BVwG - W214 2219800-3

From GDPRhub
Revision as of 09:36, 7 July 2021 by RRA (talk | contribs)
BVwG - W214 2219800-3
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 5(1)(c) GDPR
Article 5(1)(e) GDPR
Article 58(2)(d) GDPR
Article 77 GDPR
§ 22a PassG 1992
§ 22b PassG 1992
§ 22c PassG 1992
Decided: 26.04.2021
Published:
Parties:
National Case Number/Name: W214 2219800-3
European Case Law Identifier: ECLI:AT:BVWG:2021:W214.2219800.3.00
Appeal from: DSB
DSB-D123.770/0009-DSB/2019
Appeal to:
Original Language(s): German
Original Source: Rechtsinformationssystem des Bundes (RIS) (in German)
Initial Contributor: n/a

The Austrian Federal Administrative Court ruled that the storage of personal data on an identity document is justified for the entire duration of its validity, in particular to detect forgeries. In contrast, personal data from an old identity document must be deleted even if the data is the same as that of a new identity document.

English Summary

Facts

The controller issues identity cards and passports. The data transmitted for this purpose are in any case stored for the duration of the validity of the identity documents.

The data subject reported losing an identity card ("old ID"), which was subsequently blocked. He then applied for a new identity card ("new ID") using the same photograph, which was still valid at the time of the decision. The photograph relating to the new ID was still stored at the time of the decision. The same photograph was also stored in the data set of the old ID, even though it had been blocked for more than three years.

In a complaint to the Austrian DPA (DSB), the data subject requested, among other things, the deletion of these photographs. The DSB did not follow the data subject in this respect.

The data subject filed an appeal against this with the Austrian Federal Administrative Court (BVwG).

Holding

The BVwG ruled, among other things, that the controller is obliged to delete the photograph relating to the old ID. However, during the period of validity of an identity document, photographs may be stored.

Photographs as biometric data

The court first dealt with the question of whether photographs are biometric data within the meaning of Article 4(14) GDPR. In this regard, it stated that photographs serve to uniquely identify the person to whom the identity document is issued. This does not change if queries from the identity document register are carried out according to other criteria. In the end, however, the court leaves the qualification as biometric data open, since their processing would in any case be lawful under Article 9(2)(g) GDPR. The processing of biometric data was provided for at the statutory level by the Austrian Passport Act 1992 (PassG) for reasons of substantial public interest.

No obligation to delete data concerning a valid identity document

The court stated that there was no obligation to delete the data concerning the new identity card. Such obligation cannot exist during the period of validity of the identity card. After the expiry of the validity, § 22c PassG provides for a deletion obligation. First of all, the opinion of the data subject is rejected, according to which the photographs are to be deleted after production and issuing of the ID card and waiting for an appropriate complaint period. The data subject was of the opinion that "production and issuance" were the decisive purposes of the data processing and that those implied a corresponding deletion period. The court based its decision on the fact that § 22a(1) and § 22b(1) PassG, which regulate data processing from the time of application for the issuance of an identity document, do not provide for any deletion periods with regard to photographs. In addition, according to § 22b(4)(1) PassG, processed data of certain persons may be transmitted to specifically defined authorities for specifically defined purposes upon request in individual cases. In this respect, this provision seems to assume a storage of personal data beyond the production and issuance of the ID card.

The court then states that there is nevertheless also no authorisation for unlimited storage "in advance". Rather, the principles of data minimisation and storage limitation laid down in Article 5 GDPR set the relevant limits. However, processing for the duration of validity is justified in any case.

First of all, reference is made to the explanations in a government bill. According to these, "the processing of personal data of applicants for a travel document to the extent provided for by law is indispensable for an orderly enforcement of the passport system and, in this sense, there is always an overriding public interest in the processing of data that is worthy of protection". Therefore, no right of objection or right to erasure of processing had been introduced. According to the BVwG, this applies in any case to valid travel documents.

Otherwise, confirmation of the personal data and the dates of issue of the travel document would no longer be possible in the event of any problems with passports and identity cards in connection with a border control (e.g. if forgery is suspected). Also, identity checks for other authorities according to the above-mentioned § 22b (4) PassG or according to § 22b (4a) PassG, which also provides for such a check, would no longer be possible in case of doubts about the authenticity. In the court's view, photographs in particular were also necessary for these verifications, since especially in the case of falsifications of the ID card, a possible exchange of the photograph would not be recognisable if the data were otherwise left unchanged.

Finally, the court briefly states that it has no doubts about the constitutionality and EU lawfulness of § 22a and § 22b PassG. It therefore refrained from referring the case to the Austrian Constitutional Court or the ECJ. The data subject had proposed to ask the ECJ "whether processing purposes mentioned in national norms imply the existence of deletion periods in interaction with Article 5 GDPR, as well as whether there can be an unlimited storage of data without explicit provisions".

Obligation to delete data regarding an expired identity document

The court ruled that the photograph stored in the data record of the old ID must be deleted, even if it is identical to the photograph on the new ID. § 22c (1) PassG provides that one year after the identity card has been cancelled, personal data and in particular photographs are to be blocked for information requests (by authorities). According to § 22c (4) PassG, the personal data blocked for information must be physically deleted after a further two years.

These conditions were met here, so the court ruled that the right to deletion had been violated.

According to the BVwG, this decision is not changed by the fact that an application for a new ID using the same photo was submitted before the expiry of the deletion period. The data for the old ID do not constitute a basis for the new ID. Rather, it can only be based on the new data. The photo was stored twice. Deleting the old photo would not lead to a gap in the data record for the new ID card.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.