DSB (Austria) - 2022-0.930.971

From GDPRhub
Revision as of 10:50, 14 November 2023 by Co (talk | contribs)
DSB - 2022-0.930.971
LogoAT.png
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 4 GDPR
Article 13 GDPR
Article 25 GDPR
Article 32 GDPR
Article 89 GDPR
§ 7 DSG
Type: Advisory Opinion
Outcome: n/a
Started: 28.12.2022
Decided: 21.06.2023
Published: 29.08.2023
Fine: n/a
Parties: n/a
National Case Number/Name: 2022-0.930.971
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): German
Original Source: RIS (in DE)
Initial Contributor: co

The Austrian DPA authorised a research institute to conduct scientific research in the field of self-driving cars, given that the controller adopts appropriate safeguards for the protection of data subjects.

English Summary

Facts

The requesting entity is an automobile and rail industry research centre, the controller. As part of its research, it intends to carry out a scientific research project whose purpose is that of collecting training data for algorithms used for partially and fully self-driving vehicles and also aimed at increasing vehicle and road safety in that context. With such data the controller intends to develop new, automated driving technologies.

In order to do so, the controller would place a few self-driving vehicles on specific roads of an Austrian city and make them drive pre-defined routes. In this, it is necessary that the vehicles record public areas and streets, which include personal data of individuals, and transmit such data to the controller in order to research how such vehicles can safely drive around pedestrians. To this end, the vehicles are provided with both internal and external cameras that have an almost 360 view. Further, the video recordings will be used to categorise the different traffic objects/subjects, which inevitably includes individuals, and then train the vehicle to recognize them.

In addition to this, the test-vehicles will be equipped with signs stating that they are self-driving, the name of the controller, the aims of the recording, and a link and a QR code redirecting to the website of the controller. Plus, the person inside the car will have a ready-to-show pamphlet specifying the aims and legal basis of processing and information about the controller.

Further, the controller adopts several security measures, including restricting access to the data, nominating data processors under Article 28 GDPR for the classification of data and deletion and anonymization of personal data upon conclusion of the project. The controller plans to provide some of the recordings and their categorization to its partner-institutions researching in the field, but only insofar as the data can be anonymized or, if it cannot, only when the interests of data subjects do not override those of the institutions.

On 28 December 2022, the controller, according to the provision of Article 7(3) of the Austrian Law on Data protection (Datenschutzgesetz, DSG), requested the Austrian DPA’s (Datenschutzbehörde, DSB) authorization to proceed with the project. In line with Article 36(5) GDPR, Austrian Law requires that the DSB grants an authorisation in cases of processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, as per Article 89 GDPR, when either no legal provision allows the processing, when consent cannot be given and when the data is not publicly accessible or pseudonymised.

Holding

The DSB analysed the project and decided to grant an authorization to the controller. However, the DSB specified that in order to safeguard the legitimate interests of data subjects the following conditions must be met:

First, the DSB held that the processing of image data for purposes of scientific research are subject to the requirements set out in Article 7 DSG, and the processing of “test data” via video recordings requires the authorization of the DSB under Article 7(3) DSG.

As regards the obligation of the controller to provide information about the processing under Article 13 GDPR, the DSB held that the use of signs on the car is sufficient, however the term “autonomous driving” should be translated into German as well, since vehicles will be driving in Austrian territory.

In addition to this, the DSB specified that the image resolution should make sure, as far as possible, that the faces of pedestrians are not captured. Further, the DSB held that the transmission of the original recorded data in a non-anonymised form to third parties should only occur when an administrative order is given, for instance in case of an accident and shall not be transmitted to cooperation partners. The controller should also make sure that security measures under Article 32 GDPR are in place and that only designated employees of the controller have access to the data.

Lastly, the DSB pointed out that recording data and test results can only be published in an anonymized way.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

text

GZ: 2022-0.930.971 from June 21, 2023 (Procedure number: DSB-D202.321)

[Editor's note: Names and companies, legal forms and product names, addresses (including URLs, IP and email addresses), file numbers (and the like), etc., as well as their initials and abbreviations may be abbreviated for pseudonymization reasons and/ or be changed. Obvious spelling, grammar and punctuation errors have been corrected.

NOTICE

SAYING

The data protection authority decides on the application from N*** Verkehrsforschung GmbH (“applicant”), represented by attorney Dr. Johann E***, LL.M., dated December 28, 2022 for the granting of approval in accordance with Section 7 Para. 3 DSG as follows: The data protection authority decides on the application from N*** Verkehrsforschung GmbH (“applicant”), represented by RA Dr. Johann E***, LL.M., dated December 28, 2022 for the granting of approval in accordance with paragraph 7, paragraph 3, DSG as follows:

1.   The applicant is granted permission to use personal data in the form of (video) recordings in public places on public road, bus and rail transport within Austria as part of a scientific research project for the purpose of developing test data for algorithms in the area of (part -) autonomous driving as well as to increase road safety and vehicle safety.

2.   In order to safeguard the legitimate interests of the data subjects during the processing authorized in paragraph 1, the following conditions are imposed:

a. The marking of the test vehicles used must also be in German.

b. The image resolution should be chosen so that, if possible, no faces of those affected are visible

People or vehicle license plates are recognizable. Personal data from the databases viewed will only be processed to the extent necessary for the purposes of the activity approved under point 1.

c. A transfer of image and video data to third parties is only permitted in the event of an official order.

d. Access to the image or video recordings containing personal data is prohibited

by the applicant in an appropriate manner in accordance with Article 32 Paragraph 1 GDPR by the applicant in an appropriate manner in accordance with Article 32 Paragraph 1 GDPR

to be secured, e.g. by locking (for paper records) or by

Password (for electronic records).

e. The inspection and evaluation of image or video recordings may only be carried out by specific, trained employees of the applicant or their processor who have been informed about Section 6 DSG. The inspection and evaluation of image or video recordings may only be carried out by specific, trained employees of the applicant or their processor who are informed about paragraph 6, DSG, whose reliability in handling data is guaranteed in accordance with Section 6 Paragraph 3 DSG., whose reliability in handling data in accordance with Paragraph 6, Paragraph 3 , DSG is guaranteed.

f.   The video data or test results may only be published in anonymized form.

3.   According to Section 78 of the General Administrative Procedure Act 1991 (AVG), Federal Law Gazette No. 51/1991 as amended, in conjunction with Sections 1, 3 Paragraph 1 and TP 1 of the Federal Administrative Tax Ordinance 1983 (BVwAbgV), Federal Law Gazette No. 24 as amended, the applicant has an administrative fee in the amount of in accordance with paragraph 78 of the General Administrative Procedure Act 1991 (AVG), Federal Law Gazette No. 51 of 1991, as amended, in conjunction with paragraphs one, 3 paragraph one and TP 1 Federal Administrative Tax Ordinance 1983 (BVwAbgV), Federal Law Gazette No. 24 as amended, the applicant has to pay an administrative fee in the amount of

EUR 6.50

to be paid.

Legal basis: Section 7 of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended; Art. 13, 25 in conjunction with Art. 32, Art. 89 of Regulation (EU) 2016/679 (General Data Protection Regulation - GDPR), OJ No. L 119 of May 4, 2016, p.1; §§ 1, 5, 6 and 7a Ordinance of the Federal Minister for Climate Protection, Environment, Energy, Mobility, Innovation and Technology on framework conditions for automated driving (Automated Driving Ordinance – AutomatFahrV), Federal Law Gazette II No. 402/2016 as amended; § 78 of the General Administrative Procedure Act 1991 (AVG), Federal Law Gazette No. 51 as amended: Paragraph 7, of the Data Protection Act (DSG), Federal Law Gazette Part One, No. 165 from 1999, as amended; Article 13,, 25 in conjunction with Article 32,, Article 89, of Regulation (EU) 2016/679 (General Data Protection Regulation - GDPR), OJ No. L 119, 4.5.2016, p.1; Paragraphs one, 5, 6 and 7a Ordinance of the Federal Minister for Climate Protection, Environment, Energy, Mobility, Innovation and Technology on framework conditions for automated driving (Automated Driving Ordinance - AutomatFahrV), Federal Law Gazette Part 2, No. 402 from 2016, as amended; Paragraph 78 of the General Administrative Procedure Act 1991 (AVG), Federal Law Gazette No. 51 as amended.

REASON

A. Submissions of the applicant

With an application dated December 28, 2022, the applicant submitted an application for approval in accordance with Section 7 Paragraph 3 DSG and essentially submitted the following: With an application dated December 28, 2022, the applicant submitted an application for approval in accordance with Section 7, Paragraph 3 , DSG and essentially stated as follows:

The applicant is a leading research center for the automotive and railway industries and, as a non-university research institution, is investigating (partially) automated driving functions in public places in public road, bus and rail transport within Austria. The applicant's research includes the development, validation, testing and operation of fail-safe automated driving architectures and has set itself the task of ensuring the safe coexistence of highly (partially) automated vehicles with conventional vehicles in road traffic.

The aim of the research project is to (further) develop (partially) automated driving functions and to increase and improve both vehicle safety and road safety through research and development of new, automated drive technologies.

It is planned that the (partially) automated vehicles used by the applicant will be tested within Austria on a predefined route, with the first test drives in the city of O***, specifically in the southern part of O*** in the districts of L** * and B*** will take place parallel to T***straße. During these test drives, the (partially) automated vehicle takes on automated driving tasks between a local transport center and a shopping center.

The development and testing of the applicant's products make it necessary, as part of the initial test projects, to record image data on public roads within Austria in order to test the special local traffic conditions. The (partially) automated vehicles are oriented using vehicle sensors (lidar, radar) and pre-recorded, highly accurate maps. In the area of bus terminals and traffic signals, communication with the infrastructure (C-ITS) will also be used to increase detection accuracy.

In order to develop test data for algorithms in the area of (partially) autonomous driving, there are specific plans to determine and analyze personal video data using cameras in public places on public roads, buses and rail transport within Austria. This should provide information on the questions “how automated driving can be carried out safely and efficiently in areas with pedestrian traffic, how public transport and an automated shuttle for passenger transport can work together in the best possible way, what challenges exist in automated driving along a given route in real operation “Whether the position and direction of movement of road users can be better recognized through video data, image data including audio (in combination or as a supplement to other sensors)”.

The material is recorded using several cameras installed on the outside of the test vehicles operated by the applicant and enable up to 360° recordings of public road, bus and rail traffic. The applicant is also planning to install a camera in the interior of the vehicles used, which will record public road, bus and rail traffic from the driver's perspective. In addition, an image of the dashboard (e.g. gauge display, dashboard tablet) will be taken inside the vehicles in order to document and illustrate the functionality of the system.

The purpose of the collected video recordings was to detect traffic objects (road markings, traffic signs, bridges, etc.) and road users (single- and double-lane vehicles, cyclists, pedestrians, etc.). Since the intention is to make video recordings of public road, bus and rail transport on a predefined route, it is unavoidable that personal data will also be collected. It cannot be ruled out that the video data collected includes recordings of individuals, vehicle license plates or other personal data. However, the identity of road users is not important to the applicant. However, the fact that people must be recognizable as road users is of essential importance for the research purpose, especially since the applicant must ensure that the algorithms in (partially) autonomous vehicles can correctly recognize people as such.

The applicant states that the video data obtained in this way serves as a basis for the researchers to make appropriate categorizations, which are classified using generic terms (e.g. classification as “motor vehicle”, “pedestrian”, “cyclist”). These subsequently serve as reference material for the review of numerous algorithms, whereby their repeated and long-term use can ensure constant further development and improvement in the field of (partially) automated driving and in particular the associated traffic safety.

The data protection impact assessment carried out by the applicant within the meaning of Article 35 of the GDPR came to the conclusion that the risks could be reduced to an acceptable level through appropriate data protection precautions. The data protection impact assessment carried out by the applicant within the meaning of Article 35 of the GDPR reached the conclusion that the risks could be reduced to an acceptable level through appropriate data protection precautions.

The test vehicles used by the applicant were clearly and extensively marked as autonomous vehicles (e.g. white vehicle with blue inscription “Automated Drive” on both sides). There are also clearly visible signs on the test vehicles that provide information about the applicant as the person responsible for the processing and the purpose of the video recordings. Furthermore, the information sign would contain a corresponding link to the applicant's website as well as a QR code, which would be used to inform the data subjects about the data processing carried out. Both the link and the QR code led to further information about the applicant's data processing and research activities. In addition, the driver carries a sign in the vehicle that, in addition to pointing out video recordings, also shows the purpose, legal basis and data of the person responsible, which can be shown to a data subject at any time.

Principles of data security are guaranteed because the applicant is, on the one hand, an institution certified according to the TISAX procedure (“Trusted Information Security Assessment Exchange”). On the other hand, the applicant has introduced appropriate security measures with regard to physical access controls to the personal data (for paper recordings using a lock, for electronic recordings using a password). Only certain, trained project employees of the applicant who have been informed about Section 6, DSG are authorized to access or view the raw data and the evaluation of image or video recordings Applicant whose reliability in handling data is guaranteed in accordance with Section 6 (3) DSG. Data protection training is held at regular intervals for the applicant's project employees. It is intended to grant appropriate access authorizations by the project manager in coordination with IT, with access to the video data being secured by the user logging in by name and assigning a password. It is expressly prohibited to access or process data on private data processing devices. In addition, the applicant has introduced IT security requirements, which must be observed by the project employees. The applicant's IT systems are protected by logging system usage, whose reliability in handling data is guaranteed in accordance with paragraph 6, paragraph 3, DSG. Data protection training is held at regular intervals for the applicant's project employees. It is intended to grant appropriate access authorizations by the project manager in coordination with IT, with access to the video data being secured by the user logging in by name and assigning a password. It is expressly prohibited to access or process data on private data processing devices. In addition, the applicant has introduced IT security requirements, which must be observed by the project employees. The applicant's IT systems are protected by logging system usage.

The applicant deletes or anonymizes personal data as soon as they are no longer needed to achieve the research goals or for experimental development, but in any case upon completion of the respective research project, so that traceability to individual persons is not possible. The applicant will provide comprehensible documentation of the deletion and anonymization.

The applicant plans to make selected video recordings and their classification available to other scientific institutions with which she cooperates for research purposes in this area. Video data or other personal data transmitted to cooperation partners are bound to strict purpose restrictions (i.e. for research and development in the area of autonomous driving). The cooperation partners are determined by the applicant in the framework of framework agreements (e.g. COMET K2 Agreement - framework agreement). To the extent that it is sufficient for the specific research purpose, the applicant will remove the personal reference, in particular making the people and license plates of the vehicles recorded unrecognizable before they are made available to cooperation partners. If it is not possible to transmit anonymized video recordings because this would mean that the algorithms to be checked or developed cannot reliably recognize people, the applicant will ensure that a transmission only takes place if the interests of recognizable persons are in need of protection personal data do not outweigh the interests of the applicant or other scientific institutions in developing safe algorithms for (partially) autonomous driving.

If personal data is transferred to cooperation partners in countries outside the European Union (EU) for which there is no adequacy decision from the European Commission, the applicant will conclude a standard protection clause with appropriate technical and organizational measures to ensure that the personal data is processed in accordance with European data protection standards become.

Comprehensible documentation of the transmissions by the applicant is planned. Before a planned data transfer, the data protection team put together by the applicant will be informed and the legality of the transfer under data protection law will be checked.

If the applicant intends to publish video data or test results in order to bring the current research work closer to the general public, this will only be done in an anonymous form.

Regarding the existence of the requirements in accordance with Section 7 Paragraph 3 of the DSG, the applicant first submits that obtaining consent from the data subjects is impossible due to a lack of accessibility or involves disproportionate effort. The people affected are a group of people whose current address cannot be determined at all or only with disproportionate effort for the applicant, as they can only be identified and contacted afterwards. In addition, it cannot be ruled out that data processing also affects people from abroad, which makes it even more difficult to identify the people affected by the images. Obtaining consent would therefore cause disproportionate effort within the meaning of Section 7 Paragraph 3 Z 1 DSG of Paragraph 7, Paragraph 3, Number One, DSG.

The existence of a public interest exists because the research project promotes vehicle safety and road safety in connection with (partially) automated driving functions.

Regarding the applicant's professional suitability, she explains that it is a research institution for the automotive and railway industries, which guarantees that the determination and processing of the video data in Austria is carried out by qualified specialist personnel. The viewing and evaluation of personal data only takes place

by specific, trained employees who have been informed about Section 6 of the Data Protection Act and whose reliability in handling data is guaranteed in accordance with Section 6 (3) of the Data Protection Act. by specific, trained employees who have been informed about paragraph 6, DSG, whose reliability in handling data is guaranteed in accordance with paragraph 6, paragraph 3, DSG.

To the extent that the assistance of contract processors is necessary for the classification of image data, the applicant only uses those who can ensure compliance with data protection regulations and concludes the necessary contract data agreements in accordance with Art 28 GDPR. In addition, the people they employ are contractually obliged to treat personal data confidentially. They would also have to prove to the applicant that they have taken appropriate technical and organizational measures to protect personal data. is necessary, the applicant only uses those who can ensure compliance with data protection regulations and concludes the necessary order data agreements in accordance with Article 28, GDPR. In addition, the people they employ are contractually obliged to treat personal data confidentially. They would also have to prove to the applicant that they have taken appropriate technical and organizational measures to protect personal data.

The declaration of an authorized person according to Section 7 Paragraph 4 of the DSG is not necessary because the data required for research purposes is determined by the applicant herself.

B. Findings of Fact

The data protection authority bases its decision on the facts documented in point A.

C. From a legal point of view it follows:

C.1. Regarding point 1

C.1.1. Generally

Since the applicant plans to carry out test drives in the area of autonomous driving in Austria and also record video data in this context, approval from the data protection authority is required for this in accordance with Section 6 AutomatFahrV in conjunction with Section 7 Paragraph 3 DSG. Since the applicant plans to carry out test drives in the area of autonomous driving in Austria and also record video data in this context, approval from the data protection authority is required for this in accordance with paragraph 6, AutomatFahrV in conjunction with paragraph 7, paragraph 3, DSG.

Section 7 DSG standardizes data processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. Image data is also (identifiable) personal data within the meaning of Art. 4 Z 1 GDPR. At the same time, these image data generally do not involve processing special categories of personal data within the meaning of Art. 9 GDPR (cf. DSB of June 7, 2018, GZ DSB-D202.207/0001-DSB/2018, mwN). Paragraph 7, DSG standardizes data processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. Image data is also (identifiable) personal data within the meaning of Article 4, paragraph one, GDPR. At the same time, however, there is generally no processing of special categories of personal data within the meaning of Article 9 of the GDPR with these image data (cf. DSB of June 7, 2018, GZ DSB-D202.207/0001-DSB/2018, mwN).

The determination and evaluation of image data for the purposes of scientific research is subject to the special regulation of Section 7 DSG. The determination and evaluation of image data for the purposes of scientific research is subject to the special regulation of paragraph 7, DSG.

From the facts established, it follows that the requirements of Section 7 Paragraph 1 DSG Paragraph 7, Paragraph One, DSG (publicly accessible data or data that have already been determined for other investigations or purposes, or pseudonymized data) are not met.

Under the conditions that Section 7 Paragraph 2 DSGParagraph 7, Paragraph 2, DSG attaches to the processing of research-related data (research purposes in the public interest and either a legal basis (Section 1), or a (Section ,), or consent (Z.2) or a (Section ,) or an approval from the data protection authority (Z.3) in accordance with Section 7 Paragraph 3 DSG), Section 7 Paragraph 2 Paragraph 1 DSG initially appears to be fulfilled. There is no doubt that the automated use of vehicles for passenger transport is in the public interest and the AutomatFahrV also provides a legal basis for the testing and use of such vehicles. However, Section 6 leg. cit. under the heading “Test data” stipulates that if video data is collected outside of an accident data storage, approval from the data protection authority is required in accordance with Section 7 Para. 3 DSG. (Section ,) in accordance with paragraph 7, paragraph 3, DSG), paragraph 7, paragraph 2, paragraph 1 DSG initially appears to be fulfilled. There is no doubt that the automated use of vehicles for passenger transport is in the public interest and the AutomatFahrV also provides a legal basis for the testing and use of such vehicles. However, paragraph 6, leg. cit. under the heading “Test data” stipulates that if video data is collected outside of an accident data storage, authorization from the data protection authority is required in accordance with paragraph 7, paragraph 3, DSG.

Since neither the requirements of Section 7 Paragraph 1 DSG nor those of Section 7 Paragraph 2 Z 1 and Z 2 DSG are met, the planned use of data can only be carried out on the basis of a nor those of paragraph 7, paragraph 2, number one and number 2, DSG are present, the planned use of data can only take place based on approval by the data protection authority in accordance with Section 7 Paragraph 2 Z 3 in conjunction with Section 7 Paragraph 3 DSGApproval by the data protection authority in accordance with paragraph 7, paragraph 2, number 3, in conjunction with paragraph 7, paragraph 3, DSG.

C.1.2 Result

Since the request from those responsible for the granting of a permit was granted, the legal justification in accordance with Section 58 Para. 2 AVG could be omitted. Since the request from those responsible for the granting of a permit was granted, the legal justification in accordance with paragraph 58, paragraph 2, AVG could be omitted.

C.2. Regarding point 2

Edition 2.a serves to ensure the controller's obligation to provide information in accordance with Art. 13 GDPR. The person responsible has provided pictures of the information signs on the test vehicles. In addition to a QR code that leads to the data protection declaration of those responsible, these signs also contain the purpose “autonomous driving”. According to Art. 8 B-VG, the state language on Austrian territory, for which the person responsible has applied for this approval, is German. The data protection authority therefore also requests that the reference to the purpose of data processing (“autonomous driving”) also be included in the information signs in German (e.g.: “Autonomous or automated vehicle”). Edition 2.a serves to guarantee the person responsible’s obligation to provide information in accordance with Article 13, GDPR. The person responsible has provided pictures of the information signs on the test vehicles. In addition to a QR code that leads to the data protection declaration of those responsible, these signs also contain the purpose “autonomous driving”. According to Article 8, B-VG, the state language on Austrian territory, for which the person responsible has applied for this authorization, is the German language. The data protection authority therefore also requests that the reference to the purpose of data processing (“autonomous driving”) also be included in the information signs in German (e.g.: “Autonomous or automated vehicle”)

Conditions 2.b and 2.c refer in particular to the possibility of image data being secured, for example after a traffic accident (cf. the authorization to transmit the accident data storage in accordance with Section 5 Para. 3 AutomatFahrV). The requirement is intended to make it clear that such a transmission. Conditions 2.b and 2.c refer in particular to the possibility of image data being secured, for example after a traffic accident (compare the authorization to transmit the accident data storage in accordance with paragraph 5, paragraph 3, AutomatFahrV). The requirement is intended to make it clear that such a transmission must remain the only case in which the unevaluated, unprocessed (non-anonymized) original data may be transmitted. For this reason, any planned data transfer to third parties (cooperation partners) is expressly prohibited (see also the penultimate and last sentence of Section 6 of the AutomatFahrV). (see also the penultimate and last sentence of paragraph 6, the AutomatFahrV).

Requirements 2.d to 2.f serve to ensure data security when processing data and to ensure data secrecy.

C.3. Regarding point 3

This point (administrative levy) is based on the provisions cited therein. The granting of authorization for data processing for scientific research purposes is not covered by the fee and tax exemption clause of Section 69 Para. 6 DSG. This ruling point (administrative fee) is based on the provisions cited therein. The granting of authorization for data processing for scientific research purposes is not covered by the fees and charges exemption clause in Section 69, Paragraph 6, DSG.

This sum must be paid into the account *** in the name of the data protection authority. The business number and the completion date should be stated as the intended purpose.

So the decision had to be made according to the verdict.