating platform. As the MB did not comply with this request either, the BF filed a complaint with the data protection authority on 24 July 2018 on the grounds of violation of the right of deletion and objection. The proceedings at the Vienna Commercial Court (39 Cg 60/17d) were still pending on the cut-off date of 25 May 2018. 
In legal terms, the authority concerned stated that according to Article 79(1) of the GDPR, a data subject must have an effective judicial remedy without prejudice to an administrative remedy. Neither the binding part of the GDPR nor the recitals indicate the relationship between the judicial and the administrative remedy. A parallel (or successive) conduct of proceedings in the same matter before a court (Art. 78 GDPR) and before the supervisory authority (Art. 77 GDPR) could not be inferred from the GDPR from a systematic point of view. Even if Art. 77 and Art. 79 GDPR gave such an appearance, this would run counter to the legal protection mechanism of the GDPR. The aim of resorting to a legal remedy is to provide a definitive remedy. However, parallel proceedings open up the possibility of obtaining different decisions in one and the same case. Neither the GDPR, nor the General Administrative Procedures Act (AVG) or the Code of Civil Procedure (ZPO) contain any rules on the stay of proceedings in the case of parallel proceedings, if the assessment of preliminary issues is not at issue, but the main issue is identical in both proceedings. As a result, it could not be the purpose of the GDPR to first refer the question of the lawfulness of a certain processing of personal data to a court, only to refer the same question to a supervisory authority after the conclusion of the legal proceedings - or, as in this case, even at the same time. Moreover, a special problem would arise in cross-border cases; in this respect, the mechanism according to Art. 60 ff GDPR would be invalid. 

In the complaint of 27 November 2017, the BF argued, inter alia, that the MB had infringed its right to data protection under section 1(1) of the Data Protection Act 2000 and requested that its published data be deleted and that no further recording and processing of the data take place. 
In the underlying complaint, the BF expressly asserts a violation of the right to deletion pursuant to Article 17 of the GDPR and objection to data processing pursuant to Article 21 of the GDPR and requests that the MB be ordered to delete the BF's entire doctor profile, including all evaluations on the XXXX platform, and to refrain from any further processing of the data. 
Both the judicial and the administrative proceedings therefore focused on the same subject matter, namely ultimately the deletion of the BF's data from the XXXX platform and the prevention of future processing. 
It should be noted that with the request of 22.06.2018, the BF merely requested the deletion of all her data on the MB platform and did not expressly rely on Art. 21 GDPR, whereby the objection ultimately leads to deletion and is therefore consumed by the asserted right to deletion. 
Pursuant to section 69(4) of the DPA, proceedings pending before the ordinary courts under the DPA 2000 at the time of the entry into force of the DPA 2018 were to be continued under the provisions of the DPA and the GDPR, with the proviso that the jurisdiction of the ordinary courts remained in force. Since the action under 39 Cg 60/17d was still pending at the time of the entry into force of the DPA and the GDPR (on 25 May 2018), the jurisdiction of the Vienna Higher Regional Court did not change. Insofar as the BF argues that the legal proceedings are primarily based on a violation of the law of unfair competition or the UWG, it must be countered that it does no harm if - in addition to alleged violations of data protection rights - other civil law claims are also asserted at the same time in the legal remedy, because the ZPO permits the cumulative assertion of similar claims. Thus, the Vienna Court of Appeal nevertheless had to rule on the refused request for deletion.
As a result, from the perspective of data protection law, the authority concerned would have had to rule on the same issue as the Vienna Higher Regional Court in the present appeal proceedings. However, simultaneous use of the right of appeal to the supervisory authority and the right of judicial remedy in the same matter was out of the question. 
The BF's appeal against this decision is directed against this decision on the grounds of incorrect legal assessment and secondary deficiencies in the findings, with the primary request that the decision be amended - "if necessary after corrective determination of the relevant facts" - to the effect that the BF's requests are granted. In the alternative, a motion to set aside was filed. 

The authority concerned submitted the complaint together with the administrative act in electronic form with the request to dismiss the complaint. The relevant facts had been established. In addition, the authority stated that, due to the rejection, the substantive assessment of the complaint was not to be addressed because it had not been the subject of a complaint before the authority and thus could not be the subject of the proceedings before the administrative court. The subject matter of the administrative court proceedings was only whether the authority before which the appeal was brought had rightly rejected the appeal. If the BA argued that there was no direct claim in the proceedings before the respondent authority, that the respondent authority could not award anything and that the BA would not receive an enforcement order, it had to be countered that according to Article 58(2)(c) of the GDPR in conjunction with Article 24(5), when granting a complaint, in addition to establishing a violation of the law, an order had to be issued to the respondent to comply with the requests in order to remedy the established violation of the law. This was an order for performance, the execution of which the BF could apply for itself in accordance with the provisions of the VVG. It was true that there was no subjective legal claim to the initiation of an official investigation procedure. However, this was undoubtedly a complaint procedure under Article 77(1) of the GDPR in conjunction with Article 24(1) of the GDPR, to which a subjective legal claim existed. The subject matter of the dispute was identical. A parallel (i.e. simultaneous) use of the right of appeal to the supervisory authority and a judicial remedy in the same matter is not possible. 

The complaint is not justified in the result: 
The Administrative Court bases its decision on the findings already made by the authority concerned and reproduced above and supplements them as follows: 
On 03.07.2017, the BF sent a letter to the MB through its legal representation with - as far as relevant - the following content: 
" XXXX - XXXX / XXXX 
…. 
On the online platform XXXX operated by them, evaluations are repeatedly published which refer to the expert activities of my client. 
…
Furthermore, my client has not consented to the use of her data and the provision of the same on her website and expressly opposes this data processing. You are therefore also hereby requested to delete the XXXX report published on 27.06.2017, to remove Ms XXXX's doctor profile from her XXXX platform, to prevent the data from being made available again and to remove all evaluations. A date of 20.07.2017 is noted as the date for carrying out a deletion. In the event that the deletion is not carried out within the deadline, I have been instructed to take legal action".
(Annex ./A1 to the data protection complaint of 24.7.2018)
In a letter dated 10 July 2017 to MMag. Dr. BINDER-NOVAK, received promptly by the latter, the MB stated, inter alia: 
"We refer to your letter of 03.07.2017 as legal representation of Ms XXXX and would like to comment as follows:
… 
You are asking us to delete Ms XXXX's profile along with all reviews. We would like to note that we find Ms XXXX's repeated approach of trying to suppress the free expression of patients on XXXX extremely questionable. With regard to the company data of her client displayed on XXXX, this is already published and generally accessible data. The company data was personally circulated by Ms XXXX with the aim of making it accessible to interested parties (especially female patients). 
… 
We are therefore unable to delete Ms XXXX's profile. 
…“
(Exhibit ./20 of the MB's response in the proceedings 39 Cg 60/17d of the Vienna Commercial Court). 
The content of the date of dispatch and the timely receipt of the letter of 10 July 2017 by the BF's legal representative are undisputed and already result from the BF's submission in its complaint of 24 July 2018.
Legally follows:
Pursuant to section 69(4) of the DPA, proceedings pending before the data protection authority or the ordinary courts under the Data Protection Act 2000 at the time of the entry into force of the DPA shall be continued in accordance with the provisions of this federal act and the GDPR, subject to the proviso that the jurisdiction of the ordinary courts shall remain in force. 
Pursuant to Article 77(1) of the GDPR, without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her residence, place of work or the place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes this Regulation. 
Pursuant to Article 79(1) of the GDPR, without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, every data subject shall have the right to an effective judicial remedy if he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data not in compliance with this Regulation. 
Pursuant to Section 24 (1) of the Data Protection Act, every data subject has the right to lodge a complaint with the data protection authority if he or she is of the opinion that the processing of personal data concerning him or her violates the GDPR or Section 1 and Art 2 first main section. 
Pursuant to para 4, the right to have a complaint dealt with expires if the complainant does not file it within one year after he/she became aware of the event giving rise to the complaint, but at the latest within three years after the event is alleged to have taken place. Late complaints shall be rejected. 
Pursuant to Section 34(1) of the FADP 2000, the right to have a petition under Section 30, a complaint under Section 31 or an action under Section 32 dealt with shall expire if the petitioner does not file it within one year after he/she became aware of the event giving rise to the complaint, but at the latest within three years after the event allegedly took place. Late complaints shall be rejected. 

In its decision of 23.05.2019 6Ob91/19d, the Supreme Court explicitly dealt with the question of the "duplication of legal protection options with regard to Art. 77(1) and Art. 79(1) GDPR".
In summary, he stated that in the literature, the dual nature of the possibilities of legal protection is largely affirmed. Accordingly, the "one-stop-shop" principle was not upheld (without exception). In the legislative process at the European level, Austria was the only state to vote against the adoption of the GDPR, because the parallelism of legal protection options created the risk of contradictory court decisions in the same matter and a violation of the principle of "res judicata". However, it is precisely this episode in the development of the law that speaks for the fact that the GDPR has intentionally standardised a two-track legal protection by the EU legislator. The GDPR does not regulate the relationship between Art. 77, 78 and 79. The explanations in the report of the Constitutional Committee (Explanatory Memorandum 1761 BlgNR. 25. GP 30) did not change this, since, on the one hand, the exclusion of civil proceedings, which was obviously intended by the legislator, could not be inferred from the wording of the law itself, and, on the other hand, the GDPR had direct validity and was directly applicable, which is why national provisions contradicting the GDPR had to remain inapplicable due to the primacy of EU law. 
According to settled case-law and prevailing doctrine, the requirement to assign a matter for execution either entirely to the courts or to the administrative authorities is to be derived from Article 94 (1) of the Federal Constitution. The prohibition of parallel competences obliges the legislator to establish objectively ascertainable criteria for the competence of one or the other executive body. However, it is permissible to split a factual situation into several aspects, i.e. in one and the same matter, the administrative authority may be assigned the decision-making determination of the existence of one element of the facts, whereas the court may be assigned the determination of the existence of other requirements. 
Section 31(2) of the DPA 2000 still provided for a demarcation and explicitly did not provide for parallel jurisdiction. Now, Article 24(1) of the DPA provides that every data subject has the right to lodge a complaint with the data protection authority if he or she is of the opinion that the processing of personal data relating to him or her violates the GDPR or Article 1 and Article 2, first part of the DPA. According to the legislative materials, this provision is intended to implement the right of appeal under Art. 77 DPA. The fact that the (there) plaintiff may have several possibilities of legal protection from the various national authorities, whereby a review of the decisions by independent courts is guaranteed in each case, does not in any case constitute a violation of an indispensable core of Austrian constitutional law. 

This means for the case at hand:
Although the subject matter of the cited decision was the question of whether the ordinary courts had jurisdiction in addition to the existing jurisdiction of the data protection authority, the question to be resolved here is the opposite, i.e. whether recourse to the data protection authority is also possible in the case of recourse to ordinary courts for the same subject matter of the dispute, the Administrative Court agrees with the reasoning of the Supreme Court, according to which the parallelism of legal protection options is permissible under the GDPR, which is directly applicable in Austria, and the circumstance of parallel recourse to administrative jurisdiction under subsequent judicial review does not affect an indispensable core of Austrian constitutional law.
The authority concerned based its rejection of the data protection complaint solely on the inadmissibility, in its opinion, of recourse to the data protection authority, because in casu an ordinary court was already dealing with the same matter. The authority affirmed the preliminary question of the identity of the subject matter of the dispute or complaint. 
In its complaint, the BF apparently did not object to the legal opinion of the prosecuting authority, according to which a two-track legal protection was to be denied if the subject matter of the dispute was identical, but denied the identity of the subject matter of the dispute or complaint concerning the proceedings conducted by the BF before the Commercial Court on the one hand and the proceedings before the data protection authority on the other. 
As described above, the Administrative Court agrees with the legal opinion of the Supreme Court, which is substantiated in detail, according to which such a two-track approach is expressly intended by the GDPR. A rejection for the reasons stated by the authority concerned, an exclusion of parallel legal enforcement, is therefore out of the question, without having to address the BF's assertion that the subject matter of the dispute or complaint is not identical (in this case, legal recourse to the data protection authority would also be open). 

Therefore, the decision-making competence of the authority concerned is to be affirmed in principle. 
Both under the old (DSG 2000) and the new legal situation as of 25 May 2018, preclusion rules existed and still exist for the assertion of data protection law violations. Both provisions contain a subjective short preclusion period (within one year from knowledge of the event giving rise to the complaint) as well as an objective long period (at the latest within three years after the event is alleged to have taken place).
Already according to the BF's own submission and on the basis of the letter sent by the BF's legal representation to the MB on 3 July 2017, the BF was at that time aware of the fact that (according to its assertion) the MB published the BF's "doctor profile" on the XXXX platform in an inadmissible manner, also inadmissible assessments in the opinion of the BF. It is true that the letter of 03.07.2017 initially refers to a specific aspect, namely the BF's expert status. However, it is clear from the last paragraphs (reproduced above) that the BF was already at that time pursuing its entire legal position presented in the current proceedings in full knowledge of the factual situation, which also forms the basis of the submissions in these proceedings. In the further proceedings (see the complaint of 24.07.2018, the statement of 18.09.2018 as well as the present complaint of 31.01.2019), no further material factual element is alleged which was not obviously already covered by the letter of 03.07.2017 and the request for cancellation at that time. 
The authority rightly stated that the objection under Article 21 of the GDPR (not included in the applications), which was also raised in the complaint of 24 July 2018, is consumed by the requested right to erasure. 
In its opinion of 31.08.2018, the MB already pointed out that the complaint was out of time within the meaning of section 24(4) of the DPA. In its statement of 18 September 2018 (point 2), the BF commented that the MB had taken the view in its letter of 24 May 2018 that consent to the processing of this data was not required, and that the "necessary review facts had therefore been established with the letter of 24 May 2018 on the basis of the new Data Protection Act". By letter of 22 June 2018, the deletion was requested on the basis of the new legal situation. The competence of the authority called upon was given. 
Apart from the grammatical incomprehensibility of the second paragraph of point 2 of the data protection complaint of 18 September 2018, it is also not apparent in what way a further rejection letter of the MB of 24 May 2018 - which was apparently not submitted in the proceedings - could be relevant for the preclusion period for the BF beginning on 3 July 2017. If the BF apparently believes that the change in the legal situation and the rejection of the BF's claims by the MB as well as its further letter of request of 22 June 2018 do not constitute a violation of preclusion periods, this view cannot be accepted. 
Preclusive or limitation periods serve to ensure that proceedings are conducted within a reasonable period of time, so that in particular difficulties with evidence are to be avoided. The (formal) change in the legal situation does not interrupt the aforementioned preclusion periods, whereby the material formulation of these preclusion periods has not changed in any case. The fact that the position asserted by the BF in pre-trial correspondence was rejected and then continued to be asserted in an insignificantly modified form does not change the preclusion period of § 24 (4) as long as the "knowledge of the event giving rise to the complaint" is not affected. However, since, as stated, the BF was already aware of the entire event complaining of it at the time of its first letter of request, on 3 July 2017, which it made the subject of the proceedings before the authority concerned, the claim to treatment in this regard had already expired at the time the complaint was filed on 26 July 2018. 
It is true that the authority concerned limited its reasoning for the rejection solely to the question of the admissibility of the parallel use of administrative jurisdiction. However, as the prosecuting authority correctly states in its statement on the submission of the file, the subject matter of the complaint before the prosecuting authority and thus before the Administrative Court includes the question of whether the prosecuting authority was justified in rejecting the complaint. 
A late filing of a complaint within the meaning of Section 24 (4) of the FADP also leads to a rejection (last sentence). Therefore, the authority concerned was right in rejecting the complaint - albeit for a different reason - so that the complaint - again as a result - was unsuccessful. 

An oral hearing could be dispensed with. Such a hearing was not requested and the facts relevant for the legal assessment to be made (including the supplementary facts established on the basis of the documents known to and available to all parties) are established. 
The decision that the appeal is inadmissible is based on the fact that the two-pronged legal protection pursuant to Art. 77(1) and Art. 79(1) GDPR ultimately follows unambiguously from the text of the Regulation and this fact was expressly clarified by the Supreme Court. 

European Case Law Identifier
ECLI:AT:BVWG:2020:W274.2214412.1.00

Federal Administrative Court	04.12.2020