DSB (Austria) - 2021-0.347.702
| DSB - DSB-D124.3420 | |
|---|---|
| Authority: | DSB (Austria) |
| Jurisdiction: | Austria |
| Relevant Law: | Article 6(1)(f) GDPR; Article 9(2)(f) GDPR |
| Type: | Complaint |
| Outcome: | Rejected |
| Started: | 15.11.2022 |
| Decided: | 04.02.2022 |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | DSB-D124.3420 |
| European Case Law Identifier: | ECLI:AT:DSB:2022:2021.0.347.702 |
| Appeal: | n/a |
| Original Language(s): | German |
| Original Source: | DSB (in DE) |
| Initial Contributor: | n/a |
The Austrian DPA dismissed a complaint against a law firm which was accused of unlawfully processing personal data of the data subject. According to the DPA, the processing was justified under Article 6(1)(f) GDPR in conjunction with Article 9(2)(f) GDPR.
English Summary
Facts
The data subject gambled online on the website of the controller, seated in Malta. When the data subject lost some money, he demanded a refund from the controller, claiming that the controller's online gambling services were illegal, at least in Austria, from where the data subject accessed the online casino. The controller then refunded the money.
The data subject later opened an account with a different online gambling company (hereinafter: company C), which was part of the same group of companies as the controller. The data subject once again demanded a refund of his losses. He based it on the same claim as before: alleged illegality. However, company C refused to give a refund. The data subject then brought the dispute to court.
The controller forwarded personal data of the data subject to company C, which in turn forwarded it to the law firm. During the court proceedings, the law firm that represented company C (but is also the controller's firm) used the data subject's personal data to strengthen company C’s defense. The lawyer stated that the data subject previously had a player account with the controller, where he also demanded a refund of his losses based on the same claim.
The data subject later submitted a complaint with the Austrian DPA against the law firm about the use of his personal data during the court proceedings. He stated that the exchange of personal data from the controller to company C was neither covered by the privacy policy of the controller nor did he give consent for it. The data was therefore unlawfully processed by the law firm who defended company C.
The law firm stated that the data subject was using the online gambling services of both the controller and company C, which are affiliated companies belonging to the same group of companies. The data transfer between companies that are part of one group can be based on legitimate interest under Art. 6(1)(f) GDPR. They argued that although the GDPR does not explicitly provide for a “group privilege”, “it can be deduced from recital 48 of the GDPR that an exchange of, inter alia, customer data between data controllers that are part of a group of companies can be based on a legitimate interest pursuant to Art. 6(1)(f) of the GDPR.”
Holding
The DPA held that the exchange of customer data between the controller and company C was lawful pursuant to Art. 6(1)(f) GDPR, as the processing was necessary for the purposes of a legitimate interest. In this case, the processing of data was justified for the purpose of a factual, plausible and related defence of a party representative in a civil dispute.
The DPA argued that Art. 9(1) GDPR prohibits the processing of sensitive data. However, Article 9(2)(f) GDPR creates a legal basis for using particularly protected data where it is necessary for the “establishment, exercise or defense of legal claims (…)”. In those cases, the consent of the data subject is not required for the lawful processing. That provision, in conjunction with Art. 6(1)(f) GDPR, can also be used, by way of an a fortiori argument, as a justification for processing data that are not specially protected for the purposes of legal defence before a court.
In the case at hand, the public interest of access to evidence and the right to present facts stood in contrast to the interest of the data subject which was twofold. Firstly, his interest in the confidentiality of his data and secondly, his interest in preventing the law firm from making a factual submission that could damage his own success in the proceedings.
The DPA drew the conclusion that the interest of the law firm outweighed the interest of the data subject.
The processing of the data of the data subject was therefore justified by Art. 6(1)(f) in conjunction with Art. 9(2)(f) GDPR, as the law firm did not unlawfully interfere with the complainant's right to confidentiality.
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
GZ: 2021-0.347.702 from February 4, 2022 (process number: DSB-D124.3420)
[Editor's note: Names and companies, legal forms and product names, addresses (including URLs, IP and e-mail addresses), file numbers (and the like), etc., as well as their initials and abbreviations may be abbreviated and/or changed for reasons of pseudonymization. Corrected obvious spelling, grammar, and punctuation errors.]
NOTICE
SAY
The data protection authority decides on the data protection complaint by Markus A*** (complainant) from 1*** Vienna dated November 15, 2020 against N*** N*** Rechtsanwälte GmbH (respondent party, entered in the commercial register for FN 6*1* 7 * 4o by the Vienna Commercial Court, previously N*** & N*** Rechtsanwälte GmbH) from 1*** Vienna for violation of the right to secrecy as follows:
The appeal is dismissed.
Legal basis: Art. 4 Z 7, Art. 6 para. 1 lit. f, Art. 9 para. 2 lit. f, Art. 51 para. 1, Art. 57 para. 1 lit. f and Art. 77 para Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), OJ No. L 119 of 4.5.2016 p. 1; § 1 paragraph 1 and 2, § 18 paragraph 1 and § 24 paragraph 1 and paragraph 5 of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended, as well as § 1a paragraph 6 and § 9 paragraph 1 of the Lawyers' Code (RAO), RGBl. No. 96/1868 as amended.
REASON
A. Submissions of the parties and course of the proceedings
1. In his complaint dated November 15, 2020 and emailed to the Data Protection Authority on the same day (including an addendum dated the same day), the complainant submitted (along with some copies of documents) the following in summary: B*** Gaming p.l.c. (hereinafter abbreviated to: B***) forwarded the data concerning him to C*** Limited (hereinafter abbreviated to: C***), which the latter used against him in the proceedings pending at the District Court of T*** under *3 C *24/20d. This is a violation of the relevant provisions of the GDPR. The data transfer is not covered by the data protection guidelines of B***. He did not give B*** permission to pass this data on to third parties. Pages 9 and 10 of C***'s objection dated August 10, 2020 state: On October 23, 2019, the plaintiff registered a player account on the website www.b***.com operated by B***. The plaintiff contacted B*** and requested reimbursement of his net losses based on the alleged illegality of B***'s online casino offering in Austria. B*** agreed, purely as a gesture of goodwill, without prejudice and without acknowledging any rights or obligations, to a refund of the amount claimed by the plaintiff. In the course of this, B*** transferred the agreed amount to the plaintiff in December 2019. The Respondent had stored and processed the data he had unlawfully passed on from B*** to C*** without any legal basis. As a law firm, however, the Respondent should have known that the C*** she represented had obtained this data illegally.
2. After a deficiency order from the data protection authority (procedural order of March 8, 2021, GZ: 2020-0.772.988), the complainant additionally submitted on March 24, 2021 that he considered himself by the respondent as well as B*** and C*** in his fundamental right to secrecy according to § 1 Abs. 1 DSG as violated, since the provisions on the lawfulness of processing according to Art. 6 DSGVO were not observed.
3. Because of the intergovernmental connection - the B*** and the C*** are companies under Maltese law with main offices in the Republic of Malta - two further, separately conducted proceedings (case numbers DSB-D130.583 regarding the B*** and DSB-D130.601 regarding C***) opened.
4. The respondent, requested by the data protection authority (procedural order of March 26, 2021, GZ: 2021-0.226.849) to comment, countered the complaint in its statement of May 11, 2021 with the following: The complainant was a customer of several of her clients, which lawfully offer games of chance in the form of online casinos, including the B*** and the C***, which are part of a group of companies and between which the data in question are exchanged. The complainant had opened player accounts with both companies and participated in online gambling, first with B***, then with C***. In both cases he claimed back the amounts used after losses and claimed the illegality of the online casino offers. He received a goodwill refund from B*** in December 2019, whereupon he opened a player account with C*** in 2020 and after refusing a renewed claim for reimbursement of his game losses at the T*** district court to *3 C* 24/20d filed a lawsuit against C***. In these proceedings, C*** was represented by the respondent. However, the court dismissed the action on the grounds of abuse of rights (not final). In terms of data protection, the Respondent explained that the GDPR does not recognize any express “group privilege”, but it can be deduced from Recital 48 to the GDPR that an exchange of customer data, among other things, between those responsible who are part of a group of companies is based on a legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR can be supported. In the present case, her client had no other option than to pass on the data exchanged within the group of companies to the respondent as her law-friendly representative, while the complainant could not demonstrate an overriding interest in secrecy. The same result can be reached on the basis of a size limitation from Art. 9 Para. 2 lit. f GDPR, which provision even expressly permits the processing of specially protected data for legal defense purposes. The data processing was therefore lawful, the data protection complaint should be dismissed.
5. According to the parties, the complainant responded to these results of the investigation (procedural order of May 11, 2021, GZ: 2021-0.341.020) as follows to the Respondent's submissions: It was for the assessment of the question of whether a violation of the Confidentiality according to the GDPR or DSG is legally irrelevant whether a civil court has determined an abuse of rights in the underlying legal matter or not. Apart from that, the judgment of the district court T*** is not yet final and in other cases with similar facts the courts have come to the conclusion that he has not acted abusively. Despite knowledge of the Austrian legal situation and against better knowledge, C*** offered a prohibited game of chance in Austria. The gambling company had to expect that some players would ask for their losses back. In addition, the fundamental right to data protection according to § 1 DSG is a constitutionally protected right.
B. Subject of Complaint
6. On the basis of the parties' submissions, it follows that the subject of the complaint is the question of whether the Respondent was entitled to submit data of the Complainant for the submission in civil proceedings initiated by the Complainant as plaintiff before the District Court of T*** on behalf of its client C*** to process that the complainant had previously participated in B*** online gambling and received a refund from the latter company. The question of whether the business activities (organization of online games of chance) of B*** and C*** in Austria were lawful is not the subject of the proceedings.
C. Findings of Facts
7. The Respondent is a company organized in the legal form of a limited liability company that practices the legal profession. In this capacity, on August 10, 2020, she brought a civil case pending by the complainant as a plaintiff at the T*** District Court, file number *3 C *24/20d (Markus A*** against C*** Limited for the payment of EUR 1,765.00), as the authorized and authorized representative of the defendant C*** Limited, filed an "objection in the European procedure for small claims" against the lawsuit and submitted (under point II. 7., slightly expanded content also under point V. 1. to 3. of the pleading) as follows (emphasis not reproduced): "Even if the plaintiff assumes the invalidity of the concluded gambling contracts - based on a legal view contrary to Union law - the plaintiff's action is clearly abusive. Prior to opening a player account on our website www.c***.com, the plaintiff had already played on the website www.b***.com operated by our affiliated company B*** Gaming plc and suffered losses in the process. On the basis of the alleged illegality of the online casino offer, the plaintiff also demanded the reimbursement of his net losses there, which were reimbursed to him in December 2019 as a gesture of goodwill and without prejudice for the respective factual and legal position. The plaintiff finally opened a new player account on our website on January 16, 2020, shortly after the reimbursement of his net losses on the website www.b***.com. The plaintiff knowingly took advantage of what he considered to be an "illegal" gambling offer - which he admittedly misguided - and thereby acted with the clear intention of causing damage. The plaintiff played with the knowledge that he couldn't lose. Because in the event of a loss, he would claim back the losses suffered from us. Should he win, he would of course simply keep the winnings." This argument was repeated in substance in subsequent pleadings in these proceedings.
8. Evidence assessment: These findings are based on the consistent submissions of both parties and the copy of the corresponding brief submitted by the complainant (enclosure to supplement the complaint of November 15, 2020, enclosed as an enclosure in GZ: 2020-0.772.988).
9. B*** and C*** are affiliated companies belonging to the same group of companies. The C*** had received the relevant data relating to the previous customer relationship and its termination from the B*** and forwarded it to the Respondent.
10. Evidence assessment: as before; this finding is also based on the credible and, with regard to the fact that B*** and C*** belong to one and the same group of companies, the complainant's undisputed submissions by the respondent in the statement of May 11, 2021 (enclosed as an initial piece in GZ: 2021-0.341.020).
D. In legal terms it follows that:
D.1. Total:
11. The complaint has proven to be unjustified, since the data processing for the purpose of a factual, plausible defense argument related to the subject matter of a party's representative in a civil law dispute was justified by Art. 6 Para. 1 lit. f in conjunction with Art. 9 Para. 2 lit. f GDPR.
D.2. applicable legislation:
12. The basic right to secrecy enshrined in § 1 DSG, according to the first paragraph of which everyone has a right to secrecy of the personal data concerning him, in particular with regard to respect for his private and family life, insofar as there is a legitimate interest in this, includes the Protection of the data subject against the determination of their data and the disclosure of the data determined about them. However, the basic right to secrecy is not absolute, but may be limited by certain permissible interventions.
13. It should be noted that in the present case a violation of the right to secrecy according to Section 1 (1) DSG must be checked and restrictions on this right may result from Section 1 (2) DSG.
14. According to Section 1 (2) DSG, restrictions on the right to secrecy are only permissible to protect the overriding legitimate interests of another person, insofar as the use of personal data is not in the vital interests of the person concerned or with his consent, whereby in the event of intervention by a state authority these may only take place on the basis of laws that are necessary for the reasons stated in Art. 8 Para. 2 ECHR.
15. However, the GDPR and in particular the principles enshrined therein must be taken into account when interpreting the right to secrecy (cf. the decision of July 4, 2019, GZ: DSB-D123.652/0001-DSB/2019, RIS).
16. According to Art. 6 Para. 1 lit. f GDPR, the processing of personal data is lawful if the processing is necessary to safeguard the legitimate interests of the person responsible or a third party, unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data prevail, especially when the data subject is a child.
17. According to Art. 9 Para. 1 GDPR, the processing of personal data revealing racial and ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data for the clear identification of a natural person, health data or data concerning a natural person's sex life or sexual orientation is prohibited. According to Art. 9 Para. 2 lit. f GDPR, Para. 1 does not apply in the event that the processing is necessary for the establishment, exercise or defense of legal claims or for actions of the courts in the context of their judicial activities.
18. § 1a paragraph 6 and § 9 paragraph 1 RAO read: "§ 1a [...] (6) The provisions relating to lawyers also apply mutatis mutandis to law firms. […] § 9. (1) The lawyer is obliged to conduct the representations he has taken on in accordance with the law and to represent the rights of his party against everyone with zeal, loyalty and conscientiousness. He is authorized to state frankly whatever he deems appropriate to represent his party under the law, to use its means of attack and defense in any manner which does not conflict with his mandate, his conscience and the law."
D.3. Data protection and activities of lawyers:
19. First of all, lawyers, including law firms, regularly act as controllers when they process data for the purpose of representing their clients. Although they act under power of attorney and are thus entitled to issue legally binding statements for their clients, the decision as to which third-party data is to be processed for the fulfillment of the mandate is made by the lawyer, subject to evidence to the contrary made without instructions from the client. Any other understanding of the possible roles of the person responsible (Art. 4 Z 7 DSGVO) or processor (Art. 4 Z 8 DSGVO) would be incompatible with the independence of a lawyer in questions of professional practice (cf. the considerations of the data protection authority in the decision of March 9, 2015, GZ. DSB-D122.299/0003-DSB/2015, RIS, as well as the considerations of the Federal Administrative Court on the role of responsible person and independence in the practice of professional detectives, decision of June 25, 2019, Zl. W258 2188466-1, RIS, and court experts, findings of September 27, 2018, Zl. W214 2196366-2, RIS, and of January 23, 2020, Zl. W214 2196366-3, RIS).
20. The Respondent made the decision here to transfer data that were originally processed by B*** and that her client received from the latter company through data exchange within a group of companies (Art. 4 Z 19 GDPR). use the legal position of C***, that the complainant does not owe the payment of EUR 1,765.00, in carrying out its obligations as a law firm in accordance with § 9 para to defend and thus to transmit this data to the competent court.
D.4. Appropriate process submissions as the basis for lawful data processing:
21. Art. 9 Para. 2 lit. f GDPR creates a legal basis for the use of specially protected data (such as health data of a data subject) even against the will of the latter in the course of official investigations (court or administrative proceedings). The provision can also (see above, margin no. 15) be used as a basis for interfering with the right to secrecy.
22. This regulation is intended to prevent a legal claim from being asserted in court, in administrative proceedings or out of court (and thus ultimately not being enforceable) or for the defense position to be weakened because this would happen without processing (especially disclosure in the proceedings) sensitive data of another person is not possible. At the same time, it is standardized that courts may also process (in particular collect, record, store and - if necessary - also disclose to other parties involved in the proceedings) sensitive data (such as health data for calculating pain compensation or determining other claims) as part of their judicial activities, which in particular are necessary for the processing of the procedure and decision-making ("functionality"). […] The factual element of necessity (possibly within the framework of a weighing of interests) must be observed, even if the necessity of specific data can be unclear in the case of disputed claims. (Kastelitz/Hötzendorfer/Tschohl in Knyrim, DatKomm Art 9 GDPR (as of May 7th, 2020, rdb.at), margin no. 45, underlining not in the original).
23. As the Respondent correctly argued, the provision in conjunction with Art. 6 (1) (f) GDPR can also be used as a justification for processing non-specially protected data for purposes of legal defense before a court by way of an interpretative size limit. No consent from the data subject is required for data processing on the basis of Art. 6 Para. 1 lit. f and Art. 9 Para. 2 lit. f GDPR.
D.5. Weighing of interests:
24. Based on the established facts, it is plausible that the Respondent's submissions were suitable and necessary to strengthen C***'s defense position as a defendant. According to Section 1a (6) and Section 9 (1) sentence 2 RAO, the Respondent, as a law firm, is legally authorized to use such a means of defence. However, the authority (administrative authority or court) to which it is presented must always decide on the admissibility of evidence (DSB, recommendation of 03/02/2017, GZ: DSB-D213.453/0003-DSB/2016, RIS, also relating to § 50a DSG 2000 and the data of an inadmissible video surveillance/image processing; cf. also DSB, decision of December 13th, 2019, GZ: DSB-D123.978/0003-DSB/2019, RIS, regarding the non-existing right to deletion of data of an inadmissible image processing intended to serve as evidence in a tenancy dispute). The same applies mutatis mutandis to questions about the admissibility and process relevance of a party's submissions.
25. The legislators of the GDPR and the RAO see an important public interest in the effective functioning of the administration of justice, which also includes access to evidence and the right to present facts (cf. in particular the doctrine cited under margin no. 22 with further references and DSB, notice of December 6th, 2021, GZ: 2020-0.774.665 [case number: DSB-D124.3119], not yet published, regarding the presentation of a copy of a certificate from an uncertain source by a lawyer before a labor court).
26. In any case, this justifies a legitimate interest of the Respondent in the data processing.
27. This legitimate interest is offset by the complainant’s interest in the secrecy of his data, which is legally protected by Section 1 (1) DSG, as well as his obvious interest in preventing the respondent and thus the C*** she represents from submitting a factual statement that could damage his own litigation success.
28. However, the complainant is not able to show that his legitimate interests outweigh this.
29. It follows that the Respondent was entitled to carry out the data processing referred to in the complaint for the purpose of a factual, plausible defense argument related to the subject matter of the process.
D.6. Conclusion:
30. Since the Respondent was able to rely on the justification pursuant to Art. 6 (1) lit. f in conjunction with Art. 9 (2) lit. f GDPR, it did not unlawfully interfere with the complainant's right to secrecy.
31. The complaint was therefore to be dismissed as unfounded in accordance with Section 24 (5) sentence 3 DSG.