DSB (Austria) - 2023-0.137.735

From GDPRhub
Revision as of 13:01, 7 August 2023 by Mg (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Austria |DPA-BG-Color= |DPAlogo=LogoAT.png |DPA_Abbrevation=DSB |DPA_With_Country=DSB (Austria) |Case_Number_Name=2023-0.137.735 |ECLI=ECLI:AT:DSB:2023:2023.0.137.735 |Original_Source_Name_1=RIS |Original_Source_Link_1=https://www.ris.bka.gv.at/Dokument.wxe?ResultFunctionToken=781b2319-902d-4155-8237-4ceb50a97274&Position=1&SkipToDocumentPage=True&Abfrage=Dsk&Entscheidungsart=Undefined&Organ=Undefined&SucheNachRechtssatz=True&SucheNachT...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
DSB - 2023-0.137.735
LogoAT.png
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 57(4) GDPR
Type: Complaint
Outcome: Rejected
Started:
Decided: 21.02.2023
Published: 01.08.2023
Fine: n/a
Parties: n/a
National Case Number/Name: 2023-0.137.735
European Case Law Identifier: ECLI:AT:DSB:2023:2023.0.137.735
Appeal: Unknown
Original Language(s): German
Original Source: RIS (in DE)
Initial Contributor: mg

The Austrian DPA refused to act on a complaint and declared it “dishonest” and “abusive” after a data subject asked a controller to pay €2,900 for GDPR violations as alternative to litigation.

English Summary

Facts

The data subject made an access request with the controller. The controller replied, but the data subject claimed that the answer was either false or incomplete, as the data subject had evidence that the controller processed further personal data. The data subject asked the controller to pay €2,900 as a compensation for the damage suffered as a consequence of the allegedly unlawful processing. Alternatively, the data subject threatened that they would have lodged a complaint with the competent DPA. The controller refused to pay and the data subject lodged a complaint with the Austrian DPA.

Holding

The DPA refused to act on the complaint pursuant to Article 57(4) GDPR. According to this provision, a DPA can refuse to act or charge a reasonable fee when a request is excessive or manifestly unfounded. In this case, the DPA found that the latter scenario applied. As a matter of fact, the request for €2,900 as an alternative to the threatened litigation was seen by the supervisory authority as “dishonest”. The complaint was thus considered as abusive exercise of a procedural right, namely the right enshrined in Article 77(1) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

text

GZ: 2023-0.137.735 from February 21, 2023 (case number: DSB-D124.1473/22)

[Editor's note: Names and companies, legal forms and product names, addresses (including URLs, IP and e-mail addresses), file numbers (and the like), etc., as well as their initials and abbreviations may be abbreviated and/or changed for reasons of pseudonymization be. Corrected obvious spelling, grammar, and punctuation errors.]

NOTICE

SAY

The data protection authority decides on the data protection complaint by Mr. Ernst A*** (complainant) of November 10, 2022, improved with the submission of December 9, 2022, against Mr. RA Mag. Stefan B*** (first respondent) because of the alleged violation of the law to secrecy, the alleged violation of the right to information and the alleged violation of the right to information as well as against Ms. Sofia C*** (second respondent), represented by the first respondent, because of the alleged violation of the right to confidentiality and the alleged violation of the right to information as follows:

 The complaint is rejected because it is obviously unfounded

Legal basis: Article 51 (1), Article 57 (1) (f), Article 57 (4) and Article 77 (1) of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR) , OJ No. L 119 of 04.05.2016, p. 1; Section 1 (1) and (2) and Section 24 (1) and (5) of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended: Article 51, paragraph one, Article 57, paragraph one, litera f,, Article 57, paragraph 4, and Article 77, paragraph one, of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter: GDPR), OJ No. L 119 of 04.05.2016, p. 1; Paragraph one, paragraph one and paragraph 2, as well as paragraph 24, paragraph one and paragraph 5, of the Data Protection Act (DSG), Federal Law Gazette Part One, No. 165 from 1999, as amended.

REASON

A. Submissions of the parties and course of the proceedings

1. In his (amended) complaint of November 10, 2022, the complainant claimed that the first respondent had violated the right to secrecy, the right to information and the right to information, and the second respondent had violated the right to confidentiality and the right to information. In explanation, the complainant explained that he had contacted the two respondents with a request for information and had been informed that his data was being processed by the respondents. However, since he is not a party to the media warning wave regarding Google Fonts, it follows that either the information is incorrect or his data is being processed without a legal basis. In addition, the Respondent would use the Webalizer tool on its website, which was neither referred to in the data protection declaration published on the Respondent's website nor referred to in the information.

2. In their two statements of January 3, 2023 and January 23, 2023, the Respondents essentially argued that they had provided the complainant with sufficient information or information in a letter dated September 21, 2022, in a timely manner. The Respondents also stated that the Complainant had offered to refrain from filing a complaint with the data protection authority for a payment of €2,900 and submitted a letter to that effect.

3. The complainant did not make any further statements during the granted hearing of the parties. A corresponding forwarding report is enclosed with the file and there is also no error message from an e-mail server.

B. Subject of Complaint

The subject of the complaint is the question of whether the first respondent violated the complainant's right to secrecy, the right to information and the right to information, and the second respondent violated the right to confidentiality and the right to information. First, however, it must be checked whether the requirements for a rejection of the complaint pursuant to Art. 57 (4) GDPR are met the second respondent's right to secrecy and the right to information has been violated. First of all, however, it must be checked whether the prerequisites for a rejection of the complaint pursuant to Article 57, paragraph 4, GDPR are present.

C. Findings of Facts

The complainant turned to the first respondent on August 18, 2022 and to the second respondent on September 27, 2022 with a request for information.

The first respondent provided information to the complainant in a letter dated September 22, 2022, and the second respondent provided information to the complainant in a letter dated October 17, 2022.

The complainant then sent the following letter to the respondents:

[Editor's note: the graphic file inserted here (letter from the complainant) was removed because it cannot be displayed in the RIS. It has the following relevant content:

"Regarding your letters to me, I unfortunately have to inform you that you are processing my data illegally, have not fulfilled your obligations under Art 15 GDPR incompletely and incorrectly and therefore your careless handling of the subject of data protection not only annoys me massively, but also causes me a lot Makes you uncomfortable."Referring to your letter to me, I unfortunately have to inform you that you are processing my data illegally, have not completely and incorrectly fulfilled your obligations under Article 15, GDPR and therefore your careless handling of the subject of data protection not only annoys me massively, but also makes me very uncomfortable.

However, I am happy to declare that I am willing to have the damage caused to me reimbursed in full by a one-off payment of EUR 2,900.00, stating the reference “****”, to my account IBAN AT**** within one week.

In return, I undertake not to lodge a complaint with the data protection authority or any claim for damages with the competent court against you."]

Assessment of evidence: The findings result from the submissions of the parties and the submitted, harmless documents.

D. In legal terms it follows that:

Pursuant to Art. 57 Para. 4 GDPR, the supervisory authority may charge a reasonable fee based on administrative costs or refuse to to act on the request. The filing of a complaint in accordance with Art. 77 Para. 1 GDPR in conjunction with Section 24 Para. 1 DSG must be qualified as an "enquiry" within the meaning of Art. 57 Para. 4 GDPR and this also results without doubt from Art. 78 Para. 2 GDPR. The filing of a complaint in accordance with Article 77, Paragraph 1, GDPR in conjunction with Paragraph 24, Paragraph 1, DSG is in any case to be qualified as an "enquiry" within the meaning of Article 57, Paragraph 4, GDPR and this also results undoubtedly from Article 78, paragraph 2, GDPR.

As established, the complainant offered the respondents to refrain from filing a complaint with the data protection authority for a payment of €2,900.

Against this background, in the opinion of the data protection authority, the complainant cannot be assumed to have an actual need for legal protection, which is why the complaint in question is to be qualified as dishonest and the use of the data protection authority's activities by the complainant as abusive.

The complaint was therefore, based on Art. 57 (4) GDPR, due to obvious unfoundedness. The complaint was therefore to be rejected based on Article 57, Paragraph 4, GDPR due to obvious unfoundedness.

It had to be decided accordingly.